diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index f3234c0e64..383c1a4d7a 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,14 +1,149 @@
 {
 "redirections": [
 {
- "source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
- "redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-add",
- "redirect_document_id": true
- },
+"source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility",
+"redirect_document_id": true
+},
 {
- "source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md",
- "redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-get-started",
- "redirect_document_id": true
+"source_path": "browsers/edge/emie-to-improve-compatibility.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/windows-update-sources.md",
+"redirect_url": "/windows/deployment/update/how-windows-update-works",
+"redirect_document_id": true
+},
+{
+"source_path": "browsers/edge/hardware-and-software-requirements.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/about-microsoft-edge",
+"redirect_document_id": true
+},
+{
+"source_path": "browsers/edge/security-enhancements-microsoft-edge.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp",
+"redirect_document_id": true
+},
+{
+"source_path": "browsers/edge/new-policies.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/change-history-for-microsoft-edge",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/intelligence/av-tests.md",
+"redirect_url": "/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md",
+"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md",
+"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md",
+"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/security/threat-protection/intelligence/transparency-report.md",
+"redirect_url": "/windows/security/threat-protection/intelligence/av-tests",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md",
+"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-add",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md",
+"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-get-started",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md",
+"redirect_url": "/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/encrypted-hard-drive.md",
+"redirect_url": "/windows/security/information-protection/encrypted-hard-drive",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/secure-the-windows-10-boot-process.md",
+"redirect_url": "/windows/security/information-protection/secure-the-windows-10-boot-process",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md",
+"redirect_url": "/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md",
+"redirect_url": "/windows/security/information-protection/tpm/change-the-tpm-owner-password",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md",
+"redirect_url": "/windows/security/information-protection/tpm/how-windows-uses-the-tpm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md",
+"redirect_url": "/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/manage-tpm-commands.md",
+"redirect_url": "/windows/security/information-protection/tpm/manage-tpm-commands",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/manage-tpm-lockout.md",
+"redirect_url": "/windows/security/information-protection/tpm/manage-tpm-lockout",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md",
+"redirect_url": "/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/tpm-fundamentals.md",
+"redirect_url": "/windows/security/information-protection/tpm/tpm-fundamentals",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/tpm-recommendations.md",
+"redirect_url": "/windows/security/information-protection/tpm/tpm-recommendations",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-overview.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
+"redirect_document_id": true
 },
 {
 "source_path": "windows/deployment/update/waas-windows-insider-for-business.md",
@@ -5186,8 +5321,8 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803.md",
-"redirect_url": "/windows/configuration/basic-level-windows-diagnostic-events-and-fields",
+"source_path": "devices/hololens/hololens-insider.md",
+"redirect_url": "/devices/hololens/hololens-whats-new",
 "redirect_document_id": true
 },
 {
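Review bot: Three of the added entries redirect to a path that this same hunk turns into a redirect, producing two-hop chains: `browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md` points at `.../deploy/emie-to-improve-compatibility`, whose own source is redirected on to `.../group-policies/interoperability-enterprise-guidance-gp`; `windows/security/threat-protection/intelligence/transparency-report.md` points at `/windows/security/threat-protection/intelligence/av-tests`, whose source is redirected on to `.../top-scoring-industry-antivirus-tests`; and `windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md` points at the identity-protection path, whose source is redirected on to `/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows`. Each of the three should point straight at the final target. Because the intermediate source already claims that target's document id with `"redirect_document_id": true`, the chained entry presumably needs `"redirect_document_id": false`, the pattern this hunk already uses for the second and third bitlocker-countermeasures entries. The Edge entries also hard-code `https://docs.microsoft.com/en-us/...` where the rest of the file uses site-relative `/...` paths; if those targets live on the same site, a relative path would keep non-English readers in their own locale.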
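Review bot: The redirect for `windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803.md` is overwritten in place by the unrelated `devices/hololens/hololens-insider.md` entry instead of being kept next to it, so unless the 1803 entry was re-added somewhere in the file not shown here, the old 1803 URL stops redirecting. The file already maps the 1703 page to `/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703`, so the 1803 entry presumably belongs on `/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803`; restoring it as its own object alongside the HoloLens one would avoid a broken inbound link.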
@@ -6566,6 +6701,21 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/kiosk-shared-pc.md",
+"redirect_url": "/windows/configuration/kiosk-methods",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/setup-kiosk-digital-signage.md",
+"redirect_url": "/windows/configuration/kiosk-single-app",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/configuration/multi-app-kiosk-xml.md",
+"redirect_url": "/windows/configuration/kiosk-xml",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md",
 "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps",
 "redirect_document_id": true
@@ -6686,11 +6836,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/configuration/multi-app-kiosk-xml.md",
-"redirect_url": "windows/configuration/kiosk-xml.md",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/configure/provisioning-uninstall-package.md",
 "redirect_url": "/windows/configuration/provisioning-packages/provisioning-uninstall-package",
 "redirect_document_id": true
@@ -6746,6 +6891,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/start-taskbar-lockscreen.md",
+"redirect_url": "/windows/configuration/windows-10-start-layout-options-and-policies",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/stop-employees-from-using-the-windows-store.md",
 "redirect_url": "/windows/configuration/stop-employees-from-using-the-windows-store",
 "redirect_document_id": true
@@ -13646,6 +13796,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md",
+"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md",
 "redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703",
 "redirect_document_id": true
@@ -13709,6 +13864,6 @@
 "source_path": "education/windows/windows-automatic-redeployment.md",
 "redirect_url": "/education/windows/autopilot-reset",
 "redirect_document_id": true
-},
+}
 ]
 }
diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md
deleted file mode 100644
index f8a80c7b8d..0000000000
--- a/browsers/edge/Index.md
+++ /dev/null
@@ -1,71 +0,0 @@ ---- -description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. -ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb -author: shortpatti -ms.prod: edge -ms.mktglfcycl: general -ms.sitesec: library -title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros) -ms.localizationpriority: high -ms.date: 10/16/2017 ---- - -# Microsoft Edge - Deployment Guide for IT Pros - -**Applies to:** - -- Windows 10 -- Windows 10 Mobile - ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). - -Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities. - -Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. - ->[!Note] ->For more information about the potential impact of using Microsoft Edge in a large organization, refer to the [Measuring the impact of Microsoft Edge](https://www.microsoft.com/itpro/microsoft-edge/technical-benefits) topic on the Microsoft Edge IT Center. - ->If you are looking for Internet Explorer 11 content, please visit the [Internet Explorer 11 (IE11)](https://docs.microsoft.com/en-us/internet-explorer/) area. - -## In this section - -| Topic | Description | -| -----------------------| ----------------------------------- | -|[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) |Lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. 
| -|[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Guidance about how to use both Microsoft Edge and Internet Explorer 11 in your enterprise.| -| [Microsoft Edge requirements and language support](hardware-and-software-requirements.md) |Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.| -| [Available policies for Microsoft Edge](available-policies.md) |Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings.

Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. | -| [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.

Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. | -|[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md)|Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. - -## Interoperability goals and enterprise guidance - -Our primary goal is that your modern websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. - -However, if you're running web apps that continue to use: - -* ActiveX controls - -* x-ua-compatible headers - -* <meta> tags - -* Enterprise mode or compatibility view to address compatibility issues - -* legacy document modes - -You'll need to keep running them using IE11. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md). - -## Related topics - -- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=55956) - -- [Total Economic Impact of Microsoft Edge: Forrester Study](https://www.microsoft.com/download/details.aspx?id=55847) - -- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) - -- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644) - -- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) - diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 21eef4d813..304c8bd604 100644 --- a/browsers/edge/TOC.md 
+++ b/browsers/edge/TOC.md 
@@ -1,26 +1,32 @@ -#[Microsoft Edge - Deployment guidance for IT Pros](index.md) +# [Microsoft Edge deployment for IT Pros](index.yml) -##[New Microsoft Edge Group Policies and MDM settings](new-policies.md) +## [System requirements and supported languages](about-microsoft-edge.md) -##[Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md) +## [Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md) -##Group Policy configuration options -###[Home button settings](group-policies/home-button-gp.md) -###[Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md) -###[Search engine customization](group-policies/search-engine-customization-gp.md) -###[Security and privacy management](group-policies/security-privacy-management-gp.md) -###[Start pages settings](group-policies/start-pages-gp.md) -###[Sync browser settings](group-policies/sync-browser-settings-gp.md) -###[Interoperability and enterprise guidance](group-policies/interoperability-enterprise-guidance-gp.md) - -##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md) - -##[Microsoft Edge requirements and language support](hardware-and-software-requirements.md) - -##[Available policies for Microsoft Edge](available-policies.md) - -##[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) - -##[Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) +## [Group policies & configuration options](group-policies/index.yml) +### [Address bar](group-policies/address-bar-settings-gp.md) +### [Adobe Flash](group-policies/adobe-settings-gp.md) +### [Books Library](group-policies/books-library-management-gp.md) +### [Browser experience](group-policies/browser-settings-management-gp.md) +### [Developer tools](group-policies/developer-settings-gp.md) +### [Extensions](group-policies/extensions-management-gp.md) +### [Favorites](group-policies/favorites-management-gp.md) +### [Home 
button](group-policies/home-button-gp.md) +### [Interoperability and enterprise mode guidance](group-policies/interoperability-enterprise-guidance-gp.md) +### [Kiosk mode deployment in Microsoft Edge](microsoft-edge-kiosk-mode-deploy.md) +### [New Tab page](group-policies/new-tab-page-settings-gp.md) +### [Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md) +### [Search engine customization](group-policies/search-engine-customization-gp.md) +### [Security and privacy](group-policies/security-privacy-management-gp.md) +### [Start page](group-policies/start-pages-gp.md) +### [Sync browser](group-policies/sync-browser-settings-gp.md) +### [Telemetry and data collection](group-policies/telemetry-management-gp.md) +### [All group policies](available-policies.md) + + +## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) + +## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/about-microsoft-edge.md similarity index 85% rename from browsers/edge/hardware-and-software-requirements.md rename to browsers/edge/about-microsoft-edge.md index 307e1293de..974364ebb1 100644 --- a/browsers/edge/hardware-and-software-requirements.md +++ b/browsers/edge/about-microsoft-edge.md 
@@ -1,28 +1,28 @@ --- -description: Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. -ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa +title: Microsoft Edge system and language requirements +description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. +ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb author: shortpatti ms.prod: edge -ms.mktglfcycl: support +ms.mktglfcycl: general ms.sitesec: library -ms.pagetype: appcompat -title: Microsoft Edge requirements and language support (Microsoft Edge for IT Pros) +title: Microsoft Edge for IT Pros ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 10/02/2018 --- -# Microsoft Edge requirements and language support +# Microsoft Edge system and language requirements +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile ->Applies to: Windows 10, Windows 10 Mobile +Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. -Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. +>[!IMPORTANT] +>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. 
->[!NOTE] ->The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. ## Minimum system requirements -Some of the components in this table might also need additional system resources. Check the component's documentation for more information. +Some of the components might also need additional system resources. Check the component's documentation for more information. | Item | Minimum requirements | @@ -156,12 +156,4 @@ Microsoft Edge supports all of the same languages as Windows 10, including: | Welsh | United Kingdom | cy-GB | | Wolof | Senegal | wo-SN | | Yoruba | Nigeria | yo-NG | - -  - -  - -  - - - +--- \ No newline at end of file diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 44bbbb103c..93f763fc07 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md 
@@ -1,34 +1,37 @@ --- -description: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. +description: You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 author: shortpatti ms.author: pashort -manager: elizapo +manager: dougkim ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) ms.localizationpriority: medium -ms.date: 07/20/2018 +ms.date: 10/02/2018 --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge -> Applies to: Windows 10, Windows 10 Mobile +> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile -Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. +You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain. -By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that is linked to a domain, and then apply all of those settings to every computer in the domain. 
+Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings. -> [!NOTE] -> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). +**_You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:_** + +      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* +When you edit a Group Policy setting, you have the following configuration options: +• Enabled - writes the policy setting to the registry with a value that enables it. +• Disabled - writes the policy setting to the registry with a value that disables it. +• Not configured leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. + +Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. 
->*You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:* -> ->      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* -

## Allow a shared books folder [!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] @@ -57,15 +60,33 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Allow Extensions [!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] + ## Allow InPrivate browsing [!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] ## Allow Microsoft Compatibility List [!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] +## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] + +## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed +[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] + ## Allow search engine customization [!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] +## Allow sideloading of Extensions +[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] + ## Allow web content on New Tab page [!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] 
@@ -78,6 +99,9 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Configure Autofill [!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] + ## Configure cookies [!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] @@ -87,6 +111,21 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Configure Favorites [!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] + +## Configure Home Button +[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] + +## Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +## Configure kiosk reset after idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] + ## Configure Password Manager [!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] 
@@ -129,6 +168,9 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Prevent bypassing Windows Defender SmartScreen prompts for sites [!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] + ## Prevent changes to Favorites on Microsoft Edge [!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] @@ -138,6 +180,12 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Prevent the First Run webpage from opening on Microsoft Edge [!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] + ## Prevent using Localhost IP address for WebRTC [!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] 
@@ -150,10 +198,23 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Set default search engine [!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] +## Set Home Button URL +[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] + ## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include.md](includes/show-message-opening-sites-ie-include.md)] +[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] + +## Unlock Home Button +[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] ## Related topics -* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) +- [Mobile Device Management (MDM) settings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) +- [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921) +- [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922) +- [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923) +- [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). \ No newline at end of file diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index ea57180317..e008145cec 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md 
@@ -1,19 +1,59 @@ --- title: Change history for Microsoft Edge (Microsoft Edge for IT Pros) -description: This topic lists new and updated topics in the Microsoft Edge documentation for Windows 10 and Windows 10 Mobile. +description: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library ms.localizationpriority: medium -ms.date: '' +manager: dougkim ms.author: pashort author: shortpatti +ms.date: 10/02/2018 --- # Change history for Microsoft Edge -This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile. +Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. -For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/). + +# [2018](#tab/2018) + +## October 2018 + +The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable +full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions. + +We have discontinued the **Configure Favorites** group policy, so use the [Provision Favorites](available-policies.md#provision-favorites) policy instead. 
+ +>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +>> +>>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + + +| **New or updated** | **Group Policy** | **Description** | +|------------|-----------------|--------------------| +| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | +| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | +| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | +| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | +| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | +| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | +| New | [Configure collection of browsing data for Microsoft 365 
Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | +| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | +| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | +| New | [Configure kiosk mode](microsoft-edge-kiosk-mode-deploy.md#relevant-policies) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | +| New | [Configure kiosk reset after idle timeout](microsoft-edge-kiosk-mode-deploy.md#relevant-policies) |[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | +| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | +| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | +| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | +| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE 
[prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | +| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | +| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | +| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | +| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | + + +# [2017](#tab/2017) ## September 2017 |New or changed topic | Description | 
@@ -25,23 +65,22 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th |----------------------|-------------| |[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | + +# [2016](#tab/2016) + ## November 2016 |New or changed topic | Description | |----------------------|-------------| |[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.| |[Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) |Added a note about the 65 second wait before checking for a newer version of the site list .XML file. | |[Available policies for Microsoft Edge](available-policies.md) |Added notes to the Configure the Enterprise Mode Site List Group Policy and the EnterpriseModeSiteList MDM policy about the 65 second wait before checking for a newer version of the site list .XML file. | -|[Microsoft Edge - Deployment Guide for IT Pros](index.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | +|Microsoft Edge - Deployment Guide for IT Pros |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | |[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. 
| ## July 2016 |New or changed topic | Description | |----------------------|-------------| |[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | - -## July 2016 -|New or changed topic | Description | -|----------------------|-------------| |[Enterprise guidance about using Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) | Content moved from What's New section. | |[Available policies for Microsoft Edge](available-policies.md) |Updated | @@ -56,3 +95,5 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th |New or changed topic | Description | |----------------------|-------------| |[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | + +--- \ No newline at end of file diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md deleted file mode 100644 index 3f8deb3963..0000000000 --- a/browsers/edge/emie-to-improve-compatibility.md +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11. -ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4 -author: shortpatti -ms.author: pashort -ms.prod: edge -ms.mktglfcycl: support -ms.sitesec: library -ms.pagetype: appcompat -title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 04/15/2018 ---- - -# Use Enterprise Mode to improve compatibility - -> Applies to: Windows 10 - -If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. - -Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - ->[!NOTE] ->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). - -## Fix specific websites - -Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and need IE11, you can add them to the Enterprise Mode site list, using the Enterprise Mode Site List Manager. - -**To add sites to your list** - -1. In the Enterprise Mode Site List Manager, click **Add**.

If you already have an existing site list, you can import it into the tool. After it's in the tool, the xml updates the list, checking **Open in IE** for each site. For info about importing the site list, see [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](https://go.microsoft.com/fwlink/p/?LinkId=618322).

![Enterprise Mode Site List Manager with Open in IE box](images/emie_open_in_ie.png) - -2. Type or paste the URL for the website that’s experiencing compatibility problems, like *<domain>*.com or *<domain>*.com/*<path>* into the **URL** box.

You don’t need to include the `http://` or `https://` designation. The tool will automatically try both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.

Administrators can only see comments while they’re in this tool. - -4. Click **Open in IE** next to the URL that should automatically open in IE11.

The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, Enterprise Mode is automatically selected. - -5. Click **Save** to validate your website and to add it to the site list for your enterprise.

If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your Group Policy setting. For more info, see [Turn on Enterprise Mode and use a site list](https://go.microsoft.com/fwlink/p/?LinkId=618952). - -### Set up Microsoft Edge to use the Enterprise Mode site list - -You must turn on the **Configure the Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). - -> **Note**
-> If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. - -**To turn on Enterprise Mode using Group Policy** - -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** policy.

Turning this setting on also requires you to create and store a site list.

![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png) - -2. Click **Enabled**, and then in the **Options** area, type the location to your site list. - -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. - -**To turn on Enterprise Mode using the registry** - -1. **To turn on Enterprise Mode for all users on the PC:** Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`. - -2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:

![Enterprise mode with site list in the registry](images/edge-emie-registrysitelist.png) - - - **HTTP location**: *“SiteList”=”http://localhost:8080/sites.xml”* - - - **Local network**: *"SiteList"="\\\\network\\shares\\sites.xml"* - - - **Local file**: *"SiteList"="file:///c:\\\\Users\\\\<user>\\\\Documents\\\\testList.xml"* - - All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. - -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. - -## Fix your intranet sites - -You can add the **Send all intranet traffic over to Internet Explorer** Group Policy setting for Windows 10 so that all of your intranet sites open in IE11. This means that even if your employees are using Microsoft Edge, they will automatically switch to IE11 while viewing the intranet. - -> **Note**
-> If you want to use Group Policy to set IE as the default browser for Internet sites, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). - -**To turn on Sends all intranet traffic over to Internet Explorer using Group Policy** - -1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Microsoft Edge\Sends all intranet traffic over to Internet Explorer` setting. - - ![Local Group Policy Editor with setting to send all intranet traffic to IE11](images/sendintranettoie.png) - -2. Click **Enabled**. - -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. - -## Related topics -* [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035) -* [Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 download](https://go.microsoft.com/fwlink/p/?LinkId=394378) -* [Enterprise Mode Site List Manager for Windows 10 download](https://go.microsoft.com/fwlink/?LinkId=746562) -* [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377) -* [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714) -  - - - diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md deleted file mode 100644 index 010a44e44b..0000000000 --- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros) -description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11. -author: shortpatti -ms.prod: edge -ms.mktglfcycl: support -ms.sitesec: library -ms.pagetype: appcompat -ms.localizationpriority: medium -ms.date: 10/16/2017 ---- - -# Browser: Microsoft Edge and Internet Explorer 11 -**Microsoft Edge content applies to:** - -- Windows 10 -- Windows 10 Mobile - -**Internet Explorer 11 content applies to:** - -- Windows 10 - -## Enterprise guidance -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). - -We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. - -If you're having trouble deciding whether Microsoft Edge is good for your organization, you can take a look at this infographic about the potential impact of using Microsoft Edge in an organization. - -![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)
-[Click to enlarge](img-microsoft-edge-infographic-lg.md)
-[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892) - -### Microsoft Edge -Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. - -- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. -- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. -- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. -- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. - -### IE11 -IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. - -- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE. -- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps. -- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk. -- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering. 
-- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices. -- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. - -## Related topics -- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892) -- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) -- [Download Internet Explorer 11](http://windows.microsoft.com/internet-explorer/download-ie) -- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) -- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) -- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index) -- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md index 7fe1afeed2..da3686718d 100644 --- a/browsers/edge/group-policies/address-bar-settings-gp.md +++ b/browsers/edge/group-policies/address-bar-settings-gp.md 
@@ -1,23 +1,32 @@ --- -title: Microsoft Edge - Address bar settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Address bar group policies +description: Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services, hiding the functionality of the Address bar drop-down list. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Address bar settings ->*Supported versions: Microsoft Edge on Windows 10* +# Address bar -I need a description here +Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list. 
+ +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** -[!INCLUDE [allow-address-bar-suggestions-include](../includes/allow-address-bar-suggestions-include.md)] -[!INCLUDE [configure-search-suggestions-address-bar-include](../includes/configure-search-suggestions-address-bar-include.md)] \ No newline at end of file +## Allow Address bar drop-down list suggestions +[!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)] + +## Configure search suggestions in Address bar +[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] + diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md index f910a747dd..a5bcbb0ea4 100644 --- a/browsers/edge/group-policies/adobe-settings-gp.md +++ b/browsers/edge/group-policies/adobe-settings-gp.md 
@@ -1,24 +1,34 @@ --- -title: Microsoft Edge - Adobe settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Adobe Flash group policies +description: Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the Configure the Adobe Flash Click-to-Run setting group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Adobe settings ->*Supported versions: Microsoft Edge on Windows 10* +# Adobe Flash -I need a description here, maybe with scenarios +Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. 
-[!INCLUDE [allow-adobe-flash-include](../includes/allow-adobe-flash-include.md)] +To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). -[!INCLUDE [configure-adobe-flash-click-to-run-include](../includes/configure-adobe-flash-click-to-run-include.md)] +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Allow Adobe Flash +[!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)] + + +## Configure the Adobe Flash Click-to-Run setting +[!INCLUDE [configure-adobe-flash-click-to-run-include.md](../includes/configure-adobe-flash-click-to-run-include.md)] diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md index 95761893b2..2fc892d73b 100644 --- a/browsers/edge/group-policies/books-library-management-gp.md +++ b/browsers/edge/group-policies/books-library-management-gp.md 
@@ -1,27 +1,36 @@ --- -title: Microsoft Edge - Books Library management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Books Library group policies +description: Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder. You can also allow Microsoft Edge to update the configuration data for the library automatically. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Books Library management ->*Supported versions: Microsoft Edge on Windows 10* +# Books Library -I need a description here, maybe with scenarios +Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. 
-[!INCLUDE [allow-shared-folder-books-include](../includes/allow-shared-folder-books-include.md)] +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: -[!INCLUDE [allow-config-updates-books-include](../includes/allow-config-updates-books-include.md)] +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** -[!INCLUDE [allow-ext-telemetry-books-tab-include](../includes/allow-ext-telemetry-books-tab-include.md)] +## Allow a shared books folder +[!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)] -[!INCLUDE [always-enable-book-library-include](../includes/always-enable-book-library-include.md)] \ No newline at end of file +## Allow configuration updates for the Books Library +[!INCLUDE [allow-config-updates-books-include.md](../includes/allow-config-updates-books-include.md)] + +## Allow extended telemetry for the Books tab +[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] + +## Always show the Books Library in Microsoft Edge +[!INCLUDE [always-enable-book-library-include.md](../includes/always-enable-book-library-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/bowser-settings-management-gp.md b/browsers/edge/group-policies/bowser-settings-management-gp.md deleted file mode 100644 index e38cacbf4c..0000000000 --- a/browsers/edge/group-policies/bowser-settings-management-gp.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: Microsoft Edge - Browser settings management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. -services: -keywords: Don’t add or edit keywords without consulting your SEO champ. -author: shortpatti -ms.author: pashort -ms.date: 07/25/2018 -ms.topic: article -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library ---- - -# Browser settings management ->*Supported versions: Microsoft Edge on Windows 10* - -I need a description here, maybe with scenarios - - - -## Allow clearing browsing data on exit -[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] - -## Allow Saving History -[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)] - -## Configure Autofill -[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)] - -## Configure Pop-up Blocker -[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)] - -## Do not sync -[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] - -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] - - - diff --git a/browsers/edge/group-policies/browser-settings-management-gp.md b/browsers/edge/group-policies/browser-settings-management-gp.md new file mode 100644 index 0000000000..4cd1c73ad2 --- /dev/null +++ b/browsers/edge/group-policies/browser-settings-management-gp.md 
@@ -0,0 +1,51 @@
+---
+title: Microsoft Edge - Browser experience group policies
+description: Not only do the other Microsoft Edge group policies enhance the browsing experience, but we must also talk about some of the most common or somewhat common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing.
+services:
+keywords:
+ms.localizationpriority: medium
+manager: dougkim
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.topic: article
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+---
+
+# Browser experience
+
+Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users.
+
+
+
+You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
+
+      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\**
+
+## Allow clearing browsing data on exit
+[!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)]
+
+## Allow fullscreen mode
+[!INCLUDE [allow-full-screen-include](../includes/allow-full-screen-include.md)]
+
+## Allow printing
+[!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)]
+
+## Allow Saving History
+[!INCLUDE [allow-saving-history-include](../includes/allow-saving-history-include.md)]
+
+## Configure Autofill
+[!INCLUDE [configure-autofill-include](../includes/configure-autofill-include.md)]
+
+## Configure Pop-up Blocker
+[!INCLUDE [configure-pop-up-blocker-include](../includes/configure-pop-up-blocker-include.md)]
+
+## Do not sync
+[!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)]
+
+To learn about the policies to sync the browser settings, see [Sync browser settings](sync-browser-settings-gp.md).
+
+
+
diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md
index 22cdbb9c06..4e2e437372 100644
--- a/browsers/edge/group-policies/developer-settings-gp.md
+++ b/browsers/edge/group-policies/developer-settings-gp.md
@@ -1,21 +1,26 @@ --- -title: Microsoft Edge - Developer settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Developer tools +description: Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +managre: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Developer settings ->*Supported versions: Microsoft Edge on Windows 10* +# Developer tools -I need a description here, maybe with scenarios +Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow Developer Tools [!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)] diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md index 0d236f343b..577d254742 100644 --- a/browsers/edge/group-policies/extensions-management-gp.md +++ b/browsers/edge/group-policies/extensions-management-gp.md 
@@ -1,21 +1,26 @@ --- -title: Microsoft Edge - Extensions management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Extensions group policies +description: Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Extensions management ->*Supported versions: Microsoft Edge on Windows 10* +# Extensions -I need a description here, maybe with scenarios +Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow Extensions [!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)] diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md index 8f9645dee1..4dcf0faf29 100644 --- a/browsers/edge/group-policies/favorites-management-gp.md 
+++ b/browsers/edge/group-policies/favorites-management-gp.md 
@@ -1,22 +1,29 @@ --- -title: Microsoft Edge - Favorites management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Favorites group policies +description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Favorites management ->*Supported versions: Microsoft Edge on Windows 10* +# Favorites -I need a description here, maybe with scenarios +You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. +>[!TIP] +>You can find the Favorites under C:\\Users\\<_username_>\\Favorites. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configure Favorites Bar [!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] 
@@ -28,4 +35,4 @@ I need a description here, maybe with scenarios [!INCLUDE [prevent-changes-to-favorites-include](../includes/prevent-changes-to-favorites-include.md)] ## Provision Favorites -[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] \ No newline at end of file +[!INCLUDE [provision-favorites-include](../includes/provision-favorites-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md index 442126a454..a4bac9dd9a 100644 --- a/browsers/edge/group-policies/home-button-gp.md +++ b/browsers/edge/group-policies/home-button-gp.md 
@@ -1,31 +1,45 @@ --- -title: Microsoft Edge - Home button configuration options -description: Microsoft Edge shows the home button and by clicking it the Start page loads by default. +title: Microsoft Edge - Home button group policies +description: Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Home button configuration options ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +# Home button -Microsoft Edge shows the home button and by clicking it the Start page loads by default. You can configure the Home button to load the New tab page or a URL defined in the Set Home button URL policy. You can also configure Microsoft Edge to hide the home button. +Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. 
-## Policies -- [Configure Home button](../new-policies.md#configure-home-button) - -- [Set Home button URL](../new-policies.md#set-home-button-url) - -- [Unlock Home Button](../new-policies.md#unlock-home-button) +## Relevant group policies + +- [Configure Home Button](#configure-home-button) +- [Set Home Button URL](#set-home-button-url) +- [Unlock Home Button](#unlock-home-button) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options -![Show home button and load Start page or New tab page](../images/home-button-start-new-tab-page-v4-sm.png) +![Show home button and load Start page or New Tab page](../images/home-button-start-new-tab-page-v4-sm.png) ![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) ![Hide home button](../images/home-button-hide-v4-sm.png) + +## Configure Home Button +[!INCLUDE [configure-home-button-include.md](../includes/configure-home-button-include.md)] + +## Set Home Button URL +[!INCLUDE [set-home-button-url-include](../includes/set-home-button-url-include.md)] + +## Unlock Home Button +[!INCLUDE [unlock-home-button-include.md](../includes/unlock-home-button-include.md)] + diff --git a/browsers/edge/group-policies/index.md b/browsers/edge/group-policies/index.md deleted file mode 100644 index 33786107dc..0000000000 --- a/browsers/edge/group-policies/index.md +++ /dev/null 
@@ -1,205 +0,0 @@ -### YamlMime:YamlDocument - -documentType: LandingData - -title: Microsoft Edge Group Policy configuration options - -metadata: - - document_id: - - title: Microsoft Edge Group Policy configuration options - - description: Learn about the different configuration options available in Microsoft Edge on Windows 10. - - text: Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. - - keywords: Microsoft Edge, Windows 10 - - ms.localizationpriority: high - - author: shortpatti - - ms.author: pashort - - ms.date: 07/23/2018 - - ms.topic: article - - ms.devlang: na - -sections: - -- title: Learn about... - -- items: - - - type: markdown - - text: Get ready to deploy Microsoft Edge. - -- items: - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: \browsers\edge\group-policies - - html:

Learn about the Always On VPN deployment and where to get started.

- - image: - - src: https://docs.microsoft.com/media/common/i_get-started.svg - - title: Begin your journey - - - href: \windows-server\remote\remote-access\vpn\vpn-map-da - - html:

Learn how Always On VPN has expanded the VPN functionality beyond the capabilities of DirectAccess.

- - image: - - src: https://docs.microsoft.com/media/common/i_quick-start.svg - - title: DirectAccess and Always On VPN feature comparison - - - href: \windows-server\remote\remote-access\vpn\always-on-vpn\always-on-vpn-enhancements - - html:

Learn about the key improvements in integration, security, connectivity, networking control, and compatibility.

- - image: - - src: https://docs.microsoft.com/media/common/i_whats-new.svg - - title: Enhancements in Always On VPN - - - href: \windows-server\remote\remote-access\vpn\always-on-vpn\always-on-vpn-technology-overview - - html:

Learch about the technologies used in the Always On VPN deployment.

- - image: - - src: https://docs.microsoft.com/media/common/i_overview.svg - - title: Technology overview - - - href: \windows-server\remote\remote-access\vpn\always-on-vpn\deploy\always-on-vpn-adv-options - - html:

Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.

- - image: - - src: https://docs.microsoft.com/media/common/i_advanced.svg - - title: Extend Always On VPN with advanced features - -- title: Get started... - - items: - - - type: paragraph - - text: 'Deploy Always On VPN connections for domain-joined Windows 10 client computers. You can also migrate from DirectAccess to Always On VPN and configure conditional access using Azure AD.' - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: \windows-server\remote\remote-access\vpn\always-on-vpn\deploy\always-on-vpn-deploy-deployment - - html:

Discover what's needed to deploy VPN connections.

- - image: - - src: https://docs.microsoft.com/media/common/i_architecture.svg - - title: Deployment workflow and scenarios - - - href: \windows-server\remote\remote-access\da-always-on-vpn-migration\da-always-on-migration-overview - - html:

Start planning the migration from DirectAccess to Always On VPN.

- - image: - - src: https://docs.microsoft.com/media/common/i_upgrade.svg - - title: Migrate from DirectAccess - - - href: \windows-server\remote\remote-access\vpn\always-on-vpn\deploy\always-on-vpn-deploy-planning - - html:

Start planning and preparing your Always On VPN deployment.

- - image: - - src: https://docs.microsoft.com/media/common/i_guidelines.svg - - title: Plan the Always On VPN deployment - - - href: \windows-server\remote\remote-access\vpn\always-on-vpn\deploy\vpn-deploy-server-infrastructure - - html:

Start setting up and configuring the VPN infrastructure along with the Windows 10 client VPN connectivity.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Deploy the VPN infrastructure - - - href: \windows-server\remote\remote-access\vpn\ad-ca-vpn-connectivity-windows10 - - html:

Fine-tune how VPN users access your resources using Azure AD conditional access.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Configure conditional access - -- items: - - - type: list - - style: cards - - className: cardsL - - items: - - - title: Troubleshoot Always On VPN - - html:

VPN_Profile.ps1 script issues

- -

Always On VPN client connection issues

- -

Azure AD Conditional Access connection issues

- -

Error codes


- -

Log files

- - - title: Additional resources - - html:

Windows 10 VPN Technical Guide

- -

VPNv2 CSP

- -

Active Directory Certificate Services Overview

- -

Certificate Templates

- -

Public Key Infrastructure Design Guidance

- -

AD CS Step by Step Guide - Two Tier PKI Hierarchy Deployment

diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml new file mode 100644 index 0000000000..8be9af2e9d --- /dev/null +++ b/browsers/edge/group-policies/index.yml @@ -0,0 +1,231 @@ +### YamlMime:YamlDocument + +documentType: LandingData + +title: Microsoft Edge group policies + +metadata: + + document_id: + + title: Microsoft Edge group policies + + description: Learn how to configure group policies in Microsoft Edge on Windows 10. + + text: Some of the features in Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + + keywords: Microsoft Edge, Windows 10, Windows 10 Mobile + + ms.localizationpriority: medium + + author: shortpatti + + ms.author: pashort + + ms.date: 10/02/2018 + + ms.topic: article + + ms.devlang: na + +sections: + +- title: + +- items: + + - type: markdown + + text: Some of the features in Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. + +- items: + + - type: list + + style: cards + + className: cardsE + + columns: 3 + + items: + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp + + html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

+ + image: + + src: https://docs.microsoft.com/media/common/i_http.svg + + title: Address bar + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/adobe-settings-gp + + html:

Learn how you can configure Microsoft Edge to load Adobe Flash content automatically.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Adobe Flash + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/books-library-management-gp + + html:

Learn how you can set up and use the books library, such as using a shared books folder for students and teachers.

+ + image: + + src: https://docs.microsoft.com/media/common/i_library.svg + + title: Books Library + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/browser-settings-management-gp + + html:

Learn how you can customize the browser settings, such as printing and saving browsing history, plus more.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Browser experience + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/developer-settings-gp + + html:

Learn how configure Microsoft Edge for development and testing.

+ + image: + + src: https://docs.microsoft.com/media/common/i_config-tools.svg + + title: Developer tools + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/extensions-management-gp + + html:

Learn how you can configure Microsoft Edge to either prevent or allow users to install and run unverified extensions.

+ + image: + + src: https://docs.microsoft.com/media/common/i_extensions.svg + + title: Extensions + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/favorites-management-gp + + html:

Learn how you can provision a standard favorites list as well as keep the favorites lists in sync between IE11 and Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_link.svg + + title: Favorites + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/home-button-gp + + html:

Learn how you can customize the home button or hide it.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Home button + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + + html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Interoperability and enterprise guidance + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + + html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

+ + image: + + src: https://docs.microsoft.com/media/common/i_categorize.svg + + title: Kiosk mode deployment in Microsoft Edge + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + + html:

Learn how to configure the New Tab page in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: New Tab page + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/prelaunch-preload-gp + + html:

Learn how pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Prelaunch Microsoft Edge and preload tabs + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/search-engine-customization-gp + + html:

Learn how you can set the default search engine and configure additional ones.

+ + image: + + src: https://docs.microsoft.com/media/common/i_search.svg + + title: Search engine customization + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp + + html:

Learn how you can keep your environment and users safe from attacks.

+ + image: + + src: https://docs.microsoft.com/media/common/i_security-management.svg + + title: Security and privacy + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/start-pages-gp + + html:

Learn how to configure the Start pages in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_setup.svg + + title: Start page + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/sync-browser-settings-gp + + html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the the Sync your Settings toggle.

+ + image: + + src: https://docs.microsoft.com/media/common/i_sync.svg + + title: Sync browser + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp + + html:

Learn how you can configure Microsoft Edge to collect certain data.

+ + image: + + src: https://docs.microsoft.com/media/common/i_data-collection.svg + + title: Telemetry and data collection + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies + + html:

View all available group policies for Microsoft Edge on Windows 10.

+ + image: + + src: https://docs.microsoft.com/media/common/i_policy.svg + + title: All group policies \ No newline at end of file diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md index 760bd9aeee..65e68d1a5e 100644 --- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md 
@@ -1,41 +1,77 @@ --- -title: Microsoft Edge - Interoperability and enterprise guidance -description: +title: Microsoft Edge - Interoperability and enterprise mode guidance +description: Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. +ms.localizationpriority: medium +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 10/02/2018 ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Interoperability and enterprise guidance ->*Supported versions: Microsoft Edge on Windows 10* +# Interoperability and enterprise mode guidance -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. + +>[!TIP] +>If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. 
+ +**Technology not supported by Microsoft Edge** + + +- ActiveX controls + +- Browser Heler Objects + +- VBScript + +- x-ua-compatible headers + +- \ tags + +- Legacy document modes + +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. +## Relevant group policies -**Policies** -1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) -2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) -3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) -4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) +1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) +2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) + +3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) + +4. 
[(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options ![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png) ## Configure the Enterprise Mode Site List -[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] + +[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] + ## Send all intranet sites to Internet Explorer 11 + [!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)] -## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] -## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge -[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] \ No newline at end of file +## Show message when opening sites in Internet Explorer + +[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] + + +## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge + +[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md index c9058539c8..6d6ba06617 100644 
--- a/browsers/edge/group-policies/new-tab-page-settings-gp.md
+++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md
@@ -1,21 +1,44 @@ --- -title: Microsoft Edge - New tab page -description: Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. +title: Microsoft Edge - New Tab page group policies +description: Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# New tab page ->*Supported versions: Microsoft Edge on Windows 10* +# New Tab page +Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. -Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. +>[!NOTE] +>New tab pages do not load while running InPrivate mode. 
+ +## Relevant group policies + +- [Set New Tab page URL](#set-new-tab-page-url) +- [Allow web content on New Tab page](#allow-web-content-on-new-tab-page) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Load the default New Tab page](../images/load-default-new-tab-page-sm.png) + +![Load a blank page instead of the default New Tab page](../images/load-blank-page-not-new-tab-page-sm.png) + +![Let users choose what loads](../images/users-choose-new-tab-page-sm.png) ## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] \ No newline at end of file +[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] + +## Allow web content on New Tab page +[!INCLUDE [allow-web-content-new-tab-page-include](../includes/allow-web-content-new-tab-page-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md index 7cb69d09f4..eae661d455 100644 --- a/browsers/edge/group-policies/prelaunch-preload-gp.md +++ b/browsers/edge/group-policies/prelaunch-preload-gp.md 
@@ -1,31 +1,41 @@ --- -title: Microsoft Edge - Prelaunch and tab preload configuration options +title: Microsoft Edge - Prelaunch and tab preload group policies description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Prelaunch Microsoft Edge and preload tabs in the background ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - +# Prelaunch Microsoft Edge and preload tabs in the background Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching. -Additionally, Microsoft Edge preloads the Start and New tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs. +Additionally, Microsoft Edge preloads the Start and New Tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs. 
-## Policies +## Relevant group policies -- [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](../new-policies.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) +- [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) +- [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) -- [Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](../new-policies.md#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options -![Only preload the Start and New tab pages during Windows startup](../images/preload-tabs-only-sm.png) +![Only preload the Start and New Tab pages during Windows startup](../images/preload-tabs-only-sm.png) -![Prelauch Microsoft Edge and preload Start and New tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png) +![Prelauch Microsoft Edge and preload Start and New Tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png) -![Only prelaunch Microsoft Edge during Windows startup](../images/prelaunch-edge-only-sm.png) \ No newline at end of file +![Only prelaunch Microsoft Edge during Windows startup](../images/prelaunch-edge-only-sm.png) + + + +## 
Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](../includes/allow-prelaunch-include.md)] + +## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed +[!INCLUDE [allow-tab-preloading-include](../includes/allow-tab-preloading-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md index cc58a01261..75d3d2b070 100644 --- a/browsers/edge/group-policies/search-engine-customization-gp.md +++ b/browsers/edge/group-policies/search-engine-customization-gp.md 
@@ -1,21 +1,28 @@ --- -title: Microsoft Edge - Search engine customization -description: By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. +title: Microsoft Edge - Search engine customization group policies +description: Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Search engine customization +# Search engine customization -By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. You can also prevent users from making changes to the search engine settings. +Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. 
-**Policies** +## Relevant group policies - [Set default search engine](#set-default-search-engine) - [Allow search engine customization](#allow-search-engine-customization) - [Configure additional search engines](#configure-additional-search-engines) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options ![Set default search engine configurations](../images/set-default-search-engine-v4-sm.png) diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md index 6b576d712b..100feaa54d 100644 --- a/browsers/edge/group-policies/security-privacy-management-gp.md +++ b/browsers/edge/group-policies/security-privacy-management-gp.md 
@@ -1,28 +1,26 @@ --- -title: Microsoft Edge - Security and privacy management +title: Microsoft Edge - Security and privacy group policies description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Security and privacy management ->*Supported versions: Microsoft Edge on Windows 10* +# Security and privacy -Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites are malicious in nature, like stealing personal information or gain access to your system’s resources. By no longer supporting VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and Internet Explorer document modes, Microsoft Edge significantly reduces attacks making the browser more secure. +Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. +Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. -| | | -|---|---| -| **Windows Hello** | Authenticates the user and the website with asymmetric cryptography. 
| -| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any site that is thought to be a phishing site. SmartScreen also helps to defend against installing malicious software or file downloads, even from trusted sites. | -| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically. | -| **Microsoft EdgeHTML** | Defends against hacking through the following security standards features: | -| **Code integrity and image loading restrictions** | Prevents malicious DLLs from loading or injecting into the content processes. Only signed images are allowed to load in Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can't load. | -| **Memory corruption mitigations** | Defends against memory corruption weaknesses and vulnerabilities with the use of [CWE-416: Use After Free](http://cwe.mitre.org/data/definitions/416.html) (UAF). | -| **Memory Garbage Collector (MemGC) mitigation** | Replaces Memory Protector and helps to defend the browser from UAF vulnerabilities by freeing memory from the programmer and automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. | -| **Control Flow Guard** | Compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only going to function entry points with known addresses. Control Flow Guard is a Microsoft Visual Studio technology. | +The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. 
In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. +For more details on the security features in Microsoft Edge, see [Help protect against web-based security threats](#help-protect-against-web-based-security-threats) below. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configure cookies [!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)] 
@@ -46,3 +44,28 @@ Microsoft Edge helps to defend from increasingly sophisticated and prevalent web [!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)] +## Help protect against web-based security threats + +While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system’s resources. You can help protect against threats by using strong security protocols to ensure against such threats. + +Thieves use things like _phishing_ attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference. + +Another method thieves often use _hacking_ to attack a system through malformed content that exploits subtle flaws in the browser or various browser extensions. This exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device. + +Microsoft Edge addresses these threats to help make browsing the web a safer experience. + + +| Feature | Description | +|---|---| +| **[Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). | +| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. 
SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | +| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include | +| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | +| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | +| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](http://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | +| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | +| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. 
| +| **All web content runs in an app container sandbox** |Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | +| **Extension model and HTML5 support** |Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | +| **Reduced attack surfaces** |Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | +--- diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md index 2dd04e1e28..4a048616d8 100644 --- a/browsers/edge/group-policies/start-pages-gp.md +++ b/browsers/edge/group-policies/start-pages-gp.md 
@@ -1,26 +1,31 @@ --- -title: Microsoft Edge - Start pages -description: Configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. +title: Microsoft Edge - Start pages group policies +description: Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.localizationpriority: medium +ms.date: 10/02/2018 ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- # Start pages ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. -Microsoft Edge loads the pages specified in App settings as the default Start pages. You can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. 
- -**Policies** +## Relevant group policies - [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) - [Configure Start Pages](#configure-start-pages) - [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options ![Load URLs defined in Configure Start Pages](../images/load-urls-defined-in-configure-open-edge-with-main-sm.png) 
@@ -34,16 +39,3 @@ Microsoft Edge loads the pages specified in App settings as the default Start pa ## Disable Lockdown of Start pages [!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] - -## Configuration options - -| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** | -| --- | --- | --- | --- | -| Enabled (applies to all options) | Enabled – String | Enabled (all configured start pages are editable) | Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to make changes. | -| Disabled or not configured | Enabled – String | Enabled (any Start page configured in the Configured Start Pages policy) | Load any start page and let users make changes .| -| Enabled (Start page) | Enabled – String | Blank or not configured | Load Start page(s) and prevent users from making changes. | -| Enabled (New tab page) | Enabled – String | Blank or not configured | Load New tab page and prevent users from making changes. | -| Enabled (Previous pages) | Enabled – String | Blank or not configured | Load previously opened pages and prevent users from making changes. | -| Enabled (A specific page or pages) | Enabled – String | Blank or not configured | Load a specific page or pages and prevent users from making changes. | -| Enabled (A specific page or pages) | Enabled – String | Enabled (any Start page configured in Configure Start Pages policy) | Load a specific page or pages and let users make changes. | ---- \ No newline at end of file diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index 9a056e4c25..19670fa3e2 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md 
@@ -1,22 +1,26 @@ --- -title: Microsoft Edge - Sync browser settings options -description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. +title: Microsoft Edge - Sync browser settings +description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Sync browser settings options ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the Sync your Settings toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. +# Sync browser settings -## Policies -- [Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings) +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. 
-- [Prevent users from turning on browser syncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing) +## Relevant policies +- [Do not sync browser settings](#do-not-sync-browser-settings) +- [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options @@ -25,8 +29,15 @@ By default, the “browser” group syncs automatically between the user’s dev ![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png) -## Verify the configuration -To verify if syncing is turned on or off: -1. In the upper-right corner of Microsoft Edge, click the ellipses \(**...**\). +### Verify the configuration +To verify the settings: +1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). 2. Click **Settings**. -3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) \ No newline at end of file +3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) + + +## Do not sync browser settings +[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/telemetry-management-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md index e69de29bb2..446721b2a4 100644 --- a/browsers/edge/group-policies/telemetry-management-gp.md +++ b/browsers/edge/group-policies/telemetry-management-gp.md 
@@ -0,0 +1,29 @@
+---
+title: Microsoft Edge - Telemetry and data collection group policies
+description: Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information.
+manager: dougkim
+ms.author: pashort
+author: shortpatti
+ms.date: 10/02/2018
+ms.localizationpriority: medium
+---
+
+# Telemetry and data collection
+
+Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information.
+
+You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
+
+      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\**
+
+## Allow extended telemetry for the Books tab
+[!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)]
+
+## Configure collection of browsing data for Microsoft 365 Analytics
+[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)]
+
+## Configure Do Not Track
+[!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)]
+
+## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
+[!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)]
\ No newline at end of file
diff --git a/browsers/edge/images/Multi-app_kiosk_inFrame.png b/browsers/edge/images/Multi-app_kiosk_inFrame.png
deleted file mode 100644
index a1c62f8ffe..0000000000
Binary files a/browsers/edge/images/Multi-app_kiosk_inFrame.png and /dev/null differ
diff --git a/browsers/edge/images/Normal_inFrame.png b/browsers/edge/images/Normal_inFrame.png
deleted file mode 100644
index fccb0d4e56..0000000000
Binary files a/browsers/edge/images/Normal_inFrame.png and /dev/null differ
diff --git a/browsers/edge/images/SingleApp_contosoHotel_inFrame.png b/browsers/edge/images/SingleApp_contosoHotel_inFrame.png
deleted file mode 100644
index b7dfc0ee28..0000000000
Binary files a/browsers/edge/images/SingleApp_contosoHotel_inFrame.png and /dev/null differ
diff --git a/browsers/edge/images/allow-shared-books-folder_sm.png b/browsers/edge/images/allow-shared-books-folder_sm.png
new file mode 100644
index 0000000000..fc49829b14
Binary files /dev/null and b/browsers/edge/images/allow-shared-books-folder_sm.png differ
diff --git a/browsers/edge/images/home-button-hide-sm.png b/browsers/edge/images/home-button-hide-sm.png
new file mode 100644
index 0000000000..beab1c22ef
Binary files /dev/null and b/browsers/edge/images/home-button-hide-sm.png differ
diff --git a/browsers/edge/images/home-button-hide-v4-sm.png b/browsers/edge/images/home-button-hide-v4-sm.png
index b8adce292b..fe21f0523c 100644
Binary files a/browsers/edge/images/home-button-hide-v4-sm.png and b/browsers/edge/images/home-button-hide-v4-sm.png differ
diff --git a/browsers/edge/images/home-button-hide-v4.png b/browsers/edge/images/home-button-hide-v4.png
index ef43ce6f77..761143f0c8 100644
Binary files a/browsers/edge/images/home-button-hide-v4.png and b/browsers/edge/images/home-button-hide-v4.png differ
diff --git a/browsers/edge/images/home-button-hide.png b/browsers/edge/images/home-button-hide.png
new file mode 100644
index 0000000000..761143f0c8
Binary files /dev/null and b/browsers/edge/images/home-button-hide.png differ
diff --git a/browsers/edge/images/load-any-start-page-let-users-make-changes.ai b/browsers/edge/images/load-any-start-page-let-users-make-changes.ai
deleted file mode 100644
index 04b3c0b6ca..0000000000
--- a/browsers/edge/images/load-any-start-page-let-users-make-changes.ai
+++ /dev/null
@@ -1,7588 +0,0 @@ -%PDF-1.5 % -1 0 obj <>/OCGs[13 0 R 76 0 R 138 0 R 200 0 R 262 0 R]>>/Pages 3 0 R/Type/Catalog>> endobj 2 0 obj <>stream - - - - - application/pdf - - - Print - - - 2018-07-22T15:12:45-07:00 - 2018-07-22T15:12:45-07:00 - 2018-07-22T15:02:37-07:00 - Adobe Illustrator CC 22.1 (Windows) - - - - 176 - 256 - JPEG - /9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgBAACwAwER AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE 1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp 0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo +DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8A9Q29vb/V4v3SfYX9keGK qn1a3/30n/AjFXfVrf8A30n/AAIxV31a3/30n/AjFXfVrf8A30n/AAIxV31a3/30n/AjFXfVrf8A 30n/AAIxV31a3/30n/AjFXfVrf8A30n/AAIxV31a3/30n/AjFXfVrf8A30n/AAIxV31a3/30n/Aj FXfVrf8A30n/AAIxV31a3/30n/AjFXfVrf8A30n/AAIxV31a3/30n/AjFXfVrf8A30n/AAIxV31a 3/30n/AjFXfVrf8A30n/AAIxV31a3/30n/AjFXfVrf8A30n/AAIxVZNBCqqVjUEOlCAAftjFV9t/ vPF/qL+rFWHN5uS1hntk1S0ivRqlxDcSXr+qtrBzkKPJGJI2VPhVFqyj4hmd+Xsg8JrhHLqdnEOc AEWLvr096WT/AJmakk9tEq2xaWMCblGVWMmP1PrVfX9ZrfgfU/uQONRzqMtGhjR5/jpyq+nP4MDq jdbfjrz5fD4plZeaJ7fyzqepyahBdSLfvDb3qLztSCUVeKyXESInX7U4UHue9csAOSMaI9PLr936 GYzEQMrB359Pv/ShdN88eZry0TURDaNavIsItVjk9ZmXTxfSkP6rJ8XFkReJ6ipNN5T0uOJ4d7/4 9w9zGGeZ32r/AI7fem+peaby20Ky1QPb26X1x+69ZCa2zh2iohliJldApIBJ3NEY7ZTDADMx3ND7 
fly/Fts8pEQdhZ/Hx/FMZuPzI1jTrREku7S+vkFx9Zj9ARFWRpVQH/SuZ4mL4gsR26lTvmUNFGR5 EDbr7v6P6XHOplHqCd/x9TI7TV/MNtea1Fqd7Zzz2Vil1BaQwNFQlHJYcpZHZOS8Sf1dMxpY4ERM QdzV3+xvjOYJEiNh3ftSG7/M2/tdIku/rNhdyrGk0ctvERAzGIyS2pMtzHSVPh+yzNQ/3dQRmRHQ gyqpD7/f9PL8W0T1ZjC7B/HLnz/FKl5+YusQSSKj2MjUkMtuqkSWPC6SAC6aW4hjY8X7tHv7UqI6 OJ7/APitr22P6WU9TIXy/Vv13H6E7n8030enaLNcTWemtqCM893P+/t6oAVjj9GYKXmDck/enYH7 RygYAZSAuVdOR+0dPc2nMaiTQv8AHf196W2HnPzDqF1ZWdnPpzz3zJ6pEMziyJjmkeCdRMOUtIdt 06H4aUOWT00IgkiVD3b8txty382Ec8pGgY2fs57Hf9SAsfM2trPNqtzcQqbtYwDIbkWtoCtiHdoz cemyL9bYluKtUVLBT8NksEKEQDt7rP1eXkwGSQuRI399Dl5+fki2/Mi4h0qSSSeylvmKCxMausVy BqE9rI8amRmKiGBX2bYnqajI/kgZcjXXy9IP3lI1R4dyL+/1ELJPPnmi1uJLa4is5JobcTScQsQo 9uJvWVGunuGjiZgj8YSDRm5r0BGkxkWL5/pqvpqz7/gj8xMSo1y/B+q66cvimeleZpU0rVdTnv7a 9hh1SCE3kPJbVYHFrHI0YaSTgqq7MfjK8qt0ynJg9UYgEek7db9TbDL6TIkHfn06JafP11dm49Oa 1khSUNZxwiQSNHHfpCkkjpOrgMhFVMYRv5j8SC38oBXPz/0vu/Tf3sPHJ6j8S9/4+xdN548wWsKJ fT6bazPbJeC9kimFv+8iLpahTMGMrMrcW57gfZrtiNLAnYSO9Vtfv5clOeQG5iPPp7ubONMuZLrT bS6kAEk8McrhagAugY0rXbfMCcakR5uXE2AUTkGTsVU5/sD/AF0/4mMVdbf7zxf6i/qxVJx5iuRJ c3UtpHBoVo80c2oSTESkwFldkt1jaq+onAfHyPZcyPBGwv1npXf5tXiGya9I6/sWf468siYQtcTL NWjxNa3SvGSyqPVUxAxVLrTnTqPEY/lclXX2j9e6BqIfgH8D4oPTfzB06e1a5v4zZoSWghRLqacx gvWSSIW6MgCx1JHJR3PjZPRyBob/ACr72EdSCLO3z/Ui9V8w+VrjRi15cyNp94j/AN0tyruqTx27 AeiBL/eyolB1r3Fchjw5BLYeoe7uvrtyZZMsOHc7H399dEVYeY9JvIp1071JWtYy6wCGWEuq1WkX qKgccl4/DUA7ZCeGUSOLr5s45AeXRBab5ygnNtFd27JcXcEt1GLJZ72IRw8QyvIkKUlBahjCmh2r VlBnPTEXR2Breh+nl5sI5+QI3PdZ/RzU77zz5Wkgkt2+tXSycIbiGGzu2ZRPKbbjJSMcG5hhxJDb UALUGShpcgN7D4jpv3/sYy1MOW5+B93cu1HzVHpWs2ujx28TRNFbFVadluik8jxfubb03aX0hFyf 4gQMENPxxMr7+m23eb2vomWbhkI/p3+A6qFtrnknT7ua9R7hLqYlJxLFfO8ILg8WikVvqyM8goOK qe2SliyyFbV/m/g/aiOTGDe+/wDW/A+xMl84+X3l9JJ5WcsFULb3B5A8v3ikR0aP4GrIPgFNzlX5 afd9o/F+XNs8aP4B/Hx5J1lDaoXtlb3ts9tcBvSehPpu8TgqwZSrxlXUggGoOSjIxNhEogii6wsL WwtI7S0T04I68VLM5qxLMSzFmYliSSTXGczI2VjEAUFfIpdirsVQWq6NYapCIbxZGjFQRHLLCSrC 
jKxiZCysOqnY5ZjyGBsMJwEhRRiIiIqIoVFAVVUUAA2AAGVks28VdiqnP9gf66f8TGKutv8AeeL/ AFF/ViqTXPlK3nNyn1+8isrpnlewjeMRLLJUmRCY2lU8z6lOfHlvTMiOoIrYWOv428mk4ee5ruWJ 5Lsf9Mee8urm4vwouriVog7cGUqQEjRFoI1XZaU998P5k7UAAPx3qMIF2SbS7WfJF0IFbQrlobz0 WtWmllWOkLg1FRBOGBYgleIOwoy03sx6oX6xtz/G4/HRhkwmvSd/x5H8dUXY+QrG2aAtfXUqW3Ew 27GIRI31iG6cqBHz+OW2UmrnYmmQlqyb2G/6iPuKRpwDdn8EH9CK0fyfpWkSXsllWNr3kCyx26PG GYsQsscSStu23qO2RyamU6vp7/118qZY8EYEkdfd+r70PP5GtbgSGfUrySab1frE5+rBpRMsC0ZR AI6L9UjoAorQ8uQJyQ1RHID7fPz8yx/L+Z+zy8vJ2neQ9L0/TJrC1uLiNZpI5hMPQDpJDcNcoY1W IRACRvs8ONNqYz1cpSBIH291d9rDTRjHhB+7vvupNbrRra5e+d3kDahapZTFGCkRp6tGQgVDfv23 +WUxyEV5G/u/U2mAN+YpiVx+XFxbcoNGuzDbXrodTd2hh5Irq1BBDbCNhQNxCmOhJqSDTMwa0HeQ 3HLn95P63GOmI2idjz5fq/UmNv8Alvolsf8ARpZYAJknX0orNGHAllX1VgEpoT9ouXHZtzWs62Z5 /p/XX6PJnHSxHLv8v1ft82V5huS7FXYq7FXYq7FXYq7FXYq7FVOf7A/10/4mMVdbf7zxf6i/qxVU xVjHnjz7p3lO3tzPBJd3l4xW1tIqBm40qSTWg+IDod8y9LpJZiaNAdXG1OqjiAvcno7yV58sPNCX USW8ljqNi3C7sZvtpuRUGgrupB2qDjqtIcVb3E8iun1Uct1sRzCM1jzloOkagtjfSyJIIRc3Eqwy PDbwMWVZbmVVKRI7RsqlyOh8DmI5KS6z+cn5caVbCd9bt7pmKBYLWRJZCJF9QNTkAqhPiYsRT5kY ppNP+VieRP33+5+wrblxMPXj+Exusb137NIo+kYopo/mH5NbT5b601SK/iieKH0rEm5maW4FYY0i i5OzSb0FOx/laitKFv8Aml+Xk0Rk/T9nCyKrywzyrDLHzIFJI5OLIwLgMCNu+KaV3/MPyWscMiat bzxzX0elh4WEqrdzAmONyleNeJ3O2KKQFh+b35eXsbTJrMEMAMojlnYRCQQFhIyBvi4r6Z3IHbxx TSOP5j+QgGP6fsaIZVb9+mzQAGQdeo5jbvXbFaQVt+bfkK6m1eK11NJzotrJfXbRAurW8MayySQl a+oFVx069q4rS2H83vy/eRI5tVjtHaD6zILr9yY1LIqrIHoVdvUDKv8AL8XTFaR2ofmN5LsdOfUZ dVhkso5praSeA+sizW8D3EkbGPkA/pxNxB3Y0ArUYopK5Pzp/LqNiG1QBeYRHKMFb/SI7Z2BIHwx yTLyrTapFaHFNM0trm3uraK6tpVmtp0WWGaMhkdHHJWVhsQQag4oVMVdirsVdiqnP9gf66f8TGKu tv8AeeL/AFF/ViqpirB/zM/L6580x2N1YXKW+o6czGP1uXpurFTQlalSCuxAzP0OsGGxIXEuFrNK ctEGpRVfIPka70K+1XWdTnil1XV5WklS25ejGrO0hVC4DGrN3GDV6sZBGMR6Y9/NOl0pxmUifVIo Lz9J+W51yO38y3U9rd3Foq3BimuIYntucnofWPRKqQkpdoyfstU7ZguaElg8sfkTfzQaXFcJPcTN cBYjc3HqNLfwxWc5lYtUSSfV0Q8qH1NvtGmK7sb0Hy/+R1zbNLeatdagl36k0BlNxALe2ohS2Kp2 
IiVlU9aKQBtUJ3Zxpfln8nxbXraZPDAddukufViupIrhru2X1la3YsJRLF6/IhdwWKkfs4QEEsdj 8lfkXqMF3NdXDXVpczpLa2kstyPQf6vaxyFIySzSS+kpkkILNuK/CcyZaPKDVNEdVAiwWQX/AJb/ ACbitJdMvZYUt5ZecsT3MwrJCstvUMGrVfWkGx6iv7O0Y6XIeUSylqIDmQltlon5JJ9Y9GV7COKa eO4tjc3EKP6kgkPKIP8AFH6hDJUdRt0yZ0WUVtzYjVQ335LpvJ/5KR3cLLcOb6OdVtFhvLgzRSSy qkRiAfkogeJSlNloD/LkRpMnOknUQBq2U2v5U+SrWK8itrWWKK/spdNukFxMQ9tNFHCynk53CRCh 6jfMdutI9Z/ITyle2qx2N1e6ddCqfW1uJZGEckZhmVVZ+CmWI8WIG/euK2nmn/lL5CsNEfRINMX9 HSXsepPCWY1uIipQ1BHwjhTj0pUd8VtRsPye8hafPZzWVlJA9iYzCEuJgp9KeK5QOvKjD1reN6Hu MVtlelaZZ6VpdnpdkhjsrCCO2toySxWKFAiDk1SaKo3OKEVirsVdirsVU5/sD/XT/iYxV1t/vPF/ qL+rFVTFWm+yflirl+yPlirzX8ztZjsdYWvkg+ZJoLITwaiYTLFGSZg0bkRydOApSp+M9K7qQkvl u50Y+YfrrflzNazadDcTR6lawSFZ1hihkhkhjkjiMkkz8vTEgDKRWvJjilNtVn0mO5R4PIplt59O tpHMlqVnSMgQi3aNUYI8cXw/a+GngMzMOmjONmQBtxcmeUZUASEX5YutLmutJ06PyjPbWkT3bwXd 9A0jwzSMJZJfUkVipmZ35Gu7U7Y5NKIRJ4gSK5LDOZEDhIBZePKnlkAAaVaAAcR+5TYcVXw/lQDK fzGT+cfm2eFDuC6fyx5cnZ2m0y1kaXl6haFCW5tzatRvVt/ngGeY5SKTiieYCFn8jeUp7v61LpcD SEFWTiBG1SDVox8DHbqRkxqsgFcRYnBAm6RZ8s+XTIsh0y25oyyK3pJUMhLKw26gsch48+8svDj3 BMsqZuxV2KuxV2KuxV2KuxV2Kqc/2B/rp/xMYq62/wB54v8AUX9WKqmKtN9k/LFXL9kfLFVG+vre ytmuJyRGtBsKkk9AMVU4tW0+Sw+vmZYrXo0kpCBTXjRidhucVdBq+lzxQSxXcTJdKr255gFw681o Dvuu+Krn1LTkpzuoVrSlZFFeW4798VUhruiEqo1C2JY8VAmjqWorUG/Wkin/AGQ8cVbudb0e2SZ7 i+gjW3r6/KRQU4ip5CtQaDFV1xq+lW1ubie8hjgDCMys6hQ5FeNa9ab/AC3xV36X0nky/XYOSCrj 1UqAWCb7/wAzAfPFVSG/sZpTDDcxSzBeRjR1ZgoPGtAa0rtiqvirsVdirsVdirsVdirsVU5/sD/X T/iYxV1t/vPF/qL+rFVTFWm+yflirl+yPliqE1iya8024t0VWmZGMAkJVfUAqnJgGIHLqQDthjV7 8kG625qUGjWzaNFp13ErJxjadEZipkUhyQ3wsRzHgMTV7KGNXnk7yBDe3l/dzqlxAIYZXE5RrdfR SGCM8CDuEVl5VNfbFKE1PyR+UDT/AFm8+qxzgW9i8n1xlYiJFjghekm9FQHffbl74qjNU8t/ltBb +hevFBDdSzzhPrDjk6JHHOq0bssSKyj5dTk4Y5S5C2EpxjzKl5g8m/lbdmSXVli/ffWJpyLmRQ4Z 3mnLcH3HIMfam3TDHFM8gVlOI5lGw+TPIFsv1dI4kHry3rqZ2qzsVilLktUrz4gg7csjwS7k2Enu /wAvvyyiiubWKcWMztFDcyC4Z5OPMIIh6pela8NunTJDFM9EGce9PPLvlnyP5buDNpDR2rSxiEJ9 
YLIVch1orMQWO3xdSPbI8Eu4p4gnd1r2i2srRXF7DFIiPI6s4qqxlQxbwoZF6+OGOKR3AQckRzLj r2iCP1Df24Tlw5GVB8XMx06/zimPhT7injj3uh13RZ1laK+gdYXaOUiRfhdCFYHfsWA+nE4pDoVE 4nqqnU9NUVa7hA2G8i9SxQd/5gR88gYkdE2FOPWtHkkMSXsDSLIISokWvqN9lBvux8BgSuTV9Jk9 T072B/RDNLxlQ8AlCxah248hWvjiq6DU9OuJzBBdQyzheZiSRWfjt8XEGtPiG/viqJxVTn+wP9dP +JjFXW3+88X+ov6sVVMVab7J+WKuX7I+WKt4q7FWMectM0r9H3M9xYXF99daCG5htnkUsEcFGPA7 cabECtT26gq89VdCtdMRYvJN3b6PY3cd1cGaSZRyihlKypUDkvx8at1FKjwUIiGXyxdaFZtb+TtV msLtpTNBEZeXK+ZJCz1ZfUUiCN1NdiE+i7Fnnj+k/j8Fqy4Yz+ofj8BkPl/yB5P1fRhPc6XLbSTE i4tXluBxIZ3WhfgSKTcqgdfll35/LfP7A1/k8dEVz/H6U5f8tvKL24tvqrpBylZo0mlAYzOsjcqN vRkWnyyI1uS7tl+WhVUsuPyx8m3D8pbN2qasvrSgH42cA/F0Bkb78Rrso6/Yp0uM8wsH5V+RxMs3 1AmVU4czLJU/Dxqfi+174fz+WqtH5THd1ujpfIvlqQ3zNbMG1Eym6YSOC3rukklN9uTRg7ZWNVkF b8v0MzghvtzQkX5Y+TY7ua7Wyb15gQzGaU0rIJPhBbb4hkzrspFWwGkxiXFW6zV/yv8AKuowyIIn tZJefqTQueREsolkqG5KS3GlSK0+WHHrskT3rk0kJDu/G61/yq8nGD0I7eWKFiokRJn+JFaRvTJJ JAJmatN/fK8upnkFSLPHghD6QuuPyu8pyac9jFFLbo6lPVjlf1FRgVKqzFqfC1Aeo2I3GUW3IxvI HlRr2e8NlSW4T0pFDuE48eNAgbitBXp4nBaqnl/yT5c8vy+rpVs0DcGiAMkjgI5ViKOzftIDiqe4 qpz/AGB/rp/xMYq62/3ni/1F/ViqpirTfZPyxVy/ZHyxVvFXYqx3UvPGl6dNrMU0ckjaLAlxOsJj kkcMnMokYbnzCkGhHceIxVji/np5Cmna2Zrj02t7mfk0JZXjt5zBtStfVpzUGnwlSaVxVNdX/NLy xpN39XuhOIgOJmERCh+CyLHxbi3Io+23t1phpVn/ACtvyd69tAZLgS3ao8Ceg5JWSRY0NBXr6it8 vfbGlREH5leXZ7u3tI1nMt3ape2pCKVkjkiMoCkMfiotCD3xpUJon5u+VtWtmkhS6jmW2lvGt2iq wiiVXrzUtH8SyKR8VPEjJQgZEAdWMpULXSfmt5dSGTjHNLeRJMxtowrrygUFh6ykxkEsFBBzLGgn fl+vycc6uHx3+xbb/m75SltbedmmV7gqixCMsfUIWqjoTu4FafhiezsgJHcga3GQD3q7/mh5cEFr cos7Wd1FLMsxQJRYi6miOVdt4m+yDTavXB+RnZG1hl+bhQPQtwfmj5WuXdLYzyukcjj9yyqTFbm5 ZAzUHL01P+dMToMg51+DSjVwJofja/uULD82PLl4ZisVyiRFEXknxMzRGUgLXagWnzwz7PnGuSIa uEr5/gW1P+b/AJOjChJJ5JZIjNFGImBIDMgG9KEsn0V370R2dl8kHW4+XWmp/wA2NGt7dZZrS4jJ jnZ0IX4Xt5fRKEg/tP0PhvhHZ8iaBHT7d1OriBZB6/YaTPQfzB8ua5qCafYvKbp43lCvGwHFCAfi 6D7XfKsujnjjxHk2Y9TCRoc2SZit6nP9gf66f8TGKutv954v9Rf1YqqYq032T8sVcv2R8sVbxV2K 
oLVLS4ksbs6eUg1KWJhBcFV+2B8AckNVa9fbJ4yBIXyYyBo1zYMvl381gxdtTtJGZEQ/CFFY5G6r 6W4ZAOQr+0fDM/xdN/NP4+LiCGfqQr6rY/mvdyX4sW063jZnFm0w+IugPpF+KOfSJAqPt/RtmuNO YmXlzTfMh1+8u9esrMgQrDDfRKvqNRlcxrtX0gd15Ubsa0BxSyoQwgqQigoOKEAbDwGBWxFEKURR QECgHQ0qPwxVoW8AFBGoHSgUeAH6gBhsopQttJ0y1kllt7SKKSaQzSuiKC0hABYmnXbJSySPMoEA OQVJ7KzuIWgngjkhZSpjZQV4t1FD44BIg2CkgFeIIRWka79dh4cf1bYLKabMMRNSikk1JoOvSv44 2Vpb9Xt619JK+PEe/wDzUcbKKc1vbuatEjHfcqD16/fjxFaUrLTdPsYzHZW0duhZnKxqFq0h5Mdv E4ZTlLmbRGIHIInIslOf7A/10/4mMVdbf7zxf6i/qxVUxVpvsn5Yq5fsj5Yq3irsVYzq1n51kn1z 9H3MccNxaqmjlmA9KdV+JivAn4mb+btiqS3en/nEXjW2v7ARRqSjvUOztEVUSgRkFUkarcd2A2o3 UqiRpn5qtawBtTskuIJLk0CnhIgEf1USkozE/DIJKU+0O4xVd+jfzMmSxa4v7ZJ1gIv/AKuSkTS+ pIfgVkdvsGPfkOjbb5k4Z4hH1Cy0zjMnY7IZNP8AzdlvoWuL2xjtQsQlERYGvwNLtw3+JSB7E5eZ 6YDYStpjHPe5jX4tHxxfmcotOUlg8rRwfXWJYRq6SzGUIoTkecbxb1/ZNAK5WTg3+rrX2V+lkBm2 uun6b/Qgza/m8szmO5sDG9GYOSeLemqlUHDYcwxH0e+T4tNXKSKz3/CjbC3/ADOW+Rr27057VTIr IiOoZQpEb92BZtyK7ZXM6ethK2UBlvchCvpX5nyWTs2pW8d/LPGaRmkSQpGwNKxt8RcgmnUjwyYy acHkar8dUcOWuYtda2f5qSBze3llHT1REkG5IaGURs7GPcrKY+gGMpaccgfwR591oiM38RHwQ8sf 5uWl1FaRTWd7bMnBLwqAyusNeU1ePw+pt8IJOSB0xF7g93x6IPjg1sR+zqrIv5shbaOV7EysLxrm aOgjACRC1UBl5ci5kPSmwrt8Jxc5x8XouvNvxcdeur8lGxh/N+0niF3LY3sct1ykEZICQHk7qSyB l6BIyOVK7g9RS2s+wK7FVOf7A/10/wCJjFXW3+88X+ov6sVVMVab7J+WKuX7I+WKuJI6An5U/jir XJv5D+H9cVdyb+Q/h/XFXcm/kP4f1xV3Jv5D+H9cVdyb+Q/h/XFXcm/kP4f1xV3Jv5D+H9cVdyb+ Q/h/XFXcm/kP4f1xV3Jv5D+H9cVdyb+Q/h/XFXcm/kP4f1xV3Jv5D+H9cVdyb+Q/h/XFXcm/kP4f 1xVsMa/ZI+7+uKrJ/sD/AF0/4mMVdbf7zxf6i/qxVUxVhf5ifmD/AIX+p2drBHc6lf8AL0xM4iij RaDm7GnUmgFRmdo9H4tkmohw9VqvCoAXKSt5C88S+YWv7C/s/qOsaVJ6V5Crc4zuVqrexUgj8cjq 9KMdGJuMuSdNqfEsEVKPNM9T85aDpmpHT7uV0kih+s3k6xSNb20RDlHuZwpjhD+k3HmwrTMNy0l1 n85Py40q2E763b3TMUCwWsiSyESL6ganIBVCfExYinzIxTSaj8wvIxMoGvWJMJdZaTp8JiID13/Z qMUUoXH5meSItIk1aHVIr6zilit2NlW5f1pv7tOEQZqtimlNfzW/Lk2ZvP8AEFmIBH6vxPxfh6jR V9MgP9tCOn6xitLL381/IVjeWdteaosCX9nHqFrdyK627QTeoY6ykcVZhBIQrU+z44rSLP5j+QA7 
ofMWnho3Mb1uYgAwDEgnlT9g/wCZGKKTywvrPULKG9spluLS4QSQTRmqsjCoIOKq+KuxV2KuxV2K uxV2KuxV2Kqc/wBgf66f8TGKutv954v9Rf1YqqYqxfzn5Jj1+ax1C3ufqOraYzPaXJjWZKHfi8bU ruKg12zL02q8MGJFxlzcbPp+Mgg1KPJb5E8h23leO7mNx9b1DUGEl1OEESClSERATxFWPfHVas5a FUAjTaYYrPMy5pT52k/LX9PyQeYLqa1u5rRVvvSmuIoHh5MkP1j0iEZ42kLRkiqbNt8OYjlhJYPL H5E380GlxXCT3EzXAWI3Nx6jS38MVnOZWLVEkn1dEPKh9Tb7Rpiu7HfL2hfkjNC091q91qKXXrS2 4mNxCtvbsgVbcon+QoKD5cQKioTuzXTfKf5RXGmX9hptzHFb+ZrrncpHeSRS3MyKJGiXk6u9BN8a b0Lb0IFChK4fKH5Hx3p1Eq4nKtG5mnugFSRjMBRm6dAoG9Ke+ZH5TJ3NP5iPeyZ/y7/L3zBpbQSW /wBfgW0ttKNyZZDL6FjI00SCWvL7cnJiD8W3UAZTKBjsWwSB5JNZ/wDOPnkgXVxc6objVJWneSxM srr9VhbkRDHRq7M/Ll4gUA3rFlb0HRNGsNF0m00nT0MdlZRrDAjMzkKvSrMSTihG4q7FXYq7FXYq 7FXYq7FXYqpz/YH+un/Exirrb/eeL/UX9WKqmKtN9k/LFXL9kfLFXnH5iWHmubXWm0jyvp+rwjT6 JqF0kckiyqtyzQ8HdOdZFtyvzcd8UhIvLflnzLbeYDqU/kTT1+ow3EljcxmK2muGEULWokT1Zo45 mkRy7Ny4E7d2KlkN5oNzJc2TxeTrFPrNnDDfwyLC4gIiMfpCVWUMIk4oCq9Af8nMnFDGY3I0Wicp g7DZW8o6bMl5a6RqXlq3t4LCOa8truQC5dJLmQNIRK3PjLLIzs++/wAhvLLixxjxRle6IZJk1IUy pfK3ltQwGmW1HIZ6xKeRClakkb/CxGU+PPvLPwo9yJ0rSrHS7NbOyj9OBSzBakmrnkxJPucjkyGZ spjERFBF5Bk7FXYq7FXYq7FXYq7FXYq7FXYqpz/YH+un/Exirrb/AHni/wBRf1YqqYq032T8sVcv 2R8sVWzzLDBJMwJWNS5A60UVxVLtI11dQmkhMPpPGCRRuQIBoey+OKob/G/lcSXUcl8sTWcrwziQ MtGjcRsdx9kOQten3jMj8rk225tXjw7+SlN+YfkyK1e4/SsLois3FCSx4AGgHiagDxJwjR5Sa4WJ 1OMC7TbTdY0zVIml0+5S5iQlWeM1WoJHXv0ymeOUPqFNsZiXIozIMnYq7FXYq7FXYq7FXYq7FXYq 7FXYqpz/AGB/rp/xMYq62/3ni/1F/ViqpirTfZPyxVy/ZHyxVsgEEEVB6jFUk8teXrrRzdm4vzf/ AFhw0dYUi9NRX4BwJ5Dfvl2XJGVcMeFrxwIuzbCvNn+Jra/vPqHkCz1C3Zp3a5ZopWuByjKPQFXQ vJIzOpUn4ajlgGoyDkTsk4YHoGNafc+eL6L6yn5ZWcc0P7uO3cLBGyTweseQdwpIXgvIg8WBXZmo kvzWX+cWPgY+4J9a6z+aelxJFpnkqyEkod7lYONsjSepNxFTKQtI0Q13BJoKVFKp5JS5m2yMAOS8 ecvzwR0WXyhbyK0cju0b0KOiuVjIM5Dc2j+0D0YbV2yLJVvvOn5yh4lsfJkchMaesss0ahZPRjMp V/WoyiZ3RR/KvKvxbKGQ2Ou/mI2j3k135YiXUoIke0t0vYwtxKzUZBXl6YRd6u2/TbrirE9d/Mb8 39Pn42/kczxFrl1ZWMn7iGRljr6bNR2QA709uuylGr5v/OY3UKv5QhjtgYRcP6qSMWKK0ioFmFBW 
vxmoWoHxcWOKqK+bPzy+tenJ5Qt1owRWSeNoWUlRyJMqspFGatafs7khsVS/VPPH58vpjLaeUEtb yZylvNtLxCqj82QSsF5/EoDdCdz8Jqqncnm/83zJNFbeUInKBjDLLMsSOVK0r+9fjyXkwG9OQXco eSrLvLOoeZry3J13Sk02ZYrZgUmWUSSyQK9wAq14CKUlBVjWlcUJ1irsVdiqnP8AYH+un/Exirrb /eeL/UX9WKqmKtN9k/LFXL9kfLFUp1Xzb5e0m8FpqV4trMUSSsgYKEkZ1Vi9OIHKMg77beIy7Hp5 zFxFtU80ImiaQw8/eUDIVGpxcVTm0hNFAoWpv3oP4dcn+UydyPHh3uvfPflu0MfOeR0ljjljkihk kUpMJGjIKrvUQvt7Yx0sz0/H4KnPAfj8dzdt598qXFobsX6RwBigeUNHUrEsxpyG9EcffTrglpMg NV+OSjUQIu1s/wCYHlG3lkin1BIpI2CsrBq0YKefT7I57k+B8MI0mQ8gp1EBzKbaXq+m6rbfWtOu FubfkU9VKlSQATQ9+uU5McoGpCi2QmJCwbCLyDJ2KuxV2KuxV2KuxV2KuxV2KuxVTn+wP9dP+JjF XW3+88X+ov6sVVMVab7J+WKuX7I+WKsI87Q6mNUnvJNDtdV0S100SuJERp57lLiq2yMSSo4/ECV4 8uppXLIZZR5EhhLHGXMWl9vY6x9cvmm8j2SyKjyQXa+lSWQFloV5Fujmg/aHhk/zGSq4ix8GF3QW KfNLaEGufKGny30CpZ3ELSQoptkjHIA8iqha8hvsDTtUxGaY6nvT4ce5eYfMEVlb8PJdjdSC6dpr WNoIWhjmjiHrBXdgxYeorDkPsBcPjz/nFfCj3BTOneZ9QM91qHk3TFvJtPacu/GUvdlkH1djzVqE eo3Km/w9KGpjqMgFCRRLDAmyAjYdX846bYWn6M8q20Uc7Syaisc0caQOJ1RmYcgN46k0J360pQ1y mZGybZxiByV/07+Zgj1FjotutxB6C6fbGRSLj4pRcOreqCop6R3+zXvkWSFbXPzcXVklOiwHSz6s UkIZOa8ZSI56+rViU34D5V74qm11q35gLNqkVtpEEvoq7aZKzhElYTKsaOS5+1ESxbbjTpvTFUtt PMf5pSI5l8vW6gu7RusqOpi4sy04y/aBCrT9qtfhpiq2bzL+aTKP+dfhtWHNz+8WYtwDMI0HqIWZ uIrt0rTscUI7W/M3nuCeZdJ8sm7gHAwSSzRxlle3LnkC+zJN8BH3dahSsuNa/MyHVLwJoltcWCCA WoEwjNXkHqkuWJYLG3Xgu4rTtiqp5p1/z/aMq6PoUcyfWCjTvNGwMIeHi4UvFvIGkXh1rQj3VUG8 y/mM97LAnl+KO2hc8rkypJ8Ar8IUSIee6dditWp2xVDad5g/NmRxFc+XolDCpuGkjQKFjX9hZWJL urdelR1GKso8s33mO6tf9zmmrYTJHEeQlSTnIy1lHFOXEI21a/F4DAqaz/YH+un/ABMYq62/3ni/ 1F/ViqpirTfZPyxVy/ZHyxV5V+aV15QOtiz1O/1aK+aOGun2AIjMMztC01WUx/GH4tU78ONK9SqA sNW8nxaRfX9vrut3VodOeBpKFZmVLoRJNBy4BZY5LhCOSjt/lDFChcaP5LtoJpGvdbMbmew1ASSx TU9BI2mklX4+benIrKd9gCOi1VROpXH5fG0stTj1XWYFv4Gt7U24ZHaNZyifaVTyQhvSb9giuxpi qhpY8h3GgQ6pFqurtbXZR4VcjnDIEFxwBdVWgjdQFO1H7gtiqGv5vIOqJes95rC6TLdXF7cTKI4o /UupjIVRCtWUPGxNRXZeu2Ko/U9W/L26FlKuq6qqfVHt7BolqvFZfXIVyp4OtVSrEAfD/LUKoS8P 
k6xFjC1xrU3qUtpIRLE4UzQxzCSQEjqsIoxHyxVmsPkDRtXt47631rUHjktLW2gliuFqgtV4huSA j1HDMJD1NT7UUq0n5XaawseGp30X1GFLdVjkVUdYzUFkC0rXceBxtV13+WOnXC2KjU79Bp8k8lup m5r++DLwKsCOCq5XitKrscbVDR/lHp0csMg1rVX9J/VYSzq5dxGUDOxTkSObN1oWJYitKNqqXX5X 29wGtzq17HYhQIlSQ+stXlYqHaqhAsoVVC9K+JxtW4Pyr0yGexkGqajIljJayxwyTB42a0na4Xmp Wh5O256+FK42qlL+UenSXV3cjWtVjkvCxlEdwFWr0DHjxozMg4sWqTjao/SPy9ttM1uPVl1S+uJI 2LehPKHiNY3j3UjqefJmG5beu5BCssxVTn+wP9dP+JjFXW3+88X+ov6sVVMVab7J+WKuX7I+WKtN 6RajcSx2oaV8f4YqtIt0BBCKPtMDQfaNan5kY0q0NZBJGBjCQsxlPw0RgvxcvA8Tv7YaKLX+jDt8 C/DWmw2qan78CVGGz06NXiihiUM7SyIqru7k83I8Sa1OFVt9p+l3kS217BFNEzqyQyqpDOnxD4T1 pTFVZorWOJuaRpCgZmqAFAI+Int064Aq70Yak8Fq1Kmg3p0+7FW44440CRqERdlVQAB8gMVXYq7F XYq7FXYq7FXYq7FVOf7A/wBdP+JjFXW3+88X+ov6sVVMVab7J+WKuX7I+WKvKvzNvfLUfmZLfUBq y6rLagWhsTEsRQLMQAzso5U9ZqHf4DTtXLwauWMUACHHy6cTN2R7kLaT/l7qVpeQC/1KeO54yXNy 8dHItoZbxo68Q1DFK4pT9mg95/nZAggDb9n6kHTRIIJO/wCP0rLKy/L28LLBrOpxxOHV4D8KyxwQ maXnGF5N8MDcqipNP8nJfn5d0WP5SPeUE2u+QrD6jN+ltamaX6tLFFKV4yK08Z5/FRR+0Dv0BHhW MtaT/DFI0wHWSOlvPJkdrqF1FJqfr393DYzxwpGrQveS/XqRtRAUbhSg+4cq4Pzsttht+qk/lo77 nf8AXagYfKzvJeW2t6pJpxM8Ls7LG8T2TxGR4nm4FtpQFCAk1J/ZOT/PmvpjbH8rv9RW6rr3kGSb TeV7q6Wf1WaCORSPTZYl9M80avJpHlc8jtVT0GQjrJC9o7m2UtMDW52bs4vJN3qw0m28x65LcGtp 8JZ09V7b1mHIKxqEepHYsR05Us/Pn+bH5Nf5MfzpfNltl+bPlW2txa3bXQmtIYDIxQXDusxRI2/c GTmzcqsFGxqvWgOBI2bcwbBW1D83vK1jbW1xLHdmO7jaWGkXaOc27q1TRSrKT7jpXBSVzfm75QQB mNyELBFcRVBLKrjoTT4JAxr9n9qh2xpVq/mzoMsF3cW9tcSQ2qI6tRV9TlNFCeK8q0D3C70/m8N2 lbi/N3yi94lqzTrJO4W2pEz+orSpErUWrCrP0Ir9O2NKg9Q/Ory7YvqUUlhfGfS39K5j4RD4yxjX iTJ8StKjpyH8h9qtKmV/+avlOxC+vJMrvai8VPTJb06FmFK/aUKSfHoKmgxpUdo3nrRdVv4tPgEq XkqGRY2TYqiK0p5AnaMyIpJpuy064FZFiqnP9gf66f8AExirrb/eeL/UX9WKqmKtN9k/LFXL9kfL FWFecm88/pGWPRNV0mxslt0et4D9aWRnKdw6cP5SRuSVwqlrR+d77RbSxtdU0e7Z42TVp5aP6kbI gFU4faCrKNxQr1xQ1FrfnO80e01HTbnSmk9W4F2sMkNUt45Ui9RXPJKiICWTstafEAKqoaHUPPEV lcXF9rehG2VZZLaX4QoUHmiFDGG4kLQAb0r1NMVRWpz/AJjzXsk+k6vokenJcO0PqN8TByyQrJxF 
K+myUFd2Fa0+HFUPqd159MotY9a0RGniacRSlAV9QBEe3bjty+JkL8jSnXfFUZ5hHmq/tpLeK50W PT44bYXFtessoEiSOs3rcVoqs/EUHRl67kYqhxqXnNIbe3sNU0cfVYUFzdXEkXx3fxi4VSg6RUXk eKmrnwxVW1LUNftNTsrk6joNgkyrb3YkKmZrkTzSRQB6fZrt2+LmeuKoKxvfzDS+j+ta5o5RZRBc xyN8PqRGH60EQKlPTCv1fbkRWpFFUbFcea7DWJFvtd0ZrK51J3tobkxiRbMCUCNFQRVkrBUjf4lO +xxVRtLjzhdEQWutaS1nbukGpyPJDPIJZByKrxiWMeo1CFK9KClQcVQehjzkNduY5brSXkhig09d WkMRnklY+qSlAxf4l+y3VvHjiqYXV153kXToo9Y0htWrJHeW8UiLE8xYzRqoZJmr6O+4716/aVXw Wfm54DcXWuaXHfTfVXkuIRCq0tnmneMMY2YqYTAwLV4/EaU6qoGym/M6bU5isujJeLbxwJdUTncS ehLyEXEs3ATxryqOoNK8SMVepJy4jl9qg5UNd/nQfqwJWT/YH+un/Exirrb/AHni/wBRf1YqqYq0 32T8sVcv2R8sVeZ+e3/LmPzb6PmOO5nu7y0VaIXESxtILfhSMqf3qzMGJ6AHcEjCqzRL78tm80ac bGS7tr0STwwW8nP0vXKIsok5cypCoqA1ANSAT8WKEHp19+Ttutn9WsbgK8E1pByEpHG6jrIjFn2Z 1Zk5NQe4WhxVamsflDeve6hNBeXZMai4urj1iXjl4lWo7D7arWhFaAjrsVVltZ/lfp3mC60a+tr6 a61K8MSepzeOST1TCIwsLGix0qC29G+jFV+rz/lWmnwWd7BdW1taui28EDGRj9WDoJHVGf05GjSY EmjhKhqFlBVUtN1z8mU0BmksZrazuonhntpTK54XEyyNAfjPL4oVO1fAH7WKqjJ+VFmIZLfS7xfV vprZwHkVo7y0WhakknFjH6xoynh9rftiq21T8qntTeabot9c/Uo4ri0jQyKxa9mVAsSNIGMge4UG q/ecVQmtan+TuqQ6iwe/hmu7qWO6nt45mdpWkaWQItGBDcWZXAK0bY9gqjtXf8nLW1CS6dJIdIpP bpGXrzvlS+Wjq+5PFFBavEEgfDyxVHaJY/lb5jlNhYRzwy3/APpsyM8imZUqjJydmPcjiKNQVHw7 4qyO4/K7ynJpz2MUUtujqU9WOV/UVGBUqrMWp8LUB6jYjcY2lUvvyy8l32pPqNzYl7iQKpCyypGA kaxAKiMqr8CAGg3pgVRb8qvJzJBCbeU2kFSLT1X9Nm426qzb1qv1OM7Hc7muNqqQ/lb5IhaEpp54 W8hliiaWVkDkua8S3/Fh/DG1ZUiKihFFFUAKB2AxVZP9gf66f8TGKutv954v9Rf1YqqYq032T8sV cv2R8sVWyJAWrIqlqAVYCtAajr74qseKykNXSNyCrAsFJ5IeSnfuDuMVUbfTdItmuGgt4Y2u3Ml0 yqoMjMOJL+O22Kt3thpd9D6N5DFcQ81k9OQKylkNVJBxVXIty3I8C1Qa7VqOmKtCO0DFgsYZqlmo tSWpWvz4j7sVQ6aZo6Xst8ttALyYKstxxXmwSvEFuu1cVRBS1JqQhO+9B+19r7++KtqLZQAoRQuy gUFOnT7sVQyaXo0d3NeJbQLdXChJ5gq8nVa0BPh8RxVVS105JJZUiiWSZhJM4VQXdUEYZj3IRQvy 2xVyWunpcvdJFEtzIqo8wChyqcuIJ67c2+/FVb1I/wCYfeMVd6kf8w+8Yq71I/5h94xV3qR/zD7x irYdCaBgT4VxVZP9gf66f8TGKutv954v9Rf1YqqYqkHm3znpPlqCA3glmubxjHZ2luoeWRhStASo 
oOQrv3zI0+mllJrkOZaM+ojjq+Z5B3lLznpXmSG4Foktvd2TCO9srheEsTbjcAnaqkfRjqNNLFV7 g8iFwaiOS65jmE8eeBJY4nkVZZa+lGWAZuIq3EHc0HWmY7et+t2v1YXXrJ9VKCQT8h6fAioblWnG m9cVXpLE7OqOrNE3CRQQSrFQ1Gp0PFgfkcVbVlZQykMrCqsNwQcVUxd2hRXE0fB3MSNyFGkBKlAa 7tUEUxVVxVbJJHFG8sriOOMFndiAqqBUkk9AMVajuIJTSORXIVXIVgfhevFtuzU2xVczKqlmIVVF WY7AAYq1FLHLGskTrJG4qjqQVIPcEYquxV2KuxV2KuxV2KuxVTn+wP8AXT/iYxV1t/vPF/qL+rFV TFWB/mf5F1DzC+m6jppikvNMZj9VnYokqMVOzLuCpX/PvsNDq447jLlJwdZpjkMZDnFv8uPJWraP farresmJNQ1Vq/VrckxxryLHc9SSfHHW6qMxGEfpj3p0mnlAylL6pdzfnnyA3mLzLpN+L63tVhia AiSLndLxniuhJZvzT05f3HHlQ0UnY5r3OBYbF+Qfm06dDp915zmntY47mJ4WWco4mtI7ePkDNUhH j5UrQdqYraaeUfyq13RPNVrrU3nGW4s/rU8lxpUbSCF5Htkt1tw0sszyCH0Ao5ktxRe4ritqS/k9 52+q6fA3mlY4tOsbawS1gW7ihlitAqLFIsdylEmRAZGWj8ujcdsVtCD8iPMBYpD5rIto7m5uLYBL itu8pYqYlW4CB1Ztz7ClGLMWltXg/J3zW8wdPPd2bZ0LPYxPcGKNZlI4RM1w8vpqqoIyz8qL1riQ QvEEdrX5Q6zrWmWVk3meWSyisHtH5G4YSBvWKH4bhVdXWaPn6gY/ukodziQtobzP+R1/qevXWqaT q0WkB+P1ZYopjMCLN7Tk85m51UOKBaLt0rUlW1fTvyX1W2lup7vzBJqF1eaTcaTNPcG4cgTWsMKu qtOy7SRO5BG/LxAIVtIdZ/I7znpFvMnlDX5pbOYJGNJlllto1co3KcvDLGBwnczKqAb0FGAoVbZR 5J/K/wA26F5ih1XVPNtzrFvG10z2s5kIY3IUKKc+AoRyPwde3grb0vFDsVdirsVdirsVU5/sD/XT /iYxV1t/vPF/qL+rFVTFWm+yflirl+yPlirFvNv5eaZ5m1Sxv7u6uIGsleMxwsoDxuCGUkgla8vi p12r0GKQWPx/kukWpaTdReY9RNvpkzTtbuyn1GZg5bmAKMeCgmh/a/mxW3XH5EeW5LyO5g1LUbP0 5muiLeZUJnaRnMvIoSrUfj8NNgMVtNtB/LhtNsEtpNbv+cWoC+R7WQwKYo68LR1+MGA1LMgpUk9q YrbEobTye2p3dtbapqkKW4nklaN0RCkUguDKgC1YFmVVYddu2boyy8IJjHev1OsAhxEAy/G6itv5 NtONvYahq73SoYmhWVIUZacDyNOJ4I1eIr8qk5K8p3IjSBGA2BlbMNK/MHyhYaJBb28lzNBpyR2n 90WkpGojRmC/zmgBHfwzCyaPJKZJrfdyYaiEY0L22Rcv5l+Xo4fWYTGJnYRMqD40Ro0aTcig5S9D v8J2yA0Uya/HVkdTFcv5keXms5r3jcC1hSFzL6YPL1i4CqoJYlfSau3bB+SndbWv5mNX0Uz+aPlb 0vVVp3T4q8YiSCgcmqg16Rk16fjh/I5PJfzUFe6/MTy7b3bWreu8qsqt6cfMVYhaCh3ozAGn0VGR jo5kXsk6iINIe9/M/wAvW88kEazTywtKsihOH9xXkVL8Qa8GA+WTjoZkXsg6mIWx/mn5ellCxxXD xl1T1BHX7RKfZBJ+1xFOprUdDidBMdyBqosxzCcl2KuxV2Kqc/2B/rp/xMYq62/3ni/1F/Viqpir 
TfZPyxVy/ZHyxVh/nnT/AMzLq9tD5R1G0s7LhwvUuRWTkJkfnGfTkFTGjR77fET1AxSlnlzSfzkt tRtX1PVLObS0ErS20pEk/L0ZVhV5Uhj5L6jRlqb/AAnc91dmUaZB5wY6ZNq09osqJONWt7MN6DsT +4MPqqZdh9qrDLImPCQRv0YEGxXJPMrZLPQgrX01qRxJoOlKU+WGytKctjZTKqy28cgUsVDIpoXB ViKjaocg/M4RMjkUGIdbWFjbW629vBHFAgCrGqgCgxlMk2SoiAqG3gIoY0I3FCo7mp+84LK0tktb WRo2khRmiYPGSoJVgCAw8CAx+/ESIWgpppmnRzSzpbRiWbiJXCirBFKrX5KSMkZyqrXhCuYoiSSi kkgk0G5FKH6KDI2lowQE1Ma1NaniO/XGytNC2txSkSbUI+Efs9Pu7Y8RRSpgS7FXYq7FVOf7A/10 /wCJjFVO3uLf6vF+9T7C/tDwxVU+s2/+/U/4IYq01zb8T+9Tp/MMVctzb8R+9Tp/MMVb+s2/+/U/ 4IYq76zb/wC/U/4IYq76zb/79T/ghirvrNv/AL9T/ghirvrNv/v1P+CGKu+s2/8Av1P+CGKu+s2/ +/U/4IYq76zb/wC/U/4IYq76zb/79T/ghirvrNv/AL9T/ghirvrNv/v1P+CGKu+s2/8Av1P+CGKu +s2/+/U/4IYq76zb/wC/U/4IYq76zb/79T/ghirvrNv/AL9T/ghirvrNv/v1P+CGKrJp4WVQsikl 0oAQT9sYq//Z - - - - uuid:178ca91c-4446-47fe-87e7-cc201ed2746d - xmp.did:b132cbc3-f97a-b241-8ad1-65f31666f2b2 - uuid:5D20892493BFDB11914A8590D31508C8 - proof:pdf - - uuid:d1c078a0-2746-42b2-b0d1-25aedff8fb1e - xmp.did:1b6690ed-28a8-c141-9479-b6a9cf6be651 - uuid:5D20892493BFDB11914A8590D31508C8 - proof:pdf - - - - - saved - xmp.iid:b132cbc3-f97a-b241-8ad1-65f31666f2b2 - 2018-07-22T15:02:38-07:00 - Adobe Illustrator CC 22.1 (Windows) - / - - - - Document - Print - False - False - 1 - - 9.998823 - 14.680556 - Inches - - - - - SegoeUI-Light - Segoe UI - Light - Open Type - Version 5.54 - False - segoeuil.ttf - - - SegoeUI-Italic - Segoe UI - Italic - Open Type - Version 5.30 - False - segoeuii.ttf - - - SegoeUI-Semilight - Segoe UI - Semilight - Open Type - Version 5.54 - False - segoeuisl.ttf - - - SegoeUI - Segoe UI - Regular - Open Type - Version 5.55 - False - segoeui.ttf - - - SegoeUI-Bold - Segoe UI - Bold - Open Type - Version 5.54 - False - segoeuib.ttf - - - SegoeUI-SemiboldItalic - Segoe UI - Semibold Italic - Open Type - Version 5.30 - False - seguisbi.ttf - - - SegoeUI-Semibold - Segoe UI - Semibold - Open Type - Version 5.54 - False - seguisb.ttf - - - SegoeUI-SemilightItalic - Segoe UI - Semilight 
Italic - Open Type - Version 5.30 - False - seguisli.ttf - - - - - - Cyan - Magenta - Yellow - Black - ms-blue-dark - - - - - - Default Swatch Group - 0 - - - - White - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 0.000000 - - - Black - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 100.000000 - - - CMYK Red - CMYK - PROCESS - 0.000000 - 100.000000 - 100.000000 - 0.000000 - - - CMYK Yellow - CMYK - PROCESS - 0.000000 - 0.000000 - 100.000000 - 0.000000 - - - CMYK Green - CMYK - PROCESS - 100.000000 - 0.000000 - 100.000000 - 0.000000 - - - CMYK Cyan - CMYK - PROCESS - 100.000000 - 0.000000 - 0.000000 - 0.000000 - - - CMYK Blue - CMYK - PROCESS - 100.000000 - 100.000000 - 0.000000 - 0.000000 - - - CMYK Magenta - CMYK - PROCESS - 0.000000 - 100.000000 - 0.000000 - 0.000000 - - - C=15 M=100 Y=90 K=10 - CMYK - PROCESS - 15.000000 - 100.000000 - 90.000000 - 10.000000 - - - C=0 M=90 Y=85 K=0 - CMYK - PROCESS - 0.000000 - 90.000000 - 85.000000 - 0.000000 - - - C=0 M=80 Y=95 K=0 - CMYK - PROCESS - 0.000000 - 80.000000 - 95.000000 - 0.000000 - - - C=0 M=50 Y=100 K=0 - CMYK - PROCESS - 0.000000 - 50.000000 - 100.000000 - 0.000000 - - - C=0 M=35 Y=85 K=0 - CMYK - PROCESS - 0.000000 - 35.000000 - 85.000000 - 0.000000 - - - C=5 M=0 Y=90 K=0 - CMYK - PROCESS - 5.000000 - 0.000000 - 90.000000 - 0.000000 - - - C=20 M=0 Y=100 K=0 - CMYK - PROCESS - 20.000000 - 0.000000 - 100.000000 - 0.000000 - - - C=50 M=0 Y=100 K=0 - CMYK - PROCESS - 50.000000 - 0.000000 - 100.000000 - 0.000000 - - - C=75 M=0 Y=100 K=0 - CMYK - PROCESS - 75.000000 - 0.000000 - 100.000000 - 0.000000 - - - C=85 M=10 Y=100 K=10 - CMYK - PROCESS - 85.000000 - 10.000000 - 100.000000 - 10.000000 - - - C=90 M=30 Y=95 K=30 - CMYK - PROCESS - 90.000000 - 30.000000 - 95.000000 - 30.000000 - - - C=75 M=0 Y=75 K=0 - CMYK - PROCESS - 75.000000 - 0.000000 - 75.000000 - 0.000000 - - - C=80 M=10 Y=45 K=0 - CMYK - PROCESS - 80.000000 - 10.000000 - 45.000000 - 0.000000 - - - C=70 M=15 Y=0 K=0 - CMYK - PROCESS - 70.000000 - 
15.000000 - 0.000000 - 0.000000 - - - C=85 M=50 Y=0 K=0 - CMYK - PROCESS - 85.000000 - 50.000000 - 0.000000 - 0.000000 - - - C=100 M=95 Y=5 K=0 - CMYK - PROCESS - 100.000000 - 95.000000 - 5.000000 - 0.000000 - - - C=100 M=100 Y=25 K=25 - CMYK - PROCESS - 100.000000 - 100.000000 - 25.000000 - 25.000000 - - - C=75 M=100 Y=0 K=0 - CMYK - PROCESS - 75.000000 - 100.000000 - 0.000000 - 0.000000 - - - C=50 M=100 Y=0 K=0 - CMYK - PROCESS - 50.000000 - 100.000000 - 0.000000 - 0.000000 - - - C=35 M=100 Y=35 K=10 - CMYK - PROCESS - 35.000000 - 100.000000 - 35.000000 - 10.000000 - - - C=10 M=100 Y=50 K=0 - CMYK - PROCESS - 10.000000 - 100.000000 - 50.000000 - 0.000000 - - - C=0 M=95 Y=20 K=0 - CMYK - PROCESS - 0.000000 - 95.000000 - 20.000000 - 0.000000 - - - C=25 M=25 Y=40 K=0 - CMYK - PROCESS - 25.000000 - 25.000000 - 40.000000 - 0.000000 - - - C=40 M=45 Y=50 K=5 - CMYK - PROCESS - 40.000000 - 45.000000 - 50.000000 - 5.000000 - - - C=50 M=50 Y=60 K=25 - CMYK - PROCESS - 50.000000 - 50.000000 - 60.000000 - 25.000000 - - - C=55 M=60 Y=65 K=40 - CMYK - PROCESS - 55.000000 - 60.000000 - 65.000000 - 40.000000 - - - C=25 M=40 Y=65 K=0 - CMYK - PROCESS - 25.000000 - 40.000000 - 65.000000 - 0.000000 - - - C=30 M=50 Y=75 K=10 - CMYK - PROCESS - 30.000000 - 50.000000 - 75.000000 - 10.000000 - - - C=35 M=60 Y=80 K=25 - CMYK - PROCESS - 35.000000 - 60.000000 - 80.000000 - 25.000000 - - - C=40 M=65 Y=90 K=35 - CMYK - PROCESS - 40.000000 - 65.000000 - 90.000000 - 35.000000 - - - C=40 M=70 Y=100 K=50 - CMYK - PROCESS - 40.000000 - 70.000000 - 100.000000 - 50.000000 - - - C=50 M=70 Y=80 K=70 - CMYK - PROCESS - 50.000000 - 70.000000 - 80.000000 - 70.000000 - - - ms-blue-dark - SPOT - 100.000000 - RGB - 0 - 120 - 215 - - - R=10 G=10 B=10 - PROCESS - 100.000000 - CMYK - 74.135953 - 67.489123 - 66.359955 - 85.912865 - - - - - - Grays - 1 - - - - C=0 M=0 Y=0 K=100 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 100.000000 - - - C=0 M=0 Y=0 K=90 - CMYK - PROCESS - 0.000000 - 0.000000 - 
0.000000 - 89.999400 - - - C=0 M=0 Y=0 K=80 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 79.998800 - - - C=0 M=0 Y=0 K=70 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 69.999700 - - - C=0 M=0 Y=0 K=60 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 59.999100 - - - C=0 M=0 Y=0 K=50 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 50.000000 - - - C=0 M=0 Y=0 K=40 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 39.999400 - - - C=0 M=0 Y=0 K=30 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 29.998800 - - - C=0 M=0 Y=0 K=20 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 19.999700 - - - C=0 M=0 Y=0 K=10 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 9.999100 - - - C=0 M=0 Y=0 K=5 - CMYK - PROCESS - 0.000000 - 0.000000 - 0.000000 - 4.998800 - - - - - - Brights - 1 - - - - C=0 M=100 Y=100 K=0 - CMYK - PROCESS - 0.000000 - 100.000000 - 100.000000 - 0.000000 - - - C=0 M=75 Y=100 K=0 - CMYK - PROCESS - 0.000000 - 75.000000 - 100.000000 - 0.000000 - - - C=0 M=10 Y=95 K=0 - CMYK - PROCESS - 0.000000 - 10.000000 - 95.000000 - 0.000000 - - - C=85 M=10 Y=100 K=0 - CMYK - PROCESS - 85.000000 - 10.000000 - 100.000000 - 0.000000 - - - C=100 M=90 Y=0 K=0 - CMYK - PROCESS - 100.000000 - 90.000000 - 0.000000 - 0.000000 - - - C=60 M=90 Y=0 K=0 - CMYK - PROCESS - 60.000000 - 90.000000 - 0.003100 - 0.003100 - - - - - - - Adobe PDF library 10.01 - - - - - - - - - - - - - - - - - - - - - - - - - -endstream endobj 3 0 obj <> endobj 15 0 obj <>/Resources<>/ExtGState<>/Font<>/ProcSet[/PDF/Text]/Properties<>>>/Thumb 269 0 R/TrimBox[0.0 0.0 719.915 1057.0]/Type/Page>> endobj 264 0 obj <>stream -HW[o~_qRjI ̓\54\~s9Nݦrfrξ?7g/ϭy 5ۃcn3\va_͋7W懛ߖNv)^i65Ei׋f{o lߛ?,\31U$6~fjOC?pS{k/ڼ^|?ڰtե#>ɰr_> ]qGU~gO:峴SiΤKg^,7HљA m6ɇP~#p{k0xc|dXNJ8X+?F1|/^csw{/<㠇E2GcMo˕+ě㈠:"}94z<JK`î/JIte8Vo^o۟.vfSZo/vd%MzJd/4G!#Y5e#7 f6N2 y r4AlxbDsuys\&ڇ7))NNO"n+L5ͥl-F2&ڹZ6V/Yr9D\fp$v³g,w6SJa/N`<Ѷfz"iw7qBPY7GzH.W'sQm-+Ƃb*(P?xo/cnіioхOv7UNװգNG;8| - S!r -=>z-V;a^.isAU36wWxOǏ.[$WQ Ψ-#McZƐih 
sFNCLl@Ĉe0Lz5GwqĽ%fobȪ'>{I3rXs#zyaKgd o<7*Ԯ@̛Ѣ2!XHdy$VBUfU+'&4 qJqx-[X 0$ -N3:*Yڰj51堖C#L^ݱ#ST}N$=bEW,`O, =5c@DQOJb (t -g GXnngT'!wj2 K+%,ȩAF QL+1%$6H8/ Bk59“@!JTGud19wV'i'։u)Vm%QB"IsǒH*o JcibjX$Lw4ytvӠGtia` mTƵ,˕b(!+I $ƫS( f R/sw3[BQۺP]='Q- +E($WU/3kp3dz嚧Ј 53_)^yI$,HqN\8 %e.):=b&b&Trhcsp&gM?2.2m IJSmmNa!WiBN`@lO,EnEjfWJ5ЊwTBT@#)4u͡jl.D$Rq19ꄁ$NLPjKK_Mr $(G R/م)ZX@CUY,/pmrV,1Sɻ.IaxڶYpz;DrR8+l%"H ^:G%cxcAJfM9xi%}EvYVzdJIONNl˽sJ.0, uaLZR)@rd2;-!W&Or=rT7q3Ĕ;񶷨)?*9.v=Ф֨a_hlKW_)/Lr.%&gE!zz}ezmJVͮ_|,ivpekVzV'I <ƫDiu`=oInDW ZBu7*# SZcuI3HEJ!Y֔S 5/|6FjLΧjj݇4 =9=uY[PHȔ%2*{u?mFE~ڜiΖªz+] iC#k(`&UxGW-ŭz;\2LJ -S!' ,Â4 2&DUVea#5l=_@>cp^C(KkL0񏂱^/LY\=,7~g]"vs\R -q\0q\γtV?ɩ 8O2rovyqYh9\.as}}'Uܶ D{$g, ~tzq|N&a:o)[J&۷2[u>|`b%.NQ4^и5[s;}9?l #l1ޙBcsqATe?xdi6L_x xevv^C i qcir=--mA~JvsbZ=y'{Kpy ( tFeS= YǕ5Rw%ߔQ֗h7lvXŵRWP %tWe%C!ƮvXn`f$*Ap{ч1n8XBl;@ ~Rk[,C LH9pG%ZA'~][.fAל|y+"e(Z:)(*(PPPЍ -7u'aA"X*}Z  >{|xAya@vpO%$!^>stream -8;ZDo9=CT<&;K",1VsT3`q5:;GM/$?\r6Bne'nI'`!CtZSA+)N"=*^nb'GVbA]XD[ -(g.'F1QlCrk2t*^8VSS(briu_DZ404f.`L/NW%3__[YNFg=mX/TCr`L?tBb:8J$+cUZIK1@P[Aar5QGmbrn-*#c#T$J&_ZkLG:CWJ23RJ-4jU%FMkN8V`T%1")4LTto18jJ -q1`E!e3j,%GSYPX,C5cU1EF[*a0B9C$umVb[I\L_4oRsd@G@re]DU!RI"N')0g*c> -DslYrKX9_7p#UCWKmLE@I53qCq$HTWJu&9$F8!WlTP5o61S/W9&UD;>hcTA4>*Wt7 ->+rO+C.3N"cZ:H$LoO:$XjojFA`u"GMF4T/nIqMfI-b&Yj#?,UH..RjkKA9s^2[F6 -Hfd:@LK$/f?ts0N)rk";FN%%N&AOar*1D/o9Xp;a!`?s`ao<(!.HA6Fj$Y/K#U;)m -7*#"bs65Y?]+U0_s#k$$6*l(&O:t(]qg"VU -cc=\q>d2 -endstream endobj 270 0 obj [/Indexed/DeviceRGB 255 271 0 R] endobj 271 0 obj <>stream -8;X]O>EqN@%''O_@%e@?J;%+8(9e>X=MR6S?i^YgA3=].HDXF.R$lIL@"pJ+EP(%0 -b]6ajmNZn*!='OQZeQ^Y*,=]?C.B+\Ulg9dhD*"iC[;*=3`oP1[!S^)?1)IZ4dup` -E1r!/,*0[*9.aFIR2&b-C#soRZ7Dl%MLY\.?d>Mn -6%Q2oYfNRF$$+ON<+]RUJmC0InDZ4OTs0S!saG>GGKUlQ*Q?45:CI&4J'_2j$XKrcYp0n+Xl_nU*O( -l[$6Nn+Z_Nq0]s7hs]`XX1nZ8&94a\~> -endstream endobj 262 0 obj <> endobj 272 0 obj [/View/Design] endobj 273 0 obj <>>> endobj 254 0 obj <> endobj 255 0 obj <> endobj 256 0 obj <> endobj 257 0 obj <> endobj 258 0 obj <> endobj 
259 0 obj <> endobj 260 0 obj <> endobj 261 0 obj <> endobj 281 0 obj <> endobj 282 0 obj <>stream -HlxTg>2D;tI8{Qu]@06^  Nph(!3”@]{B!7}w};kH OM. }dRQxFޭO&59*oin Gg[Tŕhn,lYRIelTsz>O -E+2~ϥ'D'&D^\h a B AC"@@2B̀tȀL a&̆Yp6Cah@B~Z#p$:p@]p4A_ñ菍-]q'D'aN@SqN  0x pHb61b3l-0%G I) -[C6S1 C#z8^A Tu4afbfcY8=т^s1qyv ;OpS}gO_7tҷt/W`Q:F:ET 3t t~KtU R\p1.̓Yk:̼C'-}z#O٣>/lʆ)J6`#(6ȁe -Y5v-+GbzL=PO%)ZQϪe&| -ʦ,H9#<9|.|!_%|)_/|_W)=_?k:okp]W W7/|/on;y"ab!FQb#|+81^Lap -pHRE+C(b))))R)ieP&eQ6LE)((CE/$d(b/⑘.D0ݴ[y1ƐM^ Kf0M{ɾ}woF /K2-BY*̆90ȧbXK!-eV@&UTjXka P 9lͰ6;`'삏 vhٰ>OS >/`+-pa8GYji]Uyݼ+$pup5_W&<7Of|<7Y_˳yKQ9uh` "V577-([680仰zЋ X:??X>?_`l)h1L&TI1&L l1 [`6V`[lvN v\ƿ_aw|c{`O셽>M -StQ:Fb8 c ,$tF^7MY%oD$z#{򾬖a( b*SʲZ$[wۼc5j3L8C:`"La2c(3ÌÍ O?7~aihdl2^1Fknk(kdYޅ)| _ʗ|_)$YW֓ɲ~g1Fƫ85_70ooi\YDc0 !,'P"^԰|##MV5ڰl ﱵlC[8 DC"l#^ȁδ Z6LBQTA4flCsiͧЎ>ZJh9\մ4P5T)V>H9J5C -#H:LiSR)j([cZhY²8KZʊjXk%X5DU۪c%YuzVUjjDUKVuTJSuݧj -n/=DOK*KNw*??r|_~ gYr#yr\ ? "X.K2\P-JJejڨj:8vqV\rb/$9%_E?qN 3GW7 ߈f%ޛP=&v^μYJb)3N̴pgQ2GTgGFV9t͈횫-`5Z lM`4/[8fjV6N1Z V -XpwK DGŚMеc뫇Ǵb޾yqVnJ߯},ݫg??{ܮ]:tء}m[d5HoiKIJzjī8K1aPwT:~'33' ;Rڮ1iNϞQtRM"=s#WdǑsXNck<1)KQ'cҢҊϧ3CRF򜼡Vf4MwFV@zXH[S-,*'|%x'?byђ.f="tVnWdM!dS|5:7dC񮷙w$nwE{ܧ?-M8v&q.]%Ђ,]Bb_JYBJC!qBRFYa.QT&б -ܚE]E]_dqLr3===a/2\6D+آ͆$fYJ\^x508ﶠqȍIU˃!z!b_sB ^CVI4֫U6vctwI yJ|q)Y7H&]&RKޣ'p‰"8CoUFSSSjIjLNL:L 4M'5bMӪMiҨX>ނMo`{?m"(˲bPJ0ZspT f/:Z-uv,(Mک?֕'R@t 51$^ERUY G6GS[mPw=7*aY$C\T 5"hDb DOq@FzOr2lAY Q.C<8\-.DŞP{Q#TR6%SSR/{) NS斠ML_&DvA:?-o|nӯ*rAS;s$Y-@nIڂ_(o"nlmMlWg/V<(ྚA my#CJZtXyT)EDH&2!jaW$zUFM2 MTLǀ|*(Xab+ndWAD\&u^2Hf*rb"8Fp@f݃pVARa_ a3\% $>E&ņ\}0!5 -QPLA",s؅x/ľ:Ilx$=k$R24~lDn9ۍh!08?wyhZ3V+jdB{9& ^~2!iCLQ0kyN|+V.,k|vWa0`­G7%HfY6qLb$H`b4joC i,tܕ6gPC8͡[`j.MfNNJNj-&lͲ396*A)Es\N \Ė`i\\CQfZ߭^U/ =kwoG.2Xȸ^}K2'to4>ݪabiēK):V$,&vfY,W$Rzaav6-?? 
|ϷH8Z^JWyCI`Ҭ/#UѩYsL3JC`&F.'KLѬc_-*c<,ܖL:]gLNXFAXbX0U ,tT$yrK:vLbmB!N |b԰lpa' \R Zet17fYT}f n,38㗾gIl*uNe&=TtbdW4gm:u@7>ؼ7MdBp'wĠ!d)Ѧg_>HuIsR❧;* d/p 6A멎F}g[XPU`ɦRm[M@rXIp,f[l^pfCP.)3aMxśxo' }}:^N:@#ػrGYaif.ѩ0joݺh{ nѬ^8Ds I !`a9SX$/Q' -=]m~D$dyԽ7z]MΛO8 -mz1zUT\go/}v-zkWj@}0ppgI+"YdcXN]v Apk|KTvmJS}}A5&?ckʰl2u] {[+L?̞zW"khol>RCu+_8y[ؽmoEbޒgTXF G~Z\(zUu]u{/DA1|@DOD%Qji+;V[cTm4ɠFӔttFc$jVSmi!+\|{8g)o%O:{)drׁ"&(3<$g0C -%";HJ㊓""bUrB@1>&ҕe)"ua |SVUua>]{zq]K8]b߹ǐiCzd/Tmym߅3A6(VLTx+NikeFECu+2/Dvգ۴)WmM|S .})_bs#g],:RV#_a/uGڰk'+Jʄ5Qx IW=ݾ1|x4bV$dsDG۞^@mΧ`ml$.Qaᦷaz#:yـgFu6_Ϭ+:q͈ tUF2?2MȈ4r9^{މUY7!;Z;A1,~ƭ'Nx<[nvVYaGCTeQfoV*Z Mkaї~h\H1Ie˵T&F|4C -iZ -rޤV(LV,kgˎ"/mNlMm%e 5-'d"u0Ti?:M:*QK*ֺ$ -TH1 sq5OPd%%Tl -G_9Q Rϫ;¢΢|1'7QiN Pe;دv`1P:!qcvc zNS -^W#+=,i8G밯yHiT\:ܙNZb㞗qPhy1}{J+^TO=^\T#EcVg:/#d+Ώ3~`a R_{QN':Ӥ@Wr;r`4s+, t4Qx/AE _c\h{!W Jq?p@{0:A;Y Sk@ br 8,P7D4ƉV:,ϝT!ukutf}n\:*Wt'~g}Gs5`=#u˚ 2#5ud7VԨXHޡG\ |<1q8y)xHDˣe4R@H*3m\#ޞI䑟Szj` -Ɂn1! fi`r_½ ,MP澨{S@_ -UƯ==Gר =>Mc|MpAhPO4U@m|9瓱7r4{unpJDbޯ0U>}XoL3Zl*尗1O=yӅr{Ri=@^k>S0>>>>>׽d_zGuq]q{of@EqI] &J Q#XVQI@kl+m ąDc$HGmE 'ZEB.5Խ7?k's>c-{ksiw.}?33F9k;f5B]QY4ZIÜTi(@ >ib@ 'ch Ω4zxw`_ [E!Q* /3* ?F僾~FEFj-gւegx>Fض}7Akp'd6Wa#h߂m N5yFD8^7vֈuܵvg 9 r#`g1zv - VѝK`X2:L@_Z~΋j'8jѴ~HW;rZK z510X8%p3 dII:67>-Bl8|dP'ZI(a F𙡴^A})\54SxiA!E9Tu]Ƚ|!xbi"-T= ~_FBUȞ;KewQ^dwmb^gei a9&mNܥW>bdJ -N6j`^ukMG}e2BGo&"F=fWC `~ f_FP[َ -GFLP߁k@-ڏav> 5BըCNBx>@Lk~{-A+w=|<\y nk5r'Э96C>yN-e6jtJALB-4FJ:wl>)g«"*~G֣V=tyŦAE#iB1ޢрbdl2# \2)WڄϣB9{?74O^esUěI`8JiF='ަG4 U)Lq嘧E-sk' '4kz]4mޮYN/E-3x?|$_a<]SM5ЙAX é9]㯣K@Z 4ـPwZwdZ|W7ώro琓_P8*#[Ip6dԥ=yW[e@̣Zw:+p*},M.}M]؋yv:^yg9:yo#w˨`sS8;'djܭ#rtsvQS<( t q+s^Fc'+gЃ8I -jZI kI8I׆[@7#frٴךBly&Tccu`i_8>? 
\<վ>X^`/2f$XVE2h?d9M*jdngᯕ M _~c5S <; Uߌp&fT5r'ei̴S i#}kʴZ-.~]>Os51`'Ƹ_=]׆o=lc]`!ɗ]gӟ%O/c WÅzw耖{ctB#㏈;i]mE-|>dZ( @(WG/&6a]UԂ,!mp -i@*AcROɓW|NrM-2˞*M?_DğsYLob;O"9m7vl<bd[Lgo۫Ýj-%ȺE V"k:'†R6 Fmya;~wٶtght4w6D(G >3{_?kv!eU3ђhuП4GDҝ;NHBBB=N qz8\&3Nx?G Cqb{5\>ȭkJtYiOg;M4&:Sdc_bÕ* -+>0=I*vQƵiIW+NqD?ckLȚܨ贞/]F q엞Q$x NRE+ui_hJ$<ۮ?ՙr,>dӶ:>;>kԵi X2&)C2N/vqxA4,ȳzyN5-ty䴖mIU_>V ?ϩc9135*u#d'v2T&_!ߤ a3'e:梨@pwb .?"'wɥvā@=y|%a[kcKdIt,{<5IvOhs7a.yK.o\y 6O?\~.`d;y1,I|mn=g%4h/^}5 o!}\o4@nvX<`~:?zI}ܭr~tnn 7/֌gj;V.'fN+AS1LiUfd:iC-p@Vھx:!|o ico^[(,[?ޮMA]vcz8$guY:=N3';^.rKQ^kV0.[-upR;$%&s}]z_ _ 3u<frl:6˜ϙ[{&S_I˰\N:P&_YC%CM/?:<Y -+WQ؎~`)1ǝ^I{M/K/^dζ gIgrÒnυ>L0SKa\`a&N^Ft$wH,wHgGUȺrqlm%㻠twML2񿈵`㵒mIfʨS^$&dμW-#,z;eGs</ɦΏ>z=gI6sQzgW{婆gd^s{ا۷Z~MNgtrqOT'cu~"':a5Tuu^p?v:hku~UbSUgw#}:dNݜUrx^>1)24yl4>Rڔ6\qy#%j_U{r欒=23+Im[wāLsISL83;{lKQ#l2v/}L yEDMSEIX" AAj>$@B(4$%E4U]!m#Zˬy3s3Fs֏oKwA/a;b[#ߡ|vm%uhG=_9k9bi{ߵq*ХtmЯ]Cv6aoTӗCgYYyQP!W1>95oo=bM#pv*̙{8 (36,?+l;G?*XF2 CsM]-JqfV8KSڐO1-7~7}tE)Zy8R;Jy( v -i`hB{wPF9XA@tR<(w{(`&m{UkӓTƟLI%BMX=ir+r }ًącL:kt}A^D| @+kn -\+{%W`\-ǚT賮X2}s}o>ICr*rsxBn=[x(o~g^=Q$^5^tGA8W^X pk<f\qd y<xr@[ ח0cds-|#&3xyZFevYG<'*@9PV 6u43!b-3 FL++iegdfY ʦR-CƠq.уƻTmvҾ>ob}/zGVM=t֭4n~i%x]ݸKKmȱm;+ v> endobj 283 0 obj <>stream -Hy\T=3aqEDfdpc}ںDE `5IV?iR|jbL4qCDEaע;H{wν}= aB¨1/uLjFf~Sf)GR;}(-kzƟK"l%3R#zDu!Aj#uԌ^R/j3S)H`|`42g5ix,59&*2g/YR&{( XC|fϢ4Ҕ`"O18wt>.F@u W}wCIr hTʮRXU}ӴȔcZgZo/XkxGט K嘺GJ52X3UUO23&]h6~IDZ Fh DmLۣj*FN=Zwֻ}AHZ`G#tD;;:9F:82k8 s6uj6v.dg:pmvpvs}:*pr]pUD'GDEgʉɉuŶ5ڇkO?7z̞pOOQR[S_W]WSWmuQ.5-56/ [x[4]D'}L| ^+D R~bh-`%Xex :V 6=#|O)V3| __X5M$<屛 IH$ -.2H%2>"/"4b!lIT\djSK>8"qLzTޤ'EE mjDPcz{復fS3ʰ2"jN/Ԋ5OcjGЧOjOWg3#uԅ%uzN_Qغb]JRz -}G}/? 
4~Yu–6d+۲xg;mmvM}k%o؅vw89 xݼpg 哜ǧ4O -7,+l,u9˝t>qV9_8CKmi6nFn}M]`u;^w{^P~qnȽu:D0#tN֛6K,}E2]+g%\e|m.|WWz&y='NN卼41Mo>9lm}__`?ןzYU[z[]>GXS}Wjlkmhƶmjil6hlM6ͦ ilͱ6[hls[lK_Gi A4PFiQ4XGiMI4TFiͤY4\Gi-ETJi -eVJZEi u6F6f*-vA;i=~:@#tq:A'3tG1>_oS:O[}A_HH?^KzE w}10r9.̆+pEĕ -[ʎ\s ɵ8ks q0\snȍ17܌#88c8888S88388s88 9s ܊[U[|] W*\pn- w.܃#x O)<^+x o-Cay  VX +c(XVXka@ :!auaclMF`$Fa4`,a<&`"&a2`*a:f`&fa6`.a>`!as,l-6a{v.aw=>y˽Jo[qA8PqQ8XqNI88u8?t.Aw=>Aa !0p#a10xaL)0t3ă90|X abXKa,VjXka >M` lmvNa}Aoa8Gw\uWt\Ni8gLqy8B\R\q4l`*Jbm/_K>Rwwewww@d`bBMqK^Οy 2m7.-v;y=K}A>ćc|OI>ŧ vܞ;pGw]s wrF=6?^Mӷ}O?Џ܉;s*3do+r n2bM]ݪtНmʼ-[A=cz\OI~ѳzWooi[͟H/rL_$y/E\ʋy /e#~O)?_+~oIsŮ6&d;~o|s.q.ą0.MDHDIHI$H$IHIdHdIHIHIs)i!-6VI{ t.UIw!=v.Ehb]>WI e !2Tp!#e12Vx eL)2Ut}~p?]{{]Kv).եt2]v9.|M9SdlcrMhm ZWi}m 6&TiFjFkjk&j&kjkfjfkjkj6b-R[ikmmQ;ig]vS{io}:P`Cu:RGhcu :Q'dSuN:SgloOyGGQ];| Yp`fH Tw !0 "hjQB[z4h[9m"!|P>3IOOg4WJ\Zlu،7F4pvc2|7; Vg[-:uuuuuu:EX5Lt9{-#tdfP-&ְcz@sX+'D\$.&$%´[mB}l?aۏ!#n=FhhqnmYY???!z@@ ExFgv򡲙3JKO -L\4iǏ}o -Fwxևxy:h`Pq˹.IdΜLG&!>0^N,ࠨݭ)L[qpѤ۽Y jAᥟ^aa.CGh {<*y7T+iq.SGMLP6W~'BmeyDn$es7CN ~šiv -09"d\;B0b=GtjG=a-K's@:ꀄQ3;h A(XM O [SLwZ$Ŵo>M{Zа SR Y)'z^Ъ%Ftm2D}b\憹=F {uE;Z.3xZN3ݴRA?^W5DŤ [<*WnLz?kah|{ck4YaްY8=n5ƚTzc\P|h50hrC\fA3ZkYK|Ղ mY4zv8X>H 'q́4]ˤ<O z@bQ8J6hq$IŝLy1J s,/ɞ?cpXVm|n!lN5GUziE* zhuz#Oi{kփACz(j!] 
Q#֞l5Y7h, F5 ԿU塶ux -oRsXXL=~ؔN>g93HIBfyiroSdV<+gGM'D٘NU{i]th25=Qb_Z=9}m>n]Xo8都5~t1dSQ*|@sOJ}spZd77lSCUsS's ~Zjt?){G tv]?xݭF6NSSnE7WUҕ2ϒIYDˬuj_5֨iWkpg_z[JeɊCki-HS6Z(@x m<``` %)MGm QJ -%3 C$3A$mPٕL S{{w;!T vGn^⮁u㵲&kKZ5 \ބ ߴSYGճ:Ai?E)+Cqpѭ~`t߾ZC{_*=?)8hb@"# uZ?HEga} .3ʀ,2>HW$ -g_ r`A\E\Vbm-!o`2EA||oEJ P8xzPDƙ}/K}Oq[~C.i{ Ixᛵ;)ziKf vR(EvblQ 6F2 hZi%1> luzmUdwFQ }XH'Ųϓ9N'&rc@7:TB7)BUQqAАG +C{fqՙN7c 3a[&Go = jܷmjԚ8Ff=ܱ)'FY[15BN4=+`f:3S4QWw%F}V_nyܭ>h - /7՗ԥ_sfbb&N2RYIb=KBӆw[8eLtq -FdiH\?Gn~P/R|~CMZWaְy$利UD~O*>HkU".)fHßOYT961dϓR1ڥgbsyq}.̄,&ʨGUL>rk2KZ -*es(Λ6m!d+Zg~($- $K[ؗi3k%Q,ą -b|aaYH/q[k0=Ӡ^^N[@砠4|L7IgfJ"67 OHBƠ`7O+G[1k oHa#8YAg*Cpa^;y雏[ªMڰwnfuu@=C۸GM?x -؍>w6 M1[߂@'~Xɰ6RW?S{`d+ζzq}R}]J0c2)?X caӂ7ķŘ%$ *^XV/CHCÌaVx^-QUg?{7w܆W0HIAB&`Gl$PRD-T@€(m5 V"E(RHʣcRNjeTPܽBc3w7q;};e3bO,wYJ/?zߚ}>}K2#qS~VE:؎AFXs]dG}F{D$4ru3lW^kt2TZ|Y%8V -{\rw冕/-^v3r>1;垥^'_ܭXr0; p'+onq< z5:lrpBX-- \ M#G !P( -O~-[0T+ٻrj]nw@&Q/Sُ4twY]\|$6B]]cu E‚٣ks4;X`ΛWI{;މmlf9>y؁ӛbO{`ͦzNA/-ԛ[oVhƉ f!g- z]0pg49M*U|6U{dSutȹ^J.+3B)#:b2<Ή%& E^k -N3IbP2kJ De6pЃcU1K7TUʍNXH \xuPS L(U(iTE.OVu ~,۬c͠vrk3v 0b -WX[Ҥnգ({$3*8ge: ^g͝Z˂Ӗ 97lCY^ʾlqsL:{jif-pE -U@p< -.cnǞ_'u?83O]uOIum?7iSêfn3[M?2OuնB V05FxE'&BF}^_T636uQ]u~OuxĻ7C]+ thRw3`f@Ϣ7/we -ɽ5ytpO[{ER[>%xN~^Q~9 %C>5w|r2H}ח+tx˫ 5 __=X7.MvaZ^ Vh}hu4ͤ aj)OΦNGFZ cm9}R@+৊QFO=$2g|"f\XuzV[\j4[zF| 񿡱0ZUT}B-Rdjanm όrZXcWXyrר'~r8!FQt,[ajobðJĺH<xvbZ͎05M}CT5J#tUvEܻh|Pu[nUs&0+ʫ 9Mr<C:ΦDW*T=jQ{'vQI1r>;K"})tU"sEҰBsPkϡmb҃tjybgx뼫I}mTLo_zb:݋za QOazkSnjn~u_*eJT -xfD~`/R^%njuUmlSQ>_Ey46J~Ep8§0ԧpjl}J=53⌅z56e&?}UU'puT -cWCK- -jU jVUK{7pROH*<|)/>OBgКtX A LSa!mEy<{i7BՔ oFe~ ~Vkzթ)5z4ސ۱5cvKse5K[mJ_}zMk.ZdDvO;F_}yplzP76W0zD41dl^Kćo=wwソ RHQ R/!-5<@NLJ+/"" X PD($<e$P~%9?>sݻwٳ5UbzE6Vk0&ׂ9 ?pL(7Gi>gd uC2)c~RD Fd("gw(@+Qm?ib'\G΁u;efEB>%4* ؿ)pNJw$?Bss\|"4"Ұa{ݑr\^qLke=Tmt0\=)M\!a)kMRmh{xRV0TrP JΑ!kT58jE -P ʭNJVr7G+~P Yp C6Pe++׵{Ў]޺hurk]?ke఻ae Y)e=}Ywtdm]AZ:cХYݏBc!(iaЇ\AiPrc  -S4;E`nWt{v  s!jl Y?ѕKQ= -1ݎ$;\v:cQK7iCms}9聚} -M6s'"o"JҹM{6oūlYH8x;",0.{'7aԪYU,i } 5m3bOQ1]}T?4zL{_@!45{mIgB#_Jt.GC[{qKȳݼ}85{' 
뺹>4D6tvDenNwIiTΚUMXCކ<$ߢut'7YS:ER[Xm1)U!؏z?n>I>r= wI)Z5McW8Pi 1 9`03V<6YG 1qFDz.ZzV@G,%yt cԮ~NZ -"qk2(HV\U`,QBe—YF@]N!DB-2sثEv77l}=ӱB̽+OՉ'lbo }~R/J/{Jy;`>CF-V@݀d~L'sE8 .ɇ >lC昍3h&/Δ*Q9{u0J"SxWWp~"4я|݇~q8 -ea߽ZCs'sep<ֽ: 1(iy&V|C}hkfI|V:m)ȥXk5ʷ+XS+_w 9 fÆDZÍC;|#}Mm &%k&c/M`M.8{ +̮rC}k>ssI.LvP4e΅11ek %᛻5hY.T6J;)[S*]x}<~>djE*ͼM~-5[,='=m?XJһHH4x3CoHg}?W*p(}! .j[9ؒgd (Ri!}νdVxg_mSo&v ]I;S*ѩyUbV1[>'MyVC޽輕vXd[ho21*4G&߬<t97"3ӽ=b*{a}SM& ی}W$7vJF͡}Č}o4> [k#Cjكc2cQo7fW0:IQ:^8>yK X%J=8GCk֩%Z>\+/~L0GPkw@%o;)g }y[͙;.JWL]EtLGq^"Ǭ# -%iT_ʞ}y#WȉNrwh1B>k' e{d*:ip8,,gA$`5n aN#G8,Y+rYl]we=VD J?rfLV''v-N5TEW/?p-[F! ΒJ)kP&-G/ oR2ϭMvP>Μ3S.Zp)[:,gu-3ƙ:ewLcӐo mKS/uekI`\G:~TF!Ov.riH%}u8XOb'~[蟮~ޔ:0v9G[/< Z:Qni ']Oo_""QIiA,9s3ϣ|Sh֎{/#[Oơ KD[Q_j~CQq|DeUG@Lԓ|^9'67HN|K;Y.$cE~ay4ȥ\x2h"1@ /x ~{xrWJs&qԋE}"'hD]tv?d' 䕩EȫæӗX;(f05xu3gyّty9ZS4<ɷ -|(#3ꉽoӶj_CW1?cC^&UUg߻ܛp BX -S -J#%R)/ A; -TV %1 В ʀP%RU@Rʖ{F;7Ϳg_]Ti>#ۑQ+߭G)WB 'o7`3m6?G>S+xVw7yؖ37+gRue|Ji)^..sdis :a@Ӭ-КbF9 6vc rL ?|ws<~)oz y?6&8hu5k*tVV"Yz:De:,#Tin"e=LO2ZJ -@8;H^,w2D2Gu (tl} OKsln*$Ic&YІrGNIWרn/Fr]qB(?苐0v:KޘT q~KIbwyco: [ݛUH{"yVgm?Kv:ƬXNBJ4 CE#)ŚXuK <x\%ŎE.`XKEpUuս`Sƚ)OzuD^9/b^k*omfUR|_<)xڗuvxb&ɌݓkpD:#I }]ι5wuaq7:V#{2>e}B:mvnp^p2wzu" }}sBV1bn> ULkal:"oH4&B.T΋*Ht^f>@@{4xʞ\ m`c{J6 '`<5p*y;r(:!CO{܂pN9P7r١ 280 vD/0&ad - - W=, :InPc <p ftu(YWu -?V89ʾ  Y`'9CKho Fs K>c̃8~-oNK $lIx$)/D$Ya2 y45`e -(B(23j)PPZbGYR:C˯{W"2Z_|~{v?/ŀk Av1eGNJ_fS ;Cs! g -_Qp)O4Tަ4u9 - oT"kd(+ij]E5+uR:>E䃔BαTol$.%Qy$#~Hxzx1exwo G H3_' f$*B\3 oEg^v$=woX-<9Bi)VQFϩh ?u颀 [akcƽPs]Zaq4a~zY?TJ%~;(G8b9 M[F{weg!Rb>ʳ|m 6GArzR\ @; -i-t-mT۩ -c = }N31`OF#XgFi"eN,i#y$"1y~2;U ]WwgG t%tY)G+DǕs~ Y NstV -mMfwX~ֵ\Bsq?7T_Fȑ~I=;q~h~(}'hf3bOn[oa`N.>b/{ol)lyUɅO ?^SUxj/+}Y%]&LE)yRTz'<>Iz7]tkZs먡LEl`C[짛[żv7YUBi;wf \v)ިRYGC,asqƺ) -8~(lAAqw~ꋏa{Vx:uaL'8s=Ϭg:϶Ƅ6Ny+M/Wn5ك 6|'ۜ%&A}o{8"r?k7ÅHǽ(j$g01D68q#JD"H$D"H$D"H$D"H$D"H$D"H$D"H$D"H$D"H$D"_ˆ7-*ekWk}<bŲKUW yvdU^Vm`H9Hº ŶoCt? 
Ii?UI+WӼ iZڴ`͒>-<޴o3Y{_JI}S3Ʊ!ؾE^GIm~B7"#Flo6nt;[o4nэl[0nYL,&c^a-blHXj_g)vu]Ut)bpO L8ͫz:-_YkGYn@h&y4+#~|oW6?5XݪЯ7w`}j|öOxcjcc> endobj 284 0 obj <>stream -H}tWǿy&/L3ÄaBbEdF nU=cmVX]e[z!-*2$3{'Tc9{߽}s3w@|z#65 N:?P<~${^tb ЍOεNВY9Ic~C7=:e-z) >$S} -o^[`+fށ#pɻd ey[5|u: xg5Ȟ$7AR&HaD$D?____=uUc| x\ٯVܦy> ymR(pcfwȕaa#NAj:TMQǩ buzT-S jҬZSi Zk[/XB,VKe%ÒgYc`hUg5XZAvVe&[9Nn6n>A!Q)Y%[mdVdv=2sZnE1111!ow񗒏K>-qq!>xgs3ݜ2ѕ*p5[XP\[_k~KTX9\0MF/Wg>v/Mi[͜h.nW*UJ#RCUMMVSPorڨ> ub~Z䗮k{Z3~XR-3, -O vx_uR+bNH~K~_N+y2cʯR^CۑX=%vtpCÜe͍-4/5vk\a޴ȴдTz=֔vi8aH3&D&f>I뺒gZ6}~w9f:rSv$G6P3rByW&7mgM~~m7Xr ~6m+Z~*sy?'YOx=};Iz 3(,,xG?uCvc9Vb#b+DX F&WlVB>p1&"cN"N ay>d42\ďXi D10 9|@!bb,g؆",۸8HCiIhW(ӫpMFRDhHEEC4~Goh,N(oiAoR:eP&eD8,;-GP"_k8& qRuA8+J9q^ (߉%qY7X7D\?B\JTE↸)nmqG4hEx G'X<N,ZKLc= f66{rnfc@`Pvܞ9;[iUZ6܅+Gs7)ϠXŽW܇_܏㸿n.AnNhLA<x -9 -^x  ? -$pDpF'/ -DAQHEDQQL%DIQJeDYQNDEQIT*>GbXꢆ)j4Q[a^x*5xo- o=#|O)>_+|o-XH$ DQW;I#vH#2^4b'L -<*H08(WqQq*A%QqL'2TQy@_۩2UqҝT>tv:,FTjPME)P]գO)էs5/KJ!5Ԅ)5ԂZR+Z=UϨ5}\r.;Wl窓Co vBuNԙ~r9u'<X8H`bz)=׻]gl流]r f6Zǎxj'؉vl0;Nma#Lig(;F9vgc|.vo XlA[ElQ[.m [Җm[֖m[.ù O0{.Ź}&|ڧbƟs7/_qCn7`n͹w܊܍sɽ7܏Dst Ӑr方ͥu-tk=@#'tN)zNizt>#>O,s;#k򦲩fj Sicڛ 2M 7&ĘXę5&ͤ&d3zaL1w]gGyf^pK&]A\L./eWpUj^k9:NDNS97pNק?<x8yLinYw=t/uՕ`p{%@'# (ݥҖK!ۥ}-nKx5Yw H ,h88 \ |8}] ^W]{I^JHbHRHZ8P -49es匜 rQr|-W\~gÂ`l0.LV&+)L 'Y~_7O~?M%%_]'ԗQ@i !4pA#i14x@iM)4tA3iͦ94|Z@ i-%rZA+i5z@imB[imvnC{ita:BGt>St> }BgtB<]7H_%LwAW+'}C9"zIJ5;20r).̊˲a>.–a\+pEJñ9pUI)i\kpMřŵ9p]7FܘpSn ~~ܒ[qky|om;|܀< 6 >< -16clͰ9o[6{[b+lcll#vb7='].wW+Uj?8p88 -GpAa !0p#a10xaL)0t3ă90|X a,%rX+a5zal[alvn{ap]㮅CpQ8ǭXk6'p:8 gp>.\p9P*<P!J+_RS_%̹1s9 q>q.뜏|ޙ\tTQ*NY'׭6 niU7z-v;y=׭x?|>8!܆r;ۇ-gtM:=]G<~;pGĝMR-U ޵l[{>,Mz٠UlMYrdlu7wlݲG>/rQ9&儜tr.8*Yştm2T&Mkx>/^j#.r!?%+U߶ljF\¯\[Vmd#loyMw{}'S?_EKc\M)Sڔ1d(Sx&`B61cMЄ0STlM)6զta*pSDHeM5q&$&T1UM5dMI5i&dꦆij<{޲mc-/m}eKckؚʹYͶul][ַ lC6VPRUcD5UTsUFJ -RQ¥DHDIHI$HeI*RUI$KJKTRSjIdImɖ:RWY&3w'y?%攋]\10 ,,!2yGx7MЦ%%iBҦm -)Pi4LiI2dN -M۳ḷn~w7_5FOgAjahz:6FM:Σ&MJt!]D4Eb..rh7]Mеt}Fn.0 -BBzt}>A{`h"HB -vn~j^X ih:xsX7&5HswJۥsHÈy{H9"+-#NzKzS="m'7< 
yxË|/w{}RZjG|1%_>>>E<d[tKDUT))TZLWf(~eRJH (JX "q;Nws78Dpʽ^3p^sc8"^+w~r  -WY_8yr ?EFK/]~%¯ GzY[ȓLȕAgOeM CWCP߄+Ȥ>>|pUp]T  n r"An'戹Ȱ -1 y[E V( -rEx2"^ j=_y=Gݢʄ".`pX7|؂c@ J -6Y0<쵾hpP!MbǟʞW#RI<}Rf^fȡׅ[w1HEK1x}LR 0\U{{%::O^LSK LwjT}̟ lO^VKu7z4bVm.ظ#nCaإN5' --'aL -/EMf:T2`qy[M,LyXd2utrY-;̑afhŃـWaB)X3vXW /#iKo6moVmS7(:rldtǾXb+hIH$2Z'r%4.HM(l?|W{Ty>P@YTlhcIOvH5 -ZE+MbPQIJԢU|h1>PcxDLz=4ylC7 -9;3w߽72Buڿ~Wc1*)=&ҵD2FG~p61^i1hC2ʼ$) ҆Ih7D`0cWM-INϨ3dgS?<nj2M 3Ć%I_1ʒi6x)8pVc /$B=Α,].89?/TJOT VE&F䑓hAö2;';!/%x1^}#Sr&SFN)YLaak-1q){E <;m3ƌN>$ȟv_C9L -y~mu'xnT9WuU?6uDQmx"5 ܤo4Ie -fm87LܜômQJ(t:.>7}dzz87/` y.rx]ݯW}S˿.>ްtkޟ5s^WYـ"7`}JɧDA:avK4f;j6`k GP4Xpv9%Ф03c֬ݎ+ػ6Y~㫋~5kiRl~")wW\QEUu!vtَQX"e(nMLL3dsQ:JCOi@wm9ڵ&s2N珞9I9y{ -ag5 @e?("Ŋxx tFc&M~TĥJPC`o܄goLga㹎v>.uPosPsWgo^t IJ l-^7(^D{VƬ"4iOlӀ֮$\[(tyoǧ+7;\eӫ0L_!QmGłG8je<ălT4fV@!]AutAkC!)t`AO6 W޴NRS^`ʋQ-R%Bd։?0:'ʆC -ۯq5x+.L\nۙw7w>^QJ*|xy7ݹnR8vˁT{\vI -M[,""8-~kxp s="+{xjv3,À{*J-035'd7)<)js;'11kKIBΐt9}VW_ˠ=kehT%DڙQ!g/3&~Hqn:UxU+T5~q_}rҋG>Z3 WE!wsM)4D"â1T -t$YN &#D*5P̀L~WKܨ9ڼstTתTcӿi-_Vׂzq v9WY)/pN OBXs 7FE-ߩ*Ȥ7PSt}61w&uqryNEuDc>@Y>mnu ?,~aI pcc*BKf*}llv{UgLxeaV)Vga sԇWr Y$2,|mQ.Džт RlygOK#&m ll(KpIE -GC@ ^e?XOA[+׭n+?ЃOQɳ9fB#efvfvS)D6 |@WL|@;D4?ckK^a#ðWuZn~(j#$3BlV]zk02E>/?/J+o%QU9d? -IpxMF=N|L*MFSuhY/ج2?[:!Vlife9IV u]!CM'5)، HV;܀Z1t&i)0 PR^?y}WsϹy:V쵋d3rIW(R&Ѿ\b~́K4yn5N u7?NK!ސXi6oqi:"ɌHp,u~\ͷ͒^BXe;4HzTBrZ -t%H©r͔r{3%J.97JBZ3?lƝlyѮ,58M2sJN<¾R$%ߣztRUQ/i#l@kN9+Gf97=ڥͅ9PkBll'J1s&Jg0 Y"xi?[ 8"N)Be1 -ws>ּzJ5q]nt{EMYkSc[csj}T5e$P߬]p h dM -w28o -.sۂ&ZbI7~Z.cLR'œO'I]3vS!u/59/9Nq}&b[yyA慹4 ׳T|- -YܗXm򛎙\d}ӳRYb풓zdB'qV<;I]t-[kԨOP;<(9nCh=Q?wBO-65 ؆ɓm54Z AﳩaR.b 8ZlFa0QrkyR5;'i<KW`Uclތ_kM еuR{Xau`0r%@ldm?}:D޲[+/(ΩCF_5иOo|px؝C/`7I)oBƩڗQ^*c2O?a5>A㤿%O~^c}̒%bf~J\ߏ:dr|PY';]>3$i|QKܩ=H:`|[2VsS g!Z+4_FeZOblb׻3% '^L1= hGipF5r P;Au1u.t.? 
->'UA'rvqlp9gw/jN{'8QpoȚ9ȧg9bUqD잲cht4F$sA1qf, *ùts\͙tGut~zW+&z `eX3z7]e>{ՐK ];/5?W@38=g3/cۗRxxڋ2 -~ޣ?y~ y'<t_O}+ޠ)s@I/` @  -@x|<\_ܫ B p$:/|wt}0ff'u|=/_SByg&mbf*D>C[;&)tM9T -ȇ^O_ߙ9.6WGឡud䝄u>7]}Dz&7/u9tﰶPVRî v%kBp1 ouג?!o 1r1"2))ɔgM>F]f]],CIzkE5wDtƾ=.Pg/ܱS}ӓD ﺑ`tC/>Ѻ!Ⱥ&ǔ|.s5ο#K/GN,TO3~_XєQ=c=fZz+||o4vI݃9{]t9U3;:i7V&nTyMߕ1O? z_mo^s;;͹lzք6=A60ֱ`^ƟKAYF<4])C^/#z}5Ih S\Qnֵ`F91_cR{ -40CrWcv˳o;dƗwr2qy3޻ ͹r8ΞsP"A␚ `[PMi@()ШRHZK<,Z3T`tlPu^n cw{v/lflVLe> i좏T]Xcg0{ewHw)s[|IXyta>( fPv3,)J7Ft)ީ7o˭{a=NsDG=qg!:E2cTZ㗊d.:{4]{4ȌmJڻrKf=&!/d#ˤ/`mE7ߑTc>#__Ca)6L_q}У+cM6ߑ ~ MHׂj ܥhN{?DՖj^ߩl/{wcFLٛMT"KpBbf䦵BrU}yi${÷XNܩpwskQ9.[6Eq&dB,sૌqܭJ@Zv*ddhww\R y{X۹TVX}v8? ͖h -ketDrN<&S6B#*+~]6pw*o*J5UB{5h_[z^ -m -mL*hk{B{Q -z|F{cʬݎmf{/Ǽcڊ#koƗmƆsXi|5!ϚCσQ~o-?ky%k+0g9'nfw$?鎖;422x֋WAM*!FR:s^&mT/<N6_ _4uS_cx۹?$M1Wjq,9|_ I7ZԚ0$b vw!7Wy3Pz.SW3xvY2 iA㹊;w=}W·ґbN>_9 _12ҝ(tD>xv5øCiGvlFYgcOȯ,]Ax{C.D,cJ_k|4<7.iu. -Wu*5ڕuQnfԶks%\yY(ƞ{gx;ܩ\=pFCG'7Ji ̿ Y1d*nVߍllGOixil;}^Fa>[-I-2=Am9m}븸9+l/j -oJ(4|C~:zp!9'l%__o?c<4F|;XLW -&Eߕ@q[GkoOIwkyEwS#m#O>IQϲ3yzexL_O;ԐrW:i>ײԜݩr h~\g&^tbrID,zȑsr WS#@2}Nk/IG/vR!=\v}|"^{K}r=51?ӽ̞fC_<=%#@ O?63-ԔybMndh1IH-9_ɃyydL9ėNJbSi3j4NE*+ Sa2yܣ+}$L_༁ t^ֺ̓fy^Cw<9hG/vY拺&Xr;g4gԱ{&ϱDM\Y>w.7& -y/L9~wF?xVҾ\8/  -N% R0$E+ DQK 4' -6CkE)j}00K/)(VrsɗHޙ={GK}T4'N)or،a;v$"c6SURބ?*:7Ѧ7V=}h;9RCs |.8ߤVK9s66؃>oσF*59;NYpzs&'@(nޕ_VACw@V4XK,(QJi- 9{_[<)mOM7Mg"?SmxZi-ޜ) _|b<4|A˼xQbj5ERI{ks e%GΖo"/QyOF^|:_505۟80wO"Q鹘sƴt}ϝ#7\%f-f37 ruAԺ$lWuaO -:|Eޓṕ _Pw/ 톲z&ͶXio|,H/wܮp(͵@jdZWRܧqL5VC`A+C~_t>e7`bC% Iw/=B8#eE"ct[rc#]eK(Ӵ3^}K?<%_*ʯb*7:%&#_ֶ+̀ƟM-C<5o1aNoYslHg W0~OyM֦+2(Sڽh{e\6(Ol1^:\IW]lp -ZdJt+ClZ3~{;d6v!ۇla-2ƮEwQ:)Jns(_ҹ|ֶ,vOR$9ߥ.rev;1GTccYRhO#'h\lX$FNV;;c,֔C|SqK丟p^%F/%P{Sdsɡݓs'AbeO~kdFp0y͝y?1p7qA1zzeqRފlLrnc )q*SFgO1=rKfțD `KGjڕOFzK~8ߴouRfZ&cgP#Λq%Rƹ.U~!oXm5~Rf.Im,|u8ec'wHZ6\-"RzBs:俓WX/=pm>͑g#LNyg<9)pnM|PKnrg:R|.w8G1g\ \ֹa2/R#]M~AwR[+rL ũK {Ovm7{9Y?]v8tt)ғ6qRg;\5'Yg_?WMR;>1L -I?GmZۥݯ(odW<=j߶c~ȅH65vim8?6|G+yR$WE%k Z置~rƸhwדXM2b65Wt#-D[N=[n|Q̒[,O] 9rqD'|HJRwcv#)Jyߟ_H SwIA2rrKr]ھJAG.6t~U)ZSTN"9]%%䰎W(:ZM\J5/YB?IH 
-|t">8'C>B$6{wCN{h K^/]5s_@@rH.104pS?ل!\JP SE7c/MݓjmS vaMڋ1]dX -7{Z]KM4ٜpH} ؼ W8d#gM7"nK}2r%bB{_!k( zq(|0 \ǃ~WY]|K[d$ $M -%)`$<’"}! $@Xe+Vdm0 (X2Xt( 0Xʌt`ؾ{/!Z0?n2w]{=Cb)V݂Vr60~u3sf7N -j9 ĕ~ QO Tcu:aoCF! T{Qwis1'q$]hqe®.m[/QYGJRn㡏#W^>yZ&p7/M˵h,_z=@|dx 9NįHiǠAa66\$x&*RC\P50@GP :FJɁO}4t{Mn#B 8A\ny1*< )#WZ' l8@.dO2Zw-ϯ -, ~(rʻNp.~~ep`>]QA=3t~ނdd@^;&r l@>a m܀|ȆӰ>SX Գ韅tG"u~5Cmp9kAzww)J߈ߌ?o6iULj2cCB2a,aI;y\:XdQF>RC5)u=S&~q2#凤x#&!rtr7$3|y)E^s㎔Xw?,?vdGxicN?j޽zIxW|)҃1^q $I Oc16)JI2 c%;s ne~ V%P/XO{=>K;UAJ콀gSERfwӾ>~'_ [ˠ_4d~CdGdrj|Q,vߐjcq#â 1򡳻j\y{Z=j̡@ٛwTFTGIw:wo|ԫ1_uitjırNPlXV:w]x\9>hpr~>B{s,4{7OJUnC5]\w3JZ뤪YTk"GՑ29ȻibOt'hK,Yn^%B7!67D.C*K" 6lvVH @ɒf+-OJ/J`B)ioo'mIIkr,ݓ ?jh+#(p~Jȁ^Z&>}RRޗN<?gĚÜ:h(N;UoaoB;jٝ!TJ!kS!NdFuYrd>kg=sV$I4uLCR}7iBʍk -$1sfg k#!cwydH{KҢ$v՚(Qu*F:3WPg0;ܖ8ҷkuYSĞvdeψ:r׻l ٥e#U>*"0_wu sȭ}ޙʒm.I>yrO\AZ7~y~SԤNݽ;A7U2Oyuy0/9z -IUan,w< m_ǟh4Fh4Fh4Fh4Fh4Fh4Fh4Fh4Fh4Fh4>"Cc^vOL2^l#j, -IKb 6zlDwђi5hJݠnJK9-OFt[ .z8>0sydaѴOfz:7I7.hR"? -&3a̢n ZL>KM ZZǐ?yng~ܡƱVG۸[j&1tF7.x)xx]gE+Q=F -1smfj+[}fYĩ?d_%N]b ^ QP(%H(5Qa[fL|qFl -ajt贆p3CE"),h`C֠JMPjD  ߹`g.R sY_Ĕf> endobj 285 0 obj <>stream -Hl XGyUhP5^+  xERQuxjT&1kl/ʑOZwWb -u@e[|y(UEiRI1؀GAB9Ouyl.6MEgu+W8&/Ն;^r%+RK3t7 UՆr/LJX?6l[_k3 .]]s]rmsI먹j6K h|3vQh&n= }>BC4}UFhdNF`a 17757u4u5i^>ApS鑻ݼSa3r5mpHGJBB/W///{Nwo -Ѻܺzj77vjd?ۛח%x`eh5Kk ; 'ԆP-gX g+;4JiTwn\:w}lTa|ӨG&j_xoԵUGwZ9S+s3fHG%iMx fb_οTG|+}x$ci_EW{W }jGQ/ba-}/%UN"'vA1,UF&eV>U6", FuͰ u3|{1 ~N  Bh(SPg,;` PX"\X a%C$@$B2@ -A*̇tX YdC.Bȇ<C!"?aE?4 !C3qN&@pNF @<-q*N'+NY80\!a*`$Fa4Z0`[8tv;-aG|;PL$LL4]bW1_CWtC 3p4@#ԁ u4 c&fa6`..=b*)> :D__0}E__oY+#tq:AetNi:CgQh:GTA]Kt* -]kt]ť -\;33փdXoևy2/k ^g`{y!l2\PJ06`#(1fcX|rKex6MddX "FQb4Dܒ&E#~w=zT=WOeIzZ=Uϩjbi氹l QΉ1b,Y<\|^ y_%/rpjjkZ? =oUM -}?x w|V1 -+81^L$1Y(b.f(~8HhP *>G@DɔBF)2heReSBʣ|*B*Eob-D#GO@<D}p <ȓx2O<ߜW xU379͙o,[,$n@kۤ @m]YkmQ6QZa -VT-.[k{fΜsf̙|>_|>/h+L fx0Û.[B, Ű2X+`%Vށ5P a>l,ȆMl#>OEsh 9  `7i=mOg9Y{apP.Cr9| +8"Ųl.[Ȗ2Mr̐d̒KelPRZa8̑m*m$\ -Vj@Fr܀ЃQ1q (ߓˍr@n$L/?ɏ'b#`*-JZͱwh4L ls vsv;v."?X=N쉽7>o_xmvnڃE88{> `1ޏ? 
%}7-GJP*I%q>'3|y;ė -_k\luE\?/%}žj_k dQ q0&DxUf ~c=h ʭ0C[[XZY[OX0I&V*/M\ E̚#{?'i3 n=k=gpk5m1Ҡqxe+RJ9*B*Rs|ʣ' -i mrB/bHkųb*j*ZlNЙA; /SWeJUz Ih6͡ס=4ӛ-&h1-4At1:Vxu&.d{r.{G KQN#_0]õGGv!1U)UH,ȃn]eUBs<4FJIGtNi:Cg tQu(EuUy]tc9999ZhR[:Lky9;9qD:D;1N; N$;)N}5iY'kMWPPuSU*PJ(P=ԝzipS9jIF7ITVנ2~߾frg~F&"fM`0dQ]3/f2BMD0.GH^ѠEwۧww-kΝ!}mrZggeHOk٢yM}F OINJLԋ(1<̒ !MuK\=^?ʛYq OsEL7(P%r]LݥkzL~)B7,ռޥen߳#妽q>_+S˘ۻ[zޗR劢@Wr`mxY\SA2Yma -O'"JaWąNmfv4Bb\gBnr"eCe&e%rz.>ob` *LjAq7TE8QZr"&"0C<\jɅ m -0Cݼ# Lތ%eezMt!IuAuAxݼRWTzҫ+Ʈ_qk*aStQ 񆶻mp´C%6G!KBJƦ|)n ݨ4W7ԑ0{ƫ5 bcs ' l6؀m$sIH-M*H(r-]ڎVQd[E:5bڢc6:MEca~DŽ6,}|^\p7i- - 0C虈Lnsmyqnb&K[2FS8N32gJ^R0hv$"BCHn({-Ž7f2DO3 '$K=pR#x֤ɤ%w0C3D*Y/@Ұw0 sR"JtUf8W|zށ< - t\~܀gH)&%{3P9W-wa4GQ a>\[j$)XE;XxrWWEE\zDطm+<( ƬXʢj`hj$tASp"T;Ȗf?vM&ThC6uUM CUtgxTݾr{ڷ4D66o,uǮ]_މYJ$O>qAWo[ȉ*6m]1Y3 J nr%ܔRɸ4;Hd(L:&R{yƤ!Иoh'Q6T}سd*0 7o^>Yl6*ֻ۪w XBeᕂCehGPϳ,_q-O<_!BY!VT>6DO"}r@<KpT&~{_UBXݍӳ\j7wI&sPjCb :4ؠrۛ}/sw/iIqI~l)d8*ύԋoo>t=Z7 Wm؁c̈́F)jM[/݌wTQߝ-zz06ԹA%8V-*ɖ ELڃPPv%ø@l<-&Mǖǹ'KJ©S*)EJqd/<'gj*?檤IE*ʕkKbElQ6Rڒ5ٚc8BZ41I| - .O\k -\L~{,`h[w%2^s;}\=IbpE=/*;oښZHڔJ~p.b.9>8z=~hr;`!4(~ Ȃb"%Y -9WGz0SUV.K!b"PupJ.}ihhٹcVW]/<KC0p.bbkF> 7sr벧=8FTΊ1 [K6['1E  HL(S-2^ T'662ҫJIwǺ^;Gwd閊թENdhaxxGxB%; k!l}ޝ{j(%P;'lUUv߹;×CAAVQqDTDW"*1T5.qk -BRbquk,ckRcLkkMZvKtN̽#5N{s}3dv v"Xh)DJP &#PQӵ%bΙ/[wyΜ,ػ"9ilb_UmkǬ_g+ޘZݗUޘ+?Uzt}V? 
6ȕt" &-eUt#ìf?ֺݬ9vQ_S -cF;i#J~5-,y{ȥVZ3\D[#~6|~:AFx916Xrm -Ի&Yᗽƾ(fa1HqXx<C&M*)?/NEO4?hVYY>hB_ʢhuqdӐ}{ d_XԏJPtΈϷŻFf/lR3vT*\u @jO<[uR̡f-5]vWSB5j$V%ESֳ[L]r> -6ͳ-eTR6bhmq7ݺNr;b~^wm4PLUb?M"&=.nDkv1uuB9a;BI \4POjeJ׬,jDf穃sgu]5M\~|+=*3q:nua SV#ǣΉꆭlCx6MH@yr\q~+huc&S9q:xd ޻z 0n*{ `#]WgZp5:" -<@h -q -3+?D=5˺a}FX,!vhuf繟GE75辻8N; tb8\_apdԟlӜskmJw[\YoI kE:aCUZ Y*]bD#"fzbC+2tQ -znG>yf.ty -y [lv܍WkPK3ޢ /kh~yyM -g(/792*]g\PvG=AvXm }$J;1YtRW|[iN&pM6zP'pYN<:WuXWfȞ=֏4󬓭cM4Eb]UO(+q޷0[ZTcUSY~{KA~ְ| -Ma8w;bMrgyu^ѽa+my`5!989ƴ΃y 薻so_ҟ[)υsO gû\TR|3cVuX4+9 3IO™%YO=7_ܭ«_:>Ldģk2:w9NE: A# T,F`0X U@"P&18êEPBLR"q2w;ݗOg|~9k紝K=`#/{ Cy% -=%@ȃwBzvphX2P  z8.Zs>B[N[Θ\"2?EOMѝ:HH{:뒜_GK>Ӄe罅yoa޻y -tyWwޗ{L̫/:x'eNZ?wKذ_0.#)t!.#4Z*3Q0=+4mlUpFDz̑~~%c&ߠ K&cɝȧNI-^żq#]j\P+"\zß!Ok۔9<wr>CLbbnhh #tkWi~SA%R+S8+/BY)dB;:K7'-CݡrʇoyAcQ ^/OnZOnFR L#Jep{9T⾇g*= -~+ p~cٷST;[ -~gR - -~g#A%a -;6A[Ȃb*M̷e rK`,amiJ*NeKcx%= y ɪPI-ca^MZվɷiAi7E"iMN%^_ᝲ1A$|Knn!CCz!Gxo,;5fb,A.䬮$ol.wg;XwFs[/ X}{jLU<y&ӽWVw&K!ٺ> k7![S% r7ߞZÎqj2b2D @ƪ!}ouPۅv^+,gDY>jҘ#v$m FQSEХQ*h)E=cAGTF+inMQ%{}nn1k}kssg}v22ymTk"G -pc swůj#ĉ-N-⫒>G6-6(Sqs$lCT;-w;]{w@K`у =˃A8O)GR*r"$e`~ c0J-q@,W߳ NĹw~7}X'E[]x{D{[A l[ "Ȧ@ -B'p : 9@ pinTkZ=za^CV^ͦü43誙O_zqEZ@fH;B. m&2_A/LQ3[ pSh{7SĩNmp&mt{KN;dz@§wjrk=wR*9E{3p :`sr@3~CسF}jO56tO|="'%L-"ZX8Z -|1:,^WgN~ksh=!P2p)$rg ]}c%[ɾjJV[<"7+ 6v`z5 pњvM~%Rh۠7 qP|2` ->`wQ_JMr{4#N RB3}pN]3>C~o2=ܿג:AgQo\aFg?FSOzKy?wH>+Mv 2 |Hs v|)6yq>5 yAОsʸOWDoy}oKgop/*\H -#P}p817b1H|AVUhj5"xu1#G0l '4 ?f&0:43YLK"r߱&fn>RG]9c}>k:@?(̧9%'ô; /ޅ,6Mc|gߜ+_ơyyi?ѫ_7fx}N.TGi~]0o0' M&߇_;7-1OY< PMY(b ¤ѻ'5Ētw&U፡UcvP_A:=Z;?K@#j;Pۼ!]H_7q|X*gbUR7Oכ(x@]R$? -cݞ|ֶsi{Oob~,#qo3I[z4UW8_B ]s)_/Gn(r\]Gm HS_Uo/-{e|G~zI/91wt1kW.♲.m'RRf!8B$MKQcpI5Jnmǀp;D7 Hͅj8o&h1E2OyuL#q<NɠL6k5yy!CnLij4WQɼ@+ K7eꤦ'[nFS.oUi:f9:cnw+.YtNVX}" zD@wms.%΅=lR)o? 
1zZۅ!6a) u$ÀÐs=Btp9̩ -'g~ь\- -w%ڸ?pV7*StEl˞U][tsЊ^3 -xߐ\@_֮:7re*-5lɫEº[ݱfM_eXJ`N3+:ɨ9nxr*^:# M~c&oVjGܣlSЏBR⯟OG1 {:?|ߕKE$yH۽C}H^j};IDu歰W59t?YB'q~QBͲM(fi=%ӈu#m3Oi>ᔜ;|uRa;z\kZh@,pKj\ʄVTC -ȗbO)$W#+}z5c/װgJ8;>"v:{{"w#wNoVET'wc5$.u{*ΊN3tB{gcy[)^mN)%GR/M}mucn81'!6ޥ|̻䷩4_>b~[E)^mZ:NGϰCXBo*)85iRN!m*cFwF}|_1mٻ13n n֮дMvӻm>.f28 7uoQDVzQ!6XZɊ/ث}zN)g%ʹ[KM~K!~LϰV[F m,6AuIpb@}Pveg[S_VJ~3~ NF R9FY6֢p0!N3c߅Հx+JXM)_E9Gd%I(v&MdyC @ @ @ @ @ @ (3BkD%QM#S8)z-S!DtEtw -}NT7FK"7EuF,!KʣqQ]U룺V{iqI[| A{^_K}`^ x7&kk5fe9+3;:?(1Fj$$\6Ivv5J\;. λKweuΥ:n%M~ .weC+ZE*jr9Yvէ;YZ.Z; flRI{pc#s'AUΥx1+&k¬g!*h J>6]=8>{O`7tWm2I۱]Ҷ/Lb<u\h,+˗^`e͘kSSmLk/`yomYYZXK%V*Y:: cñ́ì=N Cm8@AIJh6) #ԝ2ݏYXǰXWX M -7W@Eo+@fk5^;0!o`bP%NN웕`JlͿ/%rZs6(I=c-q9&^VLĤ\5#KӲQ%YDHi>=I==ls:svg_͙:Xꔝ|bTJcB1!ZUXׄJPg`Y( IaFSCJ{XH=3}0V:K2Cs 9+T+k2gQUɐ-{OHsyJwnQ 3fJi0evaziyz+#_f"=,b8i pr PD -΀ ' A@AJ99> endobj 286 0 obj <>stream -Hl\G?Qh /gbEwzKv(6b..Qc9=X Eλ7{wg激 9` y|cCZ@plt?E)zv%a،N{4 *clp]FS~{#d6W8;D&e%AO]&4KZH,p - ]i@dIKyKb}G5J*ʶ7DSZLiB|9)p`Ȕ8xd]GgKv~":EqEmu||64h -GʦR! 2SghooH5d ; Oə&?-c4rY[k6IR_]nQnnGJ;ܴ6]j ϵcEP{Mt{}p_OoGFflit5n)F?bV&4h -5=`74j||||||\13u `UX\~!ȿ(׹ַ_ K|<,ea!ðDXcm(3oWD|\sb@MXͦ5UVGU 'TזH~ŎXUNUzUZU*r W*/W}ݼ]^]~ƹB- ;2!_p͓ھʩ$!R֖u+ƦH_(풴GƢ7фgnEoߨ.I_)KDS\ԪTWy5SƼa}:77FIkqR; I=*`32X (+]6Ͱr8 -7- ~]NIA AP8%pB);?@\a=D]+ -"!b! 
!,I0!RgH HLX+ ِ% <8р 9 -/q$8UtB8}pb |D1ILSoe$Q0P(Q8E()(b((,@D4R((2(ʢlʡGLt1Cl1G?CH~Ÿ~:x8>#| a8GpR^3fvnc^5 -Ni8gF_u|-oxKx湼|=oۈi=m@c0fM$oCw|ơD|7߃ DLz6>!b#L#1M)6C6 H0[P5m,lI[h+0s0[acklm;ag]v ЇK/80o58#tq:A'q`Cq>Op8!Ni:CguyCޔ5V4)"U4yWޓe +@qePPu:/-m1f&F@ X00 06ʍ3Ə -cό猟c_47^05LElot/+J eLdllF7KD_6^1&i\Qc0 !,'P"^$X^#MֲuF텷z%MMDSL+҅#~itlAD=E3h6Mл4w\*X6=|E|V/NdٚNY}Nx3Np@8/ޯ _^d#Fhc5*jĴeI:K=Wg2Czb[ҧWTػWAݻuҹS[jI6KIN$ī8K1cFXt|N$7TkmW1NIIt vv3t-Кf͂G౻n~V0ԯ)EN^tLfQzE4H-_tPg:Vei2NSn3 -z@Y.U+A~_Q[׍w"VubkF]c"J*gWhr -dr<8Am2|$71m-e^h7)??!8v&q.]Ln3<7Yty ȕVk -;vq( -V'rl24֧4xr T@+wyF]3x;y _bˢ+FPY]FiƝPlTZV]@D롤dC#{?d-w|Aw(45i^'hw+:cl76SI[}@Iek t$D__غ%6P[P`]|Uy" SmuޏI7f?jRg&,t狾WfJ`{33{ckcﲘZ<0g]n%܆BP)D*jq没)4"Vh┤\zF6B R-c!$ž/w g$TWQ,i@.r+'*** U"Q` AEog)}aQۀXFѭPBS` VM{2Art+yD\ 0څ5udܦ"n,>uG?Ec)p #I@]- Frun"; nE\(b;*r6Bz~ymyn Y@;9!dF -ϒϟL^pOKX!  75m1`nA7Pp#Y(`˂q}KUXhU"iqO,eȄE0U^Or#$VXLdBvjQ_/ u^F76c҆A*n3dD{jlƸK~D(S QNөQЏi,1 t&B?<դqW,Wt -9g3f)guY|@.H6 u/ B٤vDURl'A6IM ibO&q;KH1<G1Ql%κ)DLHTh@ӗE!fuD#Ys[BJKgOz쥧L704<bC( C"+\XZU2;oc#-P#x˔2!{ϴyW` (q`_rN:1-` Pom  "< CCJRtBͤh'H8c4ӘFⶶU -ڤBDfpZ;tbj:m/]ZO!y|8%Èe RR%̄Z`0c0rnZ4-JTf=4f a:Npn2$Oc\_PRFӯ<>ƀW|L|A.0rXnL\B&[\5֢34Y*DN-(2JKvT(Ajs2'zYfwIYћ_>9gsPvꖃ+W| Λftϛwa+_ٿmGw9;\ Ռ ޒsL.=p&;Bְ*3 A* ҩ0utѳ"k.Yqr+^6W"nKW !Q6شjdj&I(HDN(,œq΃E8:[Ps^`/Sdb*Ki,Xָn: !*vG0p,YN'V\ٜVͦT1s:Nȥ%4!>u;h~LP Xݧ~%ILktE8ZG/k{~RAˌ+zx!Gg"h_x3Yo=9dBِ SVs*;=tDC)[ؾ;ǗؓWA/OXdkl.KK -OMK/[Shͱ/ 鬉~2KIJšm-ZAD/11#9ɦUT~ׁi8:lA^c˱|-9}{wц+ܤ^+"Q\9?_#hC -(9KX8"?a jt%u'—D66dE`2P3fعϝ6!\h-NJХl022'oO~a:?FY7~S`\tyv_1&~N8 ~'5e%S̳PI8:P"! 
N;ej 9@hٯ;3hxV[M߂]+|V6aLݒiݒ$vIeI.ykus̽v4CʚqZ}͜}JOԙ3&Z(/l/}^u0PlK =E`B!whb ~4E/Y+qK{Ribww - ڧFqūͮ˕$]AH -YbeCv@ h!'Z=,L&牆sGfJw9ބH"T bPT)CY *Dl -DJd --PR" BEEfjkC&2HAY 9}N7w}9r;e -5#K&*.7[1ǺEMf҂g } );pj9|[9H'# V_TäHmi#gLcjc>nV9emYng*8goJTGZjfG0IuyC#E$j`,]\㘬 V _rFODIg!"+|.<": "#'`u %-3k(/0ԋrjg"7T&^f5=0詆</utsLg#*`kU:M7%2 FycچNfeF.c/vb$:Հ(U_5t`Jz'آ{쳗b3nzpW/5-Dnt?Q):3}}c\2*)r>fjoלs8ߦroWǑM:ϣS+7݃\9{QJ[(%E7dK,97#ٿEwƸY7PFw p@{b=$KJ̅sR"䘭Q?O0܏wcȡ/BVo>q[tҝuÜG{K617P£ NjJy83,?lǯ'U 3+l^&&ům/>~z~o5_[3.Jm -˾ݜ z/#MrTb$>Vc37ˈihq~VjR  CKNGJ'8I6o1ycɓW~gw3qHj?W1~ؙ~tjZ{=Zp/*5ǯ'OOM{3mA>֗S++2E&=؜rC9*kfN1G|w0CS $v}pM>}=Sv_qATv%^#Edhıc|S!q#tm:%y#=RbýlW]fo؉CQ)CguT,=]Dk4(+;> ź8M$ -$]l4أ=vCQF52&Kkw׫Gߗաdr9፸F -|~#xnADZ:,u3bV^E4t4C~}}36Zg79ƭ.P%zyK+ f;LVb=c@bcDȌ}D1yXJ| ߇wx֞8 s3rƽ^ߺ6L#Ԍ -([l^x-nk3$7,QAK~8,5npZːø;Ř{"w N"T»ǫra|~OXz@y"##a?aRяnF/&xw1ë`$2_"WYo>Q;rPʝDSZ4F[yOZuVLf"˛|o -cо΁pu)#6%ߗ+_۽jkӽ:dwj2@NӹϣG y\@'~%R-vD§\QS̵0E`'-(Di|DEJb^9?2"_dg9w0[`<Ff E -NP/{4k!easڗeļ (I-[ / -:sFMh8GėKNav)uo=+s{y!Ʃs߉LdwTMش̮!7tsz?Z]2|o7 -CznZ~Џn^ zKݦ31kq>Wsg8?E< ݩ9%k[賁'Z{;~h8kn-;e kiD;Ets=vPRPO jNuݎ:>6y9v0yj~ġ ܿ153+p5lǡ7[,jN|Υ0CWjľ"_ms~PL{ GC3XbKs43a3EJO=9~s A=+Y0d?]2YB2E(tםE$"T{ ?ʬ.2OO rc{ ƍmtNn0nl}Ɩ'`X77vރ`=.f}vqc-q6 c1;P0c| \>X.qmc77 ƍ aǃC4h W ԘV`-HC#!;`ge)wlwWDlpd5?{ڜAa>M0kaWaݠ_ F@U\jy86`5}|~(BE|J^}LPf - .;q-Qgh }oM*i4]dۦvg:KeJ'.#u? UwڧP;12w<W$/c70Na^ug,=P!wR>ֺ6l1Ty2*3.iBN@[T3)"ߤn!+S\C2 +`e>e+j{/nxur3oT|F&q(wa&@; R_9_".D]ݖ&+5*zӕj탨GQlYԷɣUWWS{RL[ɛ "CЗ3sBDHCFKq7@4a^*S`o1abZ7w\l}4vE? 
;U/ -b#]ysF3Z_P^~-0~ry7P_k4}&DmkSOA qz eKMȮJ]+O84<$Ї7\Lq6ἳ^gSe8FDlĻ0N#e+u Ы|uG)A&rjٚWcz03{?2ؚF؛GG7ӟkՈjZ G|MT,1r[!(բc,Wh -Ϗ| *$/C|D㹡ZYcD1czǠGY#<O736O|VNm+D<ceo1úfw-5yi˝[8k|zsk90L?kyYDmK*E[7]Uu«( Bb gf|3KmgFeEj+3FoQLN'½$TP/S$/9篕C4EB/m{@h,9ǞlԸnTfj,2^4u"0KW͐*mV/E j]WytG?L_+T -!8D+n 3Vsh|J3ycLGKׁz}lspcQ;s %_r4뇙4V+FA&vyIWksg0^cg|@I6-~&oUb]F4?)O5Hž{2sbαΎgr-X&WHwC~1>ķ: -r$ O!Hw p ~rMGQ7*p?pV9O47~A.NDlBo#fKX`| xq?n|sZc -~˿c3`E~%tM~H(G:PZ4BykB!JDIu<r#g@sOe8֍Ax/ʍ\*yŚ]SyrCqMfi' = {*KQ~ I˳d*Om1J]Jr;>c"%u>L1%~DtO2uOCL~Y^qjf1~]@3 @Cܧ ]*a\vDORKjkr6QIb[KT(Ө%*Pus T-T%{Vo#*O)hƥԂSGgYDK!?r#i6CkS\n]!qzcl/Eh2Ts ._|"֙<ʷ Fm̥ҋpD@ w%jX` Tr"2e{ݬ-eTCkUw*5^Sny= (:U+2Cfɛ6g}2X;*`%2ߣIwag/zީ[!YeOPNB9˜!{5jupOcS<^(p "/9 d&Cn7x>hNj(n&A)J `4u t=c0b=֡]@~/?CY`z =b~w'`H|i̦~P,0" -s)\HwA^]j w0A?6\QCm0wſz| u4/b <ȱ0(y"Q| 楔\/1CID/^GzLMcsncEek֔6gd"ƠHI?班ng8~gmt3W5:t̙v5 x.]Ԅgh}f/U|'hgLj+-; .}8nJFX&`_hf0 x- Əw)K;1qC@0x0FGQ8e/zZ"#u u<T;'[hrz#oo\>_jm/wxOn>`tuJ8D'-'r7vy`xY6 yLżCfἃy c\ 卆=ߑ)Q}a3jأ2z -#=}𬁰LJՖ_==Ds ɨ+J E|BzT_>#'̾\"f!~iRA.s',ely -`'hՈczI߄.S*쵛Oß~b|j4W>^=XSG&QKy_uÕb(qSII2ij"dpqG+r -wvKu5Jl 岴=@i]mYi0(B@|H4E.^Ex Ԙ/(?A03HG73O#Gو.{,@j\ZFt]o[}65!MyںyjO?]a<^` \a@%klς&9Ov}p;ux6Zԣٯ>xwf7~bnщv{> VCo|3r v#g;B읒{AC%[} Y-Wg_-.OM rz3 ql4fc5A|<[SLqW|{έéw -VU|{>:*;$WyEY~Y~7Yy CCi_ɋWA0LG.9:OCU+!64 y{;XO=[.< -W<(^pI]"|]T( -BP( -BP( -BP( -BP( -BP( -BP(FtM!Jiiվ+;TBWnhNSPudA{ -GӋht?JQA3fFwtAs֡ }A(8l̪k,tv+o,gs|&6 yhHps]C1ݝMz1ݛqS=۩uF6RF>Lrl_ vsGw}/t i.RP(K6y7ml'5>ِ'[֡9b͐w5-0r^5Y5͉NGbRh;o7moMnsmmۦc(mcFMFM{.]m0G -endstream endobj 276 0 obj <> endobj 287 0 obj <>stream -HyTW~)Qa `\c5n v[3.1&㉎ǙA9Q5;㊈ -QDE5gμ>wv xBA1="V_ܒRrC 1!%)6R͑;+]q=1=gmg@d/jHKN= n-C;e. !Ǟsg;LoܮʴܴXu$@@xa w;9Av {@7 S!Bj! ( -(5h6lPs1uossh.DDf -uu+t}HSSZN_Qz}^ ㆝ ݣdjǞvZ^vZoOx]ÌG麩mpr*xy呙m&f064O1̫-Eo[-,%2ԒlIuҬXZYOYZZ’Rla΅ íõSDM殛ZbmKS491X ֘XTTw54IӚFtsu9odZF/AAL =lUuMlUͫ%*xcQ3Rή14B]r[Yʉ- ]|S>LD*nPUJQ Vv DsyyU ;?.5vIfvEo[ٝpvI]gW=)ٕsvJ7+㋡Npq:rv΁! 
bٽt)U5jTb/}Lk鏯 uj`X7{]peV s&j@cҞmwRg3<աijfjjSS%fC먉,WV9u<^_[ -bw^TW W%H{,rG+VV.p=2d+n7j([鵁 gV6xMc1ۘe| Ʒj^L -ǕW.vOQzUsi;VA":jߞAAG|#w_,~~_;姾ZOjcc[c-o>ᅦ~Ȁ+ T~" -*ak.,/`rj׆5gpn_` x -p6 -)%IHcp)8 g<9P _%!j,,ȄlȅE`~X#qN)8^eB -b0}30nC` fa6 c4-C v}eǙpTTЌ8 gcЊa`!.O~.nP U;}vnOibvC0;Žc8;NS/ `gYVα._ -ʮ o uvde+gYTVɪ]vUv=`=bY{S=g {ɜ51I 1"ғH <ɋɇ|H~Om()LԖ -$BfPG\KS rDV -ԅԍS8EݓHM}MQ_G_xK %CoQ,QKmHh0 n  a4Fл@#i%qb8@U-VX)Vw{bX#ޗI/AtX:"IǥIsKx&DD3]"wĩBFf. s83!8 NvۥHp wBp) 8(k)+]v{ao}8`CqqHq q8'Ddi8g=+e98|\ z,2\+p%ո:\p#nX܌[p+nw.S|KCh( [3FP Q4XGiMI4TF);4#F?LE'Csiͧb9uH ܦ%rZA+i5z@ifS05M-ij:gƦijTMUK;Nn{螺辺zzA#tGzjqz'Iziz3,=[zz^KRL/+JVQoұzb2LsDimژGybgigzN]+uԃzR/M}/4 CǐO!i `,W${ V*a 6&2MV( `;쀝 v `?8(#pqp)8 "p2\U5!uI ) -i)܍{p/x x1G>(@E(GeUVM*HeW*Dy*ʩr*ʫ*T*\E*ڥ*J:ʪrc[x3_7|Yp!q1p)q#.܄r3n-s9\pp.:\+pu7܆;p}x<'sx/7ޡ6"VX .*у^(hЇ~X&` a0`(a8F`$Fa48u0b&b=LdLTiY 0s!a>`!a1`)a#,b3l-=l!51~g9~_WΞaϴgٳ9\l#vb7='b?p 8h#n1@[>O3/+htN@Wݡ^@_a A0PaQ0XaLI0TāY0\a,E5,%PKa,VjXka 6Va?S&0#p$88p"N843p&r:\˵]pѭVvF.?1>',n[{4u^`[5:jMvhƺqnmuαs^r^+y57Fěy omwNŻy>r+s\1W5s07-:IYOEoΤt:D st?܆]~PGt[sRs\t eTuxY*d^l/+쥲Z6F$elm]vNݲG>ºkXsnva}8EnnyOIg Ewp'y')_y &B6Ch:K3;|^ė`Xq1 '/%|9_}rWK@'l_7-{j^*Wu8 'tsq*z0q`!ze3p&p6*<|…6p1."\Ÿ Kp9@b> P>}YW*)?)G1rB9RN+g9rAHF;juB]._7 |(Kw.܍*q}?׎|ѱ'WO-I壄$${O$Og3A1{҆%?iG$Fx6@l| &6D %X| #O¬#T6tWk(ߔ?oY|KMl/&˵lr_撿dn,˕TE7|ҕM#I|WD/'ߗ!Dn tsJo4t CáGba#ᙀB~ȍ#B\Qa;\?@4]%Y^9Hzb_2Be^;IQp.ß_oDV1W-=RoI `!lAÍki탓yO5̇ōiVBID.b:CL8`\J#~*l% mMiy8Sx/k"͠!!=@4DJ:O a#{ĩH1"JfU---?mY(L R.E1@J NVC!{lKL B@dzʄblgV1ѣFH 2tAO~~}\Ru3 O:>>>]6c,ZOuDn&Aw)N8l^5RfY1$d1IrhR#U@CJSJ|\%] OPM8` 1v{.Y$w -a2԰"v=!&C3J 6& &$g:ԎN瓜P%5.>bU!*E32H(Q\ T)^Pڤ fv9 1yfPDzӺPDMFї#Ƞv8,fKN0 -bY~I?D -az"|\sצ R*&$Hr0PS\!!*eQ[0)nJ5 -ǝPB ,=#[Vb -ZA%h+0\u ljISDrBF,SAmSch=!g+4jSĨn64, Nnb1wq'RQ] ՞a|gAPz\^e[;kZ.Tejc8~ޗw{wxuw_+SbAb MA!&HZ@h"+ -& mF-)(R(E9vڪ=˳;<|c`j208^FD-/2) =[4U -C>_aWK^!>bfA2[`f-ڨD%4 }Q惊R^*(Hl -Hf[m c ,Fe"AƢ`Hk/FahxamӞu*ڢ\@z"˓+y-)L> W5CS\ڔ6JFo,;$K+TRhrCZdQSL1nKWE*JP0Y'*&&^d#vIÍ08)/k걊/m]l0Gx3_ 
-h䄿KZR2KJԙ0H=6F*K*Tpk}]$٦.25</_rhk|{GJfsfg杻NnHUZG$)iHRF;eWUո*JD~* 5۰j$fD.9)/]gi)gzuoZm}]wkOao=ws:׹[֡ A-rcy(9f3(ށ瀊1ͥӉt($ǠB[qiz` wfAP|xKaV0wCcuKen՝tSnسf)M$Vp.7YLvápzVe[#C zofG}YӱQvp‡R -jCb*я (7WQ0X^zXت7bpT<F}ؑPj!!4 -BpJp&4K͛rqM.Y7P.8 )b W]}}Z:' -}8t3?ل/YlՍ]ν~V;>Y`^moyosE"B-ZƲ BSʀ;F*\J'i. 5w2vdLI,RZ $ڬ5ƺ1w2ܻeG]>@uJ߾?{D 3G43d9H *yޢ(AvN.]xPQ4 R}G slߺԉ=c3Y"*`Fj},8O2>|rY|Q&6stH $T Pƽބca(8\$FMh(jm Ldȹm"vs_Z9~Vn/n?сM$HF9uzyd  `;@ r%e^Ճ=Gt* MEH)Be9-kA.mW0}Ľ{ֵsn_̃șwo|Pnתfvh609xɠ 1 -!\-WȆ# -z޹l$;< iINڸ<ǀǓ1PalɶDQ-a+|},.? YVme۱ ZtDDDPt!ƴhL0Xlj4R'uMC:Fʹ~.U2s<޽|sتmoUϞjCkӚ72$yGӒ|͛mpކļDN! N{wOLD5BgKiɾi@FiVhS+o@C{@!fɋC -s|㿝-:SWH1;xu(`4Ci:n-v5J9wt^%rʹu{ʒ5K{(j)[3?j#ٍ,{ D;p셣& 9l(7~VՃK}NEYa-:" h~rd)y ~z#J]1gf3?)- Xr H, -dD { 7. :G3FxFS䊠INz4PϤLR>+ÝSw&=d%It"Ϥx}ftHgωEg?[wju]Oyz{?鱲EHz=V #Sv癈$ -x0'<[SV?׭5:03N[mB_8W/Dț܌AM-RR x$+-l.fD+kVbZʭfenΫcƠŌh`Lń76:m;v/<w-:}Y|rͩn\)e(. w|BOEX[@[*sf1v=rQO[gY k.@YB{ ii>*1l'e,/>T0T7b8wG de[ !-E(cR)R7(_F$*}bkY^lR{nиy5H/[ tnpIloʄsg֧7[y?:οb W-گ>!j+nR*=6m$Tdr 3ѫs#ǰ ) H-d|\H)N!Z`of y*Г 9jb j56QjV bUTX{樽4?͙qy(ٜ@:iֱ|jṞdKinCiGqjELEVU.Fur&YZ5UE~\$mt]$8t9qC8nYG,_},Pdw d -ua -Z삼j*jQ)4Ǵl9"rAcLsݰWGλ& ~ǂsr =j>LrԥvSTdWՂX.GkiT`jbx8?v#\ -YFs!+,֑w<s6rX8~2D@-[*7D.B>|>Ec-& &,ۨ@dihm/DXb2n#z~ϸqYo1֠6zf T!#LML>ԂuUF]>pFq/hj mQ#1׫/ܓ1x?Q'*`qEqkM5%{ -jh%V&ZY\9c~f}C+JRY"_,xn^o'1s_|ŜMe/_'Ah߆>\21hnho~o>jEM1|(kg0={GCgT1ٮ^Hb3]\>@GΛg#FGu(7k|ֵ1ق|g8Γ%gZJ46x>H5sՌs?wE} mUR7r6ڑCg|Mx?LSA/\5NPXs-Zk\eKU;|^~{u7UrZ1(j0_SPw;gUϡ3nF,)]!xxpϜװ\/bvvktc=H^D .P2:J. &bpzKY:6Gaذh} .{[Yt9;q|8c޻ĻLJkR4`J5;C5l3vm[I8YsY쫚TG' 6JU 2hvfʎƹK]Alj͗ϯjr&?#%OynDӠ7=AʑC!g΂f Nj-ox,<Apʷ`#7ς-`}A K̩p tPsО@W@fl5Sr8^0=g92Awx}uZƽsr/wz~Υמz8]8x>βpGtk6-۝_ w8A?j_t~C|ʾtM\Q淙=ΓtEwѪ/1Bџܟ7oCh6բW' Foϋ{c/l WP`#?5t8yph_ ~mss|aߗh>L>X?Q&쟅.ZW(mU|7NKA9Sls|iPDk>ݚM <^i [' M r.zoTyky'JNə}v^ ~P:E[.(1Xnh.5ro-^?eS;-Mh<:x5Lol.cv_N4^cF͋)q_.ԊOq3 ռnե5Ue9.ׇ=anhcyj3$gww,'nš6[MM_BLU_th? 
]V"do2Z fb3m>w爇%W5l,tJSVӤ_NSnU_/e5٢z4^&NȥWP[k6{f׼Xq'ߔ^.Ns˧Ш%R>M@/Y_iy;Xivjײ67R"yչy4_3"/יZI|ȝ۳ܵXb?*FɅLub%i#fRQj]ŦG:ejtwtH8Ϡdj{fゼc?N<.CUM6p+XOуHU^ 1eۋXSvmkC͕Ⱦye,nYH.]Ha?77؇RĂ^(kn玗d"uYjVgZu_oo3S&3Ry,'&tViӓ+} ~vC\{ -_\9j<5bܑ4 n'la 7r^y't`oNJ\ r}=4}=k,vc>6wy搳^sL vԸ -2Ϊ{}YDY#5օ)FȄ(0ZͰ2Z !MhVw;ET`+JU*^X{}J_o;Zqv u}3M"g\<&9m>1"Nj1tjJ: 5/l{l~ -s}}4tVg3c*gY|.3t>/H >rɭ6_-9A9B']*r1e4q4`vF{ KId4ɚSMDV\m+e@İ-jx@ێ{TE){)߼XcJm 6)X/q2W+<+R7dg,l͜"6;>ɪU'~:k?78Ρ}Rʐ+3N^ _&v{9סU}:L)FS2'>C?oJگPs_A|EhJ)NlNF;"$b..5k̤zbڞ3NT6AjTn{fThX/5m!=U#9/q?|< ZߥYJq*)fWl;CIWڕz7h?36;IM!k>9 F!(eؼ*f9 -;4,!Kyi]rbiU3@zP>$WF[PI]|/Y:{(5*&=#rq Hsk{yDf=6sB"{:ɜkYƁ[Ͳ@LO#. -hZIIv^=UD}2ýC~w 7]x\,'x ?:wA?tf:<, i %+kttҶɻ)G}tM UiA9Gk~oq3`k:;ߜH)JTuwN/.m2(9f,vJ=zZ7/KgbsdS)2ЬZs\h#5ljKYϔ5Ɵ\gL#YA_ u+'ZYqMf=+=nGdñ~P5u%v Rxk#4Xz tՌ`R8k[oy^TS}Яcy٧γ dK%otOlBJl˼fhIOB>#VJ͌? ]MSAjhh nI/{iܥ"c~ ۙ_&~ -`Δ +q]ãDln"7vN~OS"ZewAv" o#o_&EĀ_͑ҜdL u~x{o b|ߝMacLs+˙X+_K͟R.{䀍R*KTv?F|[)V,t&f1ydݹ۠gI|ayd#[eLKQ+7w MM[* C3d:t9^+; #5Ƌdrzic`)(͑`(U`;FCI׶{ꎉ],C#~ity 4) %չ8 穕ec)Ɖ") )Jw-ٵVcgEYf:bFK&IPUh$/bO"E+GI%auM"/1/3o8ʾ$:|1r]oJڭ<&euJ\m2PɵV/1O@KjLo*3ʧ^cNcmgs:#ج[L#~n&b~Y`nL&\$/>G%bI& ($HwW(Ԫd5J6ږyR;:> SȷDz=L n)24}j*$[$s x=k.C'WdX -#YfXeUFV0j1gۍ5,QфmR3nBZtZM,+{lvbb`O-{+юrVAwVGn9loOTS8G%L4 Wҭ?3ډ9_Yw (^6{%s˹,/:~zD_Wh_4\T/!r8d;SjkAk|mx#׃FglRv,FwGnFtZsPãS^M}t$zh"t }ykǽvc(;3p&Bקv<]?nlG/:nNp"qHݚso8 X;vHmIQh>Q/3|}^6Znqb/NQֳU|Q\i}iыRhG eX#J'i_`WD:moTlÅ2J\늘+ixzO1 +v(kuc%yUy;1>Y7*:. -x]̙2'&W -TYtj V+!.ȃTHhE֨@KXmҭЍ sI39Ȅb ט)TfȇdSG.>M WR OXEgk|݁r -`u4KtY7=JYiPH]؏y - u9>*G Oa2->,%3[ C:V%%2`O`>'+alq -?9 XqV'zC<|,󴹃1W6=aa8޴jm [W芖DBJ&xma -ƒE~JnTĩ^s`<5)icLN<}Xgu5ۛG8EG沷ӮkU#Mka[mȉ5庱|}ZnG1w! 
X;qa>kh6Wq> _>sq5O7zK)]z -vs[䳔l0] -nJb](n`ѷq_.}/+t -dN`&g9q#VVRXBهxRb?߬/P{r?_+I6ʕN`-'|J2Ĺ6e.ޫ—7#xl$QCӑWͳǴCoSwp}ݖs8Pʓ{~i~ш;C[2 V=P/#ƞbl>.&b]BXTr50B02}9JD*Pu{~x16[:ͽi`Oj/Zj%JIJÍ/(hź}x+Uꧥk:vY|LIw`Ӱ#uat13j_0pn ~ JG~9؇f;뢙7~KL;nTl؏$'U -+ pgݓ^O)-GEP&lQGkMęy 59[.SRĉ̹>Cel+-UQ/PS\X,b_֔JdȐӇR=aw!Ew{,]y98M{b$%y -Wc$p \q (@ @ @ @ @ @ @ @ @ (!闔M=d%R(vIWb%;m7k"PdrZ\V!.Slh'\fqY@UaYqJ-GWpmsx͍NE?LEs!=JZZzjn!hCjS@eStT{f+:O\g,b+S90-4 -!7g O3א>_d|K5h3{q5@g̍q{Y5ۛ1okQo@Wo ,yh zO`%ʠr);?z̸Ϣغmw̿-(6lD،iiGضqX_"\ un:}8>ʳ+xUVǝ^ciqDr(//C?_pf:+:%+~eP>up`hG2O4X/EX3U5czV۬0PY1N؎`Ao+?_)G/Zdۓ6{k۝r_0AWOӫVsWxfrOzV*K] -Kϣ~K]6wnWVC6LM`Wwvʽ<s=oxRxܳ=|mG<4ÓU`%$Cl)fw#[c#]",9`$y+r=bIVE^*3ٕ;ٝfl= r4sM'd'Y5a9)6{C&9d &9T9#-/KsrΑeֱNOgi@N`R`b ;0! d<Ԁ;` 9@LK QPKç <+gi4\4 0웙 -endstream endobj 275 0 obj <> endobj 288 0 obj <>stream -H{tWǿ޳{9Y#y؈wJ*HUTy=X99ZؾN{'nHz֤}y@ h䴔 ^d)=hS*w;` @r险)T2,~ffwd6#%#-2P?=+sVsxh7]iY-c\ -[XVQg^:_uBztza3$ I#4Mt6qc8y*;t: txk6ɞ$7AE2q"\}~~~;ox^y\ohkp'ʷӔi5=ttu{^Q*VW"{}3ZЭ'5T&#uPݯUKkjZ:4uպk8m6^jikl3-0syy9ӼʼEg1X,KkjttX-)4K]uu A!Qi9kUXJXjXzXf.HgTPT]~ZUsO`cq&G{(Gt6H yZ'2^`hgL6V -ESTV%WI~U_rb/;_WRPjjxuz@I^W4H~h+ӲmV_` $syyy |$KMLlW`7AKk7˄H4+wv%v_}q\c]Sl3Mrqs>rV9B\ii)ϔ)YNpJMަsg*?MeĶ ~>ǯFffٲmYL [mmmm-6і*OrWU2ihi5zunLW6nGu@T^{J7Uw(]jU wוNUK\je~en,ZNk《nݸݜ-_Q^]^Qjwi+wL xwX$`>4zj rh}[[Lvc-ԁFᴈi1K|C):QgD-Es'/ZC߈C[^FASGŏ'qL'IqJgt 8'yqAⒸ,%~WU]?]qM"RqCrQ!*MUZԈ[ⶸ#~w=Q+N<M<ODx*Q4 p2Xzl`#+lb7vgVþ­ Pn*klf eVJZE[9ù#Gp']8 UA܍8_ܓ{qo]]3]rxN0q_yAr]ʉ<_y'PxcaXao-mrB9RN+g9X9\PJ%'1G-oX7p<Ϲy_sgM WoW[#fijkgDDDDDDH""b " TUz"=Sǡ8 p48p2N8 p68\?.\yZ+0SPZ< 5kqH&1q [0 b2`*n4܎w.̰:Yi&͢4> -\p -*5(vn=al<a1Yfg}a_!9,GrBN)9-g䬜rA.%,W\rCn--wl{>z8=DtGzz'z:AO =Sҳ=W'ya/CԏHh0J(Ih44Hh2M@h:͠4fK4h>-Lh1- -ZIh5S -m6Jh;vKh?t:J8tN:K<]t.J:ݠtnD?ҟ/7H3SeReS;20rG21(kစ-w]qA8paqQ8XqNI -= ]+tzB/ }/0  q000F( c`,0&$ S`*$43`&̂0B"̃$ `!$"X K`),V*X k`-`#lͰ6;`'ݰ+ܕ8.}y %' 8 p60 \ɸERQS -)¦2*|omǘN|9hvN;g*sʹŗu'IVETQULW%TI%mې/1RjN 7f[yoӭûx7ὼ>ȇ0| ;7-g=iO=KOw 3B;?_JܙpWƴUUGQ{2P`UJ8"CepwMq7+dL2I&* Rt!3epTe|EUsMfsNEk:ˉ/l_k~o?gN T l^OjY9ʑDO =2 ;G\AH%$,J_BWkp+K t{:,e 1X,,![ 
+dlj':%@kILLdN -کM4 L'ɔNI2œLSܳ+{Gs==( Yl6þJ]l.S<6-` ʂlbVV*RVB-c5l9[fl%[V5ճ5ul=t500EY38Fq8Vg-~66ΒP -w\P`̇T"XKNŶdiz6X eP/%xY8l;v ˲^RT2ZX `5:X a#4A"`@!q hV mItBl`B^pơzNrbww7%MDmW6;`'d v×anOG| %_???C<:dO\I/3,=G_:N_kuDߤo[|k_ -G$"><8_o00qO 3yrz~)W~ēȁCxJ<\%EdD3YEyŋkȑ.!K<-dJC2? oz_CM"DX35 3oȧ!]Y NJG*ȰyO$VDr9,i62R^*-!_\%@{&Ӟ&?A넠O~D_d'#ar!=("^BɁ&'ZQM^s"nS&&$AȌIqRBSxDSG'#ZZμՙB0ΩӪ>8`<İC$'J8p+P^p& -!"^-ީIӈ(`:~-H gL':hihf>/EY &/ZW>^)y?iWQ$RZ ގ6qvMQN)waD1זԨýЬ,[Cbt£<҅[v$8${L*YgS%k`Z09`NȨNzQI3/W9N4wel).2u뒋ɗRz!]. PM. G76DS4" XdEa|%?OE>K}Hi׳B@+N8A0y2$ge^Cg'zM5#DNڋ -2.Sú3Űgtff/r`y)=F|n(?x)m#)>3`! /(J q .4 -*rrzemGu!ܦ-K:grKyf}hĩ4lgcqQZe Ӳ:Cs~*xp˪?=#LahU( a-ьMH+ -k9I.[Xsk亳 Z_ѻt[_^]S&UkW#ΡpuRUF5-Ukq(v$_^ +xMJK)}l%I406g 2T+K1K*bC($7 Xc!Kbj+U=;_WXn.hLӈ8_]KLC&5*ܠ'5sx.I}hQe"<"Lb$,?BRQOܢ;K(Wu8*T6&Rf34(cQ!Ar{<@0S9pO_ݹ޻Ʀ} ljʛxjl߃>n+\tvʿT5_ȎTSa5!B4x|I%ɖ9NJ?VxfL[ƨ$jr8iمo% 'N̝$?NO{ۦ;cNEubR61BJP=ifOy"#4GE _ajoCڑHߚK=O\{qݺ7=bR9{;/,]|6zOG2ӛj~x~ޛ;><34,ȁd_apPEHbH#Zae2?>)^zty锵_;O5=QF݉l.,} 04Yu G|"3-. l ,lV6BZ>2nt0󺝡VK$ \, [p59uZnmޚԼ kw{q/qsc͞)LFRNՒֽ?Q׏|j_&Pp{Mf]=y3f5&8)NKN{zj7yƷLB*ԓDCA3T8[WsbIhw(z }4r2z2d쁆7>O7%'q3&xEq{x)'wrK]^wCC@DEi=c5Z3jikRGJ#:֩&5vL:4mt҉LZmrK{ -qp~~?/-)Rta1dIM"%oSߋ\$efT(4$(iK$dW=8yZZC~r81/N#war p -=-@+i|q*辘0˅IW8'ͨDda2q(xcpOgוm[ݿ)G{.u?/8YX]DtÅ,@! KY_`HG ^K(iϞz-g?o EeeδE]%-]{n5o.شؑ5+6gf6*Q^ŋy9Ƃa z|~8C >näa[GjW9z5'8O+q?kv+?uh::RUb8mI @sqp,.R0شT\VAS -t)lF`mƂ=#(`p-!\ofxY[Yg/c{ArqC]K{u3hFe֘L`#!)4eo+%$2݃Owq?>]>73WsXX}YzZⲞ*}uĖKzjXfSle!HIxMڣbVKZVaJ &>*%+Z*K{vmvv4^sMGfp@`ngNX9RV9Y@˴ +j]H -]j@#MTB-fO9զ=<<x+ޤMvpf PSCJt)ɣΡkzA`< \x=y*{Px9 -v-VҤ*(T0đReh" +?fMqzȫcn9 ~#݀p <I+S;?Kc\bXt{bTTDư&Ĥ+1 -p^mHFl!B3Hb"@ԩ9e*_Vc x[2uf=kjUN˨Zנ|g9{rB΂|Cp{U\/`UzYM,󳬒osuP+SB:Ѳ$|/"JŤDz *bŤ=IN$q.PMm5W={`ZSٞ+]{K_ھrwmǛnZշ ȆיjvfTg-/:s*8sM058"0ᔠ/zQYDhbg:!CO~<,ϙܶ wDo-I}L^Ibw2srƖ{Хt!C{F;xhNm-1/s3M9vv9"3.i$f<|!bZ->]*l.9JL)sIYiɦ؜EE%IyPyxwsf%$ԘRϯ<|"\Y)ȤǐhhwӺaMRÍ? 
9*׭J@@;“Oڃ{N_ɜAN1$X+9W _QiR<~R@ __x:/_vUł6#.۔S(AhAw KRFtȺ?^/`X Ik0J=P d$:0/t(!0NI+N$|!i+ozI9?jB&G,LJlPܳӢȱnm0C-Z gHzZ4ja0bfʋ3 t垲sN2F̫K]U(J!Gʏ'cbga -ڈ{h%f@U:yk+}09͵.gr)7yOgJw=AP8vְ)e+;# Xi ZY$%QaHXN[A;,NFBRPBwkx/$tosϹog%5˪92ʀefܯCnKlDVuB -uyP,'9}ϭ}h$cyC?#ю%̗PKwFT[&{w!ȷ ޅ*GwL1jk>PO; Wfj5ZD-E28j(Mg0uBrjDk\b)0Ϲ+js̳U{1X䣖.8=xCj`'Ƌޢs_dFİ(Bw8G|-<;h,v"YNG/.ԇk!Tkn1eMau9#c~Z{vya?a_tbUtb|K-A]j]2p~s9Z7~Y!\?$>~/(g᳀ܺ%n"C9]נ=cd8RuݬI93m[YO@CJ(с>.~fl4z>ks/0f̹oӿn2zү"sjd|أ˅~+>G7Ƥą+#0FM6hlp`M̋1#t`ZL.D=8M19 b-?֗9oNa} -s|IU Ù-2?e?crY/|~N[֑&6Ϯ1k=Y[㱰&h/dCԧx[_)(ikv[{O'soIΑ5c;ixӮC9u]2Ϣ7Yr؝y9dY{@7S(E3&s2fr9T}sY,H}wy5#Sõ}^;) ~m Dl bEn+C3{I&qBߐXS﹨f_15" n -y_o:N`J6dy/y){؈(uWbl)k%vs-Q%Sq\7{-\.u'DwˑD|ɡNo1';vI #">D{ae~L>}||T!׼{dFksJ{߆UqLm^Gj_4# ǠGj_l4s.'@'wR#6"oC}Wr8074Пgly8eO iDujǰ_L_mr쯥ǭnE%m&_7_ٯa3o9[GGstͫDW=H,y*.׳TUHo{ &_}TOan!zI ($ -#D@jdEPԇYݭ\UnVWDqCޮ##\|~}G>{"eUZAE0Q}7B8bt%p^."R+}( m>PG]=bG.Գ5縗8D grȜKS݄iJPn/] <5b=*}G_o""w$cD*/"nJ0r7G=bC `u9hɟB U>FFUv(e惲]eC%uwfrL/l -8t|S`SXJ37TǙ2:ۘJa1W>&b礪mD`Lr5nϡ u̟-vԮqH~>vO5R_BZ)޲|XF˽߶3Y0{"N<2?oN6b:jHq#Q%(b:=P^'H\]%(zJOoΞ '8=gp'tg{ j}L nN&}vX`]C\ͻg+ile-P`~ z{0u4kUEPwXT5+^-Z;ˌ]7}flA۲?oj8ޥ:cJ~Wu7^ao8{b -&B$$@j#a eeX@q:Z7P(bDHle@Z*0CLKi-#T(sŏOôo?~w߹vEfdckx!:!~QGkPiiL=j7.!rLK?NbT&-'MJr;?kl!nAi${W̲u"꽭$/v60[8aҟ~9=h!9j{B232l!UZ~VGo7H,qL~]]ZzuWVJQz&[2n>W_MRD})J$>旒v_`.ܓ2x:^|9*ڭr{KNՌͯ{RX!ȧ]/?FM>zt {}|CA/rNK:laק<N#;u<\铒گ1` Y4JESLjvKi=ۻgcGL/ j:֘%\lgȔ=a1{_JfjȍIRvpfBi[q/}\8DHrrHCTýtkJȋYթ@.(^JxT+hWoPߦIUK2enVx;#nwn/oyw+x=ulsHꛠz^v)6wLdg.3V߄/^/5 PyY&WY|L0"W|5gGs]3|ӆ,mx&?e12̴̏C/uۂnDkԽԳmI0L&:&?>%wlŹ>+qy1;r`Ė <$FJ.h\ ߨKdUbgOr-ޣ8U{'K_ǹHJܗ{OD6ݎ;VD5(nm娍졊v -S/yѿz[wc>˚Rg%MO8.<.R2~q_jsg,Q Vn!qw ;naJ St۟i8<^OҎǷ{ep&̒73+S`R|oI }i7_|It$gTOa՘ kyF.NXcw[Rg Ȃ."Eq7'#5T~KRGN,yO=gUٳ"yC;QjF-̷%Dz@J# ̕#wgu\]oΝCnEF9>͹$HW+ W-m05|Gj;yTji*;XP@G=DF8M. 
-u)7a/A5N^zolmƵgOޫ!l\(^HRJ#r#"|Sm+O+[&]ڤMLӛ wqRo^R6#.4FnSC00Xul[426H!'iǑw34'2h?EM2̇O.\ > - B -6H`n|ӶUjW=iDcزUmԎ4k؞)YlipJJ;J[r3La -zlӑ?!=v^%ݾUg_lG5uf9Sm1wi66\Hn14cOOzm1:64ڮ]ou?!MEc7՟MS}1Yp1 -c#Z=Rg|^Ը2ZS>WӰkC 4~OF_q_괯GEѲ:Mu py|mbq݋G0y0z{vIru>x ̇s^w5IRO|~W#Izyzh?EqP~\_^x ;y;lVH,,-1^?dHZ'.vPUDT61SKo!v>-}F'ɤ>:;d)w?M]H{'To'Hl)^3F2x@QՖ'~VM:jM>X˹!ZcNuiOS7I -ֳ]1 44u@# Gl -o!N{1.6jsGx:1gcznnKѳ<#FIږ8nf-]&WqGQhkƼ)z;$'\<8^<1bk7 KK^BxCa ?n ȿGiA,|;c^~tct y3L8C0Q&7E ǤҾ&Fa޷G8>w6`F{N!Q(?)u]˳Hp(01#d|Nmڮ} ]lF1rUg {qULbRe.&yX(SuGGލ3dAV jGl͚ڬ&z}b6!t66\2|xk2l\7e(ΪGO37~f\1ȿF1jEƖI0|gs(9I|Fo>1>p݌b"ęyU_AoSIq"=jmD w pi6NtaS.r vͱ߮dr>jY䢟0AP?hy2k>Ȟ%^yλ^8C,oaA,&F6v -':5IJ05k #zMU]jzzs;t\3>N8) -{oT-r(`>94$쇊VsL3==ғq=UݪAUultwNwIs֩5ǩu>WAm @~OqB-y廼(u7O ꡱq(;DT!AAsݱD&zzo㤷§|˨^DZPu#L<>KNy:9'aEO7_F.f/'eߛ&6\ӏ*10E!!dJa[RV~-F/P YW]- 7Tt`g)G-+gi~Wʣ8a8 -Zvs` uZh͗spu; -.a|% 7~v⿤ t=hܧ$R$ CIb,ki$-AⒺt46|Q&TV$GTְFmS֚SJf*whֵs;y{kAlQ!OlI(x{ntfDfjX+clqLIU`7Z~̗S`5{i-#IX jݝ95&H6>_5a+gQB@/[%)A+^vy|E~1RD_Abٜs[˩O¤3]Ub[W͇x+[I{k|[l RBbSpoR$ /@נmS\{Xke>ȷ )^k -g{Z=$q(R~1UsV( -F2d9r"rPg!΍jX·P>gxO7>Df JKO*}r_N=̉`LBfq_eG΂ elkncG(kzF%{QWS>9ߓb?r(Br5[jOWϼ) $Ж[*h@Z~׭\Z/Y;ÃP yv1ڷv ;X;F넬[!f69ė"e.Y'*dkX ("";i'eJW6 >UI.2e"~ [feQ2ږAŶFl3KiQlɏ\CԷ#ېe Rջ^u݌5ސv0V=xa y+_k>M4ZkqĴVXv4D*,C2.-}zyN⌰{"j|&BgA>9%v*0ʉWnLZGa H.K,G>U9~{ɽ^ڑێ3j[.Sw)MJ rBvZ!w9ߝ0YTr4?ʤ5qhzR;yA9G5 >;}o~Fk;Iߗۡސ K'XN0[fۙY,NTs{s8Œo<-Ut4YtX҃qnzq,`^$5¿N\ςpM4>ID`S mJ2V{Rn_O~U?x_uKXcO9Ԣ_n3x>WDJ#D>71g"7{FGDZ Q'Kiմd%.pHd6qKBu,b@JUN2Q#Bц!f ^z my_3 7J!~ 0> endobj 289 0 obj <>stream -HiTW~)A FԈD Ҡ(BD\FQ'1ccFk%"B(=g>w^ԭ׀@Ic'uAt8s h4#rnNnq7;s%,h -5k4k55z}ZC jm!tu.f&Yj]\ݚq=yvӏӟП;+}y(O'Siy\&_+&E+VJ2LIVruR7ߠ } c acFTAժMF}j69ی{_ˌg׌uipsžȮ^tӒJ.qIim[mmњfbdϳ6TXH\AdJ@t_ P1I,.\\%T \8A[L(Tv`U><Br#䤗e|E)7ˏ#( NW,J^) A0ѐd6,2'B0ENظiN*' s=S"`'|+J<N[?N06Ԗ`:-s Z`x䨁v:G!vÝsD\?Z4VtBD!v@kO>\m-ηγZ-Vu5ǚemeͰ3iUEΪU\@Uտ'[ f=7^Prc}ʵ%z2Uw֬pFkj kTզWLrz1șF5<;^l}~~֋S޼6A>%|w7v1m c~Ab=j0>cVkq-nWïyoZ;#^Ŀ1ޱ/m6ڹ)g~OW:^>;a%`#܁"a7a|D&M& -{#Sp>`&t8 AKq/`BCi PMoI-M4R'Ƌ{bhk:xWFT*~Je1tB:)NKgDwh -`J09sg|ăӲ]v$x-]K(ŵVZ]kd;l#vb7='b?p 
80#p$88`"N2+432˫lsq^IzZq .eWJ\q u7F܄q nmwNSԠA4PFiQ4XGiMI4TFҌ f4~4_PU -V!*Tp"U!UXQEU1U\T%TIUJVe>UVWTyUAUTU%U31 omxx+>w >g_K| w;?G)d MH*I C::|*Yܔ)/| -PAuB:PS:.PSER!*LE(,S gD%s9(4TSH2U}IE_ReN5&EQ4P-Mu.գyG (VU&ܤԈSSJHͨ9ԊZSItɐLu6̆ƹn7m&!n3?G#ENϝbc6'l=iO=kh/T{^W5{ް7mM6f[MMmmfc[ֶmkl{vͶIRS$Zb( - -J7ԖZRGJ=/ $V|_/ΖLH60圜}p es.A!aV _/ qa.E\Kqi.e -\+qexHK)-ZJ(S -ʣOTHETL%TJeTNTIUTM5TKh5Hh3mIh7:H0t :I4Kg=:K<]t~Cow]#=>O -]k)}FOg =g^KzE e; \21s=܀=nȊ5܈sn͸9܊[sn=w`?܉3rݸ; 0(܋c7r܏9ȃx0<)_N\=7G 6܁g =!<3x/%ޢDu$d]X QFaclM6[aklm;av@]v=1{a Xqa<&`q!8p#q18xqN)8t3q9NYq:00S0030p."\Kp).l\nin;3&$ S`*L0f, s  R  2 `.̃"X K`),lX9 + VB>@!A1@)A9T@%TA5@-հ:X`#lͰ6;`'ݰ> p: p 8 ങafYfc1sqJ,",,2, -*UZo][ǭ뾣]r?+|m -'www;ʗ}ž}n[w͉qzN*s6(W6y]^t"#|q>'w g1OST^ȧ鼈3,>s<>|!_KJ _W5|-_S};MﲉO,Ezl@dY+&ư6D!J&;.$U "1XvT1TL`SJ1$&27eސAGb}&+beUqG1q*TP[8#Reն~ <"V`%^X_Wxy] .`Љ -A/.8oT'Q-^99le-1XKba[EX~,e*C!0u55p0 ǛxCU}(S2hθzE3){-%kffJ9(Z3hL*Gâ-CrTcVr\gDk,bq#&/:('Ӭ訜MtVNgXSR)9E<ϚΞPKefW(_*_'/j*s,r5K*_«٬,^bˬwR&|LJ:+?(?2nbfA~C$\eZoE!2P&fE{Dv)\rP]R:~PtO*:}lȽ^uFGB3US Ut>L vPjt"1nDdB)b(ҝ =iW( l3h< i?pʧ%9X! :*LMZoQ|A& !A^TzW!kg&7@h!w -s5~z_o_(aIL*=G#zD4B( @hkRg{<19t#gH]3ƨyNp̡*t2Sf |!Fz}zzLѽ[<3;u|SI۵MlӺU ͝O:O4{I|cYQZ LiA[]xWjt:v՘y -pZԘD0]!%٫&>lF'o:ȹV sV=K>jᰩQ K#~<[$M/%^zfw_ޟʎ`f1ޕ5K*4n$S!UmH@Ef$UgP5O\BsHN?"ϩڈ:{`ґtu 7a@DA' 4ů:cw]2@1Q׭|5e\1Ti^S./_vZRԂ)>كmefh;!5GANpfMdkҝݹk9;S? ю.ǙJ:uTI[$&23Eqyv5kW }Z!#V$K[4#I糫 ͯ={0<#uk}6aDFO՚Hwǝt/H'&:a_CO'IQ_OuǥdEȊVLzDuٚIzy'SAؘN{@AjM4;v]w-{5Vg!>}=(+|<ֻ;]w f8^kcP<1xy8ll]ȒȤ!P\jTU6mqVi۔$P[$ܢUSD4%Q*J3;j=sgkHR#aRcCqܽVoօ-JYCϖK ]1J3\:W_xISy[)FL2[vWKc+dcT$g𿙽>ÊǺ>+)7IӳD/ -tQ'sݚua|F{j -xoKR)ꡗ-vPmYisW$˥e,˖{ Uz.Eޝv!betǶxf,h"}m YUVL[ܒmJ pvYq;Yb&jIϐK]J]hW}mŭ. 䵕ŭD{2mѼƱkIcXݶx-#9/J]Etr^{tG[x/])4w5_UYo3w,FB젠ӥݧZȄ'pjhƂS{rxWOf9{3=w^griII ݯtp灹:yS*5YCPX˻+IW~f᷂̅8mH5 X؜ !f]z&gV1;v{rs2{>gJ"~e]y(ăLfJLO5j6A ϪXҒ/= -H*Ґ=ǝ[))}Wxco0%2jNq%lOHl (1[p1.Vs1&>I -C_`R{$ Ä\\I8M4Âa=fedZ[LPU`BYDah4)L28}3g|kF̣s9sǹ\d7fqcfXUD(<Ϗ -GO'sD\ȕzn " j'mBJ6-NMoYlm! 
*ԛ0}uN_3$a9qz9|E>4ʭ,"2,"݇x|f/AqE9Ӆ?c!_Ar8x - -+WxS -#xt@#8r0L9uއ_nNQ~q.:?r6\vP!qk Ȣek]\dAf,\yVQ(U -* -HHFB[I*^ThjJ]S6a9pO7|eulz~{o}rf`\`F^HΞS 1.q3).`Lʮ0t!N[3g0P 28X4YXE[Ju0|mү7yŒؗi,vNEFP-$@ 4/#֜SejWZh2k{ 1 &i;vݍdFA~TAH̙ "%l<۞]s/v+:m<ᙝu̚?zIA:*{$Q!D3PH`8``FmF`ۇYЇZ)|!X0sj,E)~2ģjhdcd T`^|8ƟV {7zuٞ=zz]m>zsi^Ju1fS -t E{PqiԮ.I墐0R3Et;0-fS1 I793Z `  nHFд'q-5w^={}͏?:4s_5#fZs}M v9q}dA;lZ7@Ŏvcӭv1 7\OTLcxhc:J]fd>ذzB݃M˻~n_ЙryT+T=kC7@AG->U 6Qz[\YU]:R~OR|EFo9YL"I[cɓʈR]g[Ee,}6kN(J -jkڃjA`q$ݧ2zYo5Џtm|x2. +/tF!)BĴF(\ %Fy'|9,ݕ{ZV(;~MVg;桞Db2J:7" TRxA^Ёt5klh&!rKogYcjZ2>b+,ͣ(|CGiep"xcEh7:_)?=;: -h~z~;@קns}9'0}_y9 0p T4loϑ~ח͈ONuljM3Bdέb,a!aRz mzsE~6֐|D3ᢑd)?#@N.\Fuy\ ,d6;pPF*^ыJOcV"_2) -4Ly'O*> -U#i7N4FD H 4n . MsFMUs09˭9_8n[XՑΛ7WO~aPݘ(,3-)#hymڦ12=a}5yxu{6<uo ꧴4ރ{Ny&yoXyѣ˲-9aʤl+ *v 2Z,-vbW;b@G)7PaeF{JйѯF9]8JJU ΛYzH]"*hUfg\(y /!,d1^x&#U3ћ|qf!`W D_ʫs{ t"TDʴ2f!%tH cYXƌqSC6a␾DDGy lk8uLgqδs}Ž~{9|waipZ*4dbo^㨹nw,rxY fY-Z9ؔf,`' ccq1UU1$}m¦Yh*eTbo63MS4f_ -_MtW*$?]ͭ?EvK񩹏Ӱ˹f}/XfQA tsFx:'Uy>33<:c'S\kM,rZR̋znڱMA9B*ฆ=,2ĿC_-;|ww^vĒ~)ojwcD)_y1|s}h"^ʒ%j7P#d:jEb2"#^/2+_06'@5HqEmQؚG鲉"K!X㺃"fpd/ϢT)5 -ịyϩ]t-{Z.) 
v~*8k*Ja\*E_#RHtQrJB {Y*nvȾB!/;q?^5i5AJN,%51LarVnٳI4sT]זk,"&%`}OK|O@\N;D nӐ}x.*UY㬐-u -OD~R$Zk[:)*Tb33O*5Ej|s63u x,yjFuƭ1wPCl )TB3lf9Q?hg(5x<6QEf=u4hZJ6 -{Tgt,a} <&>] Fh+|Q+Zh+c|f`|lKcc]-kcuYo8|.4*QuNb;-Pz=|=@vT!^WiǵGWqZ-sv5M m6]*{~ʄfNL~_u |%bk[TlC|Qp o_96y2F0_kO=GkqCI -z6M".08 /BjF;DOW3VsnvΘsxN`C^`?Y~AFK9<6,Z~P1Χs{Џ^zÜ"T2,V}y^VQ'x̧M/X[qVw)`7&^:i|OŒ94,o+^ JN`IIˬ:kX cםaY -}p/P1:ox>|>1O ?X7 - G}g@_η%:X=>X$/Dp/T.Tc}7:"dm\Tq.Br;TA2`ފMꌵH@לRJ7ϛxg"ӓ< $MC|El^q9~F6 ̆O>M8GqN7Q kYZQ |qX¬Lt3Ngh/uMbLIE|}8Aq<%;8gzjDV8sР HʫW40>3[y)pgFssԳ{^0\):zJSC.p}mrs8yHݓ#娯Ɲ o%>pwu -=&Y\vnkjqDNyq9QJq^\,d97^ໄ <SUgBMg5|^꤇''psD@.r>ʛ}eNc:|.Pz8vx`(x|z}.0o݇yc"v3"fӌC?B/_`糪֬?c#Kl/(vG؝ȑGZ<זWs!:CcaชO r~ZR07rts}WK<:@pttY:4L3OkZfԢL\}?zDkhiʝj v2\1\ 9jWk]{ ޝwV/6vS~hwm58>Ľ -DѫCYr-Tne -TgU2$Cw/z1v!_ 1b1uRy+~|XQg/oߠ)r-j2|w|ìt= A˔G:>{LwPoL[BEʔX0QEJeU~-JHaB7 jjE>UUVBiȐuad)fVl -FdYpC!^Ϲ/T}s999?H{Tڟo}_ՠKR#ͳQ^r~DkDԄպQ#3迣<,UIa~o:Gv?Z+ב߱6E.wÜ3ISCqȣeN}gƋt+ͭr X681=h-IF_H]_vl2y=_[7Ph>19%:(9!)h6himB_$v."[~)Wt9GS{M.ywpɾ,9b:N#g3Yu}UDI.Fi]|4{2 kė V֒YpA#9L2n{WsvpKܸ~:usg˒ [_Ɩ8J'1=xAqh8sQk7)GW{W;q5 -"6ؒ,bJ. 3oVxrXH,pg5J(ʒkR% kƨ bKDbJR4O'ciİqtC9z';yYcXB&`c.t[aN .%VZ:,OdJ^$^W8:5NdT{Q$MڃDSXfz @1wtT"G2vL}<}7ꝑTp.{g?;od%/qS{} -з;<<QB\> = -doCn?ZgV> U -?nBt] UD|+2Ba - ?>'5Ja>gJ=uliQj[6p :oF961*F`~eBJ48XC8W@a8WY@cq?a5s?wAB8=J⠿$0ǿ@V'vxy|S`cBz|boUp _r л;W x[k"N?/5~Ųٮ$\)$5k ӸE̺VPL(uz位RE.USDe#wv;cy=qthֻ}˨ G.+u=f΋C4;eOm:O^t_ O+;$\/t6{t$oc'3ºNpw$OPSTN-qaYalc=RyW\puu[OV`<㾂.㋒ gob㰗qQVgYT[$/6|w咋O/=);(ܜxWJYcrdu5WwǝY[%f@߈w7X&[0o~o7Gc'lOW #ah_2o)^e$q<֩XRcuMho2\m}\ ]PF\(? 
Rg.{ÿ y tZ$k00L*PYn|[VRBOZ3LB>є58mC74W2L8`;~՜> .pG&8EoW@ {-ismo2r,_!ťS1_k.OH%\ۿ=N纭}k>u[FIsVZ9D|vV٦m@_u" &gh[[wQtvE%{鼖7E4ms!l_vE5RVޗp󈑶Gۦ 'x4߆mgI_Sy=:w$Uo3: U>O}l/ps}{w_;%F=&h){J }+J'g# -`L*x߭!:R~{췋IdS!5>j{N󡴍dgC,6T{;ݥ ,11;+h:$LI/Sv\֮'Gyk?} {hL@#|)ČwƜ(nٽ&m5Tϥ4o7]jU⃳]s&$z:4xW؜(l%x!5(;ÓA,gqʆgR'w?"{m޸_qy{lk`^7HNbI$e!?V^J=e]gx|ZIɁSܣg*35U<]أH8Pj&*"Ӎ})2BX%)ӜPG'CǑ2:1=ڕCُ$~^ $5r51MC{WU\ww%Q?(J)mhC ҠQ(@b(hlSƊ0MAig UQXuƊ֎ViѾ~goxg9{ٽ{`9Iާ/.+)uʻVx/6 -k dqa5Lỉ)F9Ɨ(p@Zy7Ş%me7μڑIMgF#G'2'} vJߜ2 UDvd ۼlKDzȗn e;F΂?6HsWA|^oJiW'+r] ϐ]Γ]vj-?0Rlo|i7BZKRl:dMFvb/f+ '$YɪWHOuL]jWdONR07'csO|a7\2p#Wi;VOZxۍ(~K`#&J_ sY0'~wVzV:tE'75h9mGvJ)*>$yVngؙ=qvhy/dXHMM!H[ B:^M| "r ]Cӕ&>d:t&KM3W;KЍ?J9'OsN+M9]5H pg{ y',g?kE#gm3YwtMC8氯7l0+vwRHB&BM.km< )fo&)5_הx̿wI + -Fbݲp׊~~#ztA:ژ\>@ :MΞ,&!65 ;Ȗvdvh歶Kqa[2`" Q3n]0M9Eq>:o]tLs|Mg`{dH~GG:9_Yo;Ajm?ڨJ/C nڮNldw>2zKO}9>n .K,[qJ`GnoޟRH!vc'_uΝU@s>8,cb) qN;rh -oi#&q ~ -=C 3N+'.9Eۨ?o^4`k2r=vBQ|px - -wﯗ9z^ 1EMvKo& Jl AoE4ϻTmW_psxz9ۙ;&`ϛ.t.طWGeƸr'++14 o!6m.X[9vEF^${sD?OUg3;Ӷ5ƥ B>><#ϋP* ي -L -oE"{)zIȞӱy<= ,z͉hd5;YvS]Q>Z2?Qד`=|wjFA="k2{([i]ufD#G#eľ#e@. 
P>?ܐ -sYő<]=2wϵ%!]'Z(e|x e IjS@M0O?y(>1ⱏ6}֥ 9Xt'춬ѻ:X)ObJ♩̕IFmӐE Nj/%eyCMĻ+[iRn|*)( WЦ^~ec, P ao3y0/ye/b7˅v8o;w7}(u_w5@9&a6Q.IF˒LI#$].=ʥ_÷RZ*Edd%QG,Zg^b3HwB&,Q.DHH%R\Qm\RA_$;r6<>-5d'Eg2q.ӁAN7!MfxV?zX"̭2 Yr|4x[NA\ -=V;>$&˙_5iI\kz^鹰zɥ^oJeR6k̗}tDJ(YN$S RVT-N*ATMV+aq,2ՙUDCI¼tt˩iZa{ybZݟ{u]u_}}|{ve* XWe11{$V&OcI$ e`XTOtMXn=kn݇cr^`Fzȳă8ǽz -^zZ -VNi -1drNfRe>v=+Tʹ^`,'&]A[`W&eT>CarI{O&'06Jwud32$oD]`+ YRRelI1~/A)i\C9 5}(>.R -M-T>]=~K*iZƿ50G~Jy(tyeӳd@qXkፙ-m7װ UuXe>9arr(FU-i'Gr8{kh$a8{T[Hquy38vW *C~kYW87Gd}QZX#cI-1x~x㩏j.G6Vz ֡8KkTh*PqW[}|oTC*R.1##s}J'[g]y"gJeRfHt|Юv$[F3jRӰCT(E)mSE -hw<(;̓ZlÛPsj%YB>< -^)EVJZ4=a,Y'Cq2]prL`^ C|z/&2{S`0,S:=iuN<A:,C#IϘ`h͇[`*wiG.hmh~6> -`&<O@dx6RVt0_'"`=Lq(8^υpN - p!ކmPsa+٪V6|Z,8LY)M}wvia]?bn/ Ly:JW$;;*GֿtL1ޖ$H Z[F8/GŒKFr`{Kb{y]~> ],A㠴ǣaL$N DmFҎ%ZAB/`@ND{r%HE -q[{NBe=ۚd(z{{51#vQ_3>fOdm@ ]-:./+ހcNu98bK`~A5Я{}n}e3xؽ`#_GӪD"јxd5?c-I4{-3h8/0QNS$鈦w0Aʣe%,rIs J,OJiR]!Zo QVz o˾$ij:dy%&XFCnp.L yB#uU&ZQ2c5c2}GgKKl7 q+y]Vwmo~Q`ywRry -{ч{ȺC9@;hoFOsnK<1@6+pNuؽf䒋?"u>ymskK<ϙIA`̖kb7$Nf$j2[sZt>gt3DK Y|w"-8NH7^{=C|DחI9C<5ZHWKF|i g%)tUΡҭs#~薨y{L49XULQQdPW1 kn^ro[!+F:֏3D?$+{@kЏ<ę(VB} Tqg`]*q&4>[iWg${0?6KAٮkͮn{8'YQt&3`}2p$Ig;{{iq._jBK9=.}JYp9>f -|/ʺN]gnpscPrAb)xYYu^ͫ|5>W}LцoQV=gK% V)C8_̷$\7P8UCn7ߞg2rYmңYϯe3h6:(hDORhOzJAs-I ttrHOÚ|ܵw_QVYnSMowUrӈJal8{/ ,,%H h.M(~<7*Lf\E&3I>$3ԙNK cmFδuɌbK՘NGܳmlss޳;gg&&H?9{Wñ pg.d xWH#%Xz#In; $AAAAAAAAAAAAAAAAAAAA#aÏ!$Ȇ0r| 0.j\ w% ]2Ŏ6Hzד^>?MzLz4asnxz`wg,jj 0[adbڋ!t -[`C`FDԏu?~m -i؄B'p~`/ԋc *ƕZkEF~8fw'oǜgeP}i x/GVwb܋2$^( [wĞڊLO5)S2ᔩJʔq2r0pB?z_]wzKMׄ~,ЋB ='3BO =%'(f=,) _qcB (eir/s TCnڳK>K/e0ʎ(wwM |eJ'?8Z.VѦ7)@8M)M_\: $X=B3ʵLܚhMYg.juRo5y>3[>6aR5?]l|5c͚]DZ^:r fS-ܪ+É_`O2U䪬W+4j]_^4|B'*I"ff$|L)7j\iaT׈IV\),Ҍ ~v [YlMV/'}jpc6&vzk: Y:WO g+}ڍiE}l%2i۶MKӏkuŖbLRP:JK5>sc8'oqւ'K׌`k>;kci<37|DKjuikԙ w)*cAjWܔC,8\TRԩC=xyc:KlwcUdSԿblU꼹Io{Yxm^9*oSkcQB;ì ߘߔzEXdzXD3D!58ۜlz9X&`voc8~;3Q"QWubClF NTUdĵ:P]$* g521Y W,UHRtRŝiwd:mNYIseM F,Ar_v{G¬,o?+GdR2T/ы"=^=Gwvݦ:hW4lVqìUg,cuc֔tʁUN7{6Y<X3eݪZhhfs_aYk !j~ /#B⇼:[^jV[֋8řu5>2t)ַa%∈#\ҾNC|hjwY3lē~DYuQ3i1C 3< RK׬d gstd R*q" 
-"#x/}~-~_K"? ?OI~/c30?ħAcſI<(U 6 -endstream endobj 268 0 obj <> endobj 266 0 obj [/ICCBased 290 0 R] endobj 267 0 obj [/Separation/ms-blue-dark 291 0 R<>] endobj 291 0 obj [/ICCBased 292 0 R] endobj 292 0 obj <>stream -HyTSwoɞc [5laQIBHADED2mtFOE.c}08׎8GNg9w߽'0 ֠Jb  - 2y.-;!KZ ^i"L0- @8(r;q7Ly&Qq4j|9 -V)gB0iW8#8wթ8_٥ʨQQj@&A)/g>'Kt;\ ӥ$պFZUn(4T%)뫔0C&Zi8bxEB;Pӓ̹A om?W= -x-[0}y)7ta>jT7@tܛ`q2ʀ&6ZLĄ?_yxg)˔zçLU*uSkSeO4?׸c. R ߁-25 S>ӣVd`rn~Y&+`;A4 A9=-tl`;~p Gp| [`L`< "A YA+Cb(R,*T2B- -ꇆnQt}MA0alSx k&^>0|>_',G!"F$H:R!zFQd?r 9\A&G rQ hE]a4zBgE#H *B=0HIpp0MxJ$D1D, VĭKĻYdE"EI2EBGt4MzNr!YK ?%_&#(0J:EAiQ(()ӔWT6U@P+!~mD eԴ!hӦh/']B/ҏӿ?a0nhF!X8܌kc&5S6lIa2cKMA!E#ƒdV(kel }}Cq9 -N')].uJr - wG xR^[oƜchg`>b$*~ :Eb~,m,-ݖ,Y¬*6X[ݱF=3뭷Y~dó ti zf6~`{v.Ng#{}}jc1X6fm;'_9 r:8q:˜O:ϸ8uJqnv=MmR 4 -n3ܣkGݯz=[==<=GTB(/S,]6*-W:#7*e^YDY}UjAyT`#D="b{ų+ʯ:!kJ4Gmt}uC%K7YVfFY .=b?SƕƩȺy چ k5%4m7lqlioZlG+Zz͹mzy]?uuw|"űNwW&e֥ﺱ*|j5kyݭǯg^ykEklD_p߶7Dmo꿻1ml{Mś nLl<9O[$h՛BdҞ@iءG&vVǥ8nRĩ7u\ЭD-u`ֲK³8%yhYѹJº;.! -zpg_XQKFAǿ=ȼ:ɹ8ʷ6˶5̵5͵6ζ7ϸ9к<Ѿ?DINU\dlvۀ܊ݖޢ)߯6DScs 2F[p(@Xr4Pm8Ww)Km -endstream endobj 290 0 obj <>stream -HuTKtKKJI,t(݋4K%ҹH4J#Ғ(H -wqyy~3̙g<3Y9El -@ ]!O-@\+BVKK :OX~WCaiHKL0qY `5ck -X]x= 8 XĿ׽>.f#aPn D^{y8  dp H st:Y׬cxc IV?S!:_9[YbQP~+rA -ShHht^ '0߅™kYXY9Yqqpl'WzEE$%D>,^|t*K)%/`\ҫ:&D [7dplDa5|mb4,yy{e5 3⚅,t+whlA   m k -xYUH&%Ȥ -qO'Mz3KT@v[NUnn^\o]abTrtlmE]e~U+jאZ:zaqi5};CS[\_ۆwCaQ1;>L$Lz}4:%8M7l̎Χ/}XT^]X>\Ym[n!ycskkƶʷ;v{pIs0Xݯ3s󝋒&$WWW*)!$$%!e$cHNOAKIMEq ƕ;KLw@YX;ؚ8^+DspfKOTCPpJ%D=++O%$*8IZ\Z^UK_wL"dx]}>9=;s_G8/̹N!Gz[<=2|B}PQzlH0Wc(Een|Pds::5&89yFT"od䳔i/ZK^&gd:fgQl kJХeJ*+篍kj5U[ZUh0|em6]B@`PpH?QM1Msψ*iϛ.Z [JYZ)X-]R޸Ѻپw?@?5 ǖ'vNg -W3gLC#u!MMMEvAms˔FVNA̝GLwA̬,llؿsݛnͽ+!B²" 'R&k?3?4+:6oT\ұڿ6VʝoF?LT;:>::>:;eqvx^sawݥʕ'_EFO\DKLtAnFF)F|ԭ6\`@z?m+F;LwiAhy͖)Mgw~_ @ZH_XA,"F)%/*9aZ:Q,\B^_AU񡒀2 -*'[j o5[uR1uh`fm$1xJgBdrltlyyEe$feg-g#`dGbwj0TOC9; ܨݿxz6zx8IP=A!.aAxۑϊ}bG-ޒēx`G/Ԝq_O?0"۬խЮ˯ǰı²µŶȷ͸ӹۺ 0@RfzƏǦȾ *GcЀџҿ'LsٛFsM6+1MZ:{T?~ò~i~L}~cbA~Dad~ty~W~O>~\/~|~`Cx}%H}1X}%z}K} {N}׋<_~7A~-ψ||Dz|+E|[s|z} ^}wO@}-~ċ 
{Gu{Dz{]Ĭ{f{Zx|[]|ϕM?}R<}Ǝz]YzHħz|z={LNw{\|=>|v|ېI8z/r z;bz'sMzd6zɬqv{D[{0> |;|yyaIy?yazYvzݮ[{^=c{ФI{R*y߄yfUy`VyyuKzZi{ <{z%zȎ~+~}͇}W0}3}HtЄ}Zk}=~zɇ}!~Єd*s}Y<9wpSwuuVrUW؈|;,뇔{RsѲ;:8q)PCV:4.8Ȅ2񡂡?Up Vu9S c bփR.ՁNn U388A/ͬδz6߆өn1T\e7݀tXT)$̯̕6;eCʷˆ imw3SƀV7M -\lGNػځNāa5tNzlߴS<H6*-N}o2ن N%է>w֣A}⇤\fXMݘ2, KԐ3g°[} -0e6M _1 ? 1ӣǾI^I|B̯dܪwLe1$: rW] 1S{z|diL g0\ U{[G{!{ ޔ`{&yE{xbie{Jr|/c5}~ -~:f#MKx+Ca|uI~.yW ώәߎ%¡唘[w!^T`^H*- 5GȨ瘎=Π4rv_ҍRGf,ދ̋|,ƕ{ Ҙtٕ^1Fő,;',#h%T,Qۥ{[s:9󅼓&^!Փa@!" y -.Jl6mHju,bU6+s hܸd-ʥ}wi-sun=0Ľi-_*)U_ˈb$na+;ϧT;ppA7C4.*Iߥa8Mm.ACi7\j|fiԫ)]ޭjʄU]3(í whJch-4x7h׿*P0H됎L랇ڡuÂ,{Bz}8vggҲd[!XTZZ.vlAg -{;Sm`vؿ`~?ga. -3Ì{L^WYe4]L7ok!wI~Ira^=C#Zh`Wu}p)"z7ff&3$FJ8Ҷ5m -uR_,^VS&aR~PfLL_Dw*`\-9]q  TI6)>u6 D`e͢/xqY%9ʜ;åOd\˾P&eRz;].R<oΡ]P{?: r̨\ʻb Ҥ3|m s؟W9oZt]RnÅ\cW#+nI&gyAjsN06HiD'@J+a5V~cRI̫vwtUc[3+?F|l(iU^+O?Rs1Hqil$Wþh=(RE -1BvџnF/ BsGMY9>ܖ3ȗqI ڣ5V_1ȣβiJiX0WVH[8g_/ -n3 ` 38A.|f|ј0I6bv%& ;Y㿜҄#dD.).p'3J12K[Duɥ$s8IƊ.z^48e!R6}vcMiozo0'=~i,3:?-?oS,9w#ROa; ?pB -֞IO ݟe#}ԯN$\l?], y,>&Рq]yh0AqK)ĝBFҍcH:-h-ǟcf)K9T127]qEjL<>h;|U -dpG -ƫ`&!8al`83>.qɂnA9 -; `HByg KB*k㰗2fF=#OM eT? -mTm_OBۊV<ɆF('n3uG~Ȯ#7Њ9[١`Ns.P..콤 'KnpF\? 
B>-`NWOOWBlfxW^b-_x&*/(j_=߆󑊢zF`LdE:SNʔ@S 03|TOKokto}bFz$4-,.m'j*J|)J6BP ^3ewܫpX.*,07xPڳ:2XOT21|"7=0ߴy}ĸB)H[Fs V+̯+Y(I(x&9JAI'tXmyG=X[8TK)2<TSRvxlȓGO|g/{>4/gRFȶ&A52 uЯ*B幃AuFǞѧuD)B,*?n` 'qQIzK֗4{B_g68#ʉ2.A$69!̒ub1&D3Qx" >ɏnνxVG&TۨÓ)sxd-5KxߣD&1±jdGjJ|J{Z ޲f6/vTp̄ub PmBU#gBg˷)-*E -ar>>Ƶrn[ɭF-IByѸP=ĶKUC wG D}"vN.p]]Q8uY{#qCv}sax_oyiNr( d8aw2CQ}V8UWO\g \yk@dcZt9$u -p-1z(=f) -vě92 w u煼ת#{P6+Dq3HIi%BCb!kc5&U ):X$܎[b2*@PkcӘdoTB_L1Uwi")=2#pI9,RO>T@>;bnDPuCfk^^\G~ oLRcHqܮ=-8^5Ońy*9:-\g8:T<?*C;[yX+I;lRL߭$DvYTQ6DyVmfy%/sIsmXP1Lռȭvow)QBb_LVwupeėO*|+](uHװ4WU.{ 4\m.QwR~MAiRz+%BKz?'{ k҉aa{H]sX}da~3_auQz VM\ĵv5I0LM)DŽp1:5,&4 %!$}ocޤA]R^xT◬M&/B:DwA24?cd&g]5b4a?iǐ Ĉ.OA 6vfvsd(5yTH/P=(a;zUs bWxDa)Eʼ $sgPJreY3w`cFo0|U[j5k.5J&eTor È´}I lpjC8c5J=g%Uo|L58E" -ِ[Ak]J͆VBM"{NrQihЦ@Y?6^߫ZWٯ]ذc؋hKSLj:>O ɲ.ݰQ{5mm<ٷ?^v"}ъw9O&vX7km[ ,70nΒ7|eP\I;-wgFN cIP#qWI ;NٶA)H~7i thl~~dzY Cx2>*c&mb{9f1X*L #> - V@g蒼]7n249=MK% ;,F\j 1klZi؊ΐ.|Q9а$_.!;̿lE,ɥDi}D3^a`Y5g{J=mɳy3CM'jM-iЦm n5? SJE+U~ ;q.tXd~~p*QeS%.Ћ"ưBsZ6-6[\d;^z4`;64藸ͱw;|+&AfLU3XTm)lF'l VɺgcGObbɜ9;v \CL, >B?KGCe"z -@EHILp<5'҉$>8#gL2m c1 c Fw)P+rkC qp/u8#!*g°Pa`vu@oH`"Ž:z_Q<,D>'ӅWP .`xW3|!6 -5 El[",0 e[Oz0~lUO+&xkPc|u$k.?{Qp""kr6isVa=~@W_ -.<7 -2#h?c~m'rE_xs6aG+K 14L^kUp^^_mS^dШ'>}5$:τ!E[bJx&n t(m;ZsF5uqX.ՂBqKP *l%{ٓ{'f';,TT,bhUq2Z3;}T9vwRR;GD - K*/@hUv$j!@ vyבm,W|-͢ ^ ~D_􆭍"ĉ#c禘*X/Ϝe>|XH;:)d9gƖ4aBQ4Ew,C -ۯBU#>SV$L-5gV ϯ*B#} npþtdU$Db&$^\^&Z"/˺+-}%Z:}9AYu rTlP0"~! 
͚*@5K?߫Z-P=j>܈[O?)a5 -?WUsy5^(ge${Cm> "Gգ+$踿ϫ& Xw8?g,'ō="/xNM)'EFqrf CįQ9ZY$r!6m)4 V9kJ$# FьX٥Cp[ģ)CS;rFP#ImKGɺzj>>X9,ZL-jIbkȉ8˚?vtxPIO}_ay@:|Ve6ubd/e3<֭ztea'cLaM -lz&,f^_!?l2x2Xyń3D)\?ye ~4O+9$  -EVDTSؓ7X?MM!ԼuOtP Cbt;iްa@gW#@4c9.Do z2>M5i~u0 qswQ9ǸLt삟Mz)>kɝI;io"U)]$YL >$$T:gUo$UK,C`sCMAJMÄKC(g]ٮ9sUG0?L5QM%0Ol5&`Ƒ1,x'{k+mY}-Js#\d:i/NK\8HstQ#-ND).s*Zymnf\1l{(E=VGW9s:?wǟQZsC6A1ƃ6K@8OUY^`7j6@9?,yt4&}"T- -\Y&kVx녣391ٵqQ=beMq\`/nņ|2͌JkzDmͫIR4\~5NlօKɁZ]TC3l̅D3jSS)tWw$IX[wV -WTUw^PeUhWE^ؓ~Wchs sIg`wgs (5mr] B`7JfAaA3ƓG?{O[ ?xj/Z*7exXz Ά})C?`KcMՌ&)Y5J]q':]$؞]Yv x(ıH1eU>_0b?*񸨎b¤،D;Wxm]|N7U13*;.=>SÜj)CM>.eI1/QvН6Tkk+Ɯn\\FFV#Xde&~WE7"bju^I@j@bQ Wk8w_D ^z xZKA _`T}] -x}ЁM0S,rV+ KO&ƈ`;E{irf0F] w86f fm_8c3V<)r1p +hs|p!QP'Ղʛ2rӤej4Y r, r?4! Uq]f(*&umM+;1 --c8CjL=L1TDJ7>)BH*cHY}~xI,{7WjWާʇhg_YovMKiN> QRǧ}AQj^G syJG"?txt,L>֍p_>Po$^<%}KDS4 -*S<ܖyd;éIJ~JMn>ȸcI6uɖژ䩊i77_5W2' 9t^}/8%wd0k)ͦF9kih3ShPBULzs'0$Y/L3ol|f ɪ\AW#siS-O^I+36xas @M -A hm45V-' ѵ1S+ ~*%~k˝ʉl * -lك=3_2~OgPs -Ccd[aے{<ХjA {! ߲ۓ;O'9+wEHE&JV?fiӺ j05瀶bhWZxo=ƺ 0zhK5mov (YOut;e=R*yMVn,$v:QڳE.yVl;svn,Wi.[@34SD_!MF>J柣ND @$Y~-CMu (+lBpБ^#$~2è /@̣6 3nh -;۪.3Fq3\َvZnZ"/vNFNJ2V{#ΚVse_쑮Ta8C¢!Η>FL\M{5eH~7;F AB?VY=۩Q i9J.sӿc%FVbdեiL`a)kD=W \ne>NX7Ƒ†2IYf-to7/~Uas[`W*v3_`~:kjR("E -* -e)DDIss,f_n6":hmh+]AqñQqSa9{~8|~bh6GZĠםN\h+(E30~kTMGβ1:zka'LG2>,gt X&@?e% -=@Ihs)HUOeX^m7R7~,, \jJԌfͬ8!*]JR:WR]Mɚ PZ;JN.8ɦ,[r*Α]MM"waX)Lbjd`>:?|:?u>^G$fa. 
-ʥ_S%ED8 J=ĕK{6r zGG Ui<Kg"^ q -I6vPWy^,uc/5@:ǹ+[N+li{P#^yv,ñ-NѳH⺣<֡gxV</nb6󴳜Ρ +nhB˾PoT(W##ĉTwZU} w-vT-9O᭺HIz) z9R'dI5aZGS˟agW=.P1ٜ y?2X)r4VaGXBe`9Q1͚@85$W?D}z2* -pt +;Br\ܕ'> -vCNeʔL-ʌqKHr 7I d<BgNelB^փRγF2AqCR&t7߄{" D9u)Cw1t}?"'[7o̩~1{>Ru* ʖdClutqf2[l~{S4>J$.nQnlP#x])By`r+wLH?VD:|iUG~ժ+&+Rb gP>}WԹkQǖ]WSkqwZ -DQdVd24KGMvU35KJ~4&jwJ*y;X߉˔O@5hw)񘴕o-9E:_̂o&6#V(ѽS-te$ פp}4%4mrnzhe4KX*KÃ29ʩ~'Ǥl|O5ÍB -;^j㛑Q`exH;J\*`l˴Khk -&tF|(8VǡܷR:ϳoG*UjSKknRgl ޅ-6&Nŗ7O4rGmO[du_TvY{ ̏Iy\aRKy&P7ݪJ)l"W5{K S_j0WSW;wixF1^lО伴^'1b%OAXhq)L7j}=9PX=n`ɗKX#CùA *7{ jWܴTByufכd=Af]F=_u*`q+_i݋\^`BaE|S&%Z a8+QgQ[IK-jIKr2Tcju=A ʧQ"7{ٮם*X|,Yzѽ}ƈf:jCo[>]x^hlhNrϳEDkcCǪ ת9c Ht<)}z!hE~DBӳ2S͆i{;ouIp??砃46ٺ^"1R<-65sjpCSjqi6dzھİ紈 41.$5EG9:=ob쾄 v#[xﯦAF+T(C@RQF772I$^a$Eq>.AEbiO0]ТK5ΫPÛG ZdJ*$d ^}E*֤>?Ƅ$dO _tl%$^7[KSECqz"$]*B]}W zT[Rk"n]EUYvFUW\B6-RB^Me2B4/wͺh4Ek5˖<1U[tD>Q!.kR涧7uJc>c -l/i^3;iڐ0sĀZnS -qW7Np:([568ViAFޜ~h9Pldüj2dO -+61--1Ewv =JCHW34܏&x8,&#Rc3Dvz6RSyu_N/nmكvT֥Y˼?RFװKzn9Q4gC^5l`P\ܲG&ޫ` 9PҞٲXr6 -V4,{a؄\tcY`]lǿԾar鴯؏=b!&Yb ^[\aYt$w -[R)i[{$7f"o Xp -zBz'hO|Ō4ǐ|-j -:}̴a%Tv5Y9QK d0 ?$ćH|#uD3 phrd@,@XmVKY@ou([8#!OM~.7SoJn%OG" -Ü3N|/'O-R_1Vh&׺ NPz8de 勊ZTH;XQ6}+'h_|ȋCcuHjBA,NOS{3 L`]1> A rxӴ*E^.ؐ`Q5 v{`=W6뼟\9avGOXc& v1w~0W:ʎ~f: 0/˵%m KRKAcR% P#CSߥfmD5oEx17B0<&Yd8"1wܡ5 TaaJ3p57A>+yIMcu Zd?Bk1x-rsV9sH6p]DGgO| y5S$aE`$Ls -[Ym ~u8p`6*I ߕ`S88sn9O3nXOE /7f^lbN[PBFO.9Z_.5>F S̉R'}ΪѬ`_dX|{dHXԾ3QlZe7PRqشO5OkZrx5u`aǂ:*`T), -DPQʮdߓJRk=H+ -*#u)h) )B6s9߹瞏HZGzGT"93hDͺ sr|b4y $TK "$I~$v(B#].qi?CN ~ޱ|ܷLcOnT~vxj̦5<.f\K<2p:CpSy,66>|zC -E -T)f/:X1}J+>_~Q;^ㆪvs&۸>.k7yZS:˩㜍rݖۜaKa!l.g57Kv0!;ڗfe %]"XT J3aժlwVj=v姠αe=bI/gH& :g,(y 27>aba88fVVqɌT0NɉB`( _"fo! 
t}Wg_0}HX 9,Qx=~Jٹx>ӱe9M2mFS)Vk-eZFF٥btg0O?Dǐ%7eyښ6WSCyeUS}l`a8i g"1лJ"|PKڝc,$+&PvꖴGBoj_t4I vqf熚(eC!b׼^SbYi1¨;2W`/7uh?4 -!z@#(T 6 ^!R S#>E/Sq9z_ /G%ӈ0C9[ۼ@(٩P ,}XTOkpQȫUG6 x2e,> -?ϭQެYz/T5FL^`tީ3\#̬D:,vw[mDW)TBZ`0Ֆ`3tBQ˟kks41y `\޸cV#z`XHhwA0چFTyqӵܫ*F˪%*/>9 -gS'"b'zL=N)cs*bR)W<#S 癛)K -&L\9WtW!Y17i*%wJ_ 閥nWJ!p-0T`:K6B+SzlL,~J#ZLHBEe߈Eq1 -ڸTD}bB;*OTCnՍl$OYQ0mz7o9NŻ|hDV[Ve֩b7YZÖHl~I)ܻJ5oOݑ%(,hZGҼmRd!/NEWutV57z;jjs^^lDǾ0-a_aL؁w44簍b^ppi&nX uƻ-݂ -cY4_g ?jGIfH %J҂[%ϩC6OzvWzoZtA$?z;ؼFT2/+0@@S<@>0bSuqw;j4S'/4sEթ(P[V^5ƊHkg/ۄw 0*֭ ajyB5TC J(_F4!m, RN ?S9 :״OfOV"յڇ1,V)S@._ -#Q`K|ͨ%cj/&\: [Ft^Z"q٤Jm뙊jMarח`VCg -w"~>< 8i}XT8dzQVY<p%HG/Û`rq;Nm~Ms\/Zh:(MXа^F.꜋.Ys}5`a((X0T+JS 4&~|iB!! !)$)ʰ WFY]E븎3x,˽}|dc -|i-0Ws -Q_GpRjy0׿tjT̎ԍD1څڍ›N:ka? 7ek_%]a;זF=9-b= &Mm0-vD'^j+/5(er^+EL F1$1KWE|fOFMKm::1`ڥfXЩM*i9 -l?+Lw?-Nx͈wɳ\C0瑃f sM;iđ`$O0z*RٹB9@"k5v~.lB?ug]ed8JAj͹um.DO^^v:y;ske+,L¶vŝҼخd_5Z;q#k> MU\J{l*͟ґ3Doy"UDcu#H)BPit/ v`_Sʝ{e5mpPpy=-2[m+v6*.WۿSǔ] -^DMk,2.#ɲ\!{^I4Ԉ.~çlDcBU\b"c jvJG|H`_2rHѥ tHHBaG :Bf{'9 -[jaЧe -&hz6Fdy?>gۑx&l$^:^nx-'-]O 5@S Uڏy]Tu _,zWPT|BJ,ɕ}`8ߴy?p7gˢu\JO(_vOUue4+Qbi?A.jCxyRJ駥Pt㸲rTfdd$ֺFR>PaL'v2M*׵T]`W*cD*hAe#"ɆKO9JKL2J( KgK3jԉfZnL5oM(_>FOӹGi}<@w#Ndhoo4Y ̾Fٸ2YAz$W֜5Copli\ 32l;a<;S?B>zprjsm1tZc̥{s/J{c*#3ހfϡneh->Bc9SJ"չO8'8ހ `yHϤu-*` x[c')Oy\x!QS9q*;$;d'=NY ,|ܶ34qT=ka%hs䬺UX7Fl[ o1apuxf9QGk4;e -˸7荇5xB:yZdͫ,`2?_a[0~9iY Fs3g Ë9u<,yx87 1Ja,O@/gO㔛94 |.]16'^@1'p:XtwL,jVQv@wl{έ̱\?R^UV\GI+9D03oyd[R<""" -.2}"!<4tH~(-r25DH@l"K濣,/S}"+~wF}V dRz,:w&?C~FqJ}JݢJirjzEgU#p]ZF%+[PjewVjlW7wR/*C%%jGx @EFH)&0_Օ|Xu -DRNXA\0JSH307͛73 CWc+U#r# aQOL4Eљ?s~{sIy?y>ҒLָKd-ޣJ1v*fH 6hz+~BO:IQqZUՍP[UD#BM >$ z|?^!J0W8N WzXfщ@'h< -%sdR۔e[$z,Z2H5[&Ht L UO 췯+52j&P6uRɮ! -a+rk!o4 `ܗP)f%VQTF(Z]s,TR|O)O?ho# ]6yл)OU,F٠E})gsٴGyҘp/kw~˖I'Y;TdgYU'I8@F* 8 $I+A2((+y8OϋWȗE {բbW"@}@C׌teYgvֈHofE`eagbN_4!/e%O;mhtWv6[iyFy4ʔat V] au #QYm3rM/q{~tjD 7fiɷ  . =[n`4qShBrx_5wԐ %nQ~x'G[ `+qb]Q2Ըi=UGn~ڋJ(Aݪd E7Kz +M]!} jnh-Cզ_魺a٭Dfrj6$-4nUZF)Zpux'@]U/ٳۿ3Ug`iU}ڰULWu+SU[;uXJPvOŀ{$KF,qQruH.}imfZh~atMBb0*iWC䶧jZmn[nKfi c+.&oV.&ʭ{5_s9dmIA. 
*s5: 1Ů m!|fl'6#N -Z>\oMkCZ8)*bEE@(27{I" $!0a=+vUZŁ`-xEJUǺ -~~7TSsV6i1=2J眆Jh@ Uu;7!0 -߽\醮%-;=.e/T7D$v{.ʫ|ZѮmcDֲ+-Cu_{>1H1]"D^nR ٺ:E3[h9 7TJOW+3 vœLimc @6'[c`Ǧ8v!bR{1_ӵuoPE2\@;4"mO m{ ߺE1dA}C=WB}[3']\PJG5VmnYG Xyahd'J[U~ vWۅWo]WnGnR9H7ѨAu 1vZm]lUrTVA -sj6lhm,My4A*0vJR? Ĵ>2C!*#q0MJ!:ŏCR|dFa?2݂ch3dBzSIt?%LmF[AxYGҏ0m;GY1űh%[sጒ@9 q_8G>r Wn)jodEzC.qJviN&If8bg - v|sd%:uTf&L0~p.(RU -; _)w%$/ t# -~#u`u[w.qsY_-*'̳ɩk/)2* i9$7fUzflc9}],툏WYCIkS-ty7>T! 26Kݲ m&cӣh' ..+upC6&@j5tdP0=I˂Ė -C{޶$tR:(ϭuOR4$=jluq1?פ9Si|cqF!_z^SK}`d%DT wV>;<'V=(5H%jWMV#9YD2֓p~~J }D]gNSsjJmn->,vg&SLl#>^i8ʞ%4'RJDhRN0hBA0(r0K+aMY|"EGE_R^v4/?m[˨yN`K/5[71[Gؒ' '铯RGhqꭁ]>iIX -5'\GB ćd^ux+[^%e ֪pxE - 6%!Itި@Ҿ#% :*h$r7שׁ55׈Ց'I+6*ЮwȰ%U#zD+Jt BaUؕ 6}uOr7dP Cu}FEua7RV"KST20 EN{^lkƕ$vW(,F7b ˢÞOy<"_).kh[n 9W?gڈ7yș*ӼuA@ OpIRrP($e[iVYR -n#(aFq&mq3%\g?%ӆM5XD3b$ʁW ƿ5&͔D4®KcᏊ . -1Zo -^`~¿`6z q aXǰ)Ӽ܄'84 n"Db.yC<K d},{*h -ڸh>wMv^ c8Iƻ(~j? -eoyl/Dl5Żרpy1ܣܵ^004{ .%CA22dWuQ>okL<5.ſȠiffh7S-|^TjX[wCY*sG^1Ve֗+˃L3 /2y{+.;CtJ } ->٫y6q< WxA_PZ? Q y1>yK\.!OqM -0Cl];Sk)=RZ@[ɷ5JBeǐ$Ni"0 -úR4H~9.☫|Dϸah-)r~"eoMK%4 _7"‘e -QD~0T.>"x*O>酧.Ey+HVy55RWsEk*PxEGB;(J X(8hiqmh^ 0`}_APWDLZ‹]<4zG֦`oyZR|u^gCF#nr)Va5ƪw9njyIt -xI1bIy>}-AگOShKFx6xqqQ -3SU\ka椚̩Di~ ?{>J3mtߐZt]YNju]ɒQYlZZsNѴѷW>Sݥ0Bj+7q҄fU7m :8^;#eտ+*,_CY3MSU*LX.jQȖg_IWJ5a"9R'C\y׳qH)VU-Z.\+Ѥ/aen/|F[?SPkr" -^Y>VH9 &yaIxQfd}+] -U.o.=q-y][viRgk*`/pLBu+A@[)&PYQ?im/K,Y*gu(i2`؀V"fJSs=RU@7+>dْsmY)w=U?ο3D qjv83׽} 1r@vy:{Eͩԡ.޸,珈~CH{ksv_l毁@"lOR."0Fl]]C˧Mfi nq˶Q{56ef e l[IuY_(i&;to 5kZ/ jjp~Ch⨿䦿iRs!G-֠5 -&wa7WAƫXUr8+}E)oVӃIÌ}qZlh<gw -A?=$6-ޡ|,)!<*ǘ*z!8߀ϸuPpD|Ŝe=sm4'ҢؽYaPOZ(vj?VGgxI=V-̹uMCJH_-C]B~2A\8*E8PTΔTo 9/whaߣby\'F,Ռo%wU/ժnM*T Ƌ{5NJԢT9L;y _fXD\uַA:x")V%V/*]1# )ԋ@X"SVӅ4u.f?Uչk%Nj;c~?]Pۺ˄WҌ=V듍1 -E ֻqd{q׉; -NYHdfttc #&vPtQjd1o ­R)ʽ@}<7 &8wyybH04͂@>o` ~M`Oi#T2"-!NSn\ z$SC%Q%;OzcT)!M.wf.Po1U=Bl1F#F0HD\u̞rڜ*ujQO5u8E$7:"І(UuANgulWYE*Z"cT\kTxlx)$8(YBIY`[}.Bb T$=U8Oŧ yP-x$]0_ -j(sOH|/=wKR` ptl>f*ӡuU<=Ts(&zpKA?sLo`N0Mq+~*m-~F7^5惬H]${|-Ҷ9Y&=X'Vu+^ϖEm -Y/0X cAdPc_X 
VRx6b|C6^FeC]o-F?f7Q3V>͝yFsy]ݯMF͊k^NնI#FZ.7ƆQfeϫCJn;AjB JFw -mԗ6t(I5beElXQ͌ i,)6QS 1zJezVBf ۹ʹ/ HQ89SnE%o-4NJ``,)~utyQN]vحp+e"xN6y*,7$'x\CQL[8.d@}CɏE)1D?@晹b$?7 - YM N| _Td'wa}0Z<9|3閗3~o=Y>l0Wb=P1jmE XR[louv:.C=;.a.BřS[nWJ3ǟN1='\Xr8۲:KXj6e g΀ap%z"K1.c1ɇzɭGTRiVBe-)K@iͬ!u@_`&2q up%P -SЧ|NWP !o-t_ nyV|ؤ賐e`HʏE=>\Tǀ|cҎkIST!%Gu,%[IR'+#T}m3\/df)`n2#\M(CQd6flqGv첵).Z&wITe{JQܕQE\m`p`Ҵ\z[v7OVo9ݜQ}$SSFMWdnyuя: *o[3 O FRJ0ոl+L+&oE+d- -@?^fEkoo\fyJ8zΰXmi  -Nw}OYpz&@>gݪHc. ]7Mz#fe"g\a@\qyºJc\3ܔ r'WQVE D|PLs\h_h#9Z-TdL>˼!WS/bniA3.1Fx@Ǡ3UNN^nPOZdtvWO&-8ךshveSȉ`wPU_cař=շ}m`<<$+UV66do88{ηzkG}ڻ<<7\jvg!5M!w&GmpfSgO3x? -wZsLRq/~lK]QV:om<Q' R]AMXyu ^ȩ $}! 9LHaH8hʡrTtD-*fY]]wuu[bgg޼ߛ"ȹ I7HR7HBHudt *Ჲ=eJtj| #TI/W?{ΝO^'`v'$^E=7ITF2˵7-^'Z"[x ;[U7,QyWrr9E6cy'I gIRm2ZQ -{0K,^H/>>G@l`T=FZnZH ѳ$m¯鵩KA3D;w7ŏw^J<`i$M_x8wU-,/h!pbP1|*k _U;N45jX_:]$ %ͫX+é Miwzz{7`fOE5FohX}fL}k%Jq_b_A54WK'h?:lTHmm. m&"X7rV7l̨b]r+ OpK[{0EuwrfӵFajCCPktMݻVw[FR(Y-VE8 P?)p>͛5 #TtF%3 qhk ;`LVOpZۓ. j&\Cʡ <*g!r)J;ȁ&xK0N\B&Գ$bԍ7fpt(0H23ӲG1d?ź -bVֆ|\[w+tjj?b7hwJCmm#b.^VBDRb8E]4J 7LGc.Xd/a&ڎ @顢zQuֈ4Tqi˽èb˕ 43~,ymoθ[0 -l} TCuLBt 2ZW>Eh@+[Řy0= -sU"r];û](̏{e E=ma^2'FKv~.Оm0Oj(esߺ Pk*!3IBЦs4{^|{6k\* }XYǠD=A %$hǹWǂORV UBꯪr+Ca6 Kԣe :Zڿu6&?W&k).]%],lb7MX][H"}WL)RIrfr?AƁY&I~_IB${XlZXE&|w#؆`_vߢfu3fm89?9 -̟NՎ`jz1*.@爎܋`oْJ_+-4α6@/DWEjE}HRDl;Y+ z/1Dѓ(z)oι&;.4aZ#gsbZ+XWi;<~n"( M'b6!G lP<^\nM8--aG+dyXP^s:0q \p3bWu.,R&rm#қs)lej(^ ,=/FV6fj;ex%Dk%!FW@ao2QTvs 5h0B{UHiGCOzL'pbIq+'_1Lv -QA%$[H~}{1fKٲ:HmWS -ëd}2w7 j< O7i2G;SWݒ!@YsZ~*PƐ6xQܡ/9i7cGHVf3R>K2jZxH"Z")vHD} @} YJ64T(P_(*C]miSJqOZgA(ny8}wν37;?߇*x"D6HaeZ -5K e -tE=H\ƒW8 72ym]Ly 1N<8͍@:> >6pӹ$.7$C$pA)hJewT*FmKg-lm*{{v\ܲsJa>3_*ݑہ>V5|WG_>RR_YL!RFjz S5fځO2< `}I\:XiZkRH*4[(xX$u|I9̺TkVzl_׼gC%*wXR nY)N.9+wZ[E9ľWJ%wp`Nj[.b|JOsdW,R~#* ĽyFdwCp*L(8OelL˞)A vfFʹ.Knd~A򥾺]Di(i]YʯJߟ?>w[侾7KK6w"!eDp5V* 3VEa{:KoEDcɾJ#oOU44lTjFk,>{S?ýSk>Su=|j}T -SU.nk.mcŮ)RxbT<TV*yÙ<+`RC;S^0-itp<ȗ2IZ_0ȡVVKHWol9=fd jb%}DCy{sI*{ZL1r`n}+D_*Uz3}i779_kjxL+u ;FxL.mmQ`sKzK#>&ޗxiBV^\s3_XX_رC+ҭj|S kϽ|j|[X 
-ΆBL.?\DCqߢ7nO(M&JOiݖw0IJLM,NCOYPoQRSTUVX Y#Z:[Q\f]x^_`abcdfgh#i3jBkRl^mgnqozpqrstuvwxyz{|}~ˀɁǂф{pdXL@3& ֜ȝ|jWE3 תū}kYG6$ڷȸ~kYG5"ŵƣǑ~lYD.оѧҐyaI1ڲۘ}bG,{W3qHvU3sIa)\ Z, -     !"#$%&'()*+,-./0123456789:;~<|=|>|?}@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`acdeefghijklmnopqrstuvwxyz{|z}o~dXMA5)ۈʉq`N=, -ٖɗmZH6%ؤʥwog`ZTOLIFEDEFHJNRW]cjr{ĄŊƐǖȝɥʭ˶̿*7DQ^kyކߔ ,8CNYcjnoldVD/h 2 -R e r xzzzyuph^RE7)4=@?:4 ,!#"#$$%&'()*+,-./|0p1d2Y3M4A566+7!89 ::;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{||}v~oiaZQH>5+! ؎͏Ðxpjc^YURPOOPRUY_fnx̰߱ 8Ql»!Ceª9^ɂʦ2TtҔӲ6Lat݇ޘߧoX\[VL=*b/fMq T - p_L7! }tfUA, !"#$%z&d'N(9)%**+,-./01y2g3U4D526"7889:;<=>?@}AoBbCUDIE~% ہ‚rW; ϊ}bG-ޒēx`G/Ԝq_O?0"۬խЮ˯ǰı²µŶȷ͸ӹۺ 0@RfzƏǦȾ *GcЀџҿ'LsٛFsM6+1MZ:{OX͙~ʹ~y~eL~j~Qc=9~|4~cl@~]̳~nf~C~لOiZ/gP8v}6q}0}>ϲ:}i^},~ ׉_LpK-~~,*~&E()D9vyowy=TS3wI!D)J%OBvwN64;>FVWm -S^Di*bPkpة?%"1#!ϼK`L<n-e2*+) X䥂C@v2l Q?(=0q MzǃIz7MEY; Y@K (-\U&>rI^2IMe;Ya"VN,S;o_%sD;fƎ.R?l ;0Dq>8zDKG)3o+&<4@n͗0EO94#ҐnW9 b_7}B2yːv/ąJH삻Ȧp$ȫވy;Æǘfo虔F¨LsI,KhW2!AjHE^τ _wdlXggΩr!jU)[%B\DCfp <_\?k,.wȲirJRݐ=>0+cvZ{HllLVAc۠ ^{6oCҏSمbȏ:sz 7jP@Q;[wg|z30Uq`!P-~|X3+z2lIђ:_p-FOJ*Yr(".O'qäfrCRJ'dc~h!€?`}WzBd;hѲGϲmT SAij9< -ߨ%@`8xLTqė=,Mk $hJdx_r̰gʱhtG,KytomVK0X?R=Џ ]ٛa`sʠ7g&Grŀ?>r&z`b>&z%sxbw&{~څ]"WR%c"zD zA rs!֝=jcf]rmANJl$ے#ؑ >wTfGFF699<׵.'SZ*˺#-Jl.ZZx%m*| o 2ӝ_TWK4eRsu33'jRFBWl| -Fgml0L1, y+Hu2f;[T0BE{:qntoT]okI, - LgV_R:Kϋ0dP?= vE̷փ(M4m\Tk׉o,H=Zw/EI-LQ[ 8F/g֖'$?[u~fghXjݚ- VImKՀ,%ibQ*e97WKMYiHtXTBUDw-49#iԗ/r]hGވ/ - -lD2 h‘%TTT*Fdw">GY?"[f r5ʊ4`TAo4H5rWS8Xy;$Yr'q vUPV&4m/5LJE:S7Hvy.. kPXAl` -,e: E$@BKr.!{A$A,CY[EA;| TJkU>41aƜdcT.Us R&BchR) - Pd;ʟHbl?1;_:i^mMh9Ӝ+,x+(‡j3=P6u>a}&b (0=.À<2&m%u9_~zL!S`(6͟>թVlW䨸m5ypg!2< PR%wC>ubvbF.0UK$K;؂P,!rA5%\v" -[2gwdxJ:_'Eښ_+^Cژ I! 
v,V72UJLNITUKɎIy/R+=+(֨v6!M @PB%R--3|4-)#ͯ w.ܘ<;b#;*>$eG ->3"و~AZ$xOUx f𜓜x;٥Q h X(Zx=`dš 8b†id, ϐ!enZ -b /޲І2P0~ +1baktT ?g)˧9 С`.ޓ`>'4\DRdPaxԗ?i|9,t Ĵq]"m-9OD'Ex>#Bz6Nk%tm6BDzVQGq,2O: y{iHcy[]vaZT5 ȨR 345N@qG!fYXr{3^M7HX1ey87ҙ;NP9tn/D=}*I:2s̋%G{7abTBm6ۺ4JZmI׶Fהz\FD*rEyք ̣V-8ˉi#7XmZLW:2 -$Iⷱd`U+z3 8"}Y\E^\Qܵ)<&uZ!FM)V"ڟ}&à/ ď 5 O546PW눤0 fGlEbdc 'ƪrӬ[{K("M/y%0=zFBx}{w6{Y50%,40R}ԓvTp>K@fR$7HU( /10f<,1BS>٨RI3#&&pa5j19#yTH9cI[էjU̟~? +7NzM`k|-kqJ}(Ҙ2SaӼGi ; b:`uǤayU}T 2Ftm̔%OpuDU0m~L-_:qWg0~huw-] NVrP =<]x;Y1iw@8,n\(zqb !$zB&5dn61Q& & CuЎy#c%$7]w'z\0Lk{8 ;fGS Fx¬P~Km%t3MccM(bCB$ _ J,@՜ %ӸZ;.6B)PT~~:_tHNITScΤ5_3bO6-[o 7$cn:zNqnE2~7\NT' "[fTT^2F&+c5r~ԕ(jl 48mWDC]X#<n_ T 45 C0 V~ m&AGA7w@w;Q8Q ?d9#1yʕq_eS]y|d*&6Q30J(WG>HN vAg+[o:y1ډGmUV'pJ{"M@3X|*oƙޞ%sfJ<ߔ[-0R'G i++qNPF\&XT~ykPx>–~u2LX'P MOW rة Z?qU\+w>-q}y/sRQQJ@737Ka[t̷E8X,Tp!PVK$`Κ׵bu~*LlBz-f{i8DbMp/ŲF_<`w[Uq. Y!'i7L' Rz$v]c-ީ%HY~ٕ 鞀ws{)Wa˹ԑ`{[z ϡZ& z -- U@uBP.8jz B{GtϤ1ޕq# ^o2N*`DZm錞c@QY@Oy`ŕ^ )H??s %J@f-H%{#}řPKn@u5w:=YX9(5#p 9#Av(~-"]Qb'䠡ya -'£ +vO@%7_*Z-r*~z Ց4!wBpG-q.a+c"wmqk=WfB +k^0>npu5㞃= m]0o-1:ǒ~%ui;pVO/a3;0oKܼL6Ed@ZU%{ ^ ͰyOVNHLmu?uMBEQ1\IُOui@L7Nk\dd[i|lRܰ3"rW^  -19~(VZQjsfb5~Nl, $LAE \Yv3k"*Ie.gj4uDk"*T~~g^ ~<|1cPx7kF84K(/AI\%HG;'6`kK -ZJAFqKq$5GT#.a;1 p't.t-SSUn;QY(sў*M8= -BHZ# GcDS{d',Utl=,}*vcr+](_1rØ@?A[KDlv'”o>=ԏ[?Q ôn!ܘeoiB]u3PzP'ߧ%44Qw L7@?;gSVjgohop7syR\7V%xL| 3n|2Q|-GotuV֘Gk}fd'̐yQ/;^+b#&~ي2(ɚpTֆ)$Dru:5zj,|~0T\~>*,6Y -]7E9!7;au*8Y?Ң#WfiA~\mB\$OwDhE16:_JqBR%*X3 !O:`Iok2+}Y'1%Y GPMJ{rK w_ L&N NyA'ճmﺾo4gz"v;L je %Ɯ{NS6U'*@djNcvo^=Bi 795l€Aⶫ627ICkyV_}B.I=YR2U^c~o\Ƙa3Ƹ2@eU*Tlmcӱ~ xnNU)o`Iχa]PFŚVTC&ϣ࿋Y=d]/..FBXs+$=}buM>RWm6Ŗ6ᢐFX 5x{v*j;zv<_~AVUJϐ^IjQxシuQo=lK_ՑEkZ\4sqU7vOa J?Q)4C^\k[{3y~M|J'g4Ay,$0( jHl:Q"V҉1X&e s)MZ(W |Ϲ\88&tcpҔa͔ CC GU$^fb|8u̸&A֍9ke7;㥦koAvՏ0o5y'M3q"y$[Y@SgÓ=ݎP1)L \!B;U!)/C$N$A³ueuU},3Y'/Jc .8_[ON-<"NawGm_+yj~P]ſ^\y X,r-|㒒ܳ<L^T},^eDR,nkqց%|r,!gJx=~p{"\eeEN;Þ=${q@Q_\?/иLe>u#Mp'Yn_e<q㼅Ra8pLB=(YK[l`BKB#4;c;HS^OA>Ʉx\+0lkOԼ`Fcfup.wlCnKJIi]&fXPAn1کFTKBoI!ӮZ f)~Xhy9 
ݨOC5&|T2ӲnSLB5eD0:yP;(w9mΪnWhKu{`wk -kH>*ڲ1 wp5Q݌$;LvvJ1f3n*Tg@oO#9|}?V0M5.ۀz{" NK?C_$ P&B̆e>(qIu`|ob|_0l2WꂝsCܴLTIa?f(/+PIwB WhgšH EiŮ(G6 -"  -"(H2̙dfr $xZEP>ţC~EF:}< \{ -% rH6N$(߫Nᷘ_%1]2:$o-8ȥ I-qt;'kTjJW^}kfQUr\ulNkHn᫂H*Wd6M2 *{`V%VRoJJ`+"yO|s86Vy8 :+;9ɨ=.qqѝ=ɥ^ӏwldG;fH^2`zBȳ ŞO*{M2MoR0i:T~%$9ED~cj<}${.-+P]c=Vzpwz\S;!?C:GFIױqYŞ ݇>;]mS)yrEz_n˕aI"l|sGvmߵ_7e]֭>ГU)i:D΂G}V W5*{f? -($p\)9D$ZYr|(4D܁OHʳ ;ܫv۱jxLr_r ;Wi nV|Rudܦ;@YNl-QnJȲc/14C:'K&̕BOJ{ߴzfsW|F-q2 ?}Y[pXdY<\v+M{ir8~LJޯ vlL: ?@o[g`}>?UrǛI2Lk.}GpI8QRV%܂L0/PUE ?ɹTcۼfHs^QMC!)$ ; ej uIy W6#LMi9ĦͱP*HʘFg]mߝn+|X$Z6K'OQJq m(B~ljSuZ ťbhWP"z@UVJ΂\,<\HA 5Oaf΍C75O Uݮx7F>QL~:ʥ#][eTS2%c Æ~EWg9i%3W4ފ:}޼0_X|-ƣµVu8H{YF"qĔ-F95E!L/3zLw@"FRmOQ&[#ZO/xˤr~9T00bܬ 4Pߋb>_nMFY%MOaN$ʡ˖~ &($~>tBM%^i3ϐEf8UB '`-icIaͨ+ دR=ZȾŁ=5U#5HR>njky/s6H؃E oLyCG/?QE%FvMMz)=ZB.ϡƋ/•3O85&YKլ(ST eҝZVx'xaV4Ë*H]z~h~ i0d,K8CZy{jCF')b|xNJ>V{0e#|SE1b狛*_R"37Boξ(p3_<ݥ%-tɫBetƓpx HuRuɵ)H?mf@Iz͂qrgM_D|Ce -ӯ_wCՄYK/Ԩ 佨/Y0y̸7.]*ѳa !d[m9#{-;W[ U$mb?ci3ؘsq6ĂT t֠} dlv{Fyt/ټt̰KQ8 N"4ʻc'׸Ns6I ][#?wsb,4U_ f)Eď* uä6Go76ɵ{'CGa+RUA=@5_rgs1OUG*ʚO&Q͡4%nlc=%Z vY Zeਝ4? eC` _wvĦ10KB/*Brv4όwM 0r `$CܝGa6;g-N_&ɰ.` `0M/s\PMf`p3 $A7 i c(y jӍ 5!UiMSD-rBFL&^:OF-T4w T3c q]2Rd/3U\;?Up=@b -TYRJ3O)*+sWu.[L6ǼA. 귒hoN_=C|HW Gz}w\2h{?Ur_ס,[<4DmD〷C/Fl Mr_򑹾g"P\TMIiDw$=` IӐ }6.jYx^h}]"]l -8"ӽ΃ǐL"Hڝk:^֖Tm.^@1~qxTlU#U75:LE|4&W25exz*̖̆;M0do^lpmaIS7kD#'͊$"lL?bADINmEh 8Ԍ*"vұE݌5Z5 `z~x[MN&a|b(ǁ$ch |cq)M_Ɔw>bSО$  Dpz!G@o3a]PnN2);K4 U"p+q 7bLay$04iCc9(6>E3a{ R䏡0`?s07y9'`Lq`ScLr&MP.ڽ,_ru/F=܏=1ltŜ 9>1lם -KX_t+ =#ثL -uuWK̹ u)F@jR_$YuBśGbQl+$,o8qlg!) n2QήU>Ytw(^'Y! 
%GU9, &>YcwU Mj"Zo6VWF9=al mynqA/2AI̐i -qAN?!9NxlbO{eiYQ̶>SZ .&sbj?1_ǡPkٟx`дY!n6fVJ?ffon06l)7BuyMAѢ&m>>Nj#4J%&|E]ۊ:i2g0io*6zXh +҂3;1"2ҍ+O?KjaY|nMHpA/LsI5cu*ΐDx!W {|mpq%qehrYbBt M7uA- -w%5,x+ z!Ί}|%wpȩxeXx|Yy$M}yAz5{+=}5"6~{άq~p^Q~Md~*XŸ~,LU~S@~5 ~+f2T"P{pUIpf P[AE;Z1ٓ0U)Fj"0΂op~7f ![BPY_EE;T\1撠C)k"djpmfr=[M,1P\ǑES;`Ћ1')}"Ρmfni=pkqr^mtolVurX wtDyw'0|Yz>̾jqźjlr`ntpu0rnvgkbtgwWIv~yCtxz0b{x|bh|~j|l|^n|~pp|j\s}AVtu[}Bw}0z~l;fׇ i -9kDmh5})oviNqꂿUtXBEv=/yVǧeP{qgi卞|l{nohLp(TsuSAv@Z/ryX_dִ2f}}hƖMk/zmtLgdojT3rxAKuI/8xσ[c&5e[}gܞrQj.xylfoDSr d@u/x\ębp vdܫg%iwy3kyenbSq@to.wUad`RfWh-xkkemn)Rq\@?t@.wZtf4uhvjxxm0xyosekz.qR|{itP?|w-~zK'rp{sqԜu#svFtgwwtudxw*Qz%x?E{zb-}|Xpzr'zssj{@(t{vxv|cwy|Qy -}>z}-R|~H(oYpq݃^s=uPt;bvSPPx <>Ay-|0m{opzrt?s^auQOw+T=y>,{¹luSmoou{psGrlatqOvk?=txj,{ @k mܖnlprxqؔM`WsNuȌ=&x,zj׫4lgmomqq0_s*9N uI_|2so|u]}@vLO}xT;"~z-*|Ly(x*yyr z$y gWTaˢĮkTd@D\dPPp-HG&]30;sCg( 1DE*n6ܵaz*&>P3ĸg| ,X񦁓`S$>BG DǕu#i#܌-`xJ!wم:(`[HWeQ2UFD`|:Cd2~TvkdEeUb2̽p ʠ~[@QdF!7H$ #dLt!BOK*G-iCrB.UlmO> ,B2W<+367ߛ@ )۠&KO 0ޏO igm82=D 4FB[!AIb4~Z *fz\OtF&ӝN&3xF[Hjz&3n14bM zB! |+ -/hw{V\lsTjg?қ۟u 깮D}û.5ʺ(wM ұ=Ljeo(u\ yPXƢ8p2232"uh0 ;(3-ybݷ3WdsF@w ,8#!H*9)iF^ -P7Dg3I33D_)JQNdOm2ta':=J.۱ -s`d+uu- ǵiȵ\L -kw/i&G1|91:H^gW@-Eif?QF?/KvřMkz݈uN0:ӎ3BJ]PU@׊VVzDPC9>RTl{=EY^ScyjN96b~mwj[ Zl'd}[YގM:tU9WI-#d=sѣS IKuƷ6i/JO{s{c@6oPU,'9cV~M6IQ1WwoT+mlF0\Od?oi4M4MC%HfM[r0p[p|R’/Ld/_c8]׍ YpFKM(Ewo@jjI0/kad[H>|/ѓL |00SVRׂV2Cæav4x,'L82'7&n&CĿf]9-f]i{Ta4EeNٟή"V_ǔ3tf65ҷ, jP6Ex)ͻUSu@6M6dFVSˬGŦwƠuy@>.TȆVOdj?#驺sycA)w,zl<ـB*7ij,\P#;}}~r4fxO"ZhNMBe@(78,iA#FaN}qǖ*lf Zۋ M2HB-7߅,yY#p9|qeےNYƐ*M}"A튘6؈U,ۅ#||(qW,esY!MANJje6Ç,}#5tPcjOf=_`rhTkHm=op2s(Hv "zbtu5k#jl_-$nnSjpDHrB=tytn2ݑOv)yL |triIs ^ٟtSuSHt#v=_.x02y)B{! 
-}~st(o.w]^`cCcHlVf+;t)i0aldOȯ>tsw[-wnw\-_AMb0ke#SsShA!a7kO|o>#r -v0[Dn^aaShdL%rg{`j哟On-=rfv-vm3Zp]­ `܄cr f؝C` jRNnb=q-vBw~o`^q&ccrfBti quk_wInN1yq<{u8,-}pymjynlpptnRrp/qsr_;utMwv2>@?nC)HKс#Eu$%`^>[ -(?`~^x0_+OËv&"YD>s5x']~-if~>NF" P^OG# ǖ0<7ӆ7 :sXL!kݱrx{6Rt"+@q*7k1U誘Y}(~\H`J䞂\ -52[{F;Onݦ *C{2Hpuw0D(MHOB$vKѻX{'V' 5c - -sh]T4I DGãTD(2BNlz9eB_ ݫ.#JUbGɰ Pc36߅!3?o/˼ 4Ta1l-vKWZApɾ<>\Щހka8Z5$GdW#{{ߢ! e8l&Vlu4ʚ@ԸQWJ"쎛)9(6gf y'1?JL)b쭢l]4LkۘPpuﲹ)nCA Ŷ+2dEH'Hm&Y3uѷkѽӭ1n]_Z<ڮRvӛpjm9G݂#j}dA-uڠ -0\C"dhK>مٸ:IFq\BVhF'$[I&3BtK\ D'`;I ["%#N\I -|?a8+ş3"-Aש_ZZKO%u6`X{cͯw1 $+OM{'E],jz6+~ Qk a=_/E qbVk&S7fg\"&]KOÑ: %ijeB>%j:l=T1e~/ߪg I0^YV)<^ϑ% -զՏQS-WGpaθD8ߠ9D֑ՃXM' -UJ]I"mteuuE)-3`Ҍ SoO6Ju@$ZZǚ;oam>݄92)@m{>-V|WU>r$Ӳ]qّ¸zEYuɔ>GT@蚩\'}њG9mp.d.@L4c&,r;b ӂdlt3ݦ]Q<b-w Nk k bK%H@ j"W4sf|Aa{8c%J@bW\E':Ehsř=}9fǹTW !3ߔ% פԘ]YzĀ&XIkWdPيb]9gbIi $ O1wu_)xS$P)m/UI .mpsf5Uwl}oyh 4;=DUIKSDSjj:?2*w0P4o+G4O6jeu HW)ϛ=ݮȆs51 okaIӽ֒Wo0%>#}?V5N_r}%7 -Լ{!`D}K_4 -!Q\HҽzȔHN>uA-^Ჰbg%+k58W #wi+q0khcuTT[`5Z[`J &-v**cs0:-7o3G(Z!d  z Q}vx'E}aQ#*'viƷ|'in˵Y;eR{E1vikYT24o/;K |O c -Rr_T'UtKyγzaL= zs#k)|OĀ܇:axim&&^cŽoIѓ` -W82K/ױϬ˽^ipuO:JD:WtG<8YJ] - ՄyiZP-|xm4rQe`dZH ;4SX1̚`wpu>7 H2%Cd>zES?+&e{\Q>+) ^T9ZPFV+@l@ A B -r3L2$$x *,^-ڷ[]<**RInpdk ŻΫ :C>KXi<_TTՖqcs.JmZEŒ:^΄hsVIbm8tSX&^ a*Ɋn^m=A2s^mICca|k`K{"Y١:nf,ڱW x_n~ -!f睥# Aɧo(u -gįVg攷E)?n/ؠbdSu3QQIB`\C!d -P,2QC[Pһn`RXYU^',|Y5G4-},V{:T5zGFdx|4Zٲ u'ʦ"Ww[f^'0Xcx2rKJJDJmB|CÁ=55oc/hNL9'0jI. =$!_3s^>pX0]ScԹ`gi9Q?+,O|ekkC)6bf!),MjQZF_Y[-ۈfiv&mH!`5oIxudP#F -P&h_2nnmMsC?wOt[Pk+jnA ǐHځY*zל`L﵋TL01|w:44o(%j̨5YJ_|fyl00DO+/.5T"$8[g)T`MH?Ɠ\fިÕyL/\Zj@Ν(Wڢud>P"Yd'$$ʗVJ+W>pG[^Gڻ2|M 5kci{ZJbILFPCR7<]'wKÍQXb* -$f»~ ^̈́:)]}pA(+RXzE;b1t!9ݠBj` d> !L7gh%7nׅ _Qg1R2Ǽĸ:@n\KX)'WIC0hݤ!XL}4l5 Vh2,?bLb#(sÀytk]:ibP_"2S&F ߆*:/~5l6fݻ Ӡv(l1u;8qi7mL[@Wxlg Y<#nMDyYZOEX;/C<_IfGuROM++c7S -4ƊaZԃu Mߊ]>]o/m^&=Nh̕.g*>d_$ -]koj-]wz`g`@XRSZ^6uV^og~XQ 濮a%{s Tp4{HLydW)YU&R?FD/'gH7yOG -S0᪄g :po)-.XF:e*diG{.㯙nwn.tY<"`7dsSC!x$g:SX9Y%r_']4K . 
q cYv.㏢Mrm*ADbW냊M1Dqby9mT'buq7Or }yXK8`微.;~1K}wҭrB;ҏޒ &6 Rr*?j䆑lugICkM|vhZYHn8VzQ3N??֫zGP5|No(RGJ[5&Hs)qq}^&2n:zǰkFmP03;7Nsi+ZiӍ ^zs7Tm , zb@p22{96ʄ/= 4)c x -t&83B-(;^SedSy7yG^H@Es7<AQ|h[\jeZҎy1|i-M']|k!3h{&m5&[KiK%}UEk̀u hT[*FkkOZ e ev]G ؼ;GLW[d;oo3xY{OEk[@|l2섐^򒼗F6a 9uUQ[Em'*uWAw:^WfAw:Rc$DZ9-N7~c - -?;A34VfO 5*DvUe_Rqr_pMv]{қ[;f4( c5ڑGdxEjO-n -| g8 KٶŲ]{r3J(?ұqlu;S7qWA}ǰ=o -nxg|GCTpTaH͗O0U`llڤClt0jh~pڱY_,x',IUjn\[M zDBb<Ô]T7S0Co}2%sF͘MQ ś!7fSѕ&.!mFk(+O Oȏ@ W1fG 0JZ-#=qb>@@gIxFz|޴\E=Yg6atҺ*SY5T9vh  %2{}n}I90v zRf8kOʼjVo:*xH3_ 6WWx4\;5juK::i7rʶYAd~X:J1<;e -(;MsrlڪU[y5vw(k --OlHWeG㐣݆L9sŠFp6i&xИp0C2}TxmCH#ѽZyڇm{+EAaWdVSy%ې8bש"SLL14$Bs&Bj&d@Y?O+82}-D^ݒD(PR{Ѭ.s!$4Pڣo\i(#u"D8 -:]C>6ڒ׶*m@1GQm lìOrusg# tk-ۤ^G) yۂ2b+PgDWB;T+4Qv{9輵;!f6~/ė|@r~EM$,<`2+oMҿ$ȵk뤆)<$\nnu|LX+z-]:r"Xꗺ.KW;–YFC :Aǔ+IU u+U>.+͋;SN@] LUXKx6 ͑8=*U4^qݗۥ>S韒+Ż eLsf v?m!'粈Yv0zْ2GwT1e{BHM, &fr(y)% P Ehl% -$EVDĶt o \~6-s//E 2<뤪t :mbpVn(Q7:ziZNl*3miИ` snX -U\Пbi0^Kc=!!{pwpyKH&Ș/UDg#M@1&yf_sIrŔ\ Bc7HexXltbu!hI -&) ֩ršbps;Cu GFq~~c6RbO'l"<͖z [T0}5y V|EWrф\2aAA0 /ɷW&aA -AK]מ q\kPU"Jѻ?W{j#'rG^$U)~VHDTup7eÊ⚊R"I^w0^+mOXiMi-T5ȝ'N]~{e r5Ճ-wA-VYF~UgBOJt8y0.{KO(vlJ uS0փyk^?6Wc+ -Cl]Eko%ݼ脦g}h0[[tVۃw,U^|}X?4:a<X s%هU)<@ZQ/[6 . 0A=fxIҗQl3\PBoJ]Դ\>[3?,ЛMOyIOi> '|2kxo6oy*Zo9XYifNP?1k𾠣 *_BupֲB[ 4Xφ}P73d"dٮ&<ăT>x4Y"GXF%Ngt2S 8.hpq܏#~2HleҢ(j =~n$ Y9PKC‰/q䢘&lrS1|8+ۺp5q Z(QӸAX!\$$$CsrL2$L%,*OQuOłBuUX뵊]xV~n,[|nC --bY@X?(e92"կ)fm6@>_|Xȼ L N+VJ2v&ǂga:y*=>C,꽅zqwΣaVbP$Ԇ3H* -|tc^7CvfCUʆN\A X)MȊQrK{Fۏe"j%hCi24.$ҲɹDӮ?2]HMtaPZ+C9J*_r%QNH4r{W) |em}^e ٻ -.v_.e'T)V4(FoUgzf0=rƣ[(hGjKҢy}%]ʟ%(y쭬0L1sR1w^NJO7 نyoxõO`i0)¿6T@JJL#״C[!)9!w+@,&TQ0GU5a -5\1(-9]s41y3yʍ/ G䇫~IĴ41_35g%@.1N§ N̡Pi'74@rz8Z? i;f -cENOri@Du{A6.ѱ>1_:, Jf?/LCNN*E]٭!mq=p)ݍ -cFMH?b;t% 7r~L&3>ﰞ~6slD'9?6T­ϙ^ 5; -k[}gX0^hq$WKJm3qV/f̔&|}31sO[9"6ε6 9K+|dj8a&kɐ=9wUͩ?|0,lugzeU,}* e-^uGSoy77bC#Qşn[,( l^ 6!ʌ>":jbiq2$V1\$ǕwkGԣQ%[`ѐJ Ή `]+Y)u!*5(HIdaoElw17hYxЈrMyA39ScLYgBل*dlQ P/Džml)IR`i?ĞAY訌:et/ ysn琸M>dSG&HPe*p:vFӫ}9|%*CdڌTm ؍θSVkq~VQ< f -CB'LH? 
6ǍZWzjxA|+cshi#a43 KZr?'H:m2AĽ eЭdcM^k^Cj#,@DL2I~tHGǫJ̀e W`_qZb -"pp߄CH I&d2L)xʪ*jXEtJJ]EZ_=@XY#>(UT#tgE UO4E]cDix`Ffw0b(U -Y]sAvjfhw@A,bx#iu+E_Xx˼U-EW'_@ce2b1( h^EN -`V[@-kbn_Pe:60lu-'\j|Dme;tHGD˪&աD!ߪ@M?B=rΕtSwo2Y!;DLž]򮆁˶Rf;˷-r0ۏ첸R}"?5#mk+3((.RxP{K$ ~?uX m(U$C[KIl9vL"F]C2q.OI61Qx 1iQZxle_)O&uZCj7$6} A~8zXmb|n^i>]fQBchJDj^ k]rou#Ih -8ЂTc1)üW+-*kxueI~PE:LR] &t-¬^*$M4-bB c鎳A9ZuKDۄT}pp;dzx0w - 7 ? rlJU/3BK3hf@jm1RזD*p֓2O(Vv -ndmMAO;1S`M-a6)N˛,_ -l[c.Hі%Ŗش+#]lcٶ$ s~&b~In^Y6-쪸ʟ/FRa` Ei|o$Գh:)=kZv6g|V'E;R^t\"ZW -YnN'⢒LiK[!6bjnf$=+ *.ӃKvIchP*%zډ,1-pGsD8DC7x&X8e!j5kL4Y &XqYLA)$]s_g^.[fx́{sHq  o݌ KFaa)1$PoגיDO̐Ńwq?0$װޮxYZN8$8 _ُ$`lcZ6ݐ?ȇY+0H5zቔkQ}Ö!~QQ2&P{BcH|7gz9^sylu^A ;RckU>)vQ 8:oVcsK68#7>^nNk_<w*>mڹ3"ΨŢl` D#ޣ7W-#hD:G"DxA4 >X( 6b-X>*'qkxOOX+{5| fP|~NEzEy?|S-2<3}=`[~#ltGPj_ _߷,cn$kaM=UlMQ"gɆ 5iЉ5M%7R%qvLSG[]]M vKsw>q| -7pL=#.[CjϨ^wUOlTvCe]j20uuFfձʪ:AƆ"E*S'_ -!Z:Qpt47rv윽Ys9{<Fr׃d+G1 F~ /bm1&&x, ^ LtZnDz4g?x7o߽06m3fB|=ksΛ 4|K5~Xp%&(*,.0<664^?|X@`PsB#b$ PX<1A͹O3l.O IrOS#?UBP' -BPT;} *~>22 -EOL_~[ g ,v,cy]zFl(}FVύPq㫪J6A$*H$Ρ`v0;f×9zL2ٞQC|QM5xzAR+Ԕ k*xGjsH%Ť^Vaݼr~Lȡ3h5$؋#2'$ -,FP].V!foDc&2`* _'ǹ{# ݰw%{2>aQ*X SV*5r1V/\2dL9x~dE ]0 -^z[AKmILŤSK``;m\ojc{.]w{]}A][UT5䄚T9"#֑$-QJ֙ -(R;7n^윆a:VVTST@e& -PkLlvw6ԷU8{`>5#8-Eʦhc5Ij ɱUx(EUu=XU=ux}{tjG -4a(=Gr(nËqZTivU肝 F7 :&|ؾĮȬ8CLNlG\nt{Bvx~T2?]ъ?:B': nAS+w."nG%PBRBz^MLpz&*T@ mHh؇Dc΢&ZT_Wj 5yI5LOї5m - һE/`v0;fˡp;ϙ־A}UlK8SQC#kדtYFUVErAF̾!b7E|{e wY쓌E8T@V4U4<7IIiA(R@: j:8vug*tE@EQ*r 럄B; !rIC@V@]_ӇQ5UW/)aY/-Ry%F2"  InK/i"tY{p8d|Q\Đxi'6ĩ/UUi5gԧyebLY(ke&\1q(h-Ev;wΛ6 !5kC(xH@m՝N&וy UFeaf5n\+#$,۾.wAڐ&T%_}ؗY6"s 9G&j ơR9aWLt~-m ANv$&! 
2p0t{z$?5Z uTj]Ġ`9t& f,h؈!%gS$&T<6ncK /'z&bp`F*8b(@H3x!}': yo8IP&\P{C@Rt(ɓʌ*rH1𵐗&dx'McČ`$f>m|S~䃱ؕ$x0mq]Pe& i#eF6AWB~8QChiTɞ <|]z[u*nz!bg9Ԓr3lq Xr3" >4SPh=m@A8 {Ͼ+\Ǖ--F3a@4M6;ҩ'Z8JԐpjj6 DzQ0'չ=;Qv(X N#0-z#}2Ң>ƾ#Ahw8Vw5C/[r:mU5fYH7H)N6S PX'>}<5ӽe~y'NNdtOݗdjM Z̓x3YAdECM&-ڀjG ož>ْm\-u ZTS#%xG;Ѣ8]0^`#Hƺb~ںnA-9*ViTR8 -`'yM>aATm#GђZVZ˪ݐETD_l }mϒdo8zPc)VdjGT *:YϪ z*MSqKP}W7K۫Ov*om;Czzqt}JeVl|eryItV2j)kb腳h ?|lIlN^mzQr}\E+ݫl([Xp1ٔZ[m@_Xi䮠pvfy?q)?GZ3=@W =T2lvsdrڰP챢ށzE     q5YTp -yOCŻReb &l[Ghmb9M%>]8!p~{gkl’B42?ȩVnI6 -e%2G-8o QP6ncN/J/FQ&= }-9>#, +>nƙ,Π z,>3'ЏԍI6Mo$GWdosfܐT:jGyhKڻ)k[Leٓ#ceA>Vl oiEǪ2p˪lMe.{J~IT"Cvnc53}-"ÐhI'ِ,kHM"D[YjsUZCM:fD˂+)U -Naa␽Zfk@ 0,"IBLtrAlĐ  N9Vr:#Q1ha x!coDjԀE_dLqi&]8NLSNIS/)WKlƜ5==\[jTv]٨@(WKsm!fwO)iiLڤ?鑓#tɕOL=?ٯ9,o9̳t2UAP@C6-!d!@ BB6BĂQDkop94Mre9*ӍRMd0W:rB5*G1GRBd; ib"P'dh8^`B5yϕJ\ L΄*nW2b߭L)3t*E&' sdr* i@s?/=:Vh,~ߗ;{u15k}6EnA;xobhS$u,N%ɕ8j 'q/qO=`S)г ,Tרs=@o5-z$^˚Fk3(lUA?5(!4v(_uw1ff:w-}hXKvzqAOQ NϜ@:&z$B/ $Gc*8?z0;ߗ]/ZZV#sY]X&qzlKNCd P¶GFޜ=;èj!,z5ϥ+D`C^n"NJf90 2?}ɉ=yΝi*mJnL6M$_e A ($eEU Ȁӏ^9,>IoGs}YEHBWh֯յYTwL3rS1MOeS-)*d`[hh%؝jӣ͓\$|[XRK@-_JoЌ+כŋ8V"]?/&{d_$]B?,kʯ2xF5xun#s -[oyDs?{how1,8 fL?CVAyE% -K.?)-amU [5[ڜȺMtM0o?s}*Ϝ|-.̩ {JZVu (lIneC6%FQnj̍;\M{w 564q@p${{bKXQVx &\^fA{O򒻭m.B0b @ħ/d?4m/o -y0wA6kloz=vVtbd.RC{,DŽ4]@Г zӁ4#L#y,xK|}]XÿC>A𵲇i6pD1|܎,HψP(@c ii@Rq2[eaU^FR6Jz!` {v' fQm)0}^(6Rc$5 (r~P,y9wM:(^։gDHDϡyl"0A4t!5F5bl ”#@ -)ۚ+Ou`;\ mqׂZ4++'8bqu2ǬN Gt$ F7 G,)O '6bgSo/+WuQ.mlc`rj($oQM -0rIF?i#@I_S>8Z7gW-[ܫ J?&[1Ck\B"mф;[ - 7qD -$fØt;Sj͖%qzfg,;-^Q`-}"ҘGHv- 35Sl.J7oÉ@ 5pNgmwٱٙmu*ꊸ/#7H NH  @HB\$77!PxE.ov[O8bD>Π)Q6AY-aWjLGU-oF7k1Fj@3\=ۉ <'#Gޙ?uߎo qxeP IÉh1nzY=Wu Mզgԥ'(e]-gCGi.];^ɹ>~o[?) 
oOP^M!=aǠtRl69m^rU4\ O%%-,O]TB*s;?Mw+Pmv{ւC)#HܥO)ih\LC.!K'b1 HQs.w{ϟ/2Tp c6#s6"bI)i+˰exVz:;9 sYAnSKG?vOW{$a R*ը1o7l ˯WC^kh+qf7 :B|J+*u}B2#PCѦˋS%e*:g cCh܁li) -`Fm5{kï 5!>s^sUXt9UJ厓7YΆ-P7 $*gz0W]yl`\:XA>s97<5'&cE=ffӕDdyix M8ZH6."4Fm Iz9)d1 ź F+)mju@a7gDfFiUcԝRڊXxi>6|XG/@@+$kaQbќ0/nMҋ]%:c!רZTxY jq4Fּ]Xyw?=5a'v:u]㌵u=,"@n9 $$!+E@AHGBBpEA."(hA P뷙ӗ}Їw -oPEiԑ9qͩ[ q)Q<\Uh.gY}WS(35QEJYj)zS h/Pk<^~'?aS| A :8}F/R+|cha - 4Y^HjZU7 -[C1 ?w<}Aw{_Kyē]Pmp\+ؐ- TźˠRVYĐ[tX;-i(i7[9GPq4zg6@0=4kֈ\c-MANTij *A+7V |ZQ4fmld/ 5@ -ݽ#]w̋Usri07mN wˌ|!WQRQIc fWlerU:Gg&{ q? -n. |f0rg$u͚B869A$Vˊ:bVoi L,EUJ@!Og)Л@v4>4=A[+g $fy4"nv,9r1gJc:5J-AYL -:J匞Y*ϗȭy5Zg!W6@@6,GDOMBӆF`+٘^-+*uj/iuUcnC9K)7hsz 5]Nٰ;Td~>TJ4& *ow} u?zXcΑggS+~P2u.3MV&*1Z,_e%I#\iPpYRg/PphmsY}~'kGs4Tj`ޅX~>3en؈24"y 'ʸq~tZh/5kofصOa8s߸F_$@3q˰>'n9;7^^^=1.5?jD'_X,D,Qn?t/J\p &w!ב0؋gTStZ*j| D„=bCB3WYx{ot}5[,w$ 4LBA#oaQQ\xąʈ}IHNK ȇߠ Ke's}*_};v$p;$p\,1~ ?$ - - ! -9~|?}SRwp^@YH{VDrqQ"Ş'VpoTU$VdDױJtzt -*BM"{i1a=~oضR[ Q!q/eUV.yVH[(`IʪYL 1KWiE2c9rg0]DgQ])ܚd]ѯWiMU}:o@:vN?ćѱ@Fq?.[cT(y1oM70œh~8Jh.#lQDҭWF[3j;E#@O<~.;YKhk&qtd=rT}J+zPUX}Ψ9gTz<#8:<1)y/%O$yevUm:>Cn^!R$,@P18Qr .eFҺs&o|<#AD1@q47剜_NJ5yvAT8a@Â*2 -hc^3~13JEi颸r!:Aj$U^NMrs!&xt~8ۀ>4@sWѴm)9PV-kQŸiP8SYFR4c4Kl] IC4<Q zás!{2 ЅfNxfKH~JμΟuF^4܊prfJ@г:6BRBd -Am-[[ꍏm@Ch[kd+>~r`vS!CkBD+Y]d=a&JD;Dlw؛7c_so` - y툈z6tk4 6֗7Z *-Kآ&%ת#qfB׆cʡ2 GMTC?.X [ZH5:Wt6譥dUEFIҬŋ(ZǗkxZ,z0= >=P~?Y9=1y~4tV$aix%A!jLsLdEԶrV!tZQ<s`i ,{߸?xQ#/Ne`%zyx+UnGz)xVY'iNCV`k"|FyT&`y'_z>#n/F\Lz2Cs/)Tb%Ӌ\8yU B+|Ȫ/: {7Ӟ޸ho;A[,8N(V'O7* xUzjޝ;Wd(aCV%l`PPyp<}捑^gՕBkQG5wa…g7pkŭYlhd˿L^b/IİK(9w} ۿy7S[Zh=(L0~l.}-ZYn@."@P -gSDFd{W5d˸:n8 \o3K>^=ݻ_%%4$&8 j%| A -oմĶ^Ƿî:fԌ& 6-LzH| b?ӑu[}U -^^_b6QYU82Tݘi-434o'iͩZRn -ZoH͟sӹ?}W>ߪm7 -b#1en ?#s"*aQ{u5k ixtJK} -LjH -0}0:[gAM vtv3tљvZuծ]uC;rCDD @ !`BBHHBr;\BZPXnŋu ؇}f~/76ذQ @Bbh\Yuun^R! lQwLs6H-M{#RpRʒKʓ7k׌MrM'?gİkS!" 
q8@& xw3KsޖG!禼:􊑟 %X~H<齾vmWkaİu~AD -(Dh>F,AC~I)o|J"&xŭԤǮ03bgF}PM}3-z[6|ǓoK@C' 룐A PtD`#c{xʢHjl80bÀ!s'<jc/q/Ӄ@ | -8- QMxFeU>iHR|/1{.K<['-<+AIgPW7 K g - N H]iD/X"IYEMo( -g]Ytd_6]8|pR~ =)L}Uz{@ yf4HsRA:VPRX[CYqDu*ܹr. Y%3XlsZ~=*UN^i\U^,t{gP5y - AEr(ӣAeQq>IY`<<)`?5Y^2]b+0gnϪn]T_\Vc/=˚%>x[@A#I=,-B- g Vm<Ǿ_%߭PfZewJ-۸?{5# %SryUC ݠ>Ф'XʂRlFyCrsTI0%ŭҐǞ݌!Wi KFMvWZfC?]>jqF-VTyl?d^6b#Sl0bYKO̹4KftDuE5spx!DGSvWLv|j'mmcUZգ_E&Ѕmc~0 ֑ܙyWk:nv}þv sv$4y4A֏K磻2nuJUaDG222qwQ؃RpaWPgM/ uLnmXivu:3_0%yN䍡I/ɴQ:8nj %bP,|Tv@^@q;$8ΐBOGhOtP___r:!͆i`=li_(x1ra q#Ь$ $v@mdx8$ F{8 -;("a)^STS 7 -Ә>ɟAdL bc!3쨠bUom`kRS2i@1ȏlr>>^@=͚#K+ڴW+lc4`}_81CQ~u6hxF 0l? y;H !?)|$Y"3?iV徊H!fLSI̝Itx#{vMH!!M@0cr?H+e.%fNMcH͐/dLk V-I9wȫ_G 7^P6P%Ȩea-\`XL)jYFX| ך3"紒jro/&ꀣmjv;!NzA1 -1+d)VasYV.o*X0N?'Tg<'TZs{ZI=yw)=?S4О\ p|*N{?(ы -Q#eMeXqiJѳRSFz9XFRwOMnUzwOqKqOVgKx}E5qcu(:ʢ2 R^P)R @JHC"BE0 A\ gnև}99? ^!HyYz@-F*#1KcH9}b_Rh2/s/gf 97y7 HPa 0WRX3aA *v=A)%(j*5ybf?7 +@\MH@2 P7]APeB<*#q -r|h%x\N/bz|VViè- -5(n@ -^$k -$ub -wkd߁zf0]1>F)\d7KheRUr:[Dx%2Q5I%euaYI+tJ^%(G-il \~NSyU0.FyaM𔋵dCPq d&؜L,QdJ)BJ)dB֋$SC wNyߧ6Ʈ6/> -qJhMIlm"Y+q &WQ%+ŕm -Tbs@@ӞEoܭ-~b0䤶2'rą >UepKyBBc^3XVVIqUz1 >7O;AtzB;~ICțF-LZ,8GK(^4#J]cz9@YA}O_\;nzGPLh%%lƲ.I*\Y(ؼX%mK$ik ^-!Bs@i -?lu?ov9цwD%HS2{31| -n)c!5*!/Q)Hj&I A |sPsp3F>M/Gl|tĺκ>mw3ȭUNӑ98żbt,Bw2IjVs:L&9Z&9&^ MaݕɤvOeq'Ey+_hbh'GDzCȺB(kAzE*f5Ό0"4ӌ)ftPnjXo]+o?سB쨅手e36M$Po(u -v02`Ry=0^G/z*TN k㷩a#3 -sr%ۿ -Ve ˴?si1ߓAԇaqIw3SY*v5(Y51讆to40xQ9rl|Wӆus^Y~mKw|NQ^#Bqsғi1s̈9Zn0/GϷ`{|{cn[:6-2vk-oVZm-FC q4Fcqƴ(c j&Rߕ}L{#}9,Wϼ3 , S!VCfi}ؼþMGNK?z8O.{—`bc?[BD/b>bSPo93){J<#}Yw:W@F4 WAZY۾[hΪ8,v -]#xA7̀}@a zZ`C? 
O-"ܖ#>65ڷ;2"{+vM%\ -ypI^vq2_gQMg9=ǥ=Gg>(*(Ȏ;Hd%| ,심@EERVOU0l*wo{_;Ci zCg н|_H)Om;ݠ0ʃ]ʬ_Y4("65p`63q' ܭc~3!>G P~؎wr+ ..:rN@uᎅEc *lظ -zHMQ xzAԾDkW pN8t8@`s$@fka;PYln "b HQƺoc.᮳cً9 ܹ11?` v뀍5}wG!Bj/YD}鈿S -+5wqY.棇xcy/q14o(v7kHx AAn8x|A -e=1ı.${5pנq -&+0ȋ9 55l eԄJtJ{UK?Mj>"k>G>EOsE7ڙ+2k1`0)쉑KxP{ -]D#؄t -J2:xՙ&V"_8Cj71RuӲ -6YPsMҹ>jY,BOz;[Rd:MRhg75V]={__Зsbc kAENBv?k|?0j78H89PE --aoPoꤜYB#k 5*a\pP&k, -E|>O<3KbXC㟡m+y~oߛ`b<&Uȥ\59颦lY€VɋTg*uũ 6cdJ3Ft@6cv`^GKq;}^] -h;c;H N]/eS  VUfRe $7eMZYWF0W-3|@oΗ l1a ؜um%]V;B=vB\pW-%\gKERSy*ʐU(E_0}&79 @͟ -S߮\tncuO:>hp{+!Z#9RM2Ǫ* KH)T*mN6M2յ4\DgB9_2?B p%MumwuL@#pBA^ ST::8iQimlY"YY9}^Pd9(R6 D)LI3 %8)|'r2$E9)yW ro?(}Sӑ) ֩ COǥ]%c7M5Y,iY!iFy-_RM-ϻR?{9,Rl|RRF$5tYqE7 )ɏ<ޑ)  Y4PSF5;/xWg-^f72.ԊU!AyW2*R/}8Bfzc%9gʥAgjĥ:NwJCrgECzu6Wzsmsw~a5eJmN qȈԪkRbWH:&*_V/+w_rDgfIkU[4Pe1vGO}MO@ٛK_omϕY' YwFHNM?x=G_sb:Uݔɬyɮ|ɭRAb/+զtU|J -WmR}mNW)6'|cDŽ6%ňw3\Heܩ%w_J{1 GV(d2*uTnVyxիE5.vmyN5ҏ.b< >oDrZc}[-U$rD$j {.TB2/^#.SjПS3gi{ݒ>'Oqb_B]\~gݑ&ft{w t\ ꨎltz9)z68D WoZ?u#ꇗT ,iCzҏNF<,iQL?ЛO`S,W}ueyUL+vS;3$~S' j#*eߩ]o^T,7Y+O;'=#e4@ӑ/rdbO,B&xȏYhuX#wvݗ -C3깢L!rL:{NFN&&%ST˴}P<4Mt -/fVwWkS%*4ҩǡ; Ra:6p`F~ 0cFnuF##G! -E$Ks@9]0D Te8v,`X` N70I>~ r>ę["fȱ2E>ރwf6uw r3W)˕ 0b -WS $x9[LkpXBA{c7$;C#@!MO/ X/AbAh)c52 -E0"Z+l xj=ir$5w« /Urc3\嬃hD1w!av%8?)b|Jؠs~S6$ o=OQ3MAdpm:f2ɷ@Hq$KˡS YeLT~Sz7I}t _(Âh#t! NuM5exuH،x1bCp = Ȣ{v)Ki5)Zޤw=@0A}N7PF,`Ȅݾr<`&OlX+m$9CiFg#Zd= ̠W5o*oQ+~(F{.0F0Lw$sD% lggEw:v/@2ڿ.bϰ=l.R-:{RUp#V$BB Y$9Y$0Baod(PW+^!,E^y>9/yw}qzP!qO( CT=gd W o#oŸ_F M"#Q/IѯȷP(7b5. 0w~B~`9PXT?9; @X\V?, !tǻ4̡Y%ԴjH#uz:~CCoX}:No\{5MU?ͯO+r3nwfB` 9HY}LpuD(09ZMF5M.t+y&A ?,'L2򤨈2% `uM%;Ěsy~QC| %'bzjb72zjRXMI\I-)'Kb mB\@ḨOH8Ww~rCsk 3s63Q64r6[!¶K&~˙F"D]?L 49.5%Y =7pH`1],Y1W|rTMOweC/0m|L"H -Qo\JhKٍU}_6HϵIӹ{n OO?|{e/ʏU{Pu''L٠KT2^fq OhgK ^\RQ?& -lLjwxѬw݂{"YMв֞\;Tw}˄ nʦD֤ctB5YN7)S92 C'NEEC,PGI1YR PJ[rY¹}'}K5Uv Y/Ηg1c|I'SCR(NYd*R!Z2_ɞ*!hTAc2px3H]}=@]_Y0^}gwt# cOU EttAVJNSrY&U+UJJE1HaU@5ikwxN|ҹk5zC'KԘ<^-j3$/K5u&-Qp5 J暒Qr4rn,Am@7dK[>Tluٰ}së otxՕ`ߦ*P'B2p5 (\R' G&w5\gZ׻^<|}WwVPr9꘩{.+a%R!(Pq9g83mRa. 
$rt >SWV:rk>WX}rKEGK 2؀9ZG@$Ub\TDc+شB-h.YK}6(E[%XӸ$.wBly; -OU+ڼGr꽳ݳҚ7y(n)(A=Ǯ52:ZVf$+̂J]#EOP)=@/q֯/qxpoӡrΟ}=K+3FNȺ :VMi ӒLC5vDS7<]~QmP.rF/Pm`C߽yݏ:6Žў%GVg  uDЏ fB)7^^Lu)6Z2>u䝆c Ъh](VED$ -*d/FI - Œb#ngT-.uGܷ0n -B39+r?%RC]9˻RzU.y;w;l`Wqy-g?cS_iy=*| BKZJO6>b)MSXT*4VUj^cu:ZvctWn`>ӳ~˴[9N;W/9'%j:f8#mϲLviTv:^֚ۖǔ.[Wd1uV#eߴj%?Pbv$k4mv!&2yҶ]7tG۝8 /t)]8IWN0׵^bvWrRsLyc?=*˷ /m $KQ TL eP`F80+c_ĴŦXJU$& U% J>=r25j"#C##KnD]=q=ɑgDGw>ѝW!p|!ݲ7=^Jp|Rq^>(9!Q( HaY1!;BG.;QȞX?2n )~c3:Q/H&à r"d(|!/1B?T`GMG b ֶj+}<Aw#` 'p3nI`ǃѴ(ȦG@=# :d Ry=[9}Ʀ߷ V|aStD}Hp GP''C>i>ԓ}<9S|P6%_z=P5uv1 ġP/r. ܙIH@Z^(%Q| DJ/&8X`a:$I!a xa;{K!Ȉra93aӡ@ -eqqu1Syn-\Hnlf裆XT?go"aHi9C -crY3aaH @FVҖECm<$ 1n&x k&i}V3 #~{Pi کaa5, >.A C+Ĺ!<20DC:oe@Xu QS|pS\(nD{;rPo,'!6@f A c8Lש( _6 hLj] -䛙āh'#NwY3a)X<,a&Fc42Q)mkD,Bg_ ܒZTO.P&6+%_e- / _'E}4pR4Bo`,L\jV[x~IvX%=!+9x-7+__)[T-=YsSn\V/*G5f. 9sPl8PY^X#*EP.r`i^|onI)k-筮EҗvElSecM셦Y֓~G>A^W֯;8"߇UcPwGs-}5bc)pڳS2$kw[4UՇ5wtO7T]Kzuᔦp?VM63rz\?Y Brs9z!p2;ik#|r[a[!g=,Ʈlׂw1XWef ƫVD)tL^Nn?Γ8rFJF7qxg3Pr|UO3& S5`їƽ}/0~_5t<᳷9h[C䙆xO$_TN r0󖻍\g'9YߎAZ-՘MOd%LM59U}v!5J@XĖ1fGyPdвp.O80v9f< smOvcb8fZp(%-$T,,5K34HDuQP"KٗdZN<9\vupdi}{>Q `>7ZNHM$RCÆGda+2ZB'pĂp2SHr] -j yhC_K^hyb5b=lО# pQ,[8XG*cE_ODNCVNš)i8GU;ۈ&_HfPHZ!I!q"EmB"~>"pg#!(Ohg3aNQ4NB8kC{-!v,t5J d @T~|p7c1?#HKAo*V"t@' @ P{}dY7` -b u: Z34b(@,i!֡%`D(0~N} G69?CL  [(B[= q.Ш=4Bqq%xg`]y=;{5x5,k 2)Blp'0\Wx@c2;U ._ QM;#tp[\6scc~pG{ÜʘT e0} 5alZ(~'gYb.cny8=לOO11v -{*D̿D[!އ-L쑾h hśH 1%:K谺8|H!rP6 ca=,(^%~wBx/[bE܋=!9a grܑN6C=ڵQTUnE/?%'bW/wsᓸےRȬCAIɃL;8bXɜ!|n>sZzs~Ē7 ѯ4[؝>sQSYr_?ߓߑǷKWҋayu!CNF -;ڢ0xǡؐ|Ѹ#i{KcmJqkjobMZ:Oo tgw%;y}w,p>zݭB/M6小\!8D߲^7ZՐUPq̸%5:=iszGRUgcefobEf -b,g":z_Jמ 獡#NvF:unrsԱLvSQpxWZy}&6K&w*簩2yCgu9Irr{A"rYLtފ#oserɁ`{&^ɛu6LfJSdSy:qMP\Tee`KBE~Cb2isjrqؤϷ&,%!T ; (]@{:!PRB( R'DD H*" qwPagȇ99ߒs9I$(BVK S%> ~"^=7y^as`&ETSYAʨcGq'y3좂s‚nÔ/.w-XOlDde1%PD _*s:bhqИvN~Vqt`~xv>ǵ6Ç_TSq4Һ"މDnW49z)p}8EGדrlD@`VFExߡ³JdT=bH2`#7>"ak{?~л>;0y&6)!3)l09l:`9e̒ (FPyyX햅#`\/X˜pQ<cr9Ut(PZ=/2*PmC|zu;+lrJ'&I̩ZgTn$VlDt_$ X' ڤEmۓJper7ujRzdYgg穾P3Qֵ]SNA&&t.C#I.^hz-;XO#v>c>N6nkRlrk}xg.+98=7Q; 
pa``4ݣARP.F}CycJO$ ]ㅾjQPpav:MaC/ao,lfʹ%?wHo, ןDY\$o4(^U5"kUfJglYsVXV^ R x_md-;]:fֳ{l`^`h>jd~rgc" t^hXx@@!`CӘJ*䣃t'w9O~[=>*~fnsK;jZ|[=8t#42B/kd@su:pPQD-JSь6t7t䌞[_Ce!S -"gf(`*`Tݍ=.ne4.OH"Q(D'P\ЈhCFG t}JaFK!k.:7ict5A=Ș0EƬ_lWXi?M12qJ$ވ:&$*eQyPEY+:긺 (# ~| G E 3N:8ͺ;8Oz@5!8&cǴ -|5;Gk :{nq#x9g 8fӸ/<.ou[@1?s!p@3 if o^9-j y;Rf5@nrv' tR/2}e_^S\?zqfLxÞ7$>hp ANAF\2r6hjіI,[t;RZq3~.Ӿg\^3E&$ߑN_%| -, @`iRkCٽV@8y5l 9H:ff -(wĬMқ\?'?z u:Lw~v{ S?xJ;oe;5CB"/oSlKlYk3)Nd;9ut3{ܟ1N|ʸI/WIs >@e@>AngkJXO]%i2Bӟ֯eǤ鎣2Մ!n 1!ktkk:K7J?(}\[0G}Eb=l AdHQ@[!Mڮ{W{zn4yX)(6~;aj<ⵠ*+6EI>9?nj3qf K10$H 0<_^ ꝉh4 ]\ܒ\w,_!5{omwrqqQ{/3=.iH}!徽jϾ&)id`Oˬc6'vMUE]sz=H٤[ ע/Kj{FܕXRgkܴ?ZWLdUE7pQ=’_DőEQoQ3C:~AW= 1%ޙhFIiV V\-[SOxgWVS{zTg*|$1ZpqXqU_-khbOc/scs^r⦅sx!!n꽫QZM}y6Tvnj -Ҁ' ;#=T>)2U>(I*ي.Q$]qWVS4)u߀`_vP@cMjM給`:IkOk[ -lZ -ϗΉ#j3I%iCibVvr/]$8)NIC5Cǝ/: ;/1n&K `ŏX4jFtM@- - aPBzVYaLYㅘk|kObX3ٱ~&6r6ȻOOG6ɠDW9i"ӽQEhƜ ,0b*e9,'aՖS3c3{DQ4H0)ځPqE! -<Q=0i` 4LOt=.a.ʰ"aDCE4TQDU8 cPf([ .Rn(ASxX9xG r09ACڗZ1Jj ֨IGբ8hJ*\'8(>M\'ot b`8dLT;YR6*q~uF.J=QrNި?(KGyR$%zQQţGC1 0Vg်Qf@e;b/CxbQި$D*,,  ]彂w9zЧ[0OE-z c LZ` -c16\0j -#ڭaMzo0|?@uDЧj*[>*/x}P~|ݣ|ݥBY0< }c% \*fS1wM\H tdrtqƽ7jCd n]7{G}^kNtiD/5D/4Dj=|f~Rc5uԙqIDQ⊈ȾCHrsH }; - -#xZʴiZԱuZ>sx9||񐊵n.5YMAJ"KA 5 *#pL6#-pͶz7ӦJWn]Rc&S٥";H+,%p jHVJbe)Qa^b(,D y)|Z)qn3כ X)a zmVoRG,K)kȫvٕɎ|3LV&V%XU?@Uw(1ſ!1Ő(ZeW0Wi x6}=A{a.'M6eKȞ&!>6!$.ݙ[+tOfUUFW#ȑWy{R"wypьÝs8>Zﵡ7"fi-hgMoKKiIuHl7Iz7QCi -n -\+k{'B>p6?7{qevCd]@?ߓv> eЛbw8Gv廝xw{S;|)W[E?r/~V迒g9jfjk`s@=aSN3w1_3"ܑН]QM^i@AH ,!!   
aȢ ѶNjkkGfܵ"hE .qj3/s{{sfW/=4rl4:&eUԉU'br(PV_}P#>NW8,9u >K~i]ԅ܋/a坟ÝyDUD^Rj NOD{Z\oO#"V7ЊwXN)iQOͿjr˹jʺZ\25/$7'6}&o 7}״Gm:i=ic l:;wP^Ս Ϳ㌊|QMD[}fpNۊ<zǷ1tmk|cm_blԶݜǸv ?6OvwP;;ye*pALdRԩ3vΰOJuvuO*vt/v^^ٳK޳[s.=͐^cHzak=U>GhùwK[w@9(+JcԾ"_L+)qZ;@U=h̦E;ȇ#J$ëpKi -נZV7n7ˁp;8]~QBi8 c>H7'""zBJ*'T"}kC]dR!EBXd/48pܑ~p֑ ͎,xx5quoC('u"4c )d $L.9t?$\0Q ‚̷C|n Pݠ}f>g#Ѕf!8w - -W(|!g5q ̤+$a.9N )Br=H$$(H-@TPiwgpZwl!_t1 b v{ cbh01dU!$Ą Va8*Ĥ@= >re(>/}K _2AR]`O!tZ -WR`HR~E$bP -ev0CKq'@7' - r\>&@~ aأ+{X>߀8rɀ7(qVH pIj*$&9f̙!vh7z+bMDbGd*FU'9oTת+-Πӧ<S@?IH䓐0)IO0M_=_3[|5略3h5gx/4x57xk}10=c ֟.)~ HEnZ{4:ML5y$҇V'c0l{nj]^An}SwQDMЮ$M|[:A8n@,ҘHB>#/~|qĒ2U<}̷;u 3+ޣ&Op/Bh3Pxtp_t=ᙨ*рK_걺I& (NBQ(e(:\ Ź77ǽ#g={ U[Zm7SH!zʿE-!ƚ+ƛ9ji&"N}} {o7sY Rʳj)s\ΞMoBVkNŲZД!cR֐ȧ̻$VqSmDcYi@~<4VJ' s<0,bK%!dW"fŹbR~]ʀs> *SINf패';Q̨<Ѡs,AeԽ"xBBZuh)MְBXRȶ[ȯ)\.<9q]QMi$((H*"@V,f5@ !LK@(h5x92NGǶsȇ߹~z}c)̓*u96Ϝ e^*3WuZM?YP2r}mob ZfkVPa~RM|%Qz|Ǹ$~(ŵO%n -%ZnUSOPj8=G`ߡ_ҥhܟ)<fA%z)U#%ܫefeE䶉ò3. ҼMBZ P+ڰ¦9$P%+2-%&DqlZ`ߗ+ ks9l3k2"Z*?﯊"you@+a{6 }jKKKbA*huE!j iTo5&#YP>e~L`C&ZSXQr5\k޸qM>ʮSkMmeCJ)׻_V& *W"5QXN< @>Bsoh\!B-"y3$0T`½z5:<̶ɖøPFm[ÉZUGJ>EMʪ|oHY8T*Wy-$W6Ec-sFF*"odRJ,48X`f:` -ؼbt̡Bpק{+y~š@~,6<_ɮdUL2d tt[Z?tBɐ!䭐\oJީr1p {@0uָ]r]Ky뀨1dzX]ksTu -BV&*)LU*CqP|Ce¬Aȿ!mpLp~Wy z{ô1){˻O9w&)HWԖu㕧4K3!i03"Y3JJTϑ+ r|ȭ^:OuW) {hshF}p|f+iZ@՜#H1\%wc홗.:3.f$p㦥NNzj5y˟>?}?Oq$6nfDgpG p =I=@+B;D7xxK>ؼ04+6g|`rŁfڵCk3eO=IW_zFοC#fwv~Qir -os+ k cLV-&۞˲?f`;Dx; ejgA'зhv 7|fkg/] z ٿկ{x`),@ [ߙ@C 8`64f1ƳGm4c5ȵ4W+jv8N Z] _;{ z LpA8"4```"pP, RFC` -l¥zb'&jA'^R -4TxPQ HG</chm6F&Vjr -l&e -#n#D -eSNCCC@:*"=S,kP%;LQRBlt$js_%nsFΐـ޻9sG^xWSo-Tj}'润 MuyVMg/hF5DӠDdEa0$L!g*Si=j0DG3t9G.ߌzFZd-tm%mӅZ!?9rNGؠq;EQ=QGNZ (M4LfΙIJz{zX[3ح ټkqyVcW\YgCSǟ"8(s9~P~Tx>좸6xx!IM8JEo`iǒ7g`Yûl;x -ʩg[at5#}!UgєPp6i 6-)>$VG7yTE_UF?UcP=LxI ds0<Z@{-ΑR.¸j8]ECF.-D -ǣ_:N N&!Ƚ2~"RVws܏^ZqO%(ߓok"!dc@13E4wкXD]c[lظ ]lq|,úՙ3 -\+ֹM.}7מEIRN+g^3?*I1ބS8Ä́!9&1<&_b7r2Wi1_ì͍dIUTfgT6k^QIɷ<^3{{j϶:-畅w_u+7nJG騘=C<R}ZVry^).jpdI*/Wy`vs-q-[ 5gdBV.YMY2O(g6yK.omZ>a"^.#NzK\ g8@U+beV%y:Ewn_Bu.Ϩ<PD H)#LQA,"tІFpF RD 
*1XQp]f%'nf=G}s=WR*x-^nAIܐ84wQSQQ;aQP_B61xCTT0^,p̕_-]Qךnܔm^`UfWH+v)OmRIޒ)ܤ޹oEDBLH$ oA26.98]pfnt.*[;hQ]&8+e6lDzBY[Q+HouSEg|2R>H{-H#BK&E20\ߖpQ )qXt)*+4W֕V"ҭ &ۖg:J $\IN^vNWFv -h[i Q^R"K0T꺭bQ#U+,-}).$)" -&{d1pq5k7٨&+46r5 j:^q:(X̝),dEK9wkE5/snAph}OQQQF_,Õ2ڃJwfm4Յlț5{V5d7DbRd+>6)uSu墈&ކ.uCq~hН) -Sxgz7.^܃ZZi>5Pt:2e^iRuI*Knm7rKs=M2 JnHC{p OpCpC:=zW? --4 ]@e*{磤ϖ)sg.VY97[pp֮(f):v!;ikw۪n{B.^R=lRMPzA]H-u̕IrbVύ>u4BcuGLBd.XPWvﰢqy7N}7{;s& 9:t}C@HĶQc$:2%@`u#BF6_s*ppqp5~'[-LjL.7h2h1=D[!b܍Y?.b/Qߪr#icؤ#7&s,17]Կ+_6dǁ\DU#c$&3+Y+&lU}'|2爦4SJM&-m):S]{ýqwx+}P2 -d.W)6ncmm,m -ib191 qBG|KV@E1aɂ:3jQ!9N,vP>'Sߨ־XԤN]O}&gI}D]\wa% R)i~=>BO͂82ٙ!.g.CX~خe6JlQ*\iTS@H.!y`b FdA@A 4 aJ"cD'( -(
Pϱ+߱}`:{uI ,c`#ց]{I|OdE?Xc{< -8b¯37*535.ClU4-B 8۰::paQpڱX'v1e| 2F9#a[ lA{̷Sɥ,s0\; -"_ h@ |9 fрW2:pb5 a|'&Gq b{̽D|^'Fa7BMhXt'=o) <_YؗڝW(5ܞdZnQcU!-[j!.z5{%-dp_jI:Pw1 d_hwWеL*D:臕fJ>Y)hץ(Sc +e&Ir2j}S_l_W- TC|)3I]':&ͺ(f^zLd/.XBVJ/)y+nd)˼hYh=w2٬ )vQ,yvi%)YaYYWCoadbτd`Π6AfҊ`u ؋M,hSbE nU/*H,X%%.ls>abAǐSN7=p w -%!9kųx)-vbE8{`u,= -*̃/ŖŔ fL7=[+"|WhW+BwK' ,:}mDss^R(shRX\)wPCTffU*'EL;mV1$bل-mWC_^!S~\[~ uI}q-v P߻`G)@N9@ΡKհSk -km N3<:fjm0ormڹ55K֤Uk|YxWWENѨQ?Jw0%wrf@Rɼe%ǘג3Ly)P@w_wOqץu*N:ڕyw[6~_U%1/;{xb ؅>K= c.Ul&׮VsǭX[-uMu^uY~%U4uyqx"*ʡvlC5ިxxŃJs`Vm\clTf3iwNl׶ݴMnc3w<>]لmqN -`TRiyFxs.q|r۵yyo띭}w8>9|nrolʖҵ-ˤe=UΧ䋜o)`"<#“QZ2\b$D+ mk ݾKvxr~Kqf(/]p6Q43` (; e /r*x> ].K< ^9e>gx:,fٌ M`tWDL+p`_+ǐ5|U"wxP w`EĄ+͸EQ"\!dAל8#P ܆Vk=!㼽ay4gTh֩ȑtG] ;z6& -,}sQD%IV%~pYJFii~Nu?V,'ZBsS` 9}yt{\T_b޼1zDw5Q]_Z|#x~sKn)$U9 48U*婄\C"⁒RX?"ZB =zOᨮFgyfG*˒V{3f{OBlMz 4eεFO >pZ`JUD/y:Ľr y̿_ # C{-4k-CF(^ԽfjppQ0f|7\^a3d{wUҕiM դ 0ь]}QNbWT.ŪUV^+1\"h:еg=Փp>j --b oЫ*CH׵Gh(MAcj1:QLtwxBOg tZf݈kVߙ^b]jP!SXIsGN/l7O3y|-0?a LYB6b>@p-3(.7RFvsնD7ó2?YWyĪw6vXhŽ]ٖ eɳјJgg]ȳfPQ%L^`}a`aQ PD0÷Q )Fal7Ls:q&3sޜ0e \[%%I8ù s>pٴi -]ʞQK @ ?IoUWp㠻6DC{=7ff:47BsP u~ڪ`v? lo>mnVGA '&:n1ߒBӡC U(| YO"$=3!Q2 @ׄBz=HfX0IF)_u@wPlP ( PC2hM? 
tB"A -kSRsӚEs@a=2`8Ȩl3q}JCHb >$L$)^>8qZt^wK-uD'3Ÿ2q'vABpaRNH^ɛB~ CXHPCnnDOZu T 52^HF"$W셺=W3uЯGnj6{ΆF.f#W'~#{;֫e=֥?:CןdNvå_…VW.D.rah+i 8Jc=a} Xa2bak7lcwݿfwܳmЗH=_2p5YIr4'jqbjQ3o7>xDxG#G퍼y13K~{ԷofÆ_$TT.nTwR7\v43g7p$I42w7y Y<=Aߎ~m1[b~(h-hHh\`%li<?"ﻝAtWΰ)83Aq^aQYpZӀ4ۥWsN)LjK$4%Ygu 煵Dğ |1SPk_yd`ZT[0VFr2zeN -K<׭EhJ3y5YxS}k]|tDP%VHEfuIcQؘo1}c%殺9Us0clƐfӧveٷ͙.J[}FG]z%WPt!A|BT*˗$S^X`EаtP7)r>0Oc m@o6Sm9`ߨIvV8ת\+Urg̬-l/VʣBYNxBKdń3_ ܣگ逋"`~ǸCBGGAӢñG%8XrӜ+wcNg3de7 }|aQ$G}%@~HJQbB'Ry"es8Ba+z|tٰ֠iEU9H.%:!_YW˫mks{H=%Qi/dj )Բb-in({HWFG'5ԗ25e;8a\sI}iqp)2t|b -~VA `T;!V.J亻r'?$ -K߱!u="!{KsH_[p"$bP[*( b ݜB~xmuSv%2MYY^aS̃$0(8qKQ[Q&']%3ZZ:WtCY?֠ȺYwrpnvC}V}^8vw֕z&Vk}j15,(-aW¨/U V]uTz>+C4-(lA~*h7#};jdEqmim2Gi9%5\y볿_x,?:_/aa ճ`>GSʹ -]=m]]@^7^/dٿA0Xnb>/!W[cv 幷%ޮB:B:㦉fz~t.tV.=Q7![@$oGx(3͉OF"Ʋ9u5ctmim##?r>o<Y, Q}hPv ec@¤b=%F:ފ] gBgb=3) ΙmU?nqxkzq 7/ޜS'Xc@ -v>ʵ sH:D&u9_[sc>oχ`|mq2oTh3q6٬܍~Ivl?ᮝn9~Wc2 Ng9ឋ@e.,x p iq6.a]xj_Ǻ%,e%V/YUKʥ#LyFr6#Y,/<爯1E#T{'trcIICm׀759`w -ﮃ^ł_9}PV )x=χ_u1>FH}oM+@ lzx> չle D((`W% 1`A,H@Dņ(< C-O1D!ODQDĂg0;=;{9F 9PY0s C Yҿ#DHNb:D X -ACFr<(g3J,Z=X=OZ8 `] h%+"6!j&;@:5ͣ1n@hm -}k7jGK(]48Zw }0`W.e@~5Gn+jM :kRsG?:=@ON}DoG=b{}`]$7bu)bѽ5t?+f 5(F?C?b>`hUŗ`RwŮ`0o4H%$"H>)k xCxjth(m0k0QLɼLDcOWI%KrW߀|ExNyn@߅BV5ջ ]x)[,<:t6ᑬt7J+&BZ7pC]h2ehTsE9塡|(T7Tj -:U3PŸ@7QMVen)wr{q]yMWՌCkp^øZsƝ{=fKm`f9/c)QDy P+Kz?'\z?#qnU듸c>;sC V}ҮBܾUXfLXD%L3lw`φ1H6G[g\qǜqy,wy"y_sW8-q;-v\#,s:Jvv:;9:wlqfLm|N:h{u A!8bnqm* -[u_epKؐ**2,m7֛l1l5)0.7TJ6 W\:dk\^V2Yg`(vF#9. % }#cwJFscS[ŋ6-X f%YZ=_ڽXU9 ֥t'+mZ#PM88>(cEV~O8qT oDѺk6+Y"ʐ-ʑg{fzmS,maeye//L:}?>4sЬD}>͟Po ;`k@xry`A1Zѓ٣L2eit,ET-RBg}[~=h(1:ӑ (X2 d 3lj2|/N&I I?Wbиlqr1_5׸S3Xejf<.iSGCp" -80(ٯ[u^ȉ̘AȈҢ}QXqR9Ӥ'S E ]|j)ǻMk"-&1sT?pjPEq췍Ҽ3NZ,ҿqBj;(v<.@0wlpvL8!f)xy\ԨLȵ" uyGEuqwgfd`.誈i*e60 URUZb2XYK(nQ@M\)GO-hknQ999s{}b<31=uO\u]D1D[~:s[<ס='ˍykP0e P0I(HҜy2s&3.N#56CiuXShvNޠGGp>36o_kE QY|7jdYc?4bIQ4I\tl-4 6)1D")!ΐc/T+b۵ \z/NFŋ~>\3T`'ٔuy%&G,5E^rR!+ea򗤚a6IѶE -$}LR¤r'Vaܦ 7w 3wY`%Rf5Q|'&`_ԥ;I 2ۭ^8cGbt8Nşi kܭz a5_b[7 W`=.Z -׆]4T[]Mo:`+@. -L p? 
f' iA̓0 8 ׃S -{t{Ȁ>-fn)Eϖ:4@ro9tXr0y TO&`R3`Q19*hZ]nusp2Nm U{0C{2OAy -vP7A%PJ^uqW}@w&cN7sG80u -p>-*ka{l(H/xArA$upup}DwPA;6yDt3=S-iw8O.ձ]#Zr_`HD)PY^K:_KFn )kp9}5O= G; pKŦ@ ؋+p By:xyDM?} :[KWO21 F.~EG+#ɗK q_po-~#nT]:˪^nb -8K!N>C<O}'iǠd[[k;ϯEf\ wNrgũ!p/394L`""}*/@%Spk6\KÍ8†NQp: -jp2`9Nű yy9t>`:G}vm(/cH?5'Ip?P;2z4.c: 'i8ڍVW0.bfzWt[=h/ - n{h˸_E zyɓTb5 O7?OEOHhq`t Dg)`Cʘ!]Zv{*vkphsѦŭ!CΉׇ7OZ4gI{Y*w}? A/zPg&2S:Qh MP3}:5<@SnT6hZ4uuqUҠ%YVkNq+5WSHOQZ*HyYITꩤމ&8biޡ'H}1 -"'b{d86Gji`6D3-vv]m / %^^%^DR[- & +[v\^'_H {BWG7&3ҿ| )-F{lM16ͱhIbƤ2l}C<@,L\5G$jW3NpZzfyմyQG}*.*D=P̎NQ-xyO |JOi:D'mxZѬSQ7uOg x $>[TujZ*W+F^kSRΌUighUjP yj9n/L]ns!I!X2)!K CmJ,S,HNe'e%9ĕىeܬJiybLR^[(TĻ|~$A& \9 4{IF ǪXnZ㻨1b12h![\npI%\BZ_ +/7+)ەN}?&zAI(^s?dN~7_mSJ<ñ TMAeZ$Sa2s -[jfKS\q7K]*Ӵ'Ԥ1n},)F??2 J/W袙h!kS.s(N9]Q;yIq#IlĦ3Ein8U(1} -$pGn?cUk(b,% J,v-I.. Eu݊#ʘOʘA'GHotE,9g0@X3}9ݓT84ɬOOZqIP/y_,*ʷ8o{PzN-gߑn1>c ӧ#% iJ-,KRĦwIp^4;D!:gk{Re܋$$ӻ0 -Lg6)C8cl7FgaTV?x B\,Il|ଥҨղYeY&rM"<'"*WB[+XIYIoR٢M^s=\wD\C5`0D"83ƹBqfL7JHCvKCviH#iȆe!Ԧ.e.I -^ ̦{~F`8[֘B99c@"u(AxI$ %_2JF_Tf!شzS۴Ne*Kv -PrQ? -_H -\ la d5i!݉tOR r+ZJWޕeE9X 0e,sòb 3КB[m(xuQ!b#IY}XLa[8 l5N /xF6#n7LŖ-lڶ* joAe}u͏Dt##s*g16Jҿ< pnPBUNP6t>2 kgBCfQttR@Z| 01O'06 z? 'Q@86!=Õx-~ 0h兠V>xڸ\[ 9/G0+"<5`#Ha 8iAu#y㼖➼ ŜG;/"WX_B_-'{9ȍN2I{F(;޾^S@y\|N u'^5Mw6'݁t$jV; . ={\\ ry =f -0^-z~I8m|E&w͜>ɤDtح;DM"P2$ydIOK exJVғ;؀DW!-tUU񭸆2Gq?"G@ο\!/"o™89iͦ=zГQ3pkMrpqUFjFgъSm$3‘O"%Cpb.đh8!x ܒNuY"o$[ TY:Sf*/G|6Eр&E :=؝~@JDd j|<\5x]7\uK18 Ψ)ؐ<޷=||E>86pcQgvǡJ? -`>e TNXI(ћ`Pl67HCNI6ܒCHrCEIίx̲\fimc?p}a2lEa$&4lLY(6COBao/}\)A55J .{]8..]n r[ۊ(%*XԱmSӦi3δv!mӴt2M3Mil/2f9ߞ>f&mJ`OfO-'_Ʌɍˍ "ܱj}6p/{Vp\qz܊5)hF+" ӚjLjIMs"fÙ!v43gNsCܠ"\4wYSe}~@DPCܦ+;t/m"hUc*7'sMέdFNfXa젶 i{~0ק=hgnK.UEg_  yyBrpeCmnNSgcDǐނA}ۘ~#ۥ悺\noӝQ ~+BY_٤+Ш>BIN1@QD,60aL@ش æ4g"dGٌt*tUVG5U~B$Zʜ5!M^Z{&Mpݵ6W&dw*&]g] ] -+"\F5uWep2CiJi -zE{RpqbS#uEuSnCw}jwςb_c٘B5Y3xwZ. 
-וywy_sjJ`&FOy]7Gif-PO՟ -f"1j=d\?_T䴼n"[n~i~-J#0GLQ;;ZPŽ0wn)j2@eE~W9tYV2s܁wyu65WGyu7HJxZ)st~P@1лoA^nhRqp@P>CfdJ U!#:¤zq65qMMKr)=kJu.ӞF D5-ʞ[ -d!st#2ƶc8ia=R|+,a_؉pH0ç] M&)|II74eָLZqhcq=dLO ej=N'$$O`fbI"qH+FB3sH\3oFH28O1p#Mύ!Z-v87 dRLL=e\,'`f< )H\8شhlX|s/#~qxqo n=<9) Ch_$uh -ПfIH^6]p) D"\ށX"vŌu+XEJʕA|-p~I|gėPG@pS%gi9i%ҿL/וP1M}SQQB_CRJSNhHER !|dB29>eȲZfǚ550żmw\]繟њ@ҚCeSeSE؈xxu`E D994|Cݬ`@c\ 0^_o !(`$' NRp>ٜ69mV<Z[9ɭ u;yr)ɘ+ƫf0jRӢ P676 -}@R;Nl_lL:X;:8 u'F7yۀ܋ouQ`= PSy -*_6XAEl<sDw' L7;0x0ZSלV/R"ȭN'w97?=G3sǼBOٌ<݋*%_꺑aуBFqd$$o+%9V)6 *5 Gp-'.o Y]> C+"/NyYG(2ꬢ:lΧq&9[<`_Gz)s 1'#`uQ/Z)ʤN`uSJY1ks4r.f~/Ȣ!ӝ7:WGP3ٌV"uC.b,lN%3_gpqoZ躙Y<8I + ᧾dJQϟ0ԊhI>K\P\͜E140M\ts :k42JC斒e.F` J.$A"gѦV84%^:e^.R/NZ*4؉zzu uawc3vE= 2,wwȍ>6^X㴱;MI(M"pX2 ʏqPze6>WNbOr۱t?63/QmvU揱-xN,+? bIaJ.l?=*q|]?o쵘ݖѨ)nyfQ%*W`U56YQ1 ^GXmnzxj3%Gyg{GFhh:!m3;m}PcjQevlMv`7v9Xgka}9VoE{X^nA+'C %bY(zԿ=}bi}z5 56t38zc?*ð1ӱ#9JYXR<,u*BSPۓ C%(Cg( -<'bg$LCRimE/R. aǜ|+W㬰@=ծL?2ԡHWO,TcNiB:[H+~vHZENһ\b͡\l{Jza|7[ +Θ_!90IB|B\`/.> \/E(TL : <&JAigV29Rz)d>rIv!cv RC⎙!c1# !a ؐHĄ -ѡIBTh0=4W -mSL -'-kzaRYA#[]dK3f H0$h\FFhM04ᘮiBdx0%|09_#M273(Bj+7& -"0#2L*8y2T2E$\Ct2_ۮfFmo^R=|yߔ-}ԋRR-)>Ϝ"3*{$efEim4%wW^zQM ʶ&fPndXVL#1Z[W,2Z2cI>&6j!<@ۖh!Y>q4M`,e,x 9*#fT{RclO8MIE,%eF+amڭku!u -j[5Vm8պʭVU_Z-mߺC[[7䷦A-Vsy\۾HJ1eRl4^kЯBnfs nԢ:D~aj^)K`eổf+]M"ˁ샓4(-wZ^;ir) 㞓nwF[Zi&sMk.:⽏B8jijpkxju-HN~spRb]05g9#э܆AV -xE{M\0pvƎ4Gh 1.::6zIù:bQG, r/ֱ>[#>AVG%h8ٜh[mӝihml҉GccPϡ_ONIt=.9_9%tzuR glf13] &;Jw>%}iBPWf2PWIU̫8rf`Db405nt;xZj~yl ҧp>HKo[ȝkrf>7vߐ@a5쇃L  B,$B&'fѿHi5\Buz}M=żtC:~5V)@C(M44sћ 4棱XׯuSDg-:XsE]>c}X+]`F>/jh   M@'_\h(Ac{)ezO=lK59cnE鄩zj>^TPnBHȅ@B.@!B- !"BAQDTRuκεgzvvnݥ]9o|=y2|k1;nmmW׆p%f.Ōb^pe^wqbpGX}qQ,MB!R}[;q+67Dĕ8.n0np̆vr|'p"~b!MX‘8p1Slӛ+,ejwѽW6\ڔsxiXJ$+܂d'wc.#2-޺[b_77 I}O0vG1QݟP{WH{1jm }=]8c,Pxub'k&j~GIF(}Ls1.è( Qv 0 .E!qbz]BgNtW2)ZXKM於C~ʚ%X$|@5敏)pS=e勔Ǡd#$Jr#K*C@ZԂvenx:) -f$sSk48?&"fE9OO5_{Hcq2Kc^2F9)_<Ay)(ѡ]QVE9*(Mp+Фtl ;|Us^lcQQfU=|ƌsdL3NY)GQF@:,xphRRW€ - WzPW [jƙEsjN1Ǩ}|H@1jO'Pݛz49D&N7@9z_ЦG t|4j JQU*;,:7:?L>fԏ /1*Go6Gg!=GrO4\Q|̒մoѽ =?eiѬ_> Tx 
-`5\@mj#5uiBuc:NVefZq1^Tr*L#NKT֬`o+&&uh<͔zSy(CC xIe_3LVe(%dtSV@uʹ[hUIѶ -X6# D(ЯvB / ?02xmY/sd?q5iݧg&#?E^`!! rB*d lnFf2SH/!-|H }z+NRi2Bz'6@m W7Dd;灼i06@0{]1K%5edX+aXo/m` ƣP;612@:Xvp {KO"ޣbrϯ.˥*4q~d%dԳճ|$$;G؍=g~Iރs{Ecpnk*>'͓|]%5!qw4V BB%}lN:PBp$aIvg9s~DD$<Ɂ' =Q%_BfjDd{=YpN')|FLN3,19%]`aB.(}INPWʤ8xd8Du:1>J;돟Ч[o pp p&t;1({@}>np/p_b?'v5Q5M+[4[Rjcr}Ǯ{GﱷEsS{^ =9כ `.AFhC+qrCH_i!eWk2[EB ;ɳtUvZ+~~vuGMD]쟀F3A#bÎZ̙m e|??[#(FXI 5hHKS?(4HИ9hb4qR<_Zق5b.@dP+^?jFؤsbguC |h4)ڏ$/{;vk.rrkmOqR-Yۤk#ވ ?;@_e.hza}D Bc>رlÎر;ꔏ<-zUv5ZVJ*T)W x+>hv@Iy _bh4ICgV)B^fUllF-n~TTj{OĎ\봷hh{NC-U'5vk}?UV0īܐe-5LbCfaJh*w\*v:"*p~9.ϔbUnܜoGEچ{hsVDh_wTb-pMD(9IQ&1S9DqpŚjdt/ a44ztc-Mh`yн\g̣:0+*"EPEaeXT7( -.ǚb&Zq_c5֥1xXҨZMD? \{0t^>|߂3s1TG9y%41W1~PŌV1V$ٍ6es[2͔-WJ3-WAMJ`?fr1 6 k`T78bEqgO9+h`U9Kq&(%a,pFIJHc0'+ ?:cx#%S3=|K!1'tTN쉽/[P%5)J)Iq$[d-`.s\ŧ<+SJM2ZbSI Qg[)#Si)ZdQ5DJH5ʜ4LiK+Rm9-QtzƦoԘТKj0;1Ue -v~ۘ7m]Č~2g V|F2-cY1YVEg56@cehKoPxve -G -r+^eti)̇ ߶LUvyWMP*սj4ʳrUS99~nբf@ pWKXN/`^ @8)a3/ffl^˹-~**uv4{Wnuٕ-thFt2K` Py;Nn{7M.v77\ĵ7TN(WRjgpG˽_&h'?mM^!A918P~!0qGBAlp.|7ݾ\Gx`K:9:A$'1 -G f:GMhI ކ* ]{.CvyH8ZZg8 U|J}'|/Fk~Eo#v{n;tk`3?M—Nñ=]|m--M< W8/t?úB9sIm|y=C魇 -ЏF{ok:KkOB<u:=K[Dp\џDlAOЕp@F=+1ɤI *!q|@#q8մNjB)odJOXWGta(V2:h䳣:FGqK]k!*WmWxvjgvBm1<{/H.ΐ}"1++YO䱜LYvNATúuLM&آMG2ӤO<JpW0`6``6` -$&!IsM4I&kf]zd=Uuӎv6դQҺN:mkUv޷dz{>I}R/xW%^սŋ7Zʥc:\G&dQqXtS gb"㙏5;e2|+ -O =.V%?{ewV,Y ,de#l33a*pN79nek4y g((FsP;."7)R.JŎ].%Yˏg m K(dXѢV 2X4Lq턶GIPݦ2=Ke6ҿ7Q׾H_Ny5K/Ib$SCrM6MNJ)&X:@w8]eos[<7C_kҝ6GYyҾLh_Fͱ 3k6Tmqeioi⧣"D{(Uh:D,xlO}fۯ_\DVyFWf/k\2,'XL5v IM[aS4,d +48/QxKEDd'{VwQi> fѩ6n5zqmIޚNuk>VֶJTzx#f(-Q[仗G~C(7_eJ"(YRZ X;TvPљN3eՔ1[(80EQ`#.x O~S -U..HgI*1'k*j;ʃ(`KO>=&z(쭥z MIv Y =DFۤ~&~OF'dDwK렴ĔDPKINA? 
L!w("d U9@pA҆GI#ydGΈ$ ?KŻ$ }*wJkYEHM%ZcUVQ[cȘ06HD:)y$OyZ'$bcxMćOb_O7xG?#~<Ši1"ѡ5UIJQ٘U!}z I$m8Ms`/68e|/Hu^dD~@cL<0""2 -* 5"(Ȧ(( (8* -+˩₩1n&DQc%i[5ǦMjԨI44>99=Ǚg}T:++Hϖs''- ŏ;q?>Əq)S&ժt"_u~uyzYWz+TXGO~>/~طb-v7R(=zB>C,N)V|^)P+[]G9DFx!Ngu%yab Qh@#`52yi>ZUƏq@Vf*%cDuX;;M,$ǩW5Ġ1 -㱟LVUG$oV*V[rcգ_Ks4g [{/^g A' -hEc)hdc)E -ZV,""[.v._iswr# kG>>wpelwUSVw JhYG%Vu.ZꚢZL-q"|Y܊TVjZ֤y-*s?RwTcxJ1lD%G(1,V aAي /иrF,؈lCuR#~=;iAo m -1 -ǽl09C"J (EӸъQ)5UkTtFF[4b0dǼa1|`!vS\7ya&po -K#.M ̣>0dQvMvD}}GEepcĠ`Ԉ\Ƹ5qiFkUظ/MjzbNs5MSTk7IOsf`f{{K9YeIPfRIIHJWzrҒR%SJMJM]j%7)MG`A,W}́z@y>9JTqd2јTI)& -`ҧ)1ݮEXgޭX`>x7e8نV7m\30*ǔ.SR3(;[9%ʩVdLE(}t jK4l)w)We 7v2l {Emg6k|m~sn0(z8E BװH~Rr_&,K8p.+*.]tqíAaa= Gw1]_5 ͩPFs([\!k\>ZiJɩm*si-䱎jb`;6{[ Vf6SDEVFr{ 6xh$2.c}cc}ǹ}7TGKH1Ia1y5빑oz v^x2 - 3#jrK y36 Y+0;g6~K8N[ u?E\vih2@o!ނ18I59͌# </W/RK ե e_&*F;Djǒ7pjY`\ U -\eN>aFї2gl MVżuؠu <=w'-]U'mu}r uvxa}k}Ӹ_C<ω <74}tWE/JD3|t*Ш-6KANw}eE|y\Y"qyW(29?9<{=;BDzQDJ^Gt<ΐ))y|X5<\i0w|G'X4HG# |4J=ͫ O[;i$Nb''sqbױsqiRM6Z:umU]K+T(L\Mh B6&B Ć m0ډ3??~:w}~{cc/V0]b -|Q_75O op}$1s4WG - :kѡ\i5ϫ~j%?L FX0i*\ъvif/hGɋ*ɒ5Q&>d -eEi׸?-Ye,-5jԪJ-ЬyC =ij׌!ƔiM5a<NjĮ1]ר鞒ה0F,Yڬ^FzЧ}c~,lZsLf1;5mnДEami21˘F-Jn\U c>nzRqU Zju~?>./8l>Xz{f,3qږ)Q)&iU֦-,xwnm~LъksxUa -WާyEit-<3M2s36{f 5dw*nנݧG=9bVr\Ym(TO5wU:koÇgZI"r=I8ce^FːH_mUPY^g8[R&Au׎*X;EuTo͉[=?kh=Rioޡyd,}TckDָTߖۿG.Ljj7T2|[/iW?ճ@su~NB/ ]m|5j RC%w{jc@霑sE՝GT*^eٻހ_p7ά濏YjN~#?yJ -ZUVnTTeOLCS-isCO,| $[[&[=>Vy54ИVA:R#Շ}…rn1*bQe\HnUCe٢CFS]C;'Ḵ{Mb?9WY73hzϣ3N Aۄ%n໣RU_*KT>`RـUA6 j`#e )>s2/]_SIǴ0:tf|0^ B-'F)ՃRuPAED6$dLeHKɘJ 'w([*H^T^r*7C%~(cFgJ D H~hObl3ɘ*QIʤ&*Lժ ըT@aتuL.EL%*Pl܎3% Ce{ˇvLJmϳ?ݿ}" JH%:bv̠RѰ$H@phĈ`ּ>5&ym xyX{g(b5 s/w)1WΣ0JWAJc6ԔG1 #uơK?C"<˚eße.o-q3<{>Mzmx_ShB?ʹ |5[By=g®r'oϳ.0gK2{9 2{2r{ 8|oaׄnZr1xvfK04&{CYi>>椏 ~q>J%?A۹B>zƸ%9j]cF2ur9ACa?/~곟B;i8'U9@mcAg|FW(ćW$ ^~Ea{3ظ!'}q=/XRl $Ip.G&& ҝjKt>oKOlH1ӝS{7$ۘ~S M̫2ґZv>Ϫ@VOS;tF=ğI |ݞpOѩye \0]׹ i"'kL>RXf)'Z:%t,ev+-H|';!.'v5LqTa'&3iB/mt9.hXIdn9L?Ev( ,r5^qOCr1/$v9u&q'-[|c!.yds.3: -On1.̓ي -U2E|$E/"|,||\q7˺LOgTT2CeO8[S6[.R^/i8:4D# <4(GJ31yJ}P\M曓Tp$:`v [6 
jV^?!=8-:qHCh(fSwԫMԡAS4>. Y2a ݩЃj -=!vA@{ql5[=0fO53\6;ܠICtgUaɚR{Xi Tkh79|uq 5D,P}JEnGBTaT,5VŶDٜ*e/Hy&)7U9]N%}Ik2*#\gsó֣T= W|$^h)Ub{ -Fʳ'+מle'I.;FY)LTc|Pr:#x>3zhL9eHc_#yVR!: qq)ˑLS,yJO-QZZRL#}R\ z@IGeǕ6|W<h5 ћȅL|}^d+ -W\QhŔX]tȑ_$4(c,J*t=TO\K%7MEF4 gR]AQg]wEЪ(* --, -BmăD3iFUi;1&ͤNkNc̴L56i֣c,d?Y罾}FL+`WJQdv|dȕQ Jv\*C ~;+ιOcqX^8V±`>( *id_+;IFYIJdT'[y*u)ڋ'/ыp| <<_h&q;(@1τ;~$J ~dʼnJ**@0 :3"$ * !yURxP JlL_qÿ~Llu1JXbPt|R.Fz#ìCH Njų#aKgpK-/p -PH9ĜE̓}O?/Q_µEgKO F+k+:w%KF.(\/Qu`;ϰ-DMT\~vPBsy&1O _?f4`9VAZM.?Ppxs{Ez3r [d!m\@̳p}jΫ)$C7XlaX?X6N`LM6s6U|RMySpw+TQ"͡|ի^3uK a·A? XWY -q/O=r, w}qKCM~'q~g<>,O ڙzb/ku?#|agD:a/Caq0&Xku7F4(8!8G䠿&M sA ";`4"hu&x`x?NsfO8)w /:r΄;M6HhD9pɈH#88rpu\,b%% -~O -y.!MwAQj@|ν:+OQ8|H❧I~E?"sphBp;C->Un3o>$}|QX5=:7j ~{=Hj=k? -Ux3z]W]Rt+pk>\P\fFi3[GP'^uz|:z:~CE0-{/J'i : A ƸE+Zd$,%ض㷋\DKè!A6]Tyxscu9/pޏ#N[f|a -Gb]m;V]a;l/nvS<7v#dr EA+|2;17bۊtf.v#ʎ^DZ=B]F yBz}d%,ã%2vb\lQ*'a{:sυ.#U{~=7QBy5df'ީ~.=$8#`; ۓ=beد~ ?:CZEKo -rzSL9q,Ǭ`#vpFHo~:b&'2B". -8p@wtұkuԣj .3HxU32_ Vq G-*3VÑG&ȃceTY 1GT5Ii -De=G(\jycm+U5qr ?'L84^zJKXk'/SIF-6X3k,!K.l-HWMbHQuOzU&.UUfRqJL/tBEp |'6\p-^~w[62UcJӔjTM3Te|S**7WUV㖫hjͳUk}Eso*!=pm`cmzk.|q⛃SbUeMRŢ -MI*NS5[ֹ*ZS;IyW)7urR٩O+fL9p{HC -U |w*_ԖTRST:A575Kslʳ*VDEʞT5#}2.5-cD55,! 
¿4`$|e}oJx  b I5AI*;œVYKfnVbUQyUۺuն]ﶹ]n9 d'y^z|*|̍W%Yety-Y*R OGrjU(Ek -&-V_vl4~PVg~”߬8Ki̥*PfYI(/TzT) jhQjE'Uo@ɾA%;Ċs2T\*>W?a;Rԃ|ǤJ pϊ|THپx&')ʨLiԪP*JnRbuDŚXFwlU|^U կ+|DUݬmo W -TP *1Q -<|.HF3ńٴF4P(NiO;JN3X3.kᡖ&lAĵ)0(41{$f[3K7E,^mfv)##ψvl/ dx:4z0^oQ&R1&J ȵ Ny=/亭Mԃ>!g}6blS|s>imd7yp.]6E,`c 5YQ>9fq/r9br9c/[yfg0% .mm,o:HCYk7f-Pl,`'&'ߡOQ!zt~"'(~sbϫ5*]Msv,!{_3hl<&Bh-TlDŽ0 ň2=r?F(8 -a:tPuVr4%-|4.F&1BJg蓳q\E?OAr3!pFpvR#<+;<au:Qx\(.A]6}fJ#+{^8i=syS~}=*:+G /P]Wiԟ%.~J~B.i\:ops0^/c_>Q\f -4G5t̻jL?~ʹy -JCxЙOEh47jvP}hũ߄3,ji0)(' -L5{ #u̼M`pEWhT՟W<~`;۹v0Ŵi%mx} %rǘ as9jj=7{L`e R5:%.Z;}Q`O#6Zm/u؞{݌VlEݥ Te е/iVқbX1\G.t욱k.l{]Z쇰V+#]Lb -Y:1~6ktv 5bׄE g?RX a2)snM?ӳٮ:e05&9(Fd}{\,XH.&=Fڍc~t!셱ۦv,n/f:z43UaKH}$A+oX&fp:9/:jQ6LC8JdRruaĉc;ǗN8NvlDZs:M$m״ K֭bBJAVSV1Dm0؀A h*h6&.ZQPG'e=:3Hì1V*f젗 c%Xz>A4lsGX 㰔gKH ;;Ѩ$:u42to>.& zg=;6%ʯc³x/U|8fwcniL".|5ը\nsL]:Yuv0-WxZ(m٣fA,ǔVr vM{RaG^{jSWKVZliDҸZJJ[;lWʺPɲ1%(n۬mjS" -ۧ:\G8N -6 -CC7]'caVDY]-vJ~%uJأjw)UԱ@ 1E(llVG!~*h<G -W^k[KBzNUy9-粼u7 ;\MZL3v@gi%r1O5m - ջ+rW]'OWT]HU+ީJ.Uq}\Kryr{oj'荓@.pm4$x#FE[תסץjWU DJ[զ~UT㟐ۿA |EFpJ偋rPOtk#Z!kR]'D~vy*婩&.W0#gGڅ2j<4)Gh/òRYcm݆]h44O#"YePP\u9rWɨUy}4t'[d"kdlUidJ%#DN *\d ԿEسA,$!=P ˀ91B4B6Lֺ"og4t@ mM@mݍ>T𚱮ib8d6cLll&qc|-0'3/<~w4\|tzFaɪ{Yנ6t-#Hb3ı8VjXCc1dOT -3oce}~z.hE75L\=5-Ch,I5$so%{sIFMı817v0&;XTVfH3׆A!s++z ))"ö[/:@ndwt/ ıv?~ޗ}S) -kyR{꣯s"!Rt{^sk^nh -Ƃz8K!Lt?I!q8feep#TxplCN.a0UXR|e>oH])a0K$SgX'0ٟq%=y2ղ1@ۏk#VR+{ @^y3xޔT'Y{.o?$ %KE&<{ŋsgW ml}y`}ò{ސ͚:Lm`VKs%O,~ccl:W {ś4썓dŧpO/yC/s /d"oGG,~~ͤyIKLWW^/}_%Կ,jg'ހ Ufyw?6sZ) -:2qӺ{Esxq~&̳gcۼ8m~v|;׉8iM鑶뵵)F=Cݠ$@cL ILHCC􏩈C$PP}~{<$% ݜ73 0(_fѯ=MgP^ O߰y ކ!$=~7V!Rd cse e:#h$>+xyK+Dgt*sB?Lm* у_u]S25t,v#Wȑq?>2S{R#aCdC/6k*< 3ϋJ\;-[Cw6Н@wY4:0 Gt7)T 2d V9-hm[=c0g!X=GG xl'[p3=ѲЄqQϰǦ![[-&v؉c'vة`;fL$GS\VY<:ށ(Na |ayjiȓ*ʝʕ3ݔ=$[愬epf(Hicc{SP2(:x$!(*n?/UK/w6$gGL*)r F%O9s* rg}-ckl@%!4 -AhߌM-]N9K-uma*$MG+],ljj@iCePPo)CН$PnNS!6J@e4U6]?MS'hu>[w4qu:@zJʱ{-hAz<2Lrr®Y~ΚE~A!ah66@A<0ǀfq&m&А ឦ ]` ta/)q ĮQaE{HYaNaV6 3]Qg6{9d7l[ Pb F -*e(P*SS -J/Pʥj-2 ʴ:ڱj 3Hm-ɞt;oel?V~YpYKbr5 c̉ջc,NY{&Μ&38]p~ᣴX,k:gHL6}?ѯ' v 
?mI[-~x;gr!q68wsΕΒmQQ]·˨#rs[ 7c?}&{vdVĻH"8sIKi&xA;.Gd##h^e~WN0?HH3(qe3~VpNEj'[ٜ;nG<$H9X< WU~H<^W^ef\. euqDINۿ^p᳹ϏU6K<`,D$+5>>ɿJKb&>f- | -Ol.>IQAaM2z 2zQ{u΢k~8 p ޿z]uq-l$.%~u9Gem~~|?D~bz":'~BiUh -^VXe]SNڟ&hq48Zj%v؝lj~>^n.NC)u}v!~D_v<mv\pǝ;vd`IЈ"v;;eZu&v;#bl/"Vc(p< 4z"%kЙcp_/;muiG:ў؊ @ENA{;ӱ;arXeQÛ rW+b f8S a@䩾";=}ll>B~ *YoaT1v|*8=ط{Lcz\cQlz+۱ݍ>l`o6 ;s:>GNU QuCt~1lEоkپ Tc ~o~;@VdjYdg:YG-e:5c_ ;~σaWuMC,lr2ژT2c^y;u£)TE G7Y.wmkUh9WJ4fy$;B5ur%X| EΊ}ṗs&o/E̻,HK}ܥx#+iժDb񠂉jO˓˝lSMG;lqf܆i I|HbxSGdQh- ϻ|Iy"QX+3SD~ -& y24Xr5 9gϢ)K{caq+X³Yφ$/"\Cedj(fsI>'ݲ=&=#U0?;ӼMvū_nF5#\O&~mXflؒ! ||e6;A+h9/)>O&d\25 -r73D V:HJW xmǶAlcoC%K"K+>|pN+=`hiy׀)ޅ~F5}faX5 ZZ" -nUƱ3h:Z+neJ;=HYB6BIH@P !Ѻ/NT;նK2x:ɇ0p=!?}f^LRpφ`@Vr@G Aw"0<A!\ŜԪX<71 1 '#hGw_C0" 5m ṫ` ",B",BPGbP !BpS/ t3Ϟߧ"$/0` %:BrXa`F6;XApٕVb\r>i:_PK -:G/Ґ9c+.q|h"|X ~5.5uбFl 0a|x=u04.zE4)x C$Hl- yױ;'jn i\ W8tl-бk؎nA pNlEMlaY6{ר` -Y;y80_w97=Ecg@Ҁ= бQR$Ή {P1j` B΃Vݕ Yk`Õ(,7U -U+'F|` - ^EMB@n/+iQ'B/ paT/D;C!XB"0cr>Q88/l0݊M?xy~n07|cǎ0q)SMs^(d^^2l/WYn_zWl۾ܵ{"ވ־o|#G?>3L6ğ=w>1)BY"D-U5ڂ¢CiTSźƦffpvv]|nܼu}ŗ_o~OD%}y1<\'_ gK"0X8d$ D0QPp)#`@L6-F8n#mO@zH(=&c̾dݽz~x FEyy = % G X'$`(,K?W-=C o"[ ;=Qo;p0ȱ4Ï?!Idr -bXwAWM1 0 -z޻}_>xo=z;xɓOkMuDT__ba~CٖsJ:CR Z G#e&\WfHKi h0a@À 4 w|kfdKeUh_ݯAųs94HASe *g)AxӀ n_ToO*HSoTb.W]ޠZA Р%4(ײ3n膆>nE$YL!`*_mԝ/QsР 4y"ySIfuaƹgc,i0,5pCu~S9Ѡriȇ۝+]xWY"Z:ӸdM3^Dv 97V0N6CC4N۝#>1tdBG*@C'ie$5hͥotРUrS!\ʖrz$N:Ҡ#{脆ƒn#Hi КʷkJ -A˱)sNy6K"cwgI=q:E+6 Zg -Uo-/4CTРa;rV(ՕБu9'_4qbf՚ *ʶ̅ڸ|5ǢT۳,8Ȅ#Eƾt^鎗{<6XjwУ-VZzQQYkF}QLVנϋIh4X$&}49߻w?cW{YE˫}?Q -˱lpWDL|rV\`ƉмVmӰi4l6 m{Pdžg0|ǐ0aV]ց灡F!ʺ[Kn۹l{`?)`oh@lǧ"sf\޼-RtɌ)Nm-në= -5e'#1=0htHh#EAg"F Vh•Ibm0;;6 7`2>A :SvIQĢU]1W B% OXoL[n` `Q/c×hޫF'Jcs_+!DtU3(˗vjYy`xN+1™-x[VJf AƻC),ȗfjkۭTkëK/ck$fLGz(6lj;^i<)7m}Uɰw>&t%4aS&Hsĉe!e;l[԰0ݸ/WioƮOW}/>{cI_ᜲks,p!m,g9@Ov.Rgu6A$Ⱥ[5X=ښWǖͯslwrl$&";$&,aqJ'=ʲ[_vwMæaӰi7X?ښc˖9_ 0tJddD'%x:,&rA>'>\0EEh`NӽGWpkz^`x +Wc"R,Bq&<$Lci7_uA[=kV};Ǘ/ b$fǢ* ˱\PW@i.wEfx΁HmjiHW#-]`0(̩ IHL` HwEĴϙqrxsvB@E͌:yn8~ ^I3mfځ6MmҔK IJ qCwI֣yGﻭѾobKl˖%[^ p(t4uU}\?ɩk3Xb?<1{B1 )ʠ)u -e;5+jK״4Œ^S5x{z~q_=a8 
ie/ŴxXj(Q@ӨʨVf =[rSPԤtuEhx{~ {/ͩ0/!=k[8P&ڪY V $7yMRULMogn`##4n%ubD@tPf*haTIȚ^ʸ,oe>OUq x -"8g3h.PԗMЬ] U,*WPW2M~K(d+\+x{ڍ^o_=NioYz!pg'ئb -Z(e^ik{dEDUۆa}B{_k_ӜB3sޔJ(6y -%<$iCPMAcqd"mnf:p~0HA\^0K Ì*QJ 82Eg`*)=P3؏6r[h/w`}o羣=\[u᣻nj:|ͶoZp7ȗ|ImKu:mlB%a50as5ޱwDGI^{Ivx\/$ٝh cD,IFIdB#mZ47"TՁ>m3V?1Yiޯ-:B}Ky/eN(^, -юd,A#$9Z6mtoJZmio=aqS5ݾ|OӂSacO0.v8hx'#TQ*LIHLʆt ޜYޖ~0˪a -аm=ć“!A)# xB1B 3QFg2R!@ R`, }owYr6[iì+auc71'R 9#lD}qNܱqZӝNUzuuk@zWEAAP I\Bx $F$@BȅpAEVԺ9;m-ʶ?*9M8bɢv:jh"(VV@ߠTei4EJtLpavwk}n䅜4~1+=n*(NU -<L;sYINiBx6 -_sZfFGܰZ)HB':!TUr_JDot$ H\$\VQ"Fa]|VaG ^j2#(Q6"*r*&!i"$]0 k A]0ݺ4!>DZр/rz[IV-9~`qL45z]ECmdULDD](ՀOICVt^DA$"C V[+{$SL:Q 1hG 5M|CF^kʇZx3UAPi/  n҄di=ۊ~i+zd%C6@>k\OX["d>Еq]iB6gx;iذ% -gd9 $*MM//uxUakfR2ȕ\o`*X( 0,OƤAq.<1*; O[T{j8lQƒ .3&Ba:A8/ W=hS g4IC΢/}ڐ:=kJ]* *8l]Kh-nH6j &_ciS 3Ҁir`xaؚDy]Mݧ 1M&o -Zr-s.j)kjTAAdGO۸7`pHGܤM$Հ!o?f*wm2~\?h2b۩z2lnʯK @1'TYY0FG)2UhӲ4`^2nK֬f{}Vm&pҁ-ZwZܥ5UUz(ԦMjJ m3GrA A%h4 `Z ЭlVy1>g~ |y؟~uG? ӷmHozޯ'|%:WS 8#^87Ѐ`SӏT]=r{L&u~C*gN{i%8 dp?3 x \aheeh jOy`~RMOU!KrUh>Du38lj,J0pzT~ޡ{&`jmյk˦t˸("R(HɼX&QoAqq˓2,ah6EeX=7eNަ ;63e0uOɧ4]jnH"QRĀvߌ帶la,/1 G#Œaܔ>ehi3~1k<ʞ1tȧiPQ'5D^LRMl)l8q(˛G| 0#xeX+)z 9Ys{xJ1?o'ud^H2kq2,9ʄq00|hahe>o옵fϘ+&;jpQNj$ -%h>鵐ifqfb5\Éߊys&``1k{ڦ4vTᢁ/AɩYL"2B5=+ v:̂*;\q`r!=\= ycʚqOZO:ᢉ/),duPbM97Fz\Wjz{Be7&H΋ ( un̬uyP>8Z?]'[E(fjY1)QUoh"^jN^l^$oGs4o-Ҁ28>u9Ƚyhlu^sKO3;(jzIyD. 
As\5KT1E7w>u>3mu *].NQ!iWcZDX ޲=7B^UtpQ+.hD2-hM;[l'Apd:d;,{OHgpj]<5jT:hCjJ -]QI%d@ [[ߎA;.}߆w[|pRB\G;A-٤}SKUT*K0)!D=eRoh`2xo.cxk{wt#;]ds=c?bv> k6`B:EM{MDZ"VE -Ӽgwo2oM{ ireӇŢ#3PS - }fj;8wym>3tE`uÅzAQlnwG6{xϫkE7]HH ~5_8ɯs뜀gq+>~?>].Lm`=acܜ>"ˑ~RJaiVUXaS/%(\bxa@ @Յ e nH\tzK?Y)ƶX f#fHvuqҨFą^DJ +a]XH:$?y.d_Y«ѶOo~~ZJ^]rrj[Eۛb.A\Ԓwͽ xYbN8ww`{-CplInF'LǬ/F>-/,zTB^O>{.V~1vtnYHI׽{Bc{C: >gώP:}$%_z^US~nˢeϪq%kҔIe?R˒6^L|,Oxri' ޥ^y/ >9}Ǿ+22AnB:@$dPɈğ?Ǐ۠d~u9;3'ܝd}/Ds;d~>O`?T.@WY4v,dG$xPt2\11 ЧO| @<(1>0nN\x??G )eUMuƥ6-k8b#S͢v횮馐J~Ү*`wo2`i(`!8):W@KD|Ъj){g3Wzǫqdq 1>, Ay-"8YhfNS%o_%B)X7oǶ;LyeT;- DA  p[ZT ͷ4zS>KkL7tDa 3fY`l^{j{~8 &x@ ?= -R7 -EUne2^dQDLr9I[M#D%@P؆~?VN8 o @A$o @ (pM@/6,qkًxդfu㍼*d %vk\Cn\ӂ9Xgh ?)lń(9 -R7DkPPqKf9T$Y?. c(w 5A3xی{6gsv` ;llHklԪa *,ђY.I38aOr791fkpoui6ٶ0 ( KJlK-Xo;_*%/K8 P*cK3\iaY< r|^|ǐk2L=>_USI;İ 6mNH OHT$+U=Td웒rl+Z3! 6?9(zI!73`zѯP^e-'ڜ2a@d#LҖ*1:HFמӼ(/J pEHy,pWt:;7 ^)m.3ȷ '=Zs&6qg -6q[ͷOG$$_py"!hgT6! !E f_+Rl.[buũ@36.}"~'>]W6SL - 1f񌒢Su<*qOhfuqi6gAm8%h?w=Oe4Ĕ=1a$P[k匭sH_g7)hv!oFVϷ0&96gtdul`5( _YT8PG]s߉5{4;~elH&{aL0Ejm<,P2|sszl e1- -?N٭s׏oPʝ~w8 JW14Gu'C0VЮ#ԫ%JFWV]R-fE`%la*2 -& 7Ym((C U5XB~dgr[7h~ }hč87w*A?:Lڞ64^or]҆Xѝ&jL/RiYvCA)Tu6Ae} -{48=?pkbPVg(3]BGiK{hnzicgXeTCP T!١} փNt[>59w#;vމ)/)+F $ev+Ӥ(󻒔.RPtSj]Τ -eGrJc(D 5f&P}j-~&swl&n.Yh)YQtвE~Nkbr[iWra;=VCjRic.TڄjP E &P)46_.K{OkVW<>D:Ewa>r:lHd(qm6r[uKT[|ks+AutpP.0Vhaf' ,լR:!]: sep1"@L)FK%tەYݑ@ 29!kZb.zۖ7.nޭY["B>ߝ1cEGC z)?"WWc{5: DUՄ/ -jDA?iW7lZ7ʷ;[%NJd&Dr'IY\hR60r-ʺ6WC`}UI$P,1oDAÖ/V:eņ-`,oY/ݱ)|! 1iTܽشDιt^73h0!-/]6(֣5~c#턉ӗR05nl:CLy! a1Q_sOq!)%5#03g!0̃T2^6:ע4C_XW L: ip='>sCa@Ci4kP z#T=saTؽ;`fVg  ;`xN@vvG! R\!pJCPy8Otغ.̾߄?m?.N8BpDt=~8+[Z!H[Ck#`X 0- - "dl2.b" >c @gaЫ\BXK&=ה%?}*_Ŗ͐iŢIbhX<" JFA0(&~> C e Cfpc/شLVbJ-?k.A7_"NDˊǣ%cƒ1;;AͲ^bYgT2Cb!,OK= yЫ7DvZC&3O&L%Hq1|4JYqZy->i':OJ|C> 1d#LĐ3ѫorٔTÛcM'M$cؚr]0IU=uf# ȮZT!΢<0ZOsjӞqkuQj-"eA` @XB$d%!@VI %$lj@AA VG;ߙuzݼ٦$DbRfw9WiQ^cUT-U3f5URmJ*0P 5ṗƝK@ޱ C? 
- ;61|3$-!xUF1x&(bJfX,tf(FނOg5p}o1(f|Sv/%V})$;͚F.MeםuEmvC'hQCݢYаsh],^trx77n97Lw@,Ddu,B %k{=eե:uS.uܥʐt*ڿB۷/7&V,tOmx} o*<^DAxbyލ0>P,8OkĸDT6.HO:{9F#OV{xAW~%=3ϭ/?ulmWۂ%/=J=:U|?HdeP2дpy7g3w{jd8⇃ȀX <&(Gdl1?Ƞʨ13?3vjjqBn8J:j`G'`21| ;7`&oPh1G a}C )ȁedD#O/6 P{]䈪F (䠀Kc.#KqgKhpu?ŀ׊@ؿtAC}"c_zAW;(v@ہ;\BPn  :w#-ya~ C'z6 UC_ - B 9t ;{p?*NN& n -nlw p?8_QC< -Lq;FVk)+>eRƜ%Y8ωgz4Q0kMa?M47q1콌!} Xu;1pC:b`!7Ey!%x„LiRK33oT-"֋2$+Ill2_;$'I$ʻ厐7Fz, \ GN-M"EǚT`R%~BL&6.dN(&pG~H988l' +]mE P7ȌE2&GrpI/9iγ"Szx2*}L|DjP'^81Nh~ʾ}8K ii1U vp9l Z$N0gy4x2L6AT'f=$7< Kl#&s)' /S՗@ A -N*1hb d| Q&O%xΗL(Ɠ+jU) QS4w75}M{Ҁ6D6%h'h ĈADA pm|("F-lTže 'Z88kaVmFwII7 -i~~~}FY;A2 Πq@PB ^WfΔT! sF.JsѯzJrИk8W\+e^_4 1b ,oB! APw}A"NUqSJxBrR9aC۴s%Ime]+nnYfSV)) !cHɽ_oCP% I/ ֔J zP*5aniԚ>Z*|a98fkz.7q{ʹ=O@dA (F0aDY0H R'uJP - ;-ִWSXmzNf+2~D]nt1k%~fo2 0~Py]܊?K -ՉLMeQkj\rU[kתKmVHaыLzqWb1CO@s0 -&߷uasQOԑLe-ZyUqR+ -Ygԕ[j2ZkkU6NQt.bA&b#VgL{BPz7CF7}V3GvHwVeU+mŲ.5[4my6kR-4UN#rH|jx>A2 91PRo<݂x.NW@Ʋ5΅ʃvz!0$lŜ KHH"N_Ԥy=Hzg04Ay,Ey٬,G} "}bg}OXeeK'!vD _0Yǩo"ȋąs^kJ86׍z99`t2~@2ȓCByvK߿靐E?)ԯ&X׺5\L^sv:F"ed? ƿK \⇻)t{]ue5yn4nq2ueI 1@&d tGeɍRR؞Z`nvb, S!O" -Hu rK}*e:.װ~vxcOѥ$Z"oieLMoʲ@[ F{^ ؙΜ.zD{@,D۵rZ ?8rD݁A bfL6lL0V;f`Kdp3% d 7 l+Gq@#[8ko G-x -,=j] bOrT!H4dT2-pSbj'tC>ZMISs?Ç k -LDFr$j@#H$C!ױAU&46Aw'(vGUNkp+o5SB!JbD}ӃP*CD}qIE3 aQ*qGt7Z#`&gV[VpV0wEJz@٦ }}/DІ.ݐr%`U 0j(6 -pUa/S 1f-u%o/&|E@j R|iA -~9_y" -c>CzϐBT0Bh2@EjpB e(;`uzP/R e@SWI-A+vw>o/e<{g@|˚]b={ǖ lMi24kp/70D'^' RʚBka~mg}#|%#3a&ϰ&5==-:+ZQԣuTD+ʅuBf! 
H,'$!Ҡ("e(U(Lx@e(λO}s7i /l>BG/`X/Ш[ DՄ.3#6'=0] 3ĉjқ:kci!i{JFӚ0#NI@Z -݀xr 9{"=qH{\v[laSBzYF -Hz1|`D>e1̦X 5Q5P7y7@?H @O< qzܻ,\>5F})b_d < y`ۣpnapE?tݦ,p89 ٹi$,~'<=E3ch/qǘcӬ*h䥄gx=?1x~M\!_;_[ 8> yȷ/5 Yt Ac|bIo#e\=;0 cÑ͢GV\_͘>؇:Cɹ>q%y?h] zjPo4L A f~ 'J8=leC5Q QI^M|or=񁬊@vܛ|ܛ,`:jp!ul,Ap#@䐏bv/f<#|`l \QރR܎V^N9OJtQ'i= -G,`Ow& iנ8 `ڹ} 3 ѻkJ&DD0 GMIT: wc;rjޑnct3:S ])lG en G `2w, oo~g1Ag[$KiPyRT'5kkCWlǷiYjl|(9Uѱrfr% 503o':M,s&[W8nR)UK]^6a֖ 6X~%dgEl|AWIg)E - b K1F|q B̳(V=1mxCY0;̂c&εk\,č `rlLjxcWʴ|Yu6NQaK:|a6.ݮX:ҝbMf*7CIC<\:W{}w/<صSS~ՍuquDPQT(bIl$$,D*0:ŒZ;NZ:nǵZP*2)UdK9}m^|^K.7VzaZjBK5}F_\c<\mzGiafӛ0ܻ=|j|4쳨Ǟ$MW?l{I]voqf"k[եm+UnzZh|:^Eh[m[?QIT"bŋxFR.p\T*m?;1te!WrΉDyjx,k#]!ԳQ>ňX&gk *Y>cȎcd%rQ)#5Ңq+QhG3bwF-!?&H#!EjZQq_qY_iRH #ܰ8΋ŊhM\ sp1nq9fG!~%d͠3Y /RLtFkӡ\Ob ICo2 : Ʃ:KayU4c&ϜBp,4? #G2_%dBR+>a.| sxF=qs@ ݄Y0)։AXISQ-~bOqp?;"s;TR4HH6•%t0 `Hp\"b4GvnM-13Vw_,Q1_@? `g]!gCzztPh -á.r=3'CM*${yCBEXtY m Rw26MV/z/钼vH?i3 lhS`¨DFf(Ь\_ܜvCrH1D%3O ;r,jߥh@aEvy7;S0 A1lz, -8HA6 MPnK|bH- z9DWUB𘂠z'~٨]BfoU A %@ǰlr2p`^cI<BW(w8 V)%$uWT5!zJ _6+_(ltrH e&f|U7h2}`t06 -cP2A J$7?OCj!L0lSAG~DuAYgV\7?QtR6?I:?K 94d0 \`Qr$TOCl6Vh%o eLpq__ӫڣI7?k~"-ցjWuDd !I 2 hQP(ThI ǭ{{̋yy~y$A'b*37EmJO%\OŚx4C  b'iݑ/f F}KF-%:v22vfAi:Oǡs=_H`0Z:*J?,m: 20% qqChmݨ6foT?'j݆49u NU<*А^ _b`406YAP24]f2e\w|D x~j&TxXp%=6s@4j rѐǓ -) [`bc1` i,p<f;/_ -|A;sT!5஘I 7X- eI$->CX?\Ij(cO3 4#76N0 Zd{߽\ml׷m#šC.9 !ƶ˜LV]Q[j6,KeDŽ =<Àd0 x9h@ZjKf{p?pjw˓S?+<ڕߡcSX8Z-PKj~!Bl0{R2Y:=,VGr=/mDP\s`z[k sBfjv,t^<{ j]7wZu@E מVET$xb%Rν)S $"B˸D5ŕhڷxHGz,߾ோ;^5YovYcS%]7+Îj~jrXUPPl,S.)Du2qrgH\&餢aH8, DO7"@@*,XSiy}-z.h umǟѨ1yHJ%e+f% b~jږʑ!K餈tXHFy1_d 9i9%FWa`FN֏oU6>\w1ҧ"6TU"Oe!<32%Q*f<%Ii#b|TȖ 8)GjD́dtm-,_tmkŃ]_t_w]|`eDAmLpfV"tnKR%q)yI㲇%dՈznLHK -B@ -6X֬6c7WG0}wv]:֋5-a9AZRNV -T#$Jđ%"\hrLǟ7J#rn<[%/sڥY-xg ~5=?Xt,S~gZxB/sI$4IŎ gj/C5z*4 F.!gCȚ0 -Em-xlۀl@З}pƁ}U7ܭ>"Ϳ{IŒ81k5Rji`MK vXQdbF0 v<[_o7l@陣UeEmz]~?hn/$%8vC2]$ow/4WԀWKկh!Ab;,å` -tYk24cGfMcݬ?Q }#ف!'Gz6⼆pq^o 7}:Y0y!`XNKg j,eUL9or^!p]/?4$BQ.X=㴞0&+Am;2]>0GzbL;Z hk ,A}kPdk-[me{Vg]1f=Ϝt{jx&{9:jo|}{׉ϾGt~;߁pF:0Yc>:̓|ޖy9ӡ7Fy:-p.]gQMy? 
q -.,* l!!!{ I 7kKGwKU#-X+:uA=zL[8 -B|潚|w]=hil*5{.]0wp3GN RqU"֘[>asbOn"){>G6bڸ-Gx}HY|HC4ЄaX(AQ> a@TNq Gq2͓$ߡ(2)*%`8z dE!; qL.}6D3e|4|Es262'aqh/Ȣhf3 2* (\GAi,; <As -Ru t:3ALd> 1y -J ' JCʀÄF KTaP-!DXK/ldAV'ɺ.g Ivg|[xbd=xM4d'ѡ`1IgB'^9pGCI<ے!ٟ -tNf@x&v.Ywg!>Y/yB t&xCȀ. &E [D(@/8nBܖ>BE<C!ρ ُQx /(#hPy#o1&BPPCUꓠ4 ʝ =GBH#3 KGR9 &'}HNJ1&QOn=[}KAݝ <Ϡ#4>(:qLT}å -A1(Iy -|v{8TgP^RWhʟk4Owyw:?.)4½a#*}P23L}*QhAd$?ҵj}jzoW ˦QӅQ9g0"7x&XśU@|e渱jGʰs)wtuV+neEc88ᑾx_~aKyrpf.l=tГ|{]Ċ:&N'ؐ=ա#1+mWU]GF&K_ -n[nZd(0[mmECSC-_zl/yAo"ؔ-Y#zY[|%+p2\+9TcqK?gK:-;,J/Y_8Z4h 8NJ),9yL~#d+ȷ.ͱLlK2ȟ9( vmpo]_JSMk{As_%Q{k7%γfGpYeM>'( dȾWOz4̣a[4;Yp؛=n[m .ѕ++ۗn)ztAGd9׉+eU|Yy+׾ʾݮ~.'0FfQC5&2%?1Ad袻[~mC?h9|{ɉǪ]]mK:j\]Etm_Wly8yƟ8H%CESf_˖889v!5dl!ҴeFiK4L^XYA@3AZ6]MDj+.;fw9&G7%ƞgTF.8M$, -%tIIlb樒I^֥N{:+vxof:4 kRe i"anH^lYXVt/#\Ԉ 5=/%z*"9z&,9j649j>$)j%=֓0{"_B4{YS.uEp@ -k%Y5_qOfKf|Pw .F -&BWLxYN\;.v% -#<{+UͤHߴzrLNM~jK -ODdg%222YI„)x䇑 ~d7*a:<:~7ǎ.DDaDrxY~nSћjᮽ&ʷmZ_s2P"wZ~ܙ *d 8ᇧOq#Rgy)~[& `A O_B'=q/n&yd,@؆%`mY`Yn`ug=w4{@7|I:H5 ?BHI t`{R"n>|bf/s/m!?삐OV"xF`'!,ɹ 0z}OX ҂Ag,7{Ɇ_g"D.ǃ -QvGlYMtBt"s+]*W5Fh+ !:i__#;?=G+b `>7ҁO=3@$fAb"h%[WWGmtp:f}6aי D @+5zq$X?r'j"Du"֕ -S g8@> JdHJ[Q+<: D3q,]bk,d;2{!8?Ds3듀UHXAPAK -},N&-*unH2 _x+lƴEwÆ؃Q7Q9/9}pŀw3Wq>&!?{ԯZ{d>@V#֊ArArUU=,7J$6^Z^%s^[%*7!q+C;Q 8/DN&A-d_Ɠ|Ň-֑{@w. …lٲt[R["WQT;KRgIO{[7c! 
qe#C1$WLhb- -#G4g _4egy?YH_κs[+▲%kҞ+o.J{IEeW@ܩj$>đ|)֑6UTN-g7G8/yZ\ИNn}%7,ܫQ=V!Jy27ңv[V-@g_Bidg'=6M%sz_e_- ~6K]nt^7 -r 9戞;O?O9$w&8|[ٮ]ٖ2h[ͩ㲦ԷƴwI dgQ@zlZhRjwZOkCf>VEuv$ٳ!}*$\KlWv#Ir8}`ZjMk귚}#ꆵVE}Ƹ|{[)!yDmH@6o<l&} ԭmݣFyN$,P}U.+*wWdS6g4e6d\Kٙ٫NQdsqYUDH$[G dΥ‘2VrG6O]m5n6;^.{vW6g?h䷙6 -[ -+eyU; jks?լ}0RiN0-1VU0.{$mJ l޲T͡ p<߽Vԫ{58xthWflYWf6nIY\#-lTWO0vZn|Z^03 iMqTU?(˷y{)L|28k݃(7x_h {YGՌF6Z -Ě*yeNfSkʦԒ4Sb:ST41L a&.&{S͠|>rǔmݭ%"J};uʍbBf\.1M),,ոLZ^ُĀ>ӐX:)(UƔLV&Bٜ3(CU沧iFuh:'ʿ۝j[W[Ģx=rzSS -nW&./fkIiViqUX٬5X9SY׺-CuyTe4\ѪuMBXEAaIXE@0qWzZD -REAPAܵEܗ#n=3v -cNUԞ,gg|~zy}?ѐf͂1=ŧoA4ӵV+ok2?mW{$QRYk+;.b}˶S"{qIyy%w,>{I@m˶\6E~у*!ݮ3FtmuM原Tյh'ly}OqOj# Ǭ;&a)*>K_X?+w᜜}md}=@V^`O2w  Y٧DN6 u1ֳ.3&sՒ"/jT6慮;TnuÛf=,=sӪo2/ UYeCswFRևD"_IUǧ M%S,\RU\,=㰽CQ>wݩy'G,iY5-yc\vSѬc{SkRNo / Æ/?R>*FGRGCo#zTFtb=tG_]ҡkT%^ 1MmDd+/d/>08g6;>'^:1U>>f6#9(TѰ臝Dw]۽j/qTyÈM{\]ۑފ_q3m,k |VS\1s6zڌ1יӣ vyŴ#>3D]!h`?Utr뮈ӖO}[8:>˼&<ت};hVFByCx]DFvAu:yDgD7#jnfʯӖ"kNkzżr =ZkCO]JOxVcz>Fȵ=U͊t2T8w(C@u752ω.4>/N͈V/y/eTFWfɯfOxdחa3/N׷!oc.܂M |{FD7$/!5Z!Dul+Xvv'_=7-)_3{p~jZxY4C -UClw~d5IJAlbY?hGXaD|K#Q;#JÎ7n:Z(3 -BHc?d`l.ATVK\_0l_Lj*P5˿C)EpVCԿ.4YEjE( "A% #@#r A("HM׫XVG+VWZ]gߝ/g|g]ך$i VcjD0!D -hzG[Cq n@=_\r}As}F} -ns[x -ϫAy9*Φ9|f9DY@DB(KD*׌F!.mz?2a4;Na1vk -ZC狰oR # ~H{/px*ٽ_ -LJjٰb׻ͷ=o:~y_#!|\qw| $|ÃQ>P@)wusW`Qn2#5hyR/ף5n3Q-߇/5uM  -N :!x\$hB6&P(APo8.S3)mOEHd`\iXf6iK'Ed Rtv阽';' :>|$l*@zg!U 4S V, =vS^jR -\g [ͨ.Ǭ="w99)xOHKU|%i t D0^y(ewE&:bh F 0$@@)=Į%Ωs?A şS~+[ovlLqɥgr"2.GRIZYEࡄc|;+#vl6Knsc$SA -j)0@7b-ǮȳCcSSfz3%쥓a㹱.#->J ;,3*o&e=d}06ߐp]PW%n 8r r`d0q-=-@Ѝ}M>*g./.qL'꒮O+IX") ]E7!=*nFgfONTF*=ERώ\>fP陕}z;D/*'Dˡ9a~5i(akRe --D}/ -=˷Duz|o.5-Bg7߿f6x@ wqo]GSI:mu~nG߶a6޲z1hQoge!̩R^[.*KחkUM/+(L U~P^^Z6j`0pXWwT hu:yMt52-&bEKh}]m[UM6]e_Q*P+K+njQ@ɵgCe"y;B;9S w!!tC}fh@nj ՔUOguUMbW]CVm7ϐNԱu/ D{X[~|pL[V)DBwNc=fh rͲ]5gm[Gn˞YʆܠRzBNQH~T -Ș -Ht@ĖZYpـp{C |i/CC._-+aNn݉[S;mŴݭՌV"0G)js23^;B|3$toL>,u'{RFj+E^O?dr7 N07]X!@*Bw]Ad Bc _ݤt{+k/7ZT_ks76mDna-r[;~cx|D_|J>KˎEћԂEG->v8T)Nв@]n|;)T{s%35q0Ͷm@yW5;dd&GyS-<D6zvc_֍Yco,dYbjmt"\8\ۅHMkD Ds;^ ,4㹼~ocd 8= TxV{ 
.\;vhH5mL¯.CwC׏ma3>^gsX~G[BQ(e>*  MCraxayFc xGaw$xKp' l`3vog&_$*BM# |Ʉ@CBZ(( *.\,\ xH` X&c ࠇW!fpU3+l?D"\" Hų: Ix -C =q?/8T 籎簝'c??g5|M˾Erb(xS(b -DZDhĒT /j!8K"f5SdZm$=m2] -{ --HEbfy"z} ];ҏ|!iү 9ꏨbD2wa1xd] ԠkyXzLVG'zB9 q h( F|?b2 ?ɜgfn3~_r -B,#dX,TzGPA}1a4{W#"f2ς友#; @vȨAKH?0q}5HpvE,UO ɯ)cI -n e@t 1W͈1Ҵʀ﫧4OmbEۄ?+[+M:VHiPv}>dj3q]3r57`g0o/iK9XߎM9#sdkQ5nBN y\8 <; ?QB+ y#p!uNxʶ [Ÿ] X&wg<%ݫ:0/<8S6|n:9@틼H뉸Axh|KD~F!ZS4.y} - -|&t3I l}#fr+Ȧ0k4f,9nD$s& J{jUwQ1k n$o<.x:rVȖQF"vIv$5 -Jst0k울 NeNEOU{JX( Z0D] -(ަi0E&pJהFߍyǷ ʣl2v2&%ݵI ť3ɵD K%)^U - -/ -Es -!Bh`/ {o. -c2{WTKEV}9{[I rU:]M/6 %}_7[͖7[|ĒC_dD[ :U7JHu!ܪ5*5LNe莖˜=jС&K<\YH)ʨ+d nQnz 1!Y*bRSv10x{J.7[$5; לvU< uSTbt<%7GEϒ׳dYa$8̯~Lđd"412D -Xp;O눠kXMaщԭq-5ǷUWFRW%TVzeRkYE;')O'̝{/!s[Y)(J"j& pk0hkZ1i8f .ZU*+{H˔Ԥj<|/_|b +.1]$[=gp{W#vVvYB{>bc'ٸQ9jU#'!@jYR.:S%񫚙'+|*'88|"*;R%S"h5[KLqf`34&w3T1Lz-#6-.Y(l5+ȼ&WdC#- n -Va#FpV#ZX+*_ͿE{Wp ``#6ფ!ly +@N{Ss\»JC:՞A=q;mAԣ͈zL(Auy{oq`w0@-vвuq1Q -q/xl#GN *v:s9>Վiq\r@ o/"s;ٿ}52GpsgN kdӻ iWRX0o39jUmW;'2w(tێLݒc} 9. ra ut 4|$@MH3v;b=IQ>as7[MΦ[sf -fjvg:`Kږ:duȎ1{\E+WwA'@?@ίXΟH m!f[Bਞ_l쫏^'1)i}g6Ky+wVn|8x8]Mh_ο-3'pC"HvY(9yѡY&/J9hZru3W/~,=A}ny;P gD.~gЗL{(m# a!: 5px7?ՙSa20 f`FP"JQ,X"q%Uc jtE=.Y{uƵG"%( -!;O}}'~$~0Ofh#v^R+uBW e{; F;m_ x(6Q}اD֍"j)]5GPps`|(|H?-"")bϏ߈5X/v~nH>6J-߳* .C4'DD8?( - - А:H>0ZArCOY -yJLX R`Ev%,M4/q-T{cDAD 38Ӆ㡽.Cw&]mqm{w'♯E^d֬QSzɫly]jyh'P=9]}GK4wV{Ju#qg|&xBSFӉПHD1v( Cjxm#TFtfNLPɮ+( }߆}fDTDDYaVePYM*X&FM0.59Ѵ1ihKs޼[ą3r { ʏ2hnڒ۪1Sb_ǯ*Ҫ=RDna_Y9sMF"",MB0R߯iPQt &VX) wj+\ټwIl徼Tʜl~Yv)(NBQj& -S(Xlaᮔ^;4>#80Pk=uL{Ӽ/xE}ZhBg./c$18%#p0U$MK]O=O>d(NGQb. -w`1JD}P:}'ih`A=hcZU4u kbMeՉV9iҊ~-FX_r'N>++D8E; -QB`4ԃs5ԃz{vH[Cje-ZEM+c-$u))Y$TzU7 Uxm];xs6pk -bJsS 5PH3@/*Ʌ.3rev.+k_ٶ0Ӥ{,wdh9(w辩KpBr_:lEX z.,^.Vô6T~GK5=Z)GvMw[n̳>\Q缮kD{xv;a="zNϤB 4MC rfh a]';m$gxF[bFl6_7 o7䴺)AU輺ɡQA5h8AzvV,Ns!eL83 Gx*NgLбB㐱Um -kpooȱ>^AwP~1?OH1Łi=3LL{յ3OǨޥzZtnT!ACӷyFsh"D3\p-Ds8I?DMy`%6U" lBgE b eJ2L^U++fMOe?Y-k7g]ew+bG)F)O+a5Xs\3 )ς@x+܊f֟btRk(j/˔? 
'ODT up~ `$lF򙔱xV2eы,?xO{*PuAo_t?_#?%7j`X~|0^@0WANx絔Ahieޞ`og?hΓ|9g|Ht7B|{`'  zh%hp440ppX%B0H1Bo FʗRQ>= X=Q[LɅCy+)hEˉH #[!`|E~\BAYpS8RB7(ˉ -ro }bL x`B/Hb͇C<hƠ3̕A#z jAM,H`Z&)&5t>2L$U)}~D^ KK0hȠ ]̝ACo l`rI$! 2A%r|INeJvv :2hOZ1[•XB\RJj٨B: Bw,\'u}GEugqSFA"3u -DPAd230 ",BK5ZWcM=hbY-b'su߻}9(zy'V&q_ Nq%]ev^Hihde-r8hQA:'hE"[|}mqBLb?ǖ( zŨ-,rw( e}ow?$kxo%7WCgҋ_w?=߷{'+E;oKQܒ(['e8s21E3fNPxpz]8oW.Z ?Y̬ Y 0/2]7\ -g'\e -/p@w$@/#@oZP/^z~>+]}A&ݙ;U'Eb;w>3_q)0JƧ(:@38]z~@Iw}҆<4{~ެ>;ܛs\Z&Uٳg7'dY>=x5qχ&G<ޚ~f

#z}b!\ C a ZdC_E yN68=qh~y&sL?ݢ?`xOn>A]gwd-MwN6]V@A`Wal-pM9G2p:ҋ},b>H.p ,ݨ?$Ev/6߹r{Z6A[K:K7]`'QkԱO/&f~e%<疈JGT؃q=ѱ{#4=]7nmtۯ6lM%YK#٪w͡hOPc8O7cq>_'d$8,d_۝P=>Ұ;.AԵ$lSlEGtmMֈ6eY˩1sC9z:N(#5hWұ0e7gRYp" S'g67c{g7'upKJFu=1Ŭ-![ܪYĕ6/Yn"UVѩ6̥2+yy]7Li :Ƣ8н}I ڍ0۔)oS1ņ,؛m ;s䬞l/^g\Pu1$U)&uMCR.־:acE|sejkQ)Wjvţ3q$2 -ÍxAe Z!3|gVglnG^[΢ DY f itMuZ<ʾ$ɱHѩII'ܴI7r/Z52ĉȴI0.x82LcTe} -AO)tX6eiʟPj=VٵuZaIBC]U(ReS*,˶I+-K5;w01E]#.BdSc -PFF 9Pg?\Nay4;ʛfq+ Fuj,ĚqҘFYdNʊmLXŠKhLX9:RXU[<^H}ݍkW J8 -(8g6NZ`jNmzN?f`afnMPEESkٺn]6eyZ(*X -)JYYػہΞ;0}'MZB׋ǽ2-c$)nJjG%W?ō'=vpUB`J56<ցYki3d^S`gꪉ~E+߷bz + |NXc.tsȥձK,i)X,1$f=baoy-~KU^)5cFi(ޔmJצJGxiqoMnx$p̆; .X$lhIix^IUDnIcDܵZ"sVIdގ5^u+7r~v'l3`Jy*qEX[Qsl$S}Fna)kֹ9[V̭3ʮ؇-%$}0=5P-gťʁi\&TwWQXJ(W wݣwy2df3]/ӪKR\;-] lI6h )wHp8_\ɞ:P;`yVCNdQ7F׍j)3u{&կro7$1T(c1f`6ɝ.`2Wûùf6hXt$ G<gSFcwAUQ˴2-Z-~ˣQ;"ijro`R?PTY@Ƈ& cO!g|&_$#%;`?;}MCO"h-ݰ} `;+BgDi#3~n`k/b݅ F I'3@9=.ak[,m03Lv^NOй^6Am?tuނvU*3N5?evSO Hflo|oa1:w4;pPA7 -`s̟ɹ2;ك?e[V`'` x@7BdNqL9ćᇡ7\.,P.W/{rg̎ X>̽o,v$'ehB| CG{"$(C iJ0~OzJclr}jO][B 9 <9Sb(T/yf(ў:-TDA@'/R'yN[ߛ3?;nD$_}š-&¸P9U^x<~4^.0#;ߟi%G\ )PaI6Re١Ԫ֏ k괶MM6ѮAbN} :F9UrꧠǕiE`_PKufT :kA+i_ !7!q6Tt-? A$b@k"q$>ǫPZ%vٱDX}ب]ti;֨ڹS+D7Lj:##ݢ{-T3$88t%|t$ˉWӵ ki-Η=>wqڹ\wYsssy6%6{6&]jH`T$>5@| q4Ay@+#Wӝt[ZF⋴dډS5?gcb)+ )yLeKgMi4Hm5M'UvSUX*iIXgk{YjveVc5 Sհ|w cemyUWo5+ o" JbZE( K!@k@E(޸junkn۱vvt;ad?=s9s߰NJbMH k) ^ ك{x s%' 0!n%&,%^JR/5|ϹR3qS։ةPG2{4!xW!s΀e$ kg|¾Ct+J\V卵WI*9}V8=0MTL$[ƒۘI=!CCY=2/.H]r³ זDظTuYc繥ΕAt_fMMtfv<gTF0즎Їyj^]w!S[lϩ mn6gu4Caͤ&s>*Ie#YBCDHYCB>9Ήװ{^.p!g 0e b GP5&0z -ޝ,}`k~ I_Zȭusf털\;')Yh?P[xJ$  |s×jߢ7 A R7 -`LRʢܺKeM - "]`Ȭ3VVs͆v~YQaIH?+)/n(|+)1"4#Ucpу. {F[UQyнŜX[W]_]j6BJj9%m|cqP4*Ht+rޠ5~#0t`aB 8Y0O0{Ͳny\VQS -(2UXEj/-唞ה^dޗd3MD1AJ^W%fA=X4By#45Zѫ ޥ~E@C]S_kͭif!azSz;\Yu:\YHUITf"P _]AxkC?4 -`Cz'f,@w -;kW j0\Ž-nؾ$mˉuY [uMeW/ة)ZxM* u]xpNA{&q38;p;@57h~D@t[ۛ NDn^>pW BCȃz`uP y2cc}8ܻy3itu` cOx>>ޏ;x}~lFຕ@Cq \֥)bJr:ɣP-g< <ܗ\;JܖᦼUp8^E' 霽:'8^vMm -,U)Q٬jifM~/-߿-4˩ŸS۟*p-lQ犓|P:Ma(UOUϰfRn1MPm6MWf7 -l0Ԭ7m\keYb׭Vh %? Z+jslgXgzj~:J[EJ,6PnLW . 
)lڜk\]n^bԼfy\d\h,7W9aSs\ Nq+H -eu-??;w -WtX1QcJejtȴ* -OY4KTh;7h.?~vP}^P}n#~zБ]N-:3.mKvʺ{:+=TFiXCEqYZX, -SvfU6zY_L.4W:~Frǜ !{vziBЏdO%⹷7ubM7gjHwP,,ΏL떢u͌lsdvq);|a\NwYo _G=97Y#Y.{{3~,K`E=^&W{^VocvJ4yRp }بR=9$A_ٍCf =s c;eH~kZLtNr"}zpppc-4CJbe6%%ppj\&#}YI %)֘ꌉ!;_3T#R4b JIOde7 1P,,.V:,UHA@*`-k1Xb]QQD#UѱrԊ:k+ڙs@wŤ,F/(GFWύ8;jSxTQWc(a>_# }xk+$|dm8IZ%BN(If4-yYrR"!1ba\eLBUt|M,9"V6:p kv - A>0^舶Kgųf] ޹>-)9;r=$eѹ~Ȝ9aّʰ4$Khz: w=}lIV|(fYb.sFx <%!e3˦˂KQ~-'-Vy[M(Yc^IWؒSڎ]*lH!)6=g;ؖm^!I.I}*$BP# `hKWjlҪP3yU UeXxUYRzVnQyTWW+>j -a^c{s2|s@鎭WU[` |7q8P3kH̐ Y I{6+1n2w55w1lmxk:VXX\s;}FZ:K+* <moԪYG]׏[\?Mx,i+q1K6HVȆjdCLN2T+䃶^7τ={tW -MDofm]2 kPO  3CwǀPosc6.C}$NKE%q\[Hv l#z,za ˞u?0 &5M:0h`<c=F`ӒrXBz\U3X>"$d382;s `. 00(лв]:!e -mv0o E2 -N?!kvN}'5) i{M'܋HDrA..iT5/Z\/_\JyC2h/`pB/뭐yO33OW:赦;X_*8kx!v7\[cی@77,]N)KOgͣp4x0mځ=jz/ȏI~"r~T<</qC.נ(++7&F,(,ȲܖEvvrY˂+  ".!xCEh&Fmc6If:i:MSM[vڴ}z<_9y>|e >X6e7pmŕOK\@$ dXqu,xFVe -*U-])[kkݵMp={aj1drrr_w~ko7CfC $r"CkKGmoWkqKp/4 nRZ.GRZpP9E;}VC)g~֬(b}Bq}Lq==WΑHH둄CHW ׇG17r}G͛`!:)3aNi(-)>)wfi^Qg2z{88w}Hca kl!Mw07ߟWЧ>(U Qϊ귙.=CӞOQ[2 $<%b޿{?@ωlsc9ʅ49Lføv33 @fkזs5ތF~OF-L/jOJ[>})iNؕND"BWO_zp}b0L -&tRݱp@Gt>ի/`wg[]6^g@ێ֬@wV?Ӓt3Fݼ^wKZVw#ơ#"$9p7\G߷`=` -ci`@J0C1)Q0󊸞<+ߝ[ВrE 9{NÈaޒWޕ m'2H1D>O1wW9K(D}7 -A) iN3X&{m.,5V4 -ZE5=!8)Ae_HSGD瘃[xqz~\__z_ΒhlViI]lvcI>Yb9Jl5N-,+̃RaYLPZIXn6iH; \>b';(}-ügyQۼxQ}z ?jXxc^.=.vv)jdҐ0@+w(RV, Ư\2ZBm6^V{Nr1糨{{i'҈ߕ>j@k<ɃȣP]S!> kjX?7vy@E}eaOp}P, -(q]ՠƂADET,NPXh{,G$1qu]{Xۏ{@xgygΑڛ%_>`Q2l]f(2C/)멷4y赌A.| b38~Z9P rxë;<+"Q1ír\\p4éUp,2!9V3yLYǻH?RO VF*gS݀cju#`WDak261ZCcIڲ*K%\@]+!=bԝC݉Eݸr6ԯ_ȠAVh6#GdeYPV: S^ jO-Pwm.߃k=?CIl3Yw8ߕF6eل\dikbR5љ&+"CV!V`zmDQ7+|; R@.Wtll]> 7 Lb|II}g'&w!h!y6N(F{;Q׋]# DuOrLhv/C?[7lO 1yI#_ҐWhv<xռmּExD3=桍i<,`!Pqk6@kA? $#dYM6RDJvRK!u/+~xI!쨭PpW;H32$t䐍dur -.2i.'WG ƙ5H?2|B>N"u9RkC:k%2SVo>~CG7A8RWm! 
-GzjXjMf|tX@Tjds"@# ~I p'4q7F \hK_hZG9&ۇGx}Lԙ0&He%rM8O_ŠS 8tZ%#R9SThgG8A'5qU˲h%|:bN+qJ'98̃UYê -4jpHՀ&|W2cjAxQeNW^/'7~}6}pV7lGX3`?`8nsWu2:AC=84aT9F@YBz7ˈn.yJ\C;N;tQwðԹGT{$aL敃*|Tx{JHfKi -IA3!!Z=k, `;孁Pg} lʎcPR(bdl HVJ TX)Iy'e~LY֐՝FRK03Ov@ol=P4[Gas8OgHy!s!) !!9!5!U!쐣eOKC"#TțY?]8iG,=c~3XP7la(<`G`q8AZc"[eLeʳƕLFEq2ݸS^~EX(\(I< ԝn_>|r8nU =+LXcFie%-7e&2Lt\E)EjZL1S-0FlSϏ8gj1=6 ,Pe s :W|j -{Kھ>XX? -#e&5E\F3+Pydvf>6#hE ()Tm(O|ǧJx bca@OdFwƒ0XiQGdcNR̎LNNγ]mMV71.!Fh*a`+"}ccbuX2qH &̏(͍͎)K#"q4!SR4VhuGEyafav .D&葨((("0 ̌ (qh]\Q0.cMh4rZ=&Ic\kmm&A;8}}yIirjIjI4j{'JxU?3~F[6a>(ѠԦ*CPnH t$=WV^PVOW5MߡYgMYHc֋*^TZRES.qaQؑlZVudD9TfCi*LiPlJN]Y(_Yeƕjq&˸KΘqZqC&#CT ҏ}mf`69x%RuԘTfbK0ʬcQbBA>dbJxyhI%){rs~0AZy(R+‘R9HLT I\E4L6-U]ު^WY>J"r,JB2`y)PK8]LWA߳H^FB@̯}a瞂hĺ0ǝ"ĸ3ndX宖Ns/nO}M><<P{ - ~u@7hYGo ڥŠ$;Fc@G8;#\<өG] - <M hw=n];G;65+P`0^ہN``~ jCp(C!EAeaqC1}C"? 6je6րv1.Ao8]@8B{|a#hB>n~psynu󘈿+27ԝXg&Qs459=@{?0# pZM3lF{p3,?gyٟ!a{(pm>/д.d/`=fC70ԧ'J"H5K\~¿ƍ b^?EnD|B]k4RCIX= -(z%-BR&kOm?rw޸p0>&?62j4hGLAIþxq1GxPR*Ǎ+GsMԝPS20l<@?F-5Aո޸5ZxWXwq+0"<⢤MT8UKƱs qW\ %uW7hZpYӉQ\ňv ¸C8? ΍3n&<ĉIdGoN~:G ӊx0n11W&%atrF&0- _NI~GH) -^?`ST!|:lG0V#ӝ84ߛш3۱j웹 Cv`p>ݳ10v%%U'8V? 
_LHjȹ{<3&̬)8>'$r&cp{T`: 5cgP'vö~ak?|^ .l ->/څCք|/@܎FcyG92]ұcq6-.Rlw/# û º]bO~qui;X\/=R}F4XLk6c9 b r&G/Ė$W|ٱVW.jձ*]إ[/vI!-;*ޕb$7SjU=c;3Ҙ?ov$/޸ذ, -Xn}+Ra%=W.H Ƅ'NQ?RjjWr^\ Ekp4riӊ 2)I~<'yNGWJVRn0͐/BBl4ԉC6 rUe8T.j* w4eߓ(N*;STu˯lU' j^,^h71nFȘyP"\ֹ-B-΂d,NJ`/( -bAAdHyղ֯dۆ4fi,5L}2dZU%3_S11׫=W̽H;Xx:O#c㳪EpFIB81(rБ-6!Q"ګ{dwY>ey&& MCMZMZr4;ej\A+XEq 挄2r˲S/dSYlN)ݹINuVR55I4)I%)RCm|GiJ%i"ߋk$UNjr!ۥɕ,]]EBLHuW ]򲪣r|ը纯UUT -U+Wg`/*!mMVXE] k#ݳFz}IEDŽdAyZ8Z1~SIOrYSZU!ϸ\R㻤Ž@H55 IFJd$LEb<[ðu ⽉f`ׂX.omBw{P ޻bh'bh*6FU {'Za'|/^@,%#k& jU8"W-EĪdĢn+ºKuG|qXYĖ,$&niTUk_p -"$DԒPJ2UcLUjj:Jϕ:Gr#y<꒕Ȭ g*]FhI#tM#44B3`i M7-a *tfpY Sa*gC~mw@^dQbOE*<7Ps#)7Fay -믐 - -̟j_v;\y)`jcmAv3yf.fN5`={e!/b򥈥Rpq/R?- T@iڔʿ4A~kS>jmVҾU^#_WOjYQx?Vv&gR\)"K/ʥk%O<Xp1Pom$5qQ cXFTޕe) -SM4PIYhx>]B IϕR)51JjIb۶21 ocR P RCk(b Wovm7) - ĚzrjE oTK;$]++>v۽ c~ǏZZ}-ͥbbjW#0Gi%oFɺUh$/5?(G ~ŏc0$~b9EQ:_|F^}I;l 5wKa MchJV0E:\:Ǣt%B{ KuL/gds2y4]!T=AOI.?H+XMXPܥq>gA*KczM#c/v?>>~_zNo:ptp0JSjc &C0&51II1/gה_q0ބ10fXP+` -6ПPOls&\wV6= 0a&~j [Z=W^u_:Rtzme.4+k4xƠF -)O ίu/`@hȉ+f7r}!>w7%,gҹYn!Kktv> KP_ ٤4*3ZzCǪljjm3S/`R _Z- -N!Mhon6\[b6R\wϑc*=Vc=?jCZyF+n{>@NZ5/bF*#r#7i{YQǍԨ+ƌG(HyNd7xg{=Ê6Wvg"7*l.an ZЭ跔=Js'jvLbR53fg̈YaT2c?5b/ScSbM#I̯\%gˌ\}2|))enE1>=*U)@=Da)fn$[IcuhuX&L;by7q3qFzWhD{o͌ qڽ]iVK4+>B =5#>4`%ۆ)6ZSmD{d[1ѶИ`+UXj,m\Fλݳ 1g$b>ã0{ KHe K"I&L2IfLB&$$C!"ITBR, @!(}cVVc] -B_Hg3s9|/>X$E ҐcU8E5IsT@U-wdґ -G@2#Xa:Ŏ;BGYn;[ycq9.YK$_mqg.j]L,kc acSUU -TE<',ݩӣgFsQ3Lw[,q+'+yN+fNj?g8IK+MuJ,Ty]̈Qif3ȝ;KnEFk\mǽvo[Vr_\GF9ƱlMԀxꉧ,'r`fE8;J9SU3GK= qɔϛ\o@^o1Mfg<`9={4cVy+󱕒c}fCV?8+/n-xBRgT7\c_-or}'w*Q?_n0#b&w[I^+Z\xm&}$=o%PF0 7f|>xhA,BeVVQ2#*RzTVj|&)ԥ`- -V(!x lc 4o2cؒbی-͸"ۈ+c/bO~o&j`C5o(]k(FӜUʥWj֪"ͬFnԴnM=ɵ(zۚ\16&gJm<h|Pu<شZՃ4>\3 i7ѴxMmthJcuC2Mjӄ6ii|qkzCz[Qk`mD#hl#Yy&-)tS4s!&E:TKXܗ.S p8.jkaR3нAWe4ހRbc‡/L>e~>g|A`fNmh5@8 -q P`%:X>qBx_]}%~1%ޅ&V#7B%B70vޯեh>g^}~$%zEs`@}xËWbCaADA z,EL -Fe;{v0-[nrt#Lqjh8Чm>GulꖀiEP0'oeX׈?L0?gpjJU^lbPx;w@x#F7b;&"awQ\r㑗#G~-QXM7gQ;O-SQp2"G#q$*q`i9-2 v/kΘV#cak6X.#/a86`Cj~c>11_Cqy,$Ȱ31;VcJlYi$+6%90HAOPKL=PISA&ze?Z#tI %UoW9R2yWP~XaJy;RU496*pz9֧1ڌv 
d?}ѓݙCM7!Y'KG=2%|'>KL!rl/碗͙s1  ec [Do=9 V8PxWtS9ڕ{QNUy^ g#?¡3m>K,;&Ygɸl`\*cїyŸ_΂j -([ -OaZ p6¥jJ4 ꚰ>ªzB$a-@Sf4(cCO# 1.aV-EWQ|řh/΃D*.m^4aS$E0 u3J$a"?JE>Nśi^t!:Q%,r\pVhЬEv6VZk`n&AaԾ& EQH5咸Oͫz4KI='=駛qfܚ%piQ)CSU6UhԕêӣAgF&}F F@NZOIB[%*%qX'{j}񻋿UZLXj`-P:FC#j -1tBo Ag}Bcr:#w#K V5HA 5Їf$&"p|wHdꓰb | .&7P[M`븪oR#$32R$uHYjA\, iD"*cDAtH8MENLm]'{LwXǿ *pʐ%DqEׁ /BEyjMl`֓&8֪16Mn?H}~~=~_Y⦎%( )Dn(/WS:`ʖ@Φ%r2mKʡ|2LhLcx, W<$Rk3`\r2#s͡jgQ[ ٙek,3ƛvsZ+*Pb[嵅OΗg -S3`VjeSˌ[ۑCh(u:.:.Xn0g<̙+[F_sa -SyH1g`^.@Us$z 4fp'Eg  -m=E'{xK4bX94s퉮j#MCd;srÎ]ر;ر;h(|Ful]pwr߇ {)5՜ ݌>4Ap&B4hΏ{Hc_N`G#I#ůKuX4`;1'-cٮqux-tɞ%CR[1Y~ւ}8694.HbU(Mm™&>v ~fتnc8!;ݪu.4@W 9| -Mywt{>Sӆ#I? {YrU -nGL_M%݁{ց 0=&&OVۃAcYp drXw@0C̄9P eP`~aY̍;ټ' K==⭇܁uޔ_8 l4r9 scxƎi )>s]u ~˯| | \K68ش +/cHgi? ؂.c*Zkl7ң49Y}]ZZ9flAMOŢ:#WϚdDeo{g)Q~hAN^Z0UiEUUnE&herU|w+Wrm]w?<5nk0I!vßWÕ_n/*}cJ;U *4X;<1*J,{T\,POfӌov?)E]C)!*mU2a.mTAE5k)7Vy~7L9ɚ?^3kz7P2VkJ6Ҥ3J &=UjE7%gaz<+Ŗ7fn^ jzM9X=G(eJSF,BW(5x&k\A yOcB+%FXZ(.EQ6XU<+Ė|l%69i!]552{+w >4)l&MPjX&и /SJ -ج%E҈ CE#\ 06C9,{rhaVᮚɑJ쭉}5 5D㢒46jR'ktQ@#bjxFOCcNjH, Q-נ\ZZ#mPGjRRc<5>_b5&.R)qo%jd%ŧix|4,ޤ5^JأNh`'P-?<*?we1 $n "" 2,0QNHAA(MqZ5q4զM6mzĸ&ƚXa9}"ΡlX?m _fK1SU@Y(/ir'+; ,E&C2 2UZJRSdHPR>%RBNJO %$HrT#,g= 3 -boeȜ6RpeE+#=ItsjLJ26(\MG'qA;Nw(4bS:F @QU5IVcwU^56=VS5Y!r>><ekzP -)iluOy-P0yڇ>+7{4>]5o_pS$l7SO7=ϡ~z&j"9Ff3A(h ܚ4K}i~i<[dZ8ZL-P kygຈmlyh*^/|3Xs"kĚC 7IÚ%%m,1ϵxXE# C N01ҾCP"p8iFjz͚ 5Jc{Jj}?@?6f p뤰;YT':ppzybFcI7xZZ+ow^BmxBP\wFzw>{pbGs֏ ŜC9VM(gU8@xuq?Nx;AEquO/Nj[9WuqN ?%wŗ̺75f/NLN>V 1,vb{%Ө;[|;xR>prWJU}s_DщTMNΨ@Ə7𣋼:~ŏZu[8}D|E Bm'|.85go-/(t"шZ:s_lخ|l6bsll29=قldsۮ"G'#$:D b]Pr\l.`w,$ -ϓTVWUD̮r]9 ];A1B9 (hr4*Ѩf,Ry ZDd+G#r"pvrԾѿ+`ܵ^ Gk4:ıT-TiL\Yn0˰/2,3,31 $vcxKʭk7V괪*RRU~V.Q*Jc;R{;G: rq+YȦcn:JFd)ﱰG}VuWj폴~UeZr6f_T=/F|Tg"S8%S[K8]ͱlsrx[}嘽,Lr fÄce.vLg2=&> 1,wvi9Tk%?k5t2Y$Dq"nG9orj8`!E8\IL&1B(iK{SH9#3jJCq'_vDSyʝi%SK,'r %pj6iLU1݌2ьQfL4-0`tݙ2y_ d2LG_d}>'.zi{XdU˜jɌf*3Y&w/4i'p y-0ws_c=om)]Ɲo6t=&ezX✖.kߜ,ȔjٯZ͛ٗs J*fwa=V|En+x O=ūt?*%o^ΒVGaֺ"tQޓDY3%R=V -=xz1{GN]a92k=c`~53tRLrH[(m $`H#Ϸ\_!9 -}ue1ӿH4)$(~I$ =5XE_Z#_t ^}Wt,RT$k$S @:;I 
Th$9")Obp/ yvOL\Mb&&+#rrC|ǥĠp!ҮZjBVCq$Y!6BLaCSl aTdo1'"lgqHLݢէ9(Ji+"J_1uBp:ع DSbsMa}aܰnBywx fkf?T#VJ٭aH=Aa+\89JI_4)ҟMDZYXI׃(ORS_US[Ƕ\[U\=%=@vP5,O8"Y=%]6mzI0H_)K0l>.wR )ZL-vj5!/Cp'V54Xք,(z۩g C|D' z "9&5xZpT% -vz'57` BcㆎS}&Tyi0(:5 : HtRwKc)j<)^xrS긭Mz[95YiGcݲ9S OkI7e.5ӍB 2{2ceey(Kk]XXXv]`9DPEEE-}3Ѫ68ƨǚ&5UcըʹMG϶&iLL9l?qg~e}yG㣍 Y&FaV[O?r&4ݑ Cƹߢԩ~?pҪ 'Ki.g]l穋 LhݷS c)+C7`?vj $ur.{gxhV.37kznP7I7M;*D2f;y6U+6S|}.UXzM|;]jsrE5zH]< t9}" v@ Z3a,tS|=t}M>|\sOzO BVȆB}24FQG@Ǘ9 3ЕbA\Ru!u>}p?^0zݣ׽C.RC('~n>_~fb/%||% -x6Otk?Sn)qG>H^WBԟqsϨسu8Mhl6uF*ާVc%>V2e e摍ϯilJfSQM49αͷhf x%{Z1p"ơ4-6o,P -4jИTmnq_x y-5+8{wn}W0zh%KdhVWfvWc!޽LӺR8MI~Tc&X[Us<1=/gjjb(Gˋla5øph?YCif5iJ_&U}M (Q]HѸ8C5 TFU[UWo<=ߏ2pFqZ#-93#gjҔ>(BlQmp֘~+~e_UC,dlְڪ!T~q >O ИUEktI"2¡9*PJ4@);҃i Vgd(͑TG9du(9YgdrF wAF2:)SB}ځγ$:P^ ,g3_Yٲ5(ۢt%ggWk̮*\Jp5fuoQeEຬ(]EgS WgђL1P%PR]e`Yr#+sY<9Sg<);S2Ez7+;y*sIaSDn[X,4&rP ^pV,o4 P!2WdU薡PE#Q4NE --ZE'̃>8dY]p9dj FEvǮ"!fRzD1j56$HӚ1ZsL5Gڴ4uSv~LLJ=}}}J,}Zҗe-=/kMي\!iZP[OhgJ(~ԏ0h.CM& lXoӈ`]~񣇋5顸{ ٽ ]k4N>brK $B])f:[`ki8`ogg~rr9H};¥{Ev$9P,z)YJ\BcU?t-=7L0cQq-)8ť|?ct$`]9sMxB@w~DŽ q` -a2B5XXQfezE|^&WT_?xNDH x&@QGՠoLNי1]e -?>Ǐ?Y>c2D|oI9d 88>//w@<)3̤NL ?>ď0՝?{wgROyN9%x%cd5^ \{%e3)/&.lخlln应wEVوvϓ:^<@G!.b(?hDcy2ĶuDڄ]?Sm+_qх*?J&v%} (nC -D:\fkmt*t3zs7]/Rk3ɰZ嶥jm\Lʤ"iʒUTZM8K[T`T}wj9ME$QnrvJˤ3i ƗR-gE)v8T:Lũ#5-u&0PiєA^MԬI_ ەO_ kx -G҂Ҋ. 
`+ܔ9"T0k#Qi*7eyG(AuY`w]`e]]6xM0xD⠉hhԦ:M4=$ΤvI۴;^37{y{wiJ>SMM,)O"t]-)n~]6pDo}=׿%؃ -M|!.oNP9M1#U3&_,UVSSE嶶i] u.XwzHb=xpgيlAS!|(^UEUY\QYM29m^a,-<ٗоY.e|9)-0pvӍ*-M0 &]*pĪ̑,Wi*-5,TRŮ:&5UW27j{/h*u]9rFc3e.KFB|P e;GYli*.RQyVe(S^&OF{f)ӡQ]FV>L+y>FG*^3T͑[|oF׸[SQ5SӨ|3kWo2|ەۯ4 \UZ FoTQ=Fh.& B -}/P06Fk[yoHCY2uLRz` XmJ-ocB2)f(= &rkxȧPPɡf%*!BCC݊S\bo+6znڌ5]0Pp]W>mĤX6&*%p¹J[4,p(.ܨ0/6&|f,4b96Dx5ƌ@=|mA{D'Rb45AC[R@pDT#EMaP<0iBSBca<}P{{$7eh6ugrј?v6ʜMncښ 0mx9c8GXfH⽓1[s)V)m)nql( ".ɣ=åM$wc:<_O&(ӧ &⩒iX tSK(kRˆpp [eg%yt2'9drcN/8&s-[ֳji'7UjCm^0}ƛnr ]"W4y&걙ztG7B=V6,Ԣ\1ovaM]QD:Ro ig3tt:~͍[`+<(f"$#I̯e'{5N1bhof=Cc@~ Wad 0*r޸ΞqM&:$fϼɀ$`8dA>ؠAd,-=qB~#M][}wuO|ʯ~g ryAXzEa N -n2.SY4yy]C4b9eh'{̻Ja,#tZ\S Z!}5}L>U3 xG;h^ms{V3]8 -Je|INS4hTO[}?#ĞIybZg)W*7eƻjArz}}Fwㄧ ShGV4\ԭ~b&Tb n_}ث ѫmM-v,ϵ'`| />g,ƒ8B-^T*G_L|7{٢mӉ9:w [iɨ Fܤ`< W;k,ExNT2yg?fۈ_FtA7 -Z9#9NZ֓I:Y' -\9yv2È?#KBh&t0UjgBF5׏p6XfƱZtR'e]o;v.p8qNlp9&MNv-mvJWrT+[v h5[@QZXA\1& -  -!:'}<_+Qˌ7ъFQ4$M,c]OxaYEVW^eN{{J;Q>!ctM:^FݏNtf6R;Iha:fmMEQڣ^C")RQXs< -uM!}*FjT tj"W5=dƲ7k 7,jpV7PE,+s_ܴb%4J{JCvJ.Ym\)Weʘ&+W*ߩd~ -Z4ZHAD˜*@#S4hтk"6P:MAZ]ƴwRIJfa X<1ٔ0974dnҀ9~sb}kIieF˜, WrFAeY*]YzJ9ZM `<ĉeȖ" X-V(b ֣.:c -7(hߡ} -Skj.7-}G\ܓ<:B %CYXc)O/;Qb-SOYrʫYVI6+^UrD~ǤZ[ث&xFNjr;^Ɋphƒ8$:j0.kQmRD5jq*P mZjj9Ffy|Bu|A5WU| qOPٍQ4` z=^0>Eü^P.Z\jvW]/ۧv5GT_?(g\.&9=A6Á23|43 #7964U_.4&ab1۸zsVW6t-ribAL"c+ǶDObIcN9TYPs46LJs;0c`w^@nwUf 5V1!a5&9f6Ԍn&لnތc+Z$_-xIL|1yyuz8c}:`?GgisyǼO& ٷ=0ۃ>9g4OdNi8)<|.[O+q8O^aX\ūÚRZ#u}g\"ӿ30+FHaW MqM7-:uqSu_qp?a`ә>^h^; s͌I.1_^ }C~w=ue|>r,!݆!ytVLX1K/W[e2c̦Z^ً@'~yy_=ͫ O8v?;NDZ%n;7zImvݺ6[E֪] Bҁ( ʠ*kT.T`@`m2sQS>w{y+8!hn X_8wp@7)82}]c^e?̫ -<߅o79|NFb-COoc\#Wp9/|^u¹|<~KhM^#80lO1|e.c_ރw&2؉_3/^P'=C%i/pZO~|1!} -"zARBLy,|>Osyx4c$csyy0;G{ W=hϳ<*wnY6e6NY]adZyN8K΋eT/·df }?edNaA{)tg"֣=Sqy9 ܯ3 -OTnawj~ m+'`6@;vahO0y$>f{;{n2ŵSϰހa<_֜B~c7EE]TK2/{]B?J5hgI8Zrs̜y)u&x"<参 ǃ-hQt1"Eo2KnB>@6X=GRff}6CKc@ ZbKI~hyYE6VhF~ , )Y}E SQiT]ILkiS;,>Dj+>V%%9ib"6N&!ˀXf2ez˪cU99Ty:;QޣeJZV2V˼jQAE-\RrU!u9Eqs mohn0*]7t ԵTiU)CjꔴXSҤZnicƄYEyj0*h|JTgX>E:'?'n݅=XK۳|ý49u_;-s)(WaQV+TѦhEJgάkpnr*[yZsrW^Ru 
pSngN5pwoc-u@[>C )VB.1WljtU(r+RW:긂 -ܫuonkUsJ5_#9ϫ}*s:Ļv|OA?tbqo&FxL -y,j+P[ZޠMyu7)6U>(g9|'e="|Ruޜp-ĺV|e:^$Z"s~|KwF@܁rҪ d%"#O Y_%xQgTxSJ}NBw3h&hڡ{Pa\a.UF|rFBt-:'kt,=2GWY!D.5Wi8{ 5سly Cc~;7zUSr cN1d5OQy|Lj78SEc*hct U -9?ހڣس^V>7CPǵIrag+Z -eʖʚpȒp1xiE%ɔL%I$1ILY( IpB'Po+h{$qh~\r߅uc H^"sʢ!Sʩ%) -S jV `V4NaRRRl֝Iّ]hϠņd6h3//LH/S/9t5Hu i࿏{vw #A<0sqsc,1|rl7mF1f#+>i<>]s 4y%lH*P_rsN0+8t&ܧH()^b)e`.ɐц?:񣛜M'х.;q+\̎ ')'/aS} 0Pc7!g y?QK9d% .5u!}0klVO)^ތ6)`{`5=0XI}ƏuaK}u\kWr@nzcyGY<D^%-ći 5M7a&X90Os6&j>괟d+V곟Xl!y}K؟6Sϟ!s=U|R</hr뭁H(!0 XBqaC*5?+8plI>| L}_cuM;9`ͅ9x7Z}k -Ǹ(dD\,FN?#'')3q˥|xCulb3׻Z>W]yD&Qp$ U\0!Vs%q@ϓs ,QTg~)!ĻeW9IнFsƺFA}pC&k@&0@>r0u-ys% kTmr YWIe{1܏-S׀CX5ȵG6(пјwUH}r:~\eM! s?ΣijOZ{$U1#1J ]v[>_mpmu })'hЗQ* 8fy ->=w$) t9Ïa|$љY;6f_)b 5خǶ&b{gbx O)5dt;mG/Q'*;)p XUf{&wѺИPn.NVjd ~E=Kx:\?דDtO`X >-`U2K@ +\gQQH/5?z ORz^Nl߰Ǩc~g;h$i= lYnl WP:l7`{'!n-n_%sŃtAzDwm_P|ت]>`tdJa7#u:IDQR-4,MGZYmbÛV͵ǐy,G1C,E'9 'F;5:KQL䥅L>f2H6lq~+93=\ssAOǾٚ5E^8BpDJ8jnV_D*P#ĸc7|8V3pw1wG6Q)pd‘GnRx੅M؟Ld4HR1è:g(UW^1DwAýxK#>6s13:mԐ`ˀ)𔰓U W\ᚈxC v~nw]Al}`hi`, Y̹ßI)&;U^U'4$yRTRLPij݊.V8uS_T(u)G9%RQ}_ι_m>@xV˻JP=Eՙa2åL2TYrEm5WEA{kߢ^y䶝UrF8Xʸ HjFJޗO4:Vđ,Y**U" 3X|WF\~96>>`b:ɧ20ہZyVJ)7WJI*vf*RRY N@9U*!k]S˵HNZe^+쮳9ALk=YHI;cQ5WR> BK?/M< -*ϗ'';A׃AA?L pew^g;n ,$$\ T -D8V^Bq2ZN6#2Ң >q;9oyn'[鐫%g+{ ]Il% -e VP!d"Z "8<<]LpUq-@ԉhܛ_! 
-c> ) $Uc֥ &Sa -(Hw#)<as29C>q-JFP .~1͵~L{ MHi 4 -JG ll+@5c`*o >40E70cۭ +W/pdK,1!a7fF3bll m B&xjG؄;@ |Ro.<)> ?:cm9&'4^6O/3JκsܺbCg\o3@jiy\g6^g8 9@/}o1DNQCbwD&AzkN# -:Ncnx_`='d62!'#FW?r&eRR;㚅ͬU[uv ~&v6IZFPI`%XEnE㮥>yl>7 ,f=F5\3KTh\5!%>擤!s`1kD- ^[csX|0>CMlFY} s$A n–Z5d||X`5?b ߝ%b&&ϰo_`aM<~H{xy71RX:8{WYIň%@#_&A%WL$u8xWXQ>8B>0uUJ &^pKd|G|FwUV3]6KD_PLpoFp*%U~/N )ڇGNvSO8jQv85mjd+~Ɵ9D!Mǧ);Lr+jOU,U*.V_ZUbRmP*Q!y7^'q~&>@^gUcS;Y))*wzT0TjĞb{*tT(Ѭj-JsHOU/Zl( "Tr O%*HV^SSSI++5W0*7BMJ3:eK1VmlxRS4Na\ɑJb1ǐ' A9J@!%7=A9$e(ϗP&#}cr?8ʫ -o6$,fwI6l~vIHBH&@J$ -$AkJJJRZjŢXZdZQt:0VvږaV;0/۽=s}o -|ӷCyd}Ke+{y3݌slP⼫`M2|ey*(!Uh+ت`>9ò7RN-F 6`|KZi -|A|lr :)wr(4KP -Q~RpBpNˆ/B׏܆hDѲ!|PNc%|a#hpJF0ߕKżbxLq㤸Sn~ǐ Ѐ (%]%\a8g|JHlHOq4di X65|ՆoexhE0W!Д./n{y೎Y|< scZlŏv0 :rEE0&u٦0k@3nIk%e o!ya|HsvB!'KA#KYd>`]*Y Ճr\tuL-1GlkKx_ o8I/9kA!h.\c 2ꄯMS~w9Xeqrđ&fNjn q/X6,ao=puV?&kyGC&g3dL(9!Qjgky?ۇG>-})wžk) -!#6ko,c\ɊA(fC~yCv&ړ{OK߹F*JyW=烀% qe#3pH\΀j<9y{@&/|N:gT "bc|'ku4Jg-_-__߃?[mrrz{ҿrGQ --@t%"}v̨N|StLF8$P3\PEM/3y^b}"3ɹ#LV92l+C -3l3ԑ)eX%x?<>j* - --tL4&qXsh^x_xONjqJtR{L(P&˽v+p^Z!3Ne8qY Squ sa(C2M~] -{mf{Lm5:'`6?)=|w|_APŎL籟.Li$_y=Bz?"kzDZ}p_!B%}'] J)(<5kn tb#BŅ9!:NwpCȎn$|_)nSV"xfO*xlyxH%k7xxSspd;I쯇o9r8+[@ -ԁ8cҕhC|E\ -;{Tn6ٻ4wX܍*ɝyyrgEo/(3?do%3$$`BH@ Ud(Q"EED -TPM(Ȗ-Z""Kw;=4s3_sg}ߖ6(M@rAk&Ь%vJ^ ; KgM@ úZ|u9I<9v,}l+팸 O8:C_ mk<b$J.!)A-A&.~OHtOHZsѴѪŭ$NVi%M["VxsRܢx:{u>4 gqYBzt}N}.ѽzDEģgq%+ġ~ŢNy}d8/aKbrg*bNE} -A3A "M~K[4[<~M [[%VA[rNj?]༆ey|1G@(h`*]S@K!M>b Gs)4 N_(| SC,u%7$ђ4ų `6уv-dwCaآļb1a11NSaȤϋ8!5F -ESw':{U!<\>y0?*>⎤3&C̙",\&57K?GӚ -4JC96g! 
-dSCI23!rm3A{Z"%I cfqdZ$-*<|6xcw!^"0Å("qkNƤ5!96"M%3 Cso#:24s4/%RLZJkM[f -ESjhrٓ\gRGB %xPEWjI],-VI^T0 GFZќ^IRkA#VN,c.'ZϕW:g/\hL1$iRUkkuRG[bNڱEAΚh˺نTIn}Rɻ@S3$( 4[f\" h /\4DSGwΆ݊+yލCF3gDv6gTT a[>u 4UFhF4B@?hI| baX_MbHДt%0>BS .z$f*|ըj@8:FF0'YPyH`pΪ4M LH9:KFf T{|jHh#OS4puddq'qm*i~RRB7 ೛%ljۛ ZoIq@>CRM}jP~D&%x8(D笚|9*Ŭvh֘Ws/wQqN2,AI5F(SB)RV$M׍luxUyd./(ǘn+ДЬB݆j>׍l[ {T38؂r99<cBvOUdN[`(Y9y -6izEqe-Z^Yqխ暶U_WݱSv7٫w8vC 1r17~¤Snco5{gκos~?.x?.|EO<䩥˖xz3ϮZ k^Z~Ɨ7ymn߱s[{o{>Og𑯎~}Ϝ=ϟ.\JJ]IYWQdg+/RKrR+kAݔ7) nƃe-ʅpa2b"NLUV܉w+3~ܘP~< y G+K<Ô+/b:&e+8fMy[sP>| T}<:I?().^J>\ͻ%~__b2lvǣaO G8#1<\|LҚ7?3' t뮶;f[mq&O6}ƽfϝ7 [xe+.j[ȤƟILiLT*Nhj~o'G~83gϞ;w?]pƶehbm֮-;zW_5a3Жj꩛sӲZdOG. 54PCC 54PCC w +u%^]/9 _ԏ-~kwe ܝVOѢ'~HPG VFծ=Ͽ1}C&|ww>/n{y /Mٵzo.Ѳ{_d'װ6Rk]/޳̾{ttp|gvzffgi;fiNд2/AoF)TLP. E["-)'-߶g/yޘᎀN"_ -)Uka"a>W~ՓĢ ?J!&vezzc-̣>$CkSFkCe\ )j3J-)|ʉ鱶d(;nZs>w'C71}fDmX4 >J6 3O;F.^hW}F]υ -{E"f(/c`4Ѭ7h^!}w>85KhʙHAΡ 5.-F\ |{Gq{im=/ZtUppdK*8+#KD0 -3{717@AoPa.57d0~DK2qH9yBCOmHLU1tՔl2"8dX2, K%e( %6@du= -םj^A\ˎ*$,!2.KGv[=ZP -$A=]+#zw^ XaF*bZ*SRD &^\4h`C͏@v~'x<\վAGi]8^@(WI<}IXA-edYÍDVa( e Zg:8QCHz,I^PQ%xI-02,탡2Ad jk.s[g-HQ$Xi}yJ&E|Ne2@ZFO AF# zw/؄9Ќވ0RYeJ($9J;C`M􂜇}0 P/69&Il됼:y*LYT~?W@lͥt%SYBfaC*Pn;ӑW_ހ}]M*'(bN)%O2qbzȅ)}^KgX $'mo N_u_q y[r=P"fUdVp=!:qܴ.K``ZJ s^9z5-&i *ઑ9u(I#ObDQHnƖP VKE2jVwn '\G&ǼԲ֠m0NJ\ɰuUH Z %4Y@" 5Pog1ip`䉳ߦq/g(MEɱZ,T"V $KM2TjA})Ï9;g/(Ė>Ȝf+Z5b m @92v~ jl̆q'G%7B#~̇ސt& n磛#XB. xю?S]1a^‹w>LpP8:H"Ol@H4@D E> Eߧh x 3{ =p~@bIb)y`o%65~) -}OztGr( yĆ_ x {L|@mT+5s7*Nȁ3GR]xڅ)|9x^d\ \dyb.pPdmkkm_"8'q*)c{&B?P|5 -b} \hXL35j1|%/h`?b!4У( ^@9 Sa6r%'Pb 5A(=)|FIS|F!'AcIn#V4jBkn    {C.bE aԞ=ag*"tVP*GhHLf)sUQ͚H%PY~5[y6V!zgkhpwK -Ly}\DM3 3]WdkijJ$#d=U$yA -7B-P%P_6`ׅ3$}N+5AIL62U`#%yWFSE E[V\Ks2[nh`ԱCbx. 
蕽|Đ -Cű-NV>ߊ=jVy& ޠe=ή0ۯk@G -*h\̰O^LA m(U42fwO'pxa0|YPa47(t%1 Ο;\0^vwvgԟg oB l;e^cdUd ~Pb07(PfG?^;87rzĸ~_|)8Wх5SSrITdC!b@ As/=s߼tD[gnyQAA$LN'3 c8FBm}.)u#=g4b4~noUc[Q8ܾMYBy͇fBHOI8t8:K - |H{ȠLdT}ūoݸ\7gMӫ[e`Gp=ϡnO"@EdYs@\4yjlflV/o.=ٴBj:*n%}lNmg[SeJKn/T^P@QQQ@@PA/],YinmyRؽ -e[ -C>yE@)H;a#ssEfKϖ?,?_V3|~lEfAx8䌃XH?Br_({Jh3[^^0_S 3`p^AkOot7$磐dmÐА -P+6/ -f^ Gp1~)$T1|RB.玦TMI千.YoA777SCkCɦC ?#4wPO?Nfo0qZbNYLn~(VbOKmkZeu8MB ̵Օ??#Ȏ,kNDs:#:'>V\9Oe t̚R2'L掞8Nhmנ镡1!?mb#~GPqEfV 7UO$K.R+ \f9\cLu%uMXyߪoNhkGWF 5Ak(9ԁZ$)93Ε4RfiNb]6*MZInAӉW2v -&Ġڷ6[ɐiuL Ye>3YK@e6rU/"4 SjbMCb"5b@ ЇIUBEI*w:SW.+Է[i>9Eߔ+UKr7Se@p^*6A3x!Y!,!*y-vANEM&ACӫ cuԆnvC$e^X_/.bm[rĠyb g \)ƴ&} IQRVmz;hgyn46,bhغ ;WB;b>tv/KWt:A`jNmg\}CEŴ6NΠ7Ҥ}4E111t"/,1AaO\4FٴC AJd2ȫ(8Um3R HaD ذ$[n+A? - cSΙ# ͺvUD֜Zא )F/ -(F;Lj! -14! -rfס^w Y]1|6QHUU5gvŹ=utsԚSͳe׈2xRKFEMP81H|ZOgk15zq4`.dzXFPV(3Kd&Z/asbP+KVPBCǎOf{~4]=|RPIZ-` I-|M)z圾ЂxME os?߻IocA?c)ґ]쉗RtIZbAe򺣕EHE)B)2*AW8/1/o\#=s#ǒF#l{t%/NՓ % ʸtM~aB4|}MG 5 qtl^44ra8((>' ) 1tIDIz*5+ @};XpgӻG\^km'#!_ٴ_DTXrR,-s4A8K`qqY9UX[~M6®QUA۠]tw \ԮUGg<6`**9{".#u 7 '8́j');m{k&h ho''DX_A!NW1K)LY[FfZy on: L㆚ P 5ۗ@+@t =  򆶤YIVS~AƷST*e\W;^^'cF:/n΢wt@s[\d FPEt$H3>eOsJ0)/(kh@>Ӭn fvhN1{vgo'h9_ >u6EgZcin=aqWu7h4(N~ ="l'h0SFI721MGMl/ 4d`B mȠ84'<@sgV;5Q9Ts ny*rQ(FRiھ,&#{ZsJgK|ݶ ۷6@|ftgB&'=TeH[H}U{˚6˪Zs}I/S9K 'h߷ -T7P1!O I=;scPcƪQm%WY.(IM7ـ Ad|LgGX"nJVx+9J%rS}Zd5LV%THdHm/6%^AfdP] ={}-*[[|SJј*9(#6a"[R)|Υt9Xe*\of{{8 o@eЅ փos{Ȑ選 WtEi2ȕMe*icAfa<&ZOki*QCP:gZd`"/zn߽ʯ'mytSqф̚t^s4{g%wQ5g,lmEڬJgd୛ m?gz݋NP*|3I;! RʼnC䖸 5mkey_goMi#֊NǺ_ъbZԊ"( D K! ـ!!@BB "ua(nXQHU^h?ܿʪ@-g{~o٦w7iaݯ'^ EQG TŶȟEa|1Hx]&]-E"͚`^?eܡaWtLmqu~)~?;I _)OԄi_hY=A.3+ݑq+rnW-n/^2禰gl}'=$qϛ2 &[ftC2.L?+N -z*)ShSes s -)[+,vU%8Zyps T z;v6ُ.3 -#0l&. . 
x D ꞏ|ces`"5^Y{JOD'"E5 2p!8 ;Bq(7n\v{>F+,Uyv.5ก -.I- -vA@Dl 8p}!:.uXb,15(`ռbYȅK2Uw ׇ _ yC7^R@qX;o;w]8|6s\FV[a4,/Aqp[k=;\ȯ f+7@!H26:C6 pm mlO +8{q\ׁD!P@rԣag -BdIR&ԉqMYϢhc.ƓޜG{a87Nso5dX݋`J#o;A ccx⇿LNHVvL7(I sU g F3LcL.SITS󞞹's1{.bXܛ|mz^y3-9D^鮒d L4T ~m8d{嘳@_h[;V'(PJIki)%F'\WTonuwWIeU'z+fjol/c}I6K m+ΨU\f\VnFeoÅwE*I> fh:֥ݰ˧֚.n&(袔[1Z(>D$h $k+{*%KGuS[o{d<5mq|셽qj??gpzB9(RF/oeV[׃ZE-M]5rI@.i' 7crk]:_Szp؜q봋sd 2hD Ӌ>n_ҧʫW\[1(\Ax*P& e~Qaўw5rr,` )||dh2e"1!>LpW1CBzmM><\( WyPzѿdf--hxomP1^R#g¦iIIVD6)/D~R:.rЬ,N/TV ֭],[y -)u߃'/RBHoƒHgyQ0 -L=ED] -DI(>݂]+Q[W_M[f1-cC\ÿDa)5:6`5\,+E$Eq$rV7z߂jZ'W ۄpN%4X`E3@D߅P Y &( Nv /Wm FI,ˣF9"/*J~ ?*\8 'C| X d}51RL܁i k|s'Z8B$1"۳ uod8:;r8 8DC+D8CN@;)/S~l ZCDݑA5"*{&#Ud8p@>3Nl ]80 {`ma CVsX@s`5Qd3c&?.n)TC*בֿ$\)/]N`,w[V6/SW1F@g JUTC4$"1 Bg $*AHP ' `jAj9H7Z $d;A, Q^jC>Ak6*8$l(|g<59jCo_j@nEDioK 0W, `{kX3_*yBJZJEZ n $/F.D>y;5?5HoCIH>,1Sd{jC<, 5ujS h5<:y)!j@Ky4@ݿ4$ig>3MM$" q:y;*CaӇ,.1ҽ?'qL.\|Q&$NzEseP ONM%O_P@<Ґֻ<eh@!Z jYu&o5C\D.S^GU$ͅ`̐n1p=pS4\:9x Va dYˤ~Hg/$'gK'd= iN%  t=n?e5&S74!i HCJ9@ї^\Z;=z4C1O# - FI%>aOЀ~9x,&i<4А͛lG68`H7K -ANmtaLs)JM - - -.QY2%Y")u"bb] -q@$8@50Eڿp0̿bv9YCu7DrV,8dI6Rr<ĵH i(ߴ׵G>trÛV/,أO[C0L]5SI =V E fKt XBkUSjOL~Wi_  鶅 ^9k>=퓝#ۃ͑QqMzZA(VIXb>Yʙ,uIr- RzV]@j -齒B  dW'`#g! ƽßo=UǹC;|{Z#"[o]MIjRE6') oTWV(VX5֝U[++h(\Aj|l>m/^7K>fs,ؐ'NYJdXʮK2_f dzh F<ߪ!zA=P4;A%r@Esw]kЙM? _p8#,-:Ym+jQYņ<YK G*hez}I$jp^ixo\GJ9t[ivO=W{y{7QUmqYd -݄/4s -b)R$Ī8V}pKsةUu_8t#Tov4t_6=sꋈw]`X ҊsdU4a|S$$E#LMaT! 
LdN)σM~kcK_o}vvo8~,x8<⻘4j̒byƉ_Qy"Z4`k0mz{i4hހ&ǁqܵy 9O"n|@F 'gR> ݈6fYM\d2m&Vp73pp,gnWA8vx2 5c/OOp>D962{"1>m"S^gEYQϸĐ҂z6 -v|yl@jGr j`bCo+ o=]ޜ3a93WgC3"㧉1ԸkxI!/)uJTm sE7Cj?EXzf?l^s_);xًٳa'fKf`cfKʂCgy!$a~W}g{e(]P;# Q7la -8 -` xd( yBr&gp>;~`}juBR*G!lu))6<קix A;/CԞPH i =H1= bPz\Qoh<-^(eCUM-tZ':-"%,X8.λی-~^m灴\qJw֮ udO~q|2PG( ac>lpNj2[Ke8vGEłH "BH)$${$!H*(( X.l"(3{9W?p.Y{ofF0  dI_}Rb/Wx"xW]^ <|s8ųq0}<Nb8!cVx} sw[1,b]YHLelQuҬ`ZdY-IVQ¾guDY@< ␋ -_x:[9pˣ!5Q-e'& -㤞-Pq$FDk -(ܚ|9ǻenkxn1P` #|"Ȝ̍j]w{MEP[[L('1F:רgKjJPER+.4ŧ3M7XN-Kt_>kDP"ga^c'qqK>˞^=SgsוGŜ*OJ)*JS9ZSXW -tr]:ǐ,ȣ+*,4EC>UuӜХKe"[q`/j, -IgMk@76޺|tŦڳ1ѥ|~y -M_La˭LQM-àͥXL$}9UBȹn&;t$=)Y-0epD`anj{9vZkgoaGQudC g Kv1[F?!RS -zdH4%Y0aN8u)H d9s8g[lIJŴ\u]I㚚G1hhjsP+]ռ\}xn~sDr^G{TAPI =uz:ڬ5>tk7ͤ﾿Mw/uk zDs7u#)y)6YAO9e;푷T֦P{@!AsSwZCRs?U O>Rj&;ߨ}M[Z -W}^w76MUK,Ց=8RAbyڰsԁ ֫ uTqZV"D '(`A^Iyݿ20duQ琯UPi5w["I^OjfƵ<ɕawY9*y;zZ]k^wiT4لݔxwg 10dBVI۰ՙ!NG|=xa~iw\p7?W^)m,m*m+w4XƋk/ TA!GRpn .q.qst [q3c>VFn=RRL{ e"Ibw:C/8hΎCBh$3b\PpJx֮CyK2c~q_vdrT]ptInpF"Sp},t66!l"FMl I3Ff9X!AN{H+RƍQgSwy*wlHڨTG= cpsdX"[,G\Z $7@t6KH  -/im>MKH{ -D6XkBA2]d (["O@~bN{@i 9Z F?x9 ϙaciǩF9ݬۜ{1HH@?!i&Ri#g.Qi@sTnBz!<y1v> eJ ?Vެ#Cbhw/e=(}z,~L:%|HŞcdA@6}GnRŨj=˱j*n_J2}rcf32gҎ$MIٔqQ~7לG᜻ vfOJsE]Y*HPkPNaZnZweCI~T~%c"7*kHNT$Kc͢ܧEw/ sGxvt'g@B6$7ϰ&5oT#G:i)E edY$oH I؄ld)C@+R>}/Ç}07H^0iƟRO~O$,i,K0)QN|BȢ`z@`/A\$%%!5v_k]7t 7S.lt9nF f=ް|܁Uǵ6[B!ڐgiznT[$߮sڀxoʐ8dgWos0f3iApZ@bڢ2Mq? 
n.a~DX+"UP"  "d&R0 w~T]sJ/)h -k0x QbF-&*E jQQDkbaĠ8?R9Q_3kỵ@` ܦO_,Z_t86]aɿe?'#a dëcV[L:@?}b#o$`W{tC -5@; A_m@%kPkj~CfeK0Jjn@A((g4:I?|kXyI*x $%Rtfffjj3Q*jS$bZ\uab'q(\} Tp0zSs( 2A hBmT‰c4탱!]~^qD:M"!#M)Xag -'d&n,D#fa$ȋO0K!G>(B'j m6s+.\I9MD*9N` (7Fx!$fツ^kx]2_K,GT-t@B{,Z_]$$)\Na8XE= Ìzs\2Nl숄^ RMVBd2ePڠfV*`u}P\\cB瀿<JmQۂG0ց~Ӯ^ 7Pz<^O$B°7yi}>Ǎhc'|>B':8<WC𼍑2M0,؀oNXׂ䣮wvkʯHH|;čWH^: 4.x#=h1, -GrR:" `q'yq~=@$= &j ڐw c!o& 0 *r4bY0CFsȒ,!M[t=NU")3`^D`0~폰I𱤡-YI|89H  #D:#eDN3afȎ\E%+!_q U7xw܎ pN}!kH) -'c-uh&W؁/1("B`p7Yke9⬐˶ETxATGLroc?KO~K RSS?{i_c#:u6ᐼJUOjoSp -'r"Rqΐ1QcM#)'XkF/%mG{~B?d%KD.vX5u3Qi`slBE|q볢0H+z/}+K~?Hcd`v1n O ?dh=L-6kq=NƙLR -=d,GJfb *`[%ƶh>U^ذl`=>ԧٝG0odg>$nޤ__I\2s)pFn[lu4v?5c5vwֿ) eG+ ˙%5oDH:2p~LξɹΧ}⏰O2t.KC 7:y, TzdVG[ʾ=VF9Pis.)/w"`8P#~}bC:1J"n!ȼ=sSbMsF])c~.SPnrn(W%3ʓNcžQ[=T ,BBxyɮht9e5hp[Ԋ˓vja̭J9jsT}vi.|oC#$ -$Z-2dAC.q {'i:&C D,{ږ^;2(+r9gJ' -*GUYs[eu-FvAdOse}N6V i(&A;}_;c䰛p­s}Vt*YIVe˯W6嵨~[TsdJiujejekq@H[2YD,%!iAGF>s:jh[i~W#J:Q#gW *J-eٍŻuMj*UgirYB?uz@Q5B];sk:~#-4)A)ԡZ I - -*HDP]@?8*~Yѳ}ssv: {:,{~'ŠBzjZƲԨ3Y i%9ՙp0W(D/D)췉y@4!M?a{g6-—KR.~4qj4h^\:Y]_^+(.*N/gd)ŒԌ 񟱒@:mCySn~c+ǯx`q_8ΩZAd -ёTaiEfFajŜ¾#E%/KiG $I;8-88 w>\/~e*=3rpAO^?۶[cK8!)LjFU^Y\Q/?//[>_LRZbٛ$8I rԫ⾶oý؁{q{nvh䘽a^k]gOhV0qјĴdL^M0TWõO5Ki1oxU+q@6\ET)I}QFˣ{*޴!ݖ17ݶa LjiO$3#>$Mr,ȅ#q)MU2Cu6d7m\N ;~8I jTDfl\o,jo: {FeDzS{“zbb#; WקjHjNgv̦_ -8$t%diF4;$ݑFSh䑎T^Ŗ86_p& ׄ!q쁊D$߁!c`V761=/{5JqP)^^ >;JBf6gdtmB᱃F՜ACƾ,ǴPOhޝ6wBš(whñԉ9mb%~cPI _}8-ۤН /οQKrk{5.T@%uR=w1щXE_R^K>KC  />/iE%FoZgaAլ HkU-ɫV"WCW9FHՔ}B[Z~Z/9})gOrveNfB82GuRbE| |#5lYwT [`wi} ӣ}x={ɏPcMeC0cy^a[I2ކP_B-7:=P&\hΆ80dWPh' bpN't/}hc{6m@]Ĭ Pet7||ϔA$י T%OX黀 >]4.#`\5ƨ LϬ_9,P-R ,?S@5"Ib-adVp'EBP>0O]QM^[TzYuQ Ɛ9! 
I@ @ A@(rUZPE -*Ȱw;9]笇ظm@X  o#D/a$vla,|Fk~`We0;xۜ{!p .B i+n hkrx[6?nǹQ'q-[FÖ8āh=н0 D Aq1O#pR=%~h@m 3@ ҵ@ez$|e[IZ؀ ws*CfV=zG%v?&W0e 'waO"w6x   Æ9~/ϸnl$;C8 T7[ځ|فa䮛 N!F#{4i!U!_ٔ>oA%W;9-<þ$`ODfhl<%n|TQG wN::>r~u.;Zm`.W&<AȍԄȾD WA3JJb;D|IoKIyO%^H>J3*dS -4p1:?,y7s_pyP]yW~1GyFԦЎ'XGE6&Z,L( %;Hi{I 2+F,,jB&)&:Wn*J.eW{;i4IsȒVIT|(0g-$Z.UíN2 +TU% iC -nE>rSiT՟՟y z ߾C7u27ۉZ5/[|ٲ[WjʙN[QM*jmU-M-4cR<7U>42_%di> -35LA,ty ]lrxOgwۂ_;CO=aCAֶ2fS<֨ThX%B}0/D=$קUR:U)?RHӎ1thkuNf Gkf,ںkyWS:s-=hUR*S Y#0deIU+*"0$N%ǘq5@:g6t1f_Km^t?p#`:Ἇ7R4ԲwVW e2raS(hr+F$!ˬeHP<3Sd[X15@ cbfq݉Ř]K0W4t QrFVXY_aS֗pRK qb\&-O+=JA]4_8̗-,qi O -1P= f<^g̍Kv;φڻp;iSe #ݓ &ZJMr`:/2O_^*yNi7.*a^\W<ƴH=;af~.al̽s0W0}Wu8/l_t.ҳWl:j~IH (" ;BBB@aG(Vԩ#.uSw -,0EtVEq=c= bʎϼO;~|}&GPnj'Stbo~~́ՍҴ껥? eUe>6 S9Gg?2ɃVEnvK7rk. ^H -/usYq[[ 7sbMFuaӶ9Y k -U E┆u9&NMit tIn3 .3^9w^SǰVՑ|פЭ37\X%XQ"L{~:ܮԶʬymdmC9TeZl7$chI-if+ qA3$MScCV{n Э _}#/zq|εIJŕJ*-A#HOr{kJxBrA7좑ܭt~NZn2I##rߒwYQ۞7<{7ú{cDfknNS2KR2LH.$ &zrX艨Y? -^3C \?bY>.Ԉd#hݐky˰qooLlqd)jMlp-:2{-O)zIH8!J"HX>--t?x9g#0 ee:@i5 !e96̰p\C8hՇ" `Bʂ,R)!*Bk ;[s@\#/x7){4<ǃ.fqq!cBE1"ST,B%W"=U^jo3v+w)n࿡) ->HmW] f{!և‡ T\cMPCj1de6C!>Q DHhu«)5QʤL @JM 0&jTًH CָCR6 Qrq Zلq鄏 gLQغ|AACil2} fl)2HϠY_8!e+<8!vCKľāIp1\h"G$wH -.HpAFڕLw8(XahS-^dltf',rw6&`FQ4%oL::!Az;׈Qɛo%Cҹ7I{-GK+ D4ȝP*yLa5%B )mP1oL6Ɍ=~iޫԆ&7rGQo1IyCWW/dclLg)BCBt!ő,:飔c}!"LPƷ:̚ bϱMr6s_`kcN8MEqkKXܪ {H @ b B-@"D@D -A^VPֶ^u9ߞ3)1 ŌyD>$ < {>p}n0 1[ n32+$lw} b:XۯQ)GrU`0kq&LxO1 Q f#@O[ a#O}kTm=0}ډ}Bs"oףX}i$6hWѰV0+ -s~1e9XET2K^Q9A~E6fLH@S@V@((C^ -d!o5n3aNKǪ]/wt9Q~uqXN-Q1J8yj^NB03S?*?g$z$ {s羚P?llew]O~{GI=VkȉŔe&tir:NfQJ8Y9$Q)JRR^y:m<$HX|\^ԯsv-K.O}ݪ7rV>VANfgf1ӋjMOu^>/NPJԷ$?IIeH\@\k X -:G.5yionm>KWg(Kɔ4m#%']ƍϬfeiƴ$:7<-3.#%. 
lb$ zob0[=\&:7;/j;E W_v_U*є(ɧB-K^P•Djω^H;)ʋ*|˔|J d!"5.7 Eg0ri={vUM-ݥ :gv_cĄr5-4uFxb$[ܒ\A?LQGl2d=iv'poٻǩѕ7w6qiD>YP|]>&Q*4qw mWB-PA;?k#t{h5h0phUw-uHy^/;,1 -0idҌ,M6ɍOhoht#$1a-0 pF;0r]m3`fouw)^lw+{/J#E] J ˒B'Q:*(v#-3>xJ÷!a m̝`,߷A ,hrO-i~%s0ɇv9-t9(ax@!p`9 l ,n0aߌ@v;(ݎ[G%];1MοÞOʾ\O%(wƁfdlfGmrޟ~n^BL Ѿ"4 I\dLCpfbc!Ń5RlOh0P¡Ej9Nh8b#MN dBBgCbrDd9CVI;hdFo۸O@p꣞Sc>k ᳐ENCP@^ᆌE gސlB@|<:S!RԨ/Do/G [1|l hf;U:A=*$(j='os背f2N/d~~C]'^OaM)^Rq|m$ y$ rȋACrr]3CS2.TkyP~@ȏA~6dJ -|:a9z[ gBƄ>c8i80 :W=79>Эvc4ۂnAPAu,lȗQ!ѿ)^E*T'* d#d@G4LX( aaV4D{%1K튢|O"Ə y%~Gnwv?DsdڐT ߳`F5}E=z&L`dcn= -'\y0.+\2lZb憘gMOsN=ɪHӞK{*+y&O\0TAtLi/vNuĂ 7ucżsJ>?.\0s}Իym9,?-wnog\?]}oD|$u0R.`ḁS.͇=/4[/[$ɿ(*n)1wƎKNw=Rv<[7E)F$z".5,uL,Xo?T48˽oҐ17*fhiHRRF酒EMs-3ԧL4'L]c;ڣϳۋd)!J~r}EoY{|_y"űo2ksk._YB|Ʋ.͊c/5K9P|>wϹ%VKedZ n)J{4/#/x -b}_`߻FܽR|~vLU k,WTy|zߜ_);qc2i@Vs%dM}Q ỐOsڷYVp3? c> tF}i1\Ci`mrkU{*7iw<狹_(o3~n9h2m:oHXնf>L0?I8XUA)ғ`B(@( =jjA@P((2눸zQ 3{f{vV|>_NnMF*1&8xxot~ |NΌъXQuTY٭9.}|gWF>UVJoO&51/'&Tſ -NZ 4D#/C -+2TVkrRtLgve뢰%1Gz ;ryr)R~1)ܿ>YƪLa&KEļus->TC"{٘p#W7 ưnA:hO6zIw VzE':J 9U*%IeQ'Nt=h/L@ -TP![ ד`]tk 5]Rwҗ]&ok7BۣKq-IM79'LWBȎr0yL, -M1e?0Y~rD#CdUV&z 0_@]=hxVr⸁pD0`ƿޟ:esZdjJh*dAC1b)VO(P T{kn~x{oeFgC5='ݼios~)wC,D쏹k5t$9ǐ27zO17ml36E|blՋ6<ȕ~WNP0- 7HP5 #(^C}lgIqLO΅sd?8{ &`V`ǘ9f32g̠촋#:JR%n+Wq gC5(~/r!Z Ɯ% Ygf~,"/|&x6dtmGUnߣCnO6p`sY9P@ -HUY.B )RyLR7*71[hP),SOeNwen6sew,~^p\O;Cde.|-{2!aYb3V]5+ꊟJJMWӌV}(>o;6kb6ە/a+~*p<@k:> }Kې_|4kC:(r:k!T -5C^pZ>}w <H[_Hh \~:L:IvMQ" -ְD{P9Jڍrw2Iu|u &9+m8)@ g)kHE vȜ` dYTg;Av5&@ $$$6!)67,E*n8RA[EQ}k=ťӊ֭Uq3_ۙx;}srpig0 bɴA$ -ZH2E1ʴ JYec'6PT9I~(“Fp [83ؘǰ' hiCzu%icj&v&ON߃Ѓ`O B Jπ_.xzǂ6p0~b8A\4uxg3O>C|x\-,@0Yï {M;H3)W;=%wÔ/x0ȃ&|<BDd,H:τ(} Xict `)$- ?&^[?i >Th\H>D,Ku YB !2m@½V"i EknٓWB_ a5W\R'H#ݘZXc!F](#,2S֛CMʆd͔dpG#vg&W߉ڏux!px.S lH`8G!ք`gr{Qv4bgمD)t01&*4 _c3fE;v7{^u~%;4 sI\I>{7s~c -RV$4ePͦ24/-!E: >&ϵ|3So"j9O=w60G=/xߑI;vM +3 " D[1`@*&D3>+ߤL_$~YT|?V.z}nFs#b{=bwUywTyߥ7 Q> v&c a$7d;3,!7#ўL {g c NrPչ_Khȹ&v߅s1D <}Ip"Xˀ|ăs8Ép'4!ιtl2K %dsobɬ&?$3K/w)|*Ι=G :Pui㟈&LUw( dx CIb̀B R2 -{ƛ*WI5GneЌeJѢDNgN˽^w05@rp_Rhhɠj_Ȁ꘴?lww}Kop[b 
RH~6[EFVQlƯuNV+.Y*Ns:v(@Vo?,r=K%};;RC ˷W$VCؓ/M7&wУ(#Qo̩G06NX'3ZȖgaks&%C>_GT䷫I+&gRVRZfQ6Qmv>-"{9צU[^RZ*^Q$ސA.o9wGxS#VD5\j}\?!m,DPSO;!oQzR[3~:7SohUڻR]\Qo+/]%n.Y'k*ڤXUMYW0Y?U)aDm{gՕAP_&(TLf ֦CnAlMU``|wBmMIs2<;?n-_[])XSY/^],+oWԖ~*鏬(9]VrUQ.rՕT iiQohjl5M]_M:4:-p|澮PѶ[ZT.kzlXпBаliTW}" aQ(B @ؑm( ""PYdY(.Pjg: eLm 8ȢTEgǙ3=a>~s>9 -f?pfތ=!)B3&w7- :íT~!3߷1 ײ~\btqjZVWdx,ҬdX]~at,^}w:}.();x{Br%FeTA:']Hx uE:L8˄M|j2$Z%&EŹ;itK+L)(I:Z㟘75Qp|o~ ^BD&}8jh]π4\nAG byэWYoP|&lmM95qU;U.puVnTUy?? Ȫ=us5:r%j8Of.-lHa^ttz/Z}=b]Zfx;:ƞ͒G7(=:}B|BF:V7^:{Nx -۵W:?yO^T]ׇ^+F5);ǃѽAOﺴ4BU\ۘ{>ȔF|rT^^v=#}#mJ6'jEVH]r.;hHO2pl`)0?cWh-KjэcǚD&Zn*Q<ZG+2[2Q)'9O7^F;uߑ.> g_E̟d+?Āp{߆L3Npp~; ơwRL2,X -kmb>E !T*ք!>8^LI dlT,q*+N׶>~LW4Ӡg3s'|:Dx ꩻDa5`ɿ | 9_!(_SW"y֑vuc8aڽ԰ye=c\\tm2YYpO'-Ba -|P&(Pq%HђBW=iS `0F3 1 -Ә+{XY2kY|uS}.?@O߁2``Aa1 -5ZJTP+Л^4#h=up,08XKt0Ļ75LU$;x #0%uj}4d/K P@領F)AWJ) (t" EƖF;R!"Jh`8 AhyǵHsq'*.Zoω7r,ɖXD8(g?E,A660G \ QJ\ Y ?ψrȝ/j:YB(>\E t1QB0MƲ!Y 2Pͺ(EQK  gijoĨ;Kx,(RfBҜ0SD% ݂5%;_t߸Jkx(i ZG>b9 z }z3u< -qz:O|I~`V=.h` t "7N qQTM ֆAH$2Ī3l5c ~[>`-c5Sfe~ #Ɯ}Ƃٽ0L ƋBF cJjH}1@LIJQz#r߇zVM#ٳn'AF}xiۻnzЂL0X^W6!``U8ߐ4|3-5.!q1GQkG,7[޸VNa{rq&ՐΗB;_ y4F=֧#TX`̿6M{W"H7Bd]沼5_g.}ʎ{fk"f|*k1vWZ~޴b.#" t?>1>Kg O.Qx,ŀ^ `38xػ,|+>Iq峜DKm%8opks=}2f43J>}pIʡ^~3G 4@x{;W`2@_VBkcڝ"_!y٦9zw,;XýȒp>IdY>--\!BEݔjoBWhN(Ԏ}ɂWD+,z*2m;xBa"4hR~/C);ªțfc?]Y뫊]H[@Y1BVaߩSGB:j&Z4y/#g$H;$l61ױTW*H}$B%M\(/, - nOY xb - ;jp:DUʎ0\2ckY,ͦ&k\wUEbʊ:NFQ _r*(VP~[|(B0l5g>BU t]*щvutc%߱0Nkc,l 3R5n^Ԑb]P+uHd|&3e#30x=KvHU=ki;m_0ptn.>'n_Zm}W ->H[4@oƤ`GLspf=1Ze_LRs`6`a(nQ5 S≧3JӾU_zk;qolcoLc9a91 5Rk)C:{PWX\(nvW(hdDzs۵ DQ:8[3.O08ĵ}ݶYٶG1ֻ5]ƶD\"ΡKԼ -*/= 0"&\Bֿl!:!#ԑufq:': ;#;?:kXݵ&$F$W1h|~z=}?o ? n3b{˜XFӛ̊VsBs>)Kk ~ׅBy yV?Kv@x D? ŸBG0qLd0%c Mc{ xgu7v+{u+}u+5=Jp_A_F9\w`l7@0JttTa4F1ned8 Y8ebIeI 52@cs'?25P@` EԔP\ 1l1 l01LF>ba c/jwJRC,Hn!? 
۞ Fz0EYf&\TOal>/r* QD('UDE -尢O\\DEM‘0Qn ƹ28_BX=&P3] ^"°O,ߨ[VeJڤRUUG/Tgs⧪+⇪n}Sq[{jVwF@/eP`}\zi=u\Ԏc|p<˘VtS~U*~QV@do}v5uv^ͥQw5y2FkHWɕ(az{tGh.R0#3{g$inuD;nݽov%n=N7coK;bOIǶˮޖ]}$7,5ƣSk<:OQ0-mH8&dհd'dXdYIgs3e]~õ5NW7HL4\rA׭][ަm}^9U3~fݐ{S"6&d2:HF'6Q7t̓МЏyTbq~t[]͙i{iBέ\ΥM8t2&}w }q_GRJEϺ4tKGtfmL,+zwNq›NxLdnG*/ZN~I[rMuG5}qIK@H &8L 5! !!!!B-D~AumγMzvqwHEӒԫ|90;Fzx5OռQQBgC$kP|sKMgZ;> .=w$e@q<;eb6tU!ŕFQ=.Q#U"tGr VMN|D#2fo+) ;i Dokvpa2v\wz`Ys:P{qG2ˬ6d:jH343!ZHXi\:!$;D0ut [8?^|WA ,9ai;d8У;^rji&F7Q*Vnbh -CJdCJ,K!).R.>H_RT -DQ!5({AW ie$J/wwT_ZIqae-Q(w=|kXhރk}twKfWvzoUk%ƜyTe7J| EueTam5-hftd֌W RUXz͏eDL5;hϴ`!@[+{} =L۪_9w^ܧHr+pڸVwU9)ECi6P3&4l6m&lbB&fBdk*=[\?ޅ;`@Iv0ʾd Qџ\ЛvPԓ}-bnV>h0-<m[8u{\r#?Z_#3M/eȐoewbp8S-]YrNaUy,"_M|Tn'UԐZ\&MaSހׯT%=Oz{U z9gIO1!E41C׹z. 銌hԯ-iw {=k aC,CRDNئC -GgsYg./1n_nߘ7wϰ_d8"i46[4X\3 嵄 37%_A_Kn^ ,Pisc ?\tN B`hDSEoOu̐&ʡ'Q <8H1&FTȅ?G|&^(=7ت.Dv6ltvS!{lOVԆ!aP~`*ZpӄqtL:R͠LCsR|I_EuqӱKO,^&?u-Ñ#w6N/►*♺2jw*vEME4ʈhn -ҵПƃL##Z3p'S2'2h,ď,Q ;mu\ݾU{w+igaˣlnsۧ.eqhWD>F` }lAmstl6+Bx4sPzd\yʔŊBb5e Λ]7w+w_cmBKI"KPUvv4 t6L睦y 4,B8,pc7p5aFrD{̔=jG|Ŗ6\!uSiz)kN>*ve]]q+aMLtX*b72):F[\B:qP?Y@PU/bT5?F37Y-gUYv|cVtbYk25X2}ۗiӾ-K;4NҌA^6 ru КHW?w|98/#j8g> ̛fM -KeKr?R|Z9E5.fo/u$F!@n ulJA@5@XYE#.`ǕxZjUlF2Z;sng.8g>>&u)1$~*2~DV]Y$ILLl'bopk9@[D;W"!+H^૫QMmG3ӭ>ȵNSWV:u.NLVH:.K$Mr"91{b7P.8EC`{Jm]inTśXVʳmʲ Y咢LSAFK^z:kQ;kiZ2E]\PUnZV=CU`QJV$YNM.)g')v'(ds8]ٚ&3&I*`Fga4g˨}=@W:Eh[+WV(DVerی"ԒJiRqì5Mh'*o{DZŜb'z|K}jpvAH{WALl:O^UniCan4:vfGɖiY6I55تzv++ETuQOL9DU0DR/i?WS (l BԶ۠rW~>oJn -㬖u1D mRUjNaug}Pw5n|5s U3b7%zCt}v=7[*J5PjfqoEz S:BL6ψiO3ڐk6V*Y%]ֺ)s`7΁-Zòf&^l'~L !߽PvK'^e.=ӑ#Af'OЏl=R-4+Y֕mYdbkufM_Osak%[F~mf6zP(hU((H"y5E/_fm7A|oi=3zj,}{=e{g7>=f>yz LwoTy#@D rH!O.tȇe|5r B<x GhfL{'0yZLA8 c< -0~2$o򏁜a?O@ ([@z0F=7 30z ׋z9cQ- 7ö́1j5򄌑+)?W $ïK(ۍ(0` -2=1 |f Lmo08qLJ8 ƍcGg 0H YG6.Yc \#'+q/?dyTSWK¾!/@ Z*,ʾHHXHԸТH݊8mک^ENw~NrOqw¢)^/  (sHlCbh&M+_<8 xKKO>Nctf' HbGZdAC6=|Gwѽ8}|K ߑgcr?F>c!SMA\=iOcOg#SbH5|'.5ԘhZz%BSE]3QDtNSEWG-M1fO u?Ax}aM>nۓO_)S 'zRC*}I d+d[}̛~?$'7$XW<.z60s;pv*f} τp-#k -,IK`btV`Y.u˻w52U&߽6]n|ѳMF<My~ozIfC޿Ʀ76# 
uAmaG-Ƽ\%9Zy%FjM0=favo}OOՀ)c>׬>~?l\Ȃ aha߿~}'l_o0'([wb+`50@hlFcYqeF9 3Йۨ(֑p< u}ֽK{BVq -nn -+ogY^G-=w[k [?0^c_t-ě:aqFbe=-V؝՜vkNo o ;(61'ǖg;͑ض9 -|/=7SЅt>LCO!l/5ѓc;)մ31bGں=[n[cm\L_&X'\=* 1X쁭! Bwa0$Ѱѡ 1&T,ҨCh-Mfٚޔ$7'V94%6ҫVovZC,nKCQQ}܈.K]¸c]"0Iiq' AR :Jm(sEM^ğPи(Ƭ Ų\+gjm܂RZW#P BUQVW-Su=#*x!Tc' jLޤQ8' •\CT" RFM.P1ha, 1(6-+Id,[MQPSV -;ej׻ȵe=nRq4ew8],X\iP%28Z2 XNvQSK髂X& Z:\Q-Qg9(J+FuiWIcn(YS üIwypB{a4ܷ 7XFU7(oE42 ÍbrkS,klEV^UM*U.$W4 *\ݢXq04k 3!A4(ADqpU֩Z -X+ -8"8KlUk+.D:Zu}_Z?y}r?hL1+'Ǫ$;LZ_3~Pec^:A?iÖ8g~&h;+Wƒ&^I>7AR9{u{d*`}¬4=f15x/j\jѫ;|v G X{EwϔLmn5l%$ ݓWoy?8lJeҁ529ega:__qڋQq=C89NwnXۚ]2xuj8QgCls4و<+al܃?/ b, q=0DGcr504/"~}Ts{re.r,EvܜGD7H}zQI;q-ri9Ѩ }>mmV ⭱5^tWtSYNq̟Xbߢm_6*m管;k莿+gs' v}8 .B- 8Dz 6PF mmmmdۤ}hͮnyc!xP:շn+9 -d ;H΢l@@ѺEA0[TV%=вdKƠE4++JDuIU>%Kſ+ -T Oﳿ&3{_3[_ wE .R.uCKɗ"ۡrAWY E ] ombj/e?fSXhf? rh^U?mwfpػ>pbP٭P؋!vI/3xG@S` -j'hjXU5@¨#񥤆5kxk ^]zB/Hf,d~Љٖ@ˀO&|P:t^;5o -@] a\:$dwXNR]% -RJ:RpUu~ߜ%Hx]/dϦ{̽j  ~O9^D.Ue纍.O<Otc BTPwk`w%襸MtlVGKf#d<3#Kwa5,Ն!]jr}va2v7Ἰ}[S-.R\ -@!nӀ\!Cu~a/ZlEY`<7"{n\$n q͸Ah?J ŀ2EyuŹf)4S6b*B:Ul| 2ۚ0#Zŭ i4UT$wT9Si̴MuڴWUb*PԅJc~ 2W :b\Qq}nE%󖱢2YQjPYl:e^Ɯ>iNs8ar8.hvO820|aj|tmGF8BF"xY;ը&(n1PO|3Bq"zQt8/ǃKGhE2 jĪ}Eb'{c\jl!B!$K@$6Ibر@ 8X$vl'Y&vL=i&I:Mm433{y9^+b?uUL$L(8/~?b.JϤTJ> FI l -|,Ki #ޖ_LAYB e"dDG_ŞvQe sIZOKB/yȝK3kFJ0}n3уL̽{T -rr\9fW 9eAEEr5 z!֜l=+;ŝ\2S cr0GY)kXP!JEBlkdJ'+RRD.0ԓy 5LG aŸ!5Gh@h@DЯ$a!0\̜/񨻍(#AḦ́˚Ͱy 4iӥr)uQL6WlzUDQs=\,+ {xw/\: >ulG<>G~=<𞍄r98 z1iVIEזƌ3SZPJ\ܞx"Y|RԡZoS'&>Ij){|K !hQ< 0*A-3^d hE0cJ!MaCqG_NU{ʭ.m#۩mv4BfFԤYJh,]KNi~ɦ[ڴ߮%'7؇1wޭF0w]żcX[kN&U&VfG TF4nQZjFn5r]FЮk/'Yt6~5F_EO,g50_.|\}DW1y+Zu/iВFEtUG9*=QYhc5T4sm&Z@bbR&# -ӏJ!@xU&K>zpu6͘79o=Flc 61]ASF4[˩ -ʪnX;恸Jqʟp|&]ՇȗIz"CG/_p3u8mx 8لǚyRHG"^mQlFY]gTֵL}qq:46ZGHX#*qe_k%xa>}g6ּ::1wvw ҠMζm֖Ljn=LnhG; --Zeijg[nAYè>_b9Qe5^Rs|^b;Gxa}x&ּ+?1s [ܮhhw~{I6W*֕IvFVvǘ:˩ -zy{-ns[ -[gDdZ$E,,siJg|XHCBr<(ds r뀯hf'07!_R:WƊ2B_}(VM* 6U M Me0?;ϋgnse@@Ӏs%`-TMP^q7W;AT(ĉff>XxkU@c^_ c?\p/0Qz:Ue@+ n:ԤnZpC͐7݀3!/o)ca؉?DZڏCKswُM>0U﵀&Ѓ)yocܤQ}E.>o9G윸x~Q`:ϞWXx}ͼ{~⦆5i`M󞬉"CFQl`.~ <_ @]Q }Fi -ͦIٴ66*TL';1E;w<;A&W 
E8>UQ1=H?y,NxdJ<2uQ-R.iOeEBvWjz/+/ x=K{+~rK NX2Z*L-!Kel%]ϒ%#/X -|* -})v\UlSl}Mbc#?4esZ 4tU\q/Q]}IEcdOΔﰦ)[+ZW(7[sUͪ #s5oPtU]*60>kt&T Q?wQ=F*Nm %4N)h"/_WfWdkr6hvج o"nYo̠6ABmАc̿B$Q~<)p0EaWHiCxڰܰъ_({NV ^ -]dLk$d>=H(aAha^S}ZO#=vn4ݛjfWpj/s'Ϡ?FJ׀7GbCdr#H91Pf蛤^'Ygi3lz2 h8;8R}J_#6{܎~f췏l:lvژȉ醕1aRVtYFtbaʅ&-jiّ" )+G7Niq4%CrcG ;ғ=FYcP'pFnXoEF|O v"-6Q͠hfLΈIM=ߐe41zWCR[c@a [5{砚}>)8 -|`BV `)-,5!Z>ʔULM7]?1nݗbWq\>r{c ;ғm|/#Y.h=?goÌX<5/e GAkТ!#@ Az@TBt]OZa]-3umn~L _|?~i扫t$))2k89ǹ0ՒJT2k7gk[=LڃYSL^&3iH$%QS{ Krٻ>5`:d1UKkR$iAzc~97⚣[XVu'4i^ԛ4#uNpK J?sYIjeC?14LӱظP\!?kԜsr2\ VAZwmꔌ5I^Z Iz-Y/(bkی8(bq1;¬Ay¤c> xc&;b|G:1SYQ1#:As9|ҩw X=|}鄓2v q~ x́GO4=ˠ5½ -PBEE(z<(O=޷z]ɸ-w "N! t;< Ji7N}7PHI2$9CԿp;7qBƝIS0"@!tIeKo4pe" WX0/#tpL.#?o05w1cbzx;~~ 3 'MJpT,=/^`Q|9Y0y\t$o>r|O~|F!Dϵg/PdcE]cAnArKĂܑlX Y,?`/G|b‡hEE>{F)[6SDϣ̘.c x6o>&w -C}1<%ă=&YEyCp m49q42,&$ Ud=LZțNr qO?/ -z%qx:)$D-"d% d+APg?u1q -xk%w~AE?4tN"|G҉Xy8&>y;uvQ ?uR8ۃo>?pnA+r7Fx@qnT\9C41$[1jlf4h:Ӆ/u<;HT}Pem:X5$p 1$$"B"QmCToB -~ZC j]FҊ6\lU~\_qQBYOU"1J F* !zR}/&4w|kuWa\QƗ#.hVs|يs=1|Nw'#k"uqb  $?-2zp۸%Wb7;>ŹU8ӽz4Þ8ٳ'z^m8k:CO`kO]"_ǘ٧1-O$.E&꟏Q8ÑEOg`f_BfOr2lav lpxixm71Fd7w_AB> ' ]8\Q|L|4h9'6{6`ٮf:S-ڙLv.Yݤ]nnbkwrܺ!g5CV_>T-ÈG<&w銿6ZY=[|0,Ga_pҍ6 [tyجs0t%zmu:vMl*[/m[bJ,ѝ.ݒ6x,m!J? 
-O?$[FM|@380J]b^q!ވ,fM\2]WʶUqKiB}YHҤ_%o5OW̸񢔐O%RkL!jy{Io$('ClH&$%IfQmNpM$2BZ -P )Ҟs=n#ڌ2tŪh1hNMaf3sRNaC1,36 -K5e0j*` -G11E٫`Sg~+Ofz^b)K29sG1sӐc 7_k*ԘҐi:A/OL_LoWUPQ*L,Ch>rp:>iBzeE6l r1M4侍>'d[PJYҪ2 ܤW(6uy8ƓuE^W(6ҜN`g!XK- 5?OY=1#?ov` UyvΟ-R%(ZBe“LUQݭqZ>8,;9,?y™'ʝQxɷTd8GڳX@~*P`ڢQ3a6=$fb+ -rٲWZPėX}5 + .ka][׫m]NVM_jUTXE gܤ:![G-^]4:u&rDiי; ^Q%k}j_ooUwj,\ub3^wY Gr`C3}Qye1LȸfnowKlE~F/zGn)\)\*ܮ6,x2Js KtNRS*4~$'j+텒x|Q䋃7q2 t7畖Kr!Yw]Q{;TiޣTďQV"_ <3:S P4vNO~%npUFQ9FXҘlRir* J$?IRF*ErVe*IXPT!*E9!{:;)`Tҝui />aB0H1șldBLf(5\ZO N$I2Cp0]<^PU T$ -QSo&7h"i4L#UOs: {\?a0G!=p:c 066)a ~nL>\yTƟ3, -ʦ0 '-Dk$F5O465"eE 8Hpj%&*.TӨ(1> -&y{E -9^٬IθI&9]hBm^]u KY+ǢVwdX'!-'Y00g#YT:Gaf)r -/lV&TƜҘXe\*T%R=PC_7f1&yeVr dia=H>}BR8Ο,$}oɽX{c?&ؾc~RĬvywR@Դ`5GQk׋WI%0PCi4K+MA/@t Cc4b嘆HG;rX/usRغv)XHk}/q ;z8x@Mi3_pz"©G3*ViDhe -B*"r8*Ǣk$T͆U[U}VRS0\$1θلyY&7Vlc<.=c6$z =08WO] Թԩy$&ߓBwp_F;~v[.vB-ӎxJd"%"SB ԩN 5j{q|˿C?N?D_/b"Od -fRg>u p6Q)\s;SU[whWp}+\D ZBӅ9 H^!M?Ө3m&SǎXC56sjnݸX|8%:Uj- @oX ^zXHo2L77Z3X Ȧ -󸮥F5*phf,Nc'Y@*o1zuAS;hvcGbl ^;CQ T6`sQl -n?Jp!! "',Y<8}hHBmcj"G:rĦ lZDB4zT픊51n(T{GUHOic{WT^o}kd4hg7Pih2X8 PbxņiuBT#'Ib9/a2a"axFq-ENcEv:Y=k=ן@|U߶^pĦXcBIXcզQ74QZek!0}$-3-rPe*S,1mU,65*N*$Pf)盅"JCơqs5>}{`%v,iȵ2j/e[&IK-Ŗ兖 y%[a)-%yjťeyޙ{D K] qDpFf`fD -5.Kq-5zXTkĜ4mz5m<96ij4Iۓd1w= |zemA6G#ulI1kLslJFɄU&3-X,VUZMI[a(wcm<+1Vl y+6"SH"?7wg:xuH?6#<MXmE%4X2EZ -S,7{2 -ۼZ[b~^*6o]BeKa?LK^Ze}%s4kahEI٦*t۲mPj+KlbͫqֵRul:lsm/ԬkCzu]˸9Dq-빮l-#QW -eʔ$#JLHY"8Xr]+~)W$/U~Q)ʅpEy'<[!܃Yż1t7|ۊQBRu&T@j:\L5IRԀXݭRYVxO^YՐLܢߗuJ@o/K} J#Pdc:9pHG#KPX&.q5َ,Gjo2;uq.,q3l>P/^0GO4l^\NGV G3 -w><\$丌X]9bCJLWcqҦ6H&gltҥ^եOuo4gH꣰+y|'{X[rzTB^i$1qO➉ŞdyRaX,|!S$.TFO&ͽNkpoRrFIII>KB^ޠgS@-H zdW BVHX+' ; <)XTeʆUVU(ebNL,n{OKqޫ)ڸʐ6'.S8\>84ʕ] \n ~OFo }HYSs >Ź͚پSX[hbBڟ8tf`5 |?` 4HnX< S1?$0o.f0fi8Ycc 1Qu@fύC PD3I&s[1efƌhLoiqڪ3fL ((@Lс<؈ =x*)`|W ~KwQ{s+=o^[6 Q1LLjۢ0m,&MSX<`*30`1FkZن;aX"FԎG=a֐Qe۩BFT'%`^ v>ۣ0} ڣ1}t'i;w,ǠF ؂ h?[?CAzdݛX'$b_f1G Dqrº+RW,] Lz?]  |d8paD8vs 0CK77[7E. 
̹3_oI}^3vi=EWGA a:-Dr:0 3G_l]BG>Z{#=`7ԧ__ DQԾI@!j{r aCя =aOpaȞߓ{G{]E Ybj٬5{#|Dc1=GO>g`|C x/y=dO4 rjbE 20*;o!"\>'ug_KH2kDT} ** EZnnhYDQA@B"2bM01rRV&NRV8ff\*5qܢo~T{=缤O~ld!Hu'3enDٍ^ӉYDdd"d3AvtS"oq?xW?" ~ 1 1tKlF3`'5ڨqssg#>mj O9z<&ȿ?eg7N&qdOT@EꬤF5j8s#5P{8g;V!}i_2:2G;C5ķQĝL%_AԌ3sӨCBjF%5jH-_'QB//} Moq~$7 /DÁc 9}r]*|=c\| urQDUԨF-5>V9wd4o鋫˴wi0Z"6;ٙ0eG'\;kBq5JN&gͣp y]U -Dh9YВSG|kwqlCyeÆo$O^17x Ұ,\p9bu,ǙU85|z6S 9G#qGF^Qߠ1] sh!ȓx吻|!+ȍpy~.)DpM1lt-C[ :jtmD6toO$xm}qoc<6WL7OfRߛ70L.Ot%wW􎝆|=^ }`M.Ůk:-ScJ O9Sylv M=D+4xB y4O3 : -]&s6L*gsf2ϴaR4{bW*UY[Q?kP7S+}]s_\uS^})ZO.;v{{bs%}4h1' >VlDoj|P[*BoηUX3P>G\=X6rޏb|Y,yP<\{-]~tS\ `*aRJ=ʔXLAҎ"eBY$,W ˔br+-]--YtI#e?!,CG߈.10vƲ1-Zָ. Uc6C}PUT:(PLy!E_H^X -1cx@k[Hb[fB+:q#1&.헥{Rh2q<3I+s#kvxa>Y=DlvBP&-~,"d%ĞXVjI 5bԴc1ZiCvZ3\o1\r{y{lb>Kz 4&Vq.]#4"!RhX0&>'dӀ~M}̽5G%]3G%>4G%VhdeT>` - 38E<gTJ&;iHbR48%LSh@jT6Q}Ҧ+:mҲ+3m),)tUShShdArCc#˰ Jsz2gکOzguStV_ٱ -ώS -˙МSPE9kS+c͹,2L/RXݲ|އB}0 f8*]A -, V@a Zƨe|,3mIU7"ue<-\GacFgWA+%r:!-;klql}Q3dcMW2UP -#[yL@^RE7_W?7Hq؃R)`+5okTg/S |!adg,@PՑXuw\ xº2s/)kS -܍>iޖloaHa1~R=Ci}_CP o,^Ç<OXI-A GhFoz<^ÒsdwT2GvNI8Eag0?:Ǚg -hrM@-H| -/:'֣?<ŕldllj֟%hMFg&9GEq\#dG(+t|+e`؛=vEHrsh@:st4CjQNFi-9c֋]DNg:ЙCGaoA:N:K(gJm5b>i-mP՝ U|ǴUl';cWC(NzM=~WO2|u{7W ?w1ԄZY?T}40VEq*  zM f*7h+;8WYEYy!GsC+-)%)a_ڸŵ7+x(0fl#Yik͊P- %,@=# ^+eOiJWZxR#2Q>_ -h- ZE%Hy!@$ $BТmN!Zҭ͵{3nu;֞vNZ!~>Ͻ`͊O= S&',V iw$uLs0^5K>[R)G{Z -6g-=Xaڌ -pŸQ ?|mX -o^:"YDX\f!U<ຒX`d?|lΞH)EkӰ:;9:rLh)GCN9u]Q-\ʰQjIY̡TP/*IT80Tf?گ>8b팣E5yhV-O j Q`e<y [v&*w _4#2]Y&H4cO79rZM;렂Ʊ _39j&c6.N:tpQæ_/'EYQZ' ̆wd%["G+ ?Xu ;i& }60(Ӱ9lT4 -a+,ƕ(5`1h(.z^ɊLC2iTVh#HEc[LyB~'Z$[s8ܦIpf -bLa5eXX0QRBq*[`4(0zOd:yc/"ɴfIJG=L+s3Y&Pa0JR si:K0PTf̊ʽЗ?]yX}"z\loTBe(me-rA/{"z`-]c,Mb{,KQhO|+UA[YJ*WC][:l1pYUD+~g9 ۀ}M.G}\fN*KqC0TGB_]"hj!&y5*P9P:+ZlW3 tu WH=*gDjUO!wIBFs/QwZǀ'Ɇ5y0(Ȑ_{8CAGL V;V߈Vx2oR/#{Z$y HDGqKU(=C$ s[*e^ Oo*2}QHGZ"țRڔM*,o6`YUHj"ѿK['?m$4CB$!s;ڹ'Zg[#cR3 Hi@R$bi,i]G[Xܪ ;u Fl 11man% ¼"EB̺1q}~ux@s `3]9 ;v#%L-[Jpmcr60%&^JI$"|HL8x˥^ȩI @@ \*""^b2T@W=j>gmt]36v[NvݦsT|?D~;K NH#H3i#ϑm%1|I1G,Cy|G3y~g_2)ѐ,O"ƯgFCldbOajWL#>[_0o69aOƒ #5 
&$dP/:jTι_72~w1N.~vp:kߤ0ڍ>$%qαRgrragaoj^ԓ24jZ}\ q>)tvpgp//^_ğYopjG708=]O͙xԓ3I<87+]Jjbf@FRcn)C\vV{k4Wy? C~9wyD)B8%3/ DQU^jM]c:ut='ye&I-`SGch"x^Qy1H}^Y:9?"56qj66LubTZGKB<kW)hVub]X1eG;Kf ?6I:E1g ~s7ڧmFeV -5f4`Up>V.X6!QҌ%!X50<_EugxG|Lw -d*g> Iǚl)X>#"BTGP\,SEsajTϭCFTmCyTG@Y̋ Qo -O}؂ձ!|u iKd煕Q~X=u1cQl2jPkDe qN̏,Q⟠Hn (D -•>.SL >{Hh%kS'F$ $Ơ\*C4 z$d(OB܉(L\|2dp:F87`O9Ia0x'29gIigk譞>'B>e`H![BIFlp&9H*F^r%K))w"KyUȢ(S`n:ظv``볎>VG-}+Ǣ$t(#R#O -J٪\Rݰ#+F¤QsDyUd _Ads6x:ْ>(}T"O -:X5)hĄLm6KaLAn6tۑ? HcNAF?V'.w/Zd=F.V}0,9ԋa+`ԧ!Ð -}Bk\q=LH5|Q4@A4 " F'Aj?xK1#MQ2gLdL3a Yt -ZL ԙyH!RU2d"9k^>d{|~y0Bc{?wp$(^ J5ři h!Pۢf"Ֆ UlRHqCSyRHoԾsGBl$va3#{/u+9Tq/𹼜<\z1:EPyCYH΋D# -rGd $:m:!qAEk-b]g|A#% 9i?wQ{">9*VK!G%=B$A ;y @TQ `NQ#"7#xŠO!m9B!H@+9Κ~/;9_ -4s]QQXWeueߑE=-fQ(̸ `T 0q8QU bզAlVMM`L6{bCRc4how{ xmcb-fJM`PW`ŘՔhSE(4\ldZR[_yE`oجloCkiYΧ6B}3UXO|)uF(6VvЫ -dά<Ȇ3D$ͭlJabWS2mzAWڄf_0'xni]' )vba'luPC!d|R[Yp156v)40wIwvjQ:jXG .@Z.Z}-Kbna14,ttN_tb\KK34@ o/uahj!j6pENc$\bq'-%r?= kgY,zA&Z@q.IX4iÁ=9]lix3o'3#MF{- ~FK.wuNĐv>Q@$M1p2 u1(}\4׸7qț|m‘3}ldIƿ>_{[4Ү)yWP(]%| [6]?>FC#c61qF./l~ `0)`(bJzآ~d|isY;}/\pedZ AwH0Ŵ}k1˰_}- :55u]|gu N|OCx̹7T} c ضa{.0.S0I v͏C8 Zנ"ZIJa/`߈"ih~1/Ƕ \M?Ч<~b*-a8k7刦NƠABc")}gcfcߪ^N*ȎSD2P-T+nKK_ϡ1L4ʓIg#?EhXrc;YvO^Ö}51%;JUhi#:cFg1v՜\; keҧ.]:6k 8qW:Dy{+ePvw9] ƧimZqGiV9hsV8s\ -eJ]*TNuA2_T=z6k\FXᷔaw͆SUnZ=̣U9R%3EiI *4,\JhX|~C9>5fSvVfspN_FъpuQ7N :sh@ h;3bʹvK| ]9ʎ UVd21fF ֌=Vi)=MSf)kRb5)\c7+9Zh|qݚy};`sآ#;EXojz\kj|MV*%~&unS5Qr5.at_7W=hTbF&6jdѳm/uT@T@S2 0 ]`H䲨1 `y ^K$Zf*hY)=Zֶɶv:k%ִܓ?>y}}˚ƎL}%q4bb\9\0 -_EUG$+7ª\eGڔYQ5ʌ5EJTjl,5?NܛEra #NJ + q-z -)?zrX͎1*#&U,*-ήԸjYR)JNإ2%Șx~)S'FNm[q88GE9^2LTaJ3D)Ր KB JI,Pr\%ͪiV'4˸Q2ː.;?^b911AaaV٦0QG%#dɔ$cRf%*1D ɏȐRfřE[*| w)<@75؇~gא2jSHdd8̓d4*yS~NC@SKoޖt/*zXlȤ,bI&XP,cR4QE -*(M+NTV) -M-Ճ%4CJɧ䔼K>yC6&35‹JzYQ΅Zz-X҉oya+>J+)5I0=hD{&3SV$_VqOjlyʳ<˳:8e ,\~Zʹ4\SHl2y1!P&JOոJ? 
HyU%ʳ*UcQe{"n[FVKիUF.wZVmhȠF΅ǩzr@LI1Z(7T:B(GFe遺 : ;лX_mQg?ߎI~%g#=Rb|J cʥUÛйM\\k1>$mIgiໝSQ;vMG'$]0P`C@uQN w+ -}|7[ًO -FwJ]#y‘PRa#> eԥ8 t4v71qzjiW|?-/҃ -܏WO1xNA^SIAN$'gR,Yhmy׵u/`ͅ35b%Ұ>Z ҅\Opn!p8>c"5ec,ýKKf+ų`ߐoO!|z-Kp\uCѫ 7RnWosܦHv;; PeP hfh(MEyEևb7:󺮢gKp>5HCax$q`\,?Yu !yaMZ`{!`{9)E h̏Qh;:.iofp^'Ѻ7/}J3G~1`9U~ YKm@k6Ӣ?ڵzGOѺѩlS$8AQn<r_ w_pYX;|r"𓈏4-"el -ֱc X:V;؎t^*ׅ5h 9$ V,a߆};plՐZ| -]ɳ|kyF;lݘ؀m@an_L b -M&kk^5SWUv6ҤjTiViӤݴnUNC}>}}.Wy%z"Y/_{Ob> -ۻ3>wiJ>EOOUE79𓣛}!\+q~F6e;K 0"WҽMyޑ`HRsxx/Yڱ8]c~9Xze TtOҢQB|c29wxz8-RLSγhqyi'Ooi=lff1s c`4!F?јop4Vc:Wy,=|`oŔ>1 D`1*u`6ƎjLza"ΏnhF0pC LÒ{_CI"%M{MlbdK II%LTc,QcI%:0,APڀ!i H;0 EldcdsI^EwUtmDG{+3wLYfV 37C;1"##) /ՆCГք6tw`z?:GϘ2іyYwz ^ω?9B x6`uKlfiq'L) (R‚@v9NgѦUGޜ!4LE4?-xo s@Ïy uQD\, Nݿ{xmtMc[:oCxhdj2q@FV Z' -ܨ-ZKg1TΡRav+(7~@N<_&-7p%~X Rud h,LGz}jTpp2Ԣ؄ -c;E즣(3@y6uX-/>K%"Y=r`wps:T:&9&*Mp a7Qn.CŅRKlm$iXga]GQ"}opKcm*q-$ RG7u2VP֊&E&.wm  li&IX9㡭BS5uv۠T!ӆ^(Fp -Ho"!R䳈=%.p$[;xuwIE덂99r(ݬ«CׂL:|Hu!7 yI$lBr ҖHlI-_Y̷۴?77s, ijڥZ Qn Y8H!ůܟd2pAф;! !3 OqF_|g|AfY㼓#VA}FK=J} io{eD$ - B - -D !L`0!J{e7#bɽ6ɼ0Xa,L|qzJ] PSSm$;8D'!b8 --,FI> d0 1y7ȹf{5"Iq[\9 N98|_%~ / .) ._\Z!,8 ]u'0B(5wN FO3朜>dPg\Ҥ}jCtrt\\ȯkK8D??8{=<<wrx\O &5y vh}q- t=! P Fj0ؔf/TdV [=v]Ku_}K7펝ץc+ XASZQvg+tB-l7?ckncgX>Ntho+|+{n* ^k踂?t\B{lum29wtt"w71pyG\Vx塿ۏa -]x: k %^i optDoq>!;p(cv;i w|-88,~>^rlWaد@Z=ZAXf8Z_m&:-D`kwp~ >szK?"'f)X~vcN^F[4Eт&tl2!'*,42"^q6Q{rר_\1a#bP Gcᨆc2pӜ.E(>;Fvf|¤n 3a#<H#8 --F"t)rkKwմZ)eZTmjKU}*{lVEσF]W=x2undy>уnOun5W&h{j3T힫qCU1Bc=U9^= y.RJxh~Km**qtS>TgYB*ݨ|V {Sy+0w^s6|;:rT -?Oj_J#5ߤb*ꛪa}sTw+?\Co50hv++2*3䞲B#u jv}L$7TA* 2 (F588CB)7P9!_) t21RJq%ڕP -xwۜC^_IqD7g C"De(#<[JԈ -DNRRl٣Zw}L֘Kp(щCp`<9k6d>FBr<̨~J2(-*F)QJ+):C ׀r%j"ǭٴ]&gzWq2}61dZʧyo":*1CБTCd3F*'k\T%b.TLje΁kJJ%QC|`jK0~a||}XzfXd/,`0oJfJj_5 TE -WQ%+@3T.¤Vބ;@_Kڕ|VKH F7D`aLr_hvȣ<ȣ<iFF6wh es-**12eXI3b3Ism2Q"@zcn^NVN$)I&O/\T ypײ ~ h -x Nw 8 ^o7h:9ϚQL3xm\|pZ+>V4X9np 9 -%pb]79E|Fk.=tqߣp_ ~ @z! 
8d -%8b&qO, 7G;[s}F7}#8>oDX׏xobE.!}F'W\G8?#} -y 7{//x8xB/?xxd!]ʥ?8 -Jqq`2ϓ9cʚv鷈uXi<^^G~_['228}@-1/i z]@"b#v91::f)d̲%8 )=`A}`7x#vL*%x[fEA>Nlb=Ӊe2į~xVav];aA-63ڧamFnf:iyZG1cW6!~>gbE,C %F3QVXn8ױwl=>t 3mIB6wh=X)p1b8{V e5YЕ(އq#%Y/>`ݍ.F($ p< -G - 68jȣZӴ<G UJ\ #J7á{6h^b{?v[!{8v -!J$D @2-Dʂ xPW`k,@9GY?[ԟ0G^m8rК.5~a_\0A O:YT W*N.gd m$VM{Mn+rޓ+}GXo|/DA]U9fy;kfTW5-hr,lSNCݚ;d\%X mh#aǕ~Iww[~8:ZڲE7*HFyb=41\ T3f(8NYɲGNWfd2"+Y&YMj:.,/>R+цhkknтҖQ|k9T(ƛm,S/My2̣d3[n\F)%fĬШW#^wh 8ӂ%mhY y>̠NSikTF.+_l# 0 3ΰl -(0.D4Dwq;hc9&٬i&VLlkXSi&=iZcܲUt=}kPqQE! 0ԩ,+7lFSNx1WUJ3nUK)rF7r+%.^nrn-d߂Y?=N#_<&0ҧzs+&OQA1#RVg&),3]Y -*հI2dPp<(0C9?(8/<39AM֪lTi&Sy?;pMgq$*rkPHnȐP`~˿̖qHA>+#C *B ܼg9G0s%\*(EYX'btTP%b_qq-OI,WWҍ1 %gحNՠ:iV4x i|U<}/!㤀A+ Р2|ˌ)h`yr\rYX -0嘵rCƠSW.jB豉4/Ɩd%ӛ BM -0wE=\.BD."c'1!Mdb61;-s8KpG`O+yɇK*a@ȡ3$x \ \5\t5\@5д!`u+-M_M;"88Lum6{&P\ U jbibh[6ҋP@/DG=lyC2D-\X:` -XX G} 35ã9p5XᲈXĢ.$ml||<[\ -nm 5ʡ]ֱ@!H]/Y@ & -VxҏVx£%RZq.|j&UL+q4+ZOX9HfF$|6K[w+(݋ < d۹xvzю(8r965]@:r;zgAK2>Ab{婋t} A===uh $߽V3u"o%9KɓFbvI9V#= u̐ǜc@E?eb(Ea.^zCU>_Z>QA\%!Կ_p55AGy1~ [/ g?>q&8Ǣ%Yzq]9@"g 57<Ǽ=f/΀w9Q|P5Xr*.S 8yP  q-M\׸p@E~_).: x~B>G"QUmpA0ҷx̯5c=U K+<.$;?1?R>@k?eέx -^?ni 53|5ezqA#_L -^.{8 3w𗿂8#=C=:n$2y?t,Y?8VrEr?أ8G:rXD^]M2m~A馲.= ݠ&救GZq+YȑLLV8DDRKX%_"6cvv'iP6Դl_+u:~G-rE.9ϢB1į DWc Ğ2 YNy: ߰Z_j%yWx=19v-{E'{Cf$Ilq1 BjrԑdkL76`0`n&&`CbH'@B(HB[Fi.K@%Ye (mfi6AZN]5mӺ}m6MӦM۪}ؤjڥ4G.S =z?y99『w f 8$7el{W('ߡܿ$xqÖ8 1Ua#f<ߦg3q;cX5#Df= MSw)h5졅p$v1iL.x -8K)gYBDim` $]v>NK<n'2LY%u )tY='e*\v/q~J M5+ɢmIښQ{rڒ˵9%M)aES՜USj61m"Z~D XR(j ?R/1~ -b:m:r"8+GS IږVQQU6`(VBZ7֫޸Qu6Mݪ5Ri3)yNU -VUX>T3SKH'bCطEȓ&K"L3TgU\Z_5ZjUm(hک_Qgͪ,mUb{Sg;>S#{Lo&Yg{(C$;I!Qk,ekͭ*[*m媰W^2GJ[SI39OQsWޜw6 %33IcuKZ~vlF9{IW3SNʜ.*8'"WH>涩 Gyv?ʬQ5` Q)-[J&RVj0vƟ^Dw;X҃][K> 'dMSfI,kr@ ʨVz(PRB=J -)1N0uR;HfbM ~f/w_ዾKax e"'q!a$|:xĞqbMG#a{i{sp mx AY2`͐ѐb: }0q8k]A(nbL4n"LvLavL"&i0bK4A<&?åC){1ǎJw ցJ9>c;cܘɋ9.?7FҳB_Hx| -:;_ U:G;0\|Hv,bb,R(2 $y{8G^~;?oسEi㗩WH*_%p p Ǎ' 67%X,e -2X&8ҫ>_{Ŵna"r܄*_a |n]M>gVcB~PW -Iʊt9c/ggTW6\ۏ_ݛ¸oo=^I/G!R6\{tƟ6%inmzK4IIKKEZ.E\1AAȠ ás)`e2q2&sӝYiOs~/<Yz,GG>ۇ;h -{mf5*c?,ks51#ꋚ 
b԰>_8?@}^Gnx7u6v̀/b@2(CAw6ڦq-gҿu7g8?R<7{{BGeER?.jK?wvT=:uч踂89,C%tz gz@{཮kz _>/߈M_p귪һܷtɜGG8qyqa6WqR6K'Hz0v]_p|ܟ>ݛ,::)tGsc88#8Zܬ}d/ _R@m!B#_y \b3e'"֯MzGek=:Bt5JR=pt±nѽ(\Sݰt*O.r?b̘C"f'Q~mmIG<4vPAo ɠy#ynsmEo - 8,OUB$P]*,Od_ 2\G{?vX-s^tSsd+\x -)c:h_P -~/k$?fOyF>OqmrѺ!.sSc>;\䱧"p᪇pMdptvZf^w@dG\ȝ --a4uAL&cjHָA9ʂ͞*P}LHuª4Z59_'`K0\RE-U$Fp+mw_ղqlI&&cqjHNQ8:CjU`b+4$JUI -$5ȗ4VH%oUqOxBwU`BSDEOƮGm%#P1i(bPɨ!Ft94y4T*Rjܤbs -*HW5r[)\ʱ\zD $#F#ϯw泥8!7#kȍߚ -YJ-*RBK -UX):Jn[rm3/T}RcxGi3-»[1nŌsJnFS'R*U`cO۞<{r%r9|I );AY㕙>MNgҝ+*{^2^5MlkH=Sl-~@ Fy24+iSө̌\P -93*=+4L={l]< K7#L_O̔zvx75RxeXՅ|vꤖz P#6(e3Ǣ49\#L*Yek.{LddHO*sLIs#>|o #c`;3 mcHrSCn|Ĥ* Y|vY -ke,K)EmJ.+x U\Qy|;rȻ chiCG3#t27^RL%VJe,u) % VRYH 2*ۡXxK^n"/˴2K-pg]9]m jF_-CF2֓b$&@>*-JLx_b}^ SH~gCcc ~cUEp>4q*=NsaXFh11+)`bA MhPi`0MA C?Vj)x6{LzӐأVBV7q7 $K%l\xa0t\x ǸcBHuhcC걓zCON0yy@0"dF\1RkRivHMdM4pġӄ&45GoLLk.Khhh k\ni)![ 9<h#;?;: 6+Xy#tp 30hs1 ; 9tG7&4nrхU]Gy,AUEpܳ:^J<a<2h6ƺ gGI'M/uE賏FG.Y'ṿ; 1pa0p{Lߐ {%W@Ca!WқO c *r1@_RqpfLtLRl`ut^o$6hVӐq -8.sfp>rFqخR+_W.0Y āt0Rοgjs;pH}A#GGs"^@ aG>|Tp!X4T |pƲ~kg88K8G<N]zS'u/ >z:=E;N*ңn<7U#` :._ORܠԍp/h=k!G!^7YJgz\hDt*bn 6^ 489x,؋h2GM>:p6Nv4#ԥY EfUR0we mXu8# teDt2!Ue/Z"\B.j(fmV]O{ jȭ7\~t \χc9)2xYŮC-Z@泳R\ ,F}9(48ĵ5xW:EiU5YJϨ.&j$ -n1 BxS(fYjC(i>'{ogG;k}+l$n9C5rxxK;\p%'/\p k4\5hr#{#PN. -idgqedY1@3zMaL$?r2C&X5>ȡ1A.%jTPFgiD a!w+'tCV:7)5C)O( 1|!OwDt.Xm)1PANO!ǁ紆*dT^Ur .eGxGRZySbdSd{< =ZQ1]!2YQ,jLN\r,rNi 9~LSeLȄ*W*,qB=9  -NUHO]pwL,Xߕ|VLl)f9#'CNPEyLxl2{2yeLJUD0(-U3Ui0v|:ɮL1v -ͥB+tr)D]᥊y -ݸ~0)\*ָɽû{Xfmհ2V|ߵ=růĔTMT۩jEZWj^vqq*B˄ΆKZ[µo5c[_U`8,G bK^2ٓ:hh5i|1/jZVXA>ך_,N7Ѧ _\[=_iu`xD@yy_2%ʹx>r؏{Թr`jf>+Te$9 `cU: I ~%ٱ/袁/h _s)qqlK3[j ML_>7\;ֲc4QkTT((kx[w -ሕKk4U@{.J1P╢4 ŗqE`ƎUn\ɼEi]l'${.yǵ1Ja} !Ϛ:mfG3m4I3]4E35q^'$;i츎[u r@ -1T<ȸѹm a-߉MKvǀz(j-|BL9~3p.Q3 xԭGn߶dN;|ܛ}6'Ѷ$3'qR<%&4S|qJ~DzR>ދx/9f |ʸ'yj= kâٱ ]0!,ڣp~ӳq0rN<Qٗc;ޥ`|<\^\e>PF<?WOcq|xiorM_a{ u| =&RK忚6W$dv}*1?X߶i{#_\Y3Nmc} 6>|d)];__/9Գ -3%OlOI' 3d,mB=E;bW8{; -,g_^U*IltBtl x( $/g :{'iv6l`gv;8hûCQO)͠s'I=. 
\x)9)#+yJ9ۉxs'5ۆ Tx>)3tSI/ WB)t~-vk~ƻFvNZMsEp]z>Dk;ddI8,ybi|ENbWVf{crVրco5(Xe1/sSG j+GYvꎣ7b%8pTȊ*J3LJY–ٲ_h9 -ukTz.?.7i<%oD,!`R8\)`. .jȥHB@H1%폎@TXb/&f:.cK4#1wsb=8|LfҖxxCCxt $2N(mt 5&j0T?CpmG2aEh9K(U/0q&{@AkX = =Y&zfͺ uЭ>HV^iPfPwމЋlxH9,4ٲ5f` ,x808!qM٠)]I l"10BTI##P$Ccba܍2Sc5#&F&G;Τ-gҖH#D >[3F5b( Ab${izз9&l^}p"F;b2!{asE -D&x#8j$,byb!p,dLY]ّ!1CHlp\q .U%NLH-Rdch -^@D3Hvgxq|Dp*жhcHu}67jʌ -?R#3I3< PS,> ؞Eq\=-R'6;9IAzɆٜI6|XdA,@W־+Y?[ړC iBF-(ӊ -A[(oq@j ȡ^s8j$,AE$h~?Xhڊ>ǁ-•a0|!St+R)5D@*zmahCFnlV7qm͐pnyQњ+{O#Ok R>5y]Nbs0 ;P^84~EJcil)%dtUY#Wq€rFtGz](9dj_8`]భKJ7HKwsؗ1TT..(rۮѵ}4f>z{ϟࣵLAϻsƌzfzkfL(քC ~h?j}CJ3E%/c_TVJ*pT_xEy\_^Hڨ;Wi YA"ҭ[l!Iv^يR9$Vd2nqy>=/<y;s+Nw $ ӟmWy0\*c<0gלuN@B! +G[Yu?R|^rrH/坑,~$K]Kn`l=Z5[7q|gUnr"~F8ߛ-cY đ\ೖ-K1Es)`[>zyH]PF(볫ܤ;dqFV Lk-zPߔJK{wWy~P'C8d,ߴ. :J@7 dzqF@` V" 6X ##  ZeWŔԃN~a~qfu#E".lйy.?Xϊ ;m HK=`(tu4G!gn_:^!B@zhCLZ8l$@ -+ @ e!OAx C8~ⷎNs]=/I֣3ѡM*{q6ljK~!}9Ym!!_7Hlް(Qppj`0GXs,D`+/xGF@ҚSШ -s=t##URuMT?|zq+[:sMnִ䂹33o\P7.B *OEtO1o,N4GO\ٞ~pc݌)GR0XQAl(f4 M)h@<׹L"]NJYsr,'%hݹv - ݆/U)|JnPW -x kFEQ`0|=t[ 1x}fpc3A&ŽpJ ~ 7%1,۰PRND,^HU0uf>7웻ñ]zQZVq6 S d`0XA#GVJ[(9 -RWvHo^0x3 bx -p`+gQ(^1ױ>9ږ騬*^x#qb ,Y2aHwcVMOb/f=-ȁ/} - `=瀾}k) -4`" C!)p3:mu@XoQv ngn3w:s+*qBV- M$NreO{}v R` 83JyMO4)XZGyQj{DM {_πY ̸Ӻ|)weUefᨈ.A]]dciI~\w<8/t Pg+e >*7E`S# 3\GHpχHn aKS[K 5uk;mɶcVރ iEHD_+߾U\'9GVXJ¬9M<~̨փI+qijL9%A0pcF"((`77Q#'q h[:-H,n#*Z_YXO -=Vy!pLYzY*K;x2}{"w7er"Iw:GSy\V[<6'Rչn%:溬'5mDtbZL\&$ -ܾ~vן{}߻<%E&gINDHJ"NƄdD] Q!c@ -d *>7 8PW% \ h`3^l:93cM|;egA :܂8XJ[7XI|0|N7w[{EkvcJȬi%J-Q#u|FBѵ<~ԠVTw|_JvV{J,͓ɯ)l/` R|Vxfm 96pL1c3Y0ߜ,/NP[@Qt+eKTe9ۏ-p -Ȯ|BpW$ %IHO޿y:~0?_(gD,rE}KcШ+)J_*=I,?!4l=Å[Pծ=Ğ [ }g OZO$o!xL=5dbBC) Oմ>RIr\r"#;@V2[kclzi5a#*Xm?;62.#:ĉ֙Li_8L+ -endstream endobj 265 0 obj <> endobj 293 0 obj <> endobj 294 0 obj <>stream -%!PS-Adobe-3.0 -%%Creator: Adobe Illustrator(R) 17.0 -%%AI8_CreatorVersion: 22.1.0 -%%For: (Patti Short) () -%%Title: (load-any-start-page-let-users-make-changes.ai) -%%CreationDate: 7/22/2018 3:12 PM -%%Canvassize: 16383 -%%BoundingBox: 24 -1106 746 -47 
-%%HiResBoundingBox: 24.4402151107743 -1105.55978488922 745.475070788551 -47.4402151107788 -%%DocumentProcessColors: Cyan Magenta Yellow Black -%AI5_FileFormat 13.0 -%AI12_BuildNumber: 312 -%AI3_ColorUsage: Color -%AI7_ImageSettings: 0 -%%DocumentCustomColors: (ms-blue-dark) -%%RGBCustomColor: 0 0.470588237047195 0.843137264251709 (ms-blue-dark) -%%CMYKProcessColor: 0.741359531879425 0.674891233444214 0.66359955072403 0.859128654003143 (R=10 G=10 B=10) -%%+ 1 1 1 1 ([Registration]) -%AI3_Cropmarks: 24.9999999999955 -1105 744.915285899329 -48 -%AI3_TemplateBox: 396.5 -612.5 396.5 -612.5 -%AI3_TileBox: 90.9576429496628 -960.5 678.957642949663 -192.5 -%AI3_DocumentPreview: None -%AI5_ArtSize: 14400 14400 -%AI5_RulerUnits: 0 -%AI9_ColorModel: 2 -%AI5_ArtFlags: 0 0 0 1 0 0 1 0 0 -%AI5_TargetResolution: 800 -%AI5_NumLayers: 1 -%AI17_Begin_Content_if_version_gt:17 1 -%AI9_OpenToView: -372 -44 1 1544 914 18 1 0 1998 154 0 0 0 1 1 0 1 1 0 1 -%AI17_Alternate_Content -%AI9_OpenToView: -372 -44 1 1544 914 18 1 0 1998 154 0 0 0 1 1 0 1 1 0 1 -%AI17_End_Versioned_Content -%AI5_OpenViewLayers: 7 -%%PageOrigin:90 -1008 -%AI7_GridSettings: 72 8 72 8 1 0 0.800000011920929 0.800000011920929 0.800000011920929 0.899999976158142 0.899999976158142 0.899999976158142 -%AI9_Flatten: 1 -%AI12_CMSettings: 00.MS -%%EndComments - -endstream endobj 295 0 obj <>stream -%%BoundingBox: 24 -1106 746 -47 -%%HiResBoundingBox: 24.4402151107743 -1105.55978488922 745.475070788551 -47.4402151107788 -%AI7_Thumbnail: 88 128 8 -%%BeginData: 9839 Hex Bytes -%0000330000660000990000CC0033000033330033660033990033CC0033FF -%0066000066330066660066990066CC0066FF009900009933009966009999 -%0099CC0099FF00CC0000CC3300CC6600CC9900CCCC00CCFF00FF3300FF66 -%00FF9900FFCC3300003300333300663300993300CC3300FF333300333333 -%3333663333993333CC3333FF3366003366333366663366993366CC3366FF -%3399003399333399663399993399CC3399FF33CC0033CC3333CC6633CC99 -%33CCCC33CCFF33FF0033FF3333FF6633FF9933FFCC33FFFF660000660033 
-%6600666600996600CC6600FF6633006633336633666633996633CC6633FF -%6666006666336666666666996666CC6666FF669900669933669966669999 -%6699CC6699FF66CC0066CC3366CC6666CC9966CCCC66CCFF66FF0066FF33 -%66FF6666FF9966FFCC66FFFF9900009900339900669900999900CC9900FF -%9933009933339933669933999933CC9933FF996600996633996666996699 -%9966CC9966FF9999009999339999669999999999CC9999FF99CC0099CC33 -%99CC6699CC9999CCCC99CCFF99FF0099FF3399FF6699FF9999FFCC99FFFF -%CC0000CC0033CC0066CC0099CC00CCCC00FFCC3300CC3333CC3366CC3399 -%CC33CCCC33FFCC6600CC6633CC6666CC6699CC66CCCC66FFCC9900CC9933 -%CC9966CC9999CC99CCCC99FFCCCC00CCCC33CCCC66CCCC99CCCCCCCCCCFF -%CCFF00CCFF33CCFF66CCFF99CCFFCCCCFFFFFF0033FF0066FF0099FF00CC -%FF3300FF3333FF3366FF3399FF33CCFF33FFFF6600FF6633FF6666FF6699 -%FF66CCFF66FFFF9900FF9933FF9966FF9999FF99CCFF99FFFFCC00FFCC33 -%FFCC66FFCC99FFCCCCFFCCFFFFFF33FFFF66FFFF99FFFFCC110000001100 -%000011111111220000002200000022222222440000004400000044444444 -%550000005500000055555555770000007700000077777777880000008800 -%000088888888AA000000AA000000AAAAAAAABB000000BB000000BBBBBBBB -%DD000000DD000000DDDDDDDDEE000000EE000000EEEEEEEE0000000000FF -%00FF0000FFFFFF0000FF00FFFFFF00FFFFFF -%524C45FD58FFA8FDAFFFA8FD55FFA8FD06FFA9FD07FFA9FD23FF84FD0BFF -%A9FD05FFA9FD18FF7EA9A885A8A984A95AA9FFA9A8847EFFA9FFA8A95AA9 -%84A97E5AA8FF7EA9A8A9A87EA8A9A8FF84A9848484857E5AA8A97EA9A8A9 -%7EA984A95A84FFFFA88484A97EA9A884A8FD13FFA9FFA984A97E5A7EA9A8 -%FF7E5A7E857E85FFA97E85A97E5AA97EFF84A97EA95A85A85A5A85FF85A8 -%85A95A7E857E8584A97EAF5A855A7E7EA984FF84A97EA95A857E8584A9FD -%0FFFA8FFFFFFFD067E5A7E5AA9A85A54A9A8847EFF847E7E7E5A5AFF85A8 -%A95A855A5A7E7E5A7E7EFF7E845A847EAF7EA97E845A845A5AA87E7E845A -%A9FF7E5A7E7E7EA8A97E7E7EFD14FFA9FFA9FD07FFA9FFFFFF7EFD0BFFA8 -%A9FFFFFFA95AAFFD04FFA9FFAFFD05FF7E85FD0AFFAFFD06FFA95AFD10FF -%A8FD05FFA9FD11FFA8FD09FFA9FFAFFD0FFFA9FD11FFA9FD16FF5AA9FD05 -%FF7E7EFFA9FD05FFA9FFA984A8A9FFFFFFAFA8FF7E8584FD05FFA9FD2EFF -%A8FFFFFF7EFFFF855A7E5A7E5AA97E7E5AAF7E7E5A5AA8FF84A95AA95A7E 
-%5A5AFF845AA95A7E5A7E7E5A5AA9FD2AFFA8FD05FFA984FF7EA95AFF7EA9 -%7E85A97E7E8584855AFFFFA97EA9845A7EFF84FF7EFFA97E54FF7E7E7E85 -%84FD31FF847EA97EA9A8A9A8AF7E5A7E847EFFA885FFFF7EA97EA97EA9A9 -%A9FFA9FFAF7EA95A7EA8A984A9FD3AFFA97EFD16FFA9A8FD30FFA8FDAFFF -%A8FD61FFA9305A84FD04FFA8FD04FFA8FD07FFA8FD09FFA8FD07FFA8FFA8 -%A8FD08FFA8FFA8FD18FFA8FD09FF0D5A2F0EA8FFFF7D527D5276274B527D -%767D527D7D7652525276527D52522752527D527D527D52277D7D5252527D -%52A17D52275227527DFD15FFA8FD0AFFA9365A850DA9FFFF7D7DFD065227 -%52525227A8525227522752767DFD06524B524B5252A876524B52272752A8 -%27FD04527DFD21FF2F36305AA9FFFFFFA8A8A8FFA8FF527DA8FD04FFA8A8 -%7DFFFFA8FFA8FFCAFFA8FFA8A8A8FFA8FFA8FFA8A87D52A8FFFFFFA8FFA8 -%FFA8FD22FF7E85FD22FFA9FD28FFA8FD0BFFCFFD04FF7D27FD04527D2776 -%527D52A87DA82F7E5A7E7E845A7E2F5A5A5A7E7E547EFD39FFA87D7D7D52 -%52A2A87DA87D7DA87DA8A9848584A984857EA95A5A7EA9848584FD28FFA8 -%FD13FFA8FFA8FFFFFFA9FFA8FD0DFFA9FD3EFF7D525252277D7DA85A5A5A -%7E5A5AFD39FFA8FD10FFA852FD047DA17DA97E845A847EFD37FFA8FDC4FF -%A8FD44FFA8FD0BFFA8FD05FFA8A87DFFFFA87DFFA8FFFD0DA8FFFD09A8FD -%38FFA8A8FFFF7DA8537D7DA85252527D7D847DA87D7D527D7DA87D7D527D -%525252A8FD25FFA8FD12FFA884FFFFFFA8A8A8FFA8FFA8FFA8FFA9FFA8FF -%A8FFA8FFA8FFA8FFA884A8FFA8FD38FFA9A9FD43FFA8FD11FFA9FD06FFFD -%05A87DA8A8AF7E84A8A97E85A8A9A8FFA8847E85A8A984A9A9A97EA97EA9 -%84A97E84A8A9A8A9FD05A8FFA8A8A8FFA8A8A8FD07FFA8FD1AFF7DFF5252 -%7DA8537D7D7E5A5A5A7E305A7E855A7E5A5A307E545A7E855AA97E5A305A -%7E855A7E305A5A84527D7DA853A852A87D5252A8FD23FFA8FFA8FFA8FFFF -%FFA8FFA8AFA8FFA9FFA8FFA9FFA8FFA9FFA8FFA9FFAFFFA9A9A9FFFFFFA8 -%85A9AFA8A8A8FFA8A8FFFFA8FFA8FFA8FD24FFFD067DA87D537DFD33FFA8 -%FD0BFFA8FD0DFFA87E7DA8A87D52A87D7D7DFD52FFAFFD38FFA8FD70FF7D -%FFA8A87DA8A8FFFD05A8FFA8FFA8FFA87DA8FFA9A9A8FF7E85A9FFA9AFA8 -%A9A9AFA8FFA9857EFFA9AFA8AF8485A8A984A9A8FD0AFFA8FD17FFA87DA8 -%7D2752277D7D7D5252537D277D7D7D52A852525385545A545A0D5A2F5A54 -%845A5A2F5A5A842F5A5A7E545A2F5A5A7E535A2F365AFD07FFA8FD1AFFA8 
-%FFFFFFA8FFA9FFFFFFA8FFA8A8FD0AFFA9FFFFA97EFD05FFA8FD05FFA9FF -%FFFFA9FFFFFFAFFFAF85A8FD25FF842F5A545AA8FD057DA8FD4CFFA88584 -%857EA87DA87DA859A8FD31FFA8FD0BFFA8FD13FFA8FD52FFA8FD0BFFA9FF -%FFFFAFFD0DFFA9FFA9FFFFFFAFFD18FFA8FD18FF7DA87D527D527D52A853 -%7D52A9547E5A5A307E5A855A7EFD055A7E5AA95A7E7E5A5A7E5A7E547E5A -%7E2FA97D7E527D7DA8FD25FF7DFFA8A87DA87D7DA8A87E7DA88584855A85 -%848584857EA97E7F7E857EA9A984A8A97E7E7EA9A8A95A5A7E7E7E7DA8FD -%047DFD0CFFA8FD41FFA8FFFFFFA8FFFFFFA8FD0BFFA8FDFCFFFD0DFFA8FD -%0BFFA8FD07FFA9FFFFFFA9FFFFFFA9FFFFFFA9FFFFFFA9FFFFFFA9FFFFFF -%A9FFFFFFA9FFFFFFA9FFFFFFA9FFFFFFA9FFFFFFA9FFFFFFA9FFFFFFA9FF -%FFFFA9FFFFFFA9FD5FFFA8FD0AFFA97EFD55FF7E30365AFD04FFA8FD04FF -%A8FD07FFA8FD05FFA8FD32FFA8FD08FFA90D5A5A0EA8FFFF7D527D527627 -%4B527D7D7D527D7D52527D52527D7D27527D7D52767DFD29FFA8FD0AFFA9 -%367E7E0DFFFFFF7D7DFD06522752525227FF5252275252A17D7D27522727 -%2752FD35FF7E5A2F84FD04FFA8FFA8FFA8FF527DA8FFA8FFFD05A8FFA8FF -%FFFF5252A8FFA8FD36FFA8FD4CFFA8FD0BFFCFFD04FF7D52765252527D27 -%76527D52A87DA85A7E5A7E7EA9FD43FFA8A17D7D5276A8A87DA87D7DA87D -%A8A97EA97E7FA9FD32FFA8FD10FFA8FD057DFFFFFF84A97EAFAFFD05FFA8 -%FD44FFFD0452277D7D7D845A7E7E3085FD39FFA8FD11FFA8CAA8FFA8FFA8 -%FFA8FFFFA984FD37FFA8FDC4FFA8A8A8FD09FFAFFD38FFA8FD0BFFA8FD06 -%FFA87DA8A8FF5A5A7E5A537E5A5A54A9FD4AFFA8A8FFFFAF7EA97E857E7E -%7E85A9FD36FFA8FD13FF5A7EFFFFCAFFA8A8A1A87DA87DA87DA87DA17DA8 -%A8A87DA87DFFFFFFA8A87DA8A1A87DA87DA87DA87DA87D527DA8A87D7DFD -%2BFFA85252272727522752525227524BFD0552275252FF76522727275227 -%52525227525252275227522752275276FD12FFA8FD19FFA8A87DA1A8FFA8 -%A8A8FFFD07A8FFA8FFFFFFA8A87D7DFD07A8FFA8A87DFD04A8FFA8FD11FF -%A8FDCCFFA9FD3CFFA8FD0BFFA8FD04FF8454FD055A7E855A5A2F847E7E7E -%5A5A5A54A9FD43FFA9A97EA97E857EA9A9A98485A9A984FF7E857E85A9FD -%32FFA8FD10FFA87DFFA8A8A9A87DFFA8A8A8FFA8A9FD05A8FFFD07A87D7D -%FFFD04A87DFD04A8A97DA8FFFFA8A8A87DA8A9AFFFA8A8A8FFA8A87DFD04 -%A8FD18FFFD047D52A87D527DA8527D7E7D527D52A87D7D84527D7D52A852 
-%7D52527DA852A87D52527D7D7D527D7DA8597D52A8527D7DA87D7D527D52 -%7D7D5952FD047DFD06FFA8FD12FFA8A8FFA8FFA8A8FFA8A8FFA8FFA8FFA8 -%FFA8FFA8A8A8FFA8FFA8FFA8FFFFFFA8FFA8FFA8FFA8FFA8FFA8FFA8FFFF -%FFA8FFFFFFFD05A8FFA8FFA8FFA8FD05FFA8FD12FFA87D527D7DFFA87D52 -%7E7DA8FD057DA87D847DA852A8A8FD047D7E7DA87D7E7D847E7D7DA8A8FD -%067D84A8A859FD047DA8527D7DA87D84FD1AFFA87D7E7D7E7DA87DA87DA8 -%A8A87DA87D7DFD04A87DA8A8A87DA87DA87DA8A87E7D7D84A87DA87EA87D -%A87D847DA8A8FD047DA87DA8A8FD067DFD1BFFA87DFFA8FFA8A8FFA8A8FF -%FFFFA8A8FFFFA8FFA8A8A8FFA8FFFD04A87DFD28FFA8FD0BFFA8FD04FF7D -%2752287D7D7D537E7D7D52A8525227A87D7D527D7D52527D527D7D7D5252 -%7DFD47FFA9A8FFA8FFFFFF7DFFFFFFA8FFA8FD2AFFA8FDAFFFA8FD11FFA8 -%FFFFFFA8FFA8FD07FFA9FFA8FFFFFFA8FD2FFFA8FD12FF7E5A5A855AA95A -%5A5A855A7E5A85848554A97E7E5A855AA9847E5A5A5A7F5AAFFD38FFA97E -%847EA9A88584845A857E7E5AA9A87EA8857E5A5A84A8A95A855A7E5A7EA8 -%FD38FFA8A87DFFA8FFA8FFA8FFA8A9A8A87DA8A8A87DFFA8A8A8FFA884A8 -%FFFD05A8FFA8FFA8A87DFFA8A8A8AF7DA87DA8A8FFA8A87DA87DFFA8FFA8 -%A8A8FD0AFFA8FD0BFFA8FD04FF7D277D527D7D7D527D7D7D527D2752597D -%7D7D527D7D7D527DFD0552A87DFD0452A85252527D5252527D7D7D527D27 -%7D7D527D527D7D527D537D7DFD1CFFA8FFFFFFA8FD07FFA8FD07FFA8FFFF -%FF7DA8FD04FFA8FFFFFFA8FFFFFFA8FD05FFA8FFA8A8FD04FFA8FFA8FFA8 -%FFA8FD0AFFA8FD10FFA8525252FF7D7D7DA87D7D527D7DA87D7D527D7D7D -%537DA8A87D7D7DA87D7DA8A8527D527D52A87D527DA87DA8527D527D7D7E -%52A8527D52FD077DA8FD18FFA8A87DA8A8A87D7DA8A87DA87DA8A8A87DA8 -%7DA8A8A87DA884A87DA97DA87DFD05A87DA8A8A87DA8A8A87EA8A8A852FD -%05A87DA8A8FFA8A852A87DFD08FFA8FD11FFFD05A8FF7DFD04A8FFA8A8A8 -%FFFD04A87DFD05A87DA8A8AFA8A97DFD07A87DA87E7EA8FFA8A8A8FFA8A8 -%7DFFA8FFA8FFA8A8A8FD07FFA8FD12FF7D7D537D7D7DA8597D7DA8A8527D -%7D7D52A8527D847D527D7DA87D5252FD047D527DA8527D527D7D52527D52 -%A8527D7DA853A8527D527D7D7D52FD047DFD19FFA8A8FFFFA87EFFFFFFA8 -%FFA8FFFFFF7EA8FD04FFA8FD07FFA8FFA8FFA8FFFFFFA8A8A8FFAFFFFFFF -%A8A8A8FFA8A8FFFFA8FFA8AF7EFFA8FFA8FD1AFFA8A8A8FFA8FFFFFFA8A8 
-%A8FFA8FFA8FF84A8A8A9A8FFA8A8A8FFA8A9FFA884FFA8FF7DAFA8FFA8FF -%A8FF7DA8A8FD1AFFA8FD0BFFA8FD04FF7D277D527D52A8527D527D5252FD -%047D277D7D7D5252277D5252527D527D527D7D7DFD04527D7D7D52527D7D -%FD2CFFAFFFA9FFA8FF7EFFA8FFFFFF7DFD05FFA8FFFFFF7DA8A8FD09FF7D -%FFFFFFA8FFA8FFA8FD1AFFA8FDAFFFA8FD11FFA8FFFFFFA8FFFFFFA8FFFF -%FFA8FFFFFFA8FFFFFFA8FFFFFFA8FFFFFFA8FFFFFFA8FFFFFFA8FFFFFFA8 -%FFFFFFA8FFFFFFA8FFFFFFA8FFFFFFA8FFFFFFA8FFFFFFA8FFFFFFA8FDBC -%FF5A7EA9FD4AFFA8FD09FF2F362F5AA9FFFFFF7DFFA8FFFFCAA8FFFFFFA8 -%FFFFFFA8FFA8FD08FFFD04A8FD05FFA8FD2CFFA9365AA90EA9FFFFA85252 -%527D7D5252527D7D7DA87D7D52767D527D767D52A1A87D4B7D5252527D52 -%7D7D52527D767D527DFD1DFFA8FD09FF2F5A3036A9FFFFA8525227522752 -%272727A84B5227524B524B5227272752527D2752A85227272752767D524B -%2727F82752FD27FFAF5A5AA8FD04FFA8FFFFA8FFA8FD04FFA8A8FFA8FFA8 -%CAA8FD09FFA8FFA8FFA8FFFFFFA8A852FFA8FD1EFFA8FD11FFA8FD05FFA8 -%FFA8FD05FFA9FFFFFFA9FFFFFFA9FD2DFFA8FD12FFA852527D7D527D7D52 -%52527D7DA87D7F5A855A5A5A855A85FD41FF52A17D7D27A1A87D527D527D -%7DA1A8845A857EA97E85A8FD50FF84AFFFFFA9A97EFFA9AFA8AFA9AF84FF -%84FFA8AFA9A9A8FFA9A9A8FFA9A97EA984A9A8FD14FFA8FD0BFFA8FD13FF -%5A5A7E845A5A547E2F5A7E5A5A855A5A547E7E5A2F5A5A5A7E5A5A7E5A5A -%5A7E2F5A5A7EFD27FFA8FD0DFFAFFD04FFAFA8A9AFFD05FFA9FFFFAFA9FF -%84FD09FFA9FFAFFD16FFA8FD10FFA827FD0452A876AF5AFD4EFFA8FD057D -%A87DFFA9FD3DFFA8FD55FFA8FDFCFFFD0DFFA8FFA8FFA8FFA8FFA8FFA8FF -%A8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FF -%A8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FF -%A8FFA8FFA8FFA8FFA8FFA8FFA8FFA8FF -%%EndData - -endstream endobj 296 0 obj <>stream -fW}CZrĵ/F}OdKzKX},n?~ġ.~)8 ץ]lz'zkzU#?l _Fiã*jJ=cG|?f(~d h, pr3>v[p즅vQ4&qݙ+,KūxŨ6݇ڰ]w/Ϗ|~i!FhPB۫Vڛe(Nl3VJ v%6ɶ ]7c -԰ (!*~ƥ\rrsu|زfAќ,1|bҶpU틣ړCa][V!LU-&?l3 -Ta@K/+ޝa^U=[T RU4'Mq賍qw?޴ՕVL]YQ -SE5]o3, w8ܲ4}An;pƔ53n"3j_]nj?׌b"4q9"AheԈ>f YZL=ǩz0.Ⲳ9z^V+> ʋG`_)0#k#5+z{s)fRɪRg~hzє>~[ᡕRpɻk{`S"kͻmׯ -wsAaQVbmbuuMԎ 6xu#`ۀHV!Y[6h uҴi͛#"fPC.i|acgӓچp 쪧劚Q6^HJCP~RRT[ͽ@7*zy8;H3/Lu2W+Jd¦n-6KlBb]Tо -; AM >U/èsBźPlY!d; 
{HzXB@C*Yq^6ejVѭy&%lJd캇UtQM;9ӅBs.|5%<-$ -:m5!ќ_ ǔXikMQ[:a -PԮӚ9fO0=4 W+.BFEb &\tr/U쓷 !dK_K՛!hY/;bO]$=A Q|oVȴ~Ǎ21AlZ\5{/g+s3KLO[y@t_\5vjT'G4XW/$m¥.[8 *`:{9Wd>i|ixdqϴ*>)Nr͚RSlȬ5#\m=O{`3J 6뢿Ɏ sռZАh/n"4nE_I>bDZ3d?$-/d ޮ_x8ޏȊ:~ lÆ,00bYm|)iuĮ YyE۰pAՐ]m׶BcW-+tۅwQ0>h%/i+6/b.YV7Q? 4DLkX*r"Z65;]_=Yκ&6>ztvڋJ#cj þ{=#0x3--mUݐvB̽Eee_43 -/ae/7'FEOLǴ'i|Lw ,iE[RWDAuAplljY7E!kG5{C@@7m;"jYTE-kcFp;#L*SE̹G9[1FѶ u]G@kvTQ\с[R -6GhMvt񁏂` ?O0H#-7jxoЀ/ %!`a0ܵxm;b`!Q%mVKι$`1+ZFV 䖛 -6Tš W2rd-fg94ء;c|\چ޷S;CszYiͣm*IR!6bٲ;Uǐ bMϓ,ƶg}Y0 Դle4.iI+FRɷݖEݟrLLz~Lp_Y&giG}NubS'YzqLXt9b~<ޏkiz8/vR$W«o X̫`_'-~>wG0k6B |m;c<ڪZj/1ɓ5*b)<8),ﶉ^|K "D[mH/6nÉnTwVŧ??LJ~X&r_.nٓ6Ї@76.GBxvˀW=*^Nw:愻Yq3tC_{5wMը«w'K¯e>Vq^]ɬwCn@#8sVX)qNV3n}''ZpLԘ?'*W2ʹ)VV;)\>XR6[W; dc!H|Hs/1pڎ:fآ53 -@$q|ݏIqŀ8E,cFkj|y)΂D.ɱIZrYɮXrV"¢Y$.0IM@Eq#< N}2iYVA7gw ACSܼ̆q8G [. ԾmIjD|EsCq*G{hFYA׍G03<yC? \Kpq6뫟c}4LB(XΏ)I&nN,^EF5vGp%6 !-E+ȹnyY󥡺y+_w9lB/!'4AEӛ5"g -Kyֿ6X3@l"L}+-lxuA#bx.~kFژѣ<4I7J\ -#碞sN7WKI*renѧ㔌c70oN?%GV_G$ǜU21_#Ğ!cĦ\uh nis"Ͻ9_}h~@ӻK6zAT.YOW]1r/[J^Ğ"PU=CCzGHܖꓖuK\:EQ+_JP.>/m~೗^w36αlEyW59%!kͩfIK 5p ,*k1gwѭɮ닃[vb4;}>.!#.+ \BVٸ}dYmf-C"k%މxeLHMh%_8w]1O~le6W*.x5w)oO۔M<؜ILbc;ZG=~yQOcM3j^rHꅠ++F\ͦ1f^VvӒwQ=wZH}.|bZܔU%Oq/Or}:ka7>0^gF߱ 2mym?ZwJÝ=Xp󳴜?T7I i> ~?9)}rlZ\\*~}nCn[894O3=1 !b5y3'ÿso4ҮQjvU>& љ˙/<+E=eWaϠR_s}rY?&o>.{Cm9E]ҿyY/YoӝY7U,>p`iOyϖTAHTHHٶc\}3&cj -u~u y -hDⒻFz59 ?S>{>A0Z養hP읭j(h8m`Lj>t+&wes+1T{΃='p0vˉ/O;>JsЈkxRC -_պݴrNby4u@>su8R@ S,1 -48B@5hn0)kФK=MQW&p oxf`$LЬ]`dTq_'-{$ hݰ5yY!{L-[+G~X1j=P-(A\AokV?ZUcʇ:Rޘn5`r\}i%9M~b1ج952uY/\1Wm̊>`PoDtoՃy[5)]q+hVŨ"PE4zmSuRKYRjy2uՈ6՜8sʪ3/ @/"=Z3a*fevt9ٙ=-ZlQD-n ĨClWSws=LHΫ31nوYt,_r ;ow>cs =9Y(_1ӯZ01gt>#CF6ȅG)=S8!SKWͼ{N:ݲjd.鈅KirIӦ[.‮!XZ,4\j]O2+ڛS΍^/ ?Mw?=gm9#~jR685bՉ+Z2f#V=xՁΟգgt~yF0Ҫ7m -b1WZ#Y/<їY=vB,XsԴe 4ދ|SCZlxݜ.}Oԧ͍QGa&ȨAd졟I ķ)ٰsƈ&)`BT5+oxCM]@8YȣܫG=W]֬۸ddM̆=zJyoG_0qAcm[^>(rͧY!3.7'n0[N -~9&D%=" #,ɹ3Ä19yr^1ՔBg݂`FhUJlҼq'^ukV@IMG>vRM 99(0,`; 'd_RȀ-Y5b7PIi h%[-G}=kc--Ý8ZcF$ugh菣{mS6M5360 -u!h{n&UϭLY &pvME=o"C@,Y1s!KZf)ߋKq%#oV0@c|AC[52Ӱ9"\r6iIqɻC2od0jQ@-Տ'^\E`6"o8Do/8ao]}u&YǪ>|hHP^qU摱_fu_g[~yr6%m;Q^bT5)?Й>xύ-r_M 
bՄ/EiM;Se'q1^pB$-WINFY4=1Es*je ^q.8dW٩h5V႞YPruR6g`C,my{hFǭQ >~mU4Km4Ȯ8lD[G5N6_榁|l=kgLM[qzFq9*o) /HoXMek[Zm_toRй#BWZONL>hU}tXͶ~}Y B_+U,脰M۴X42懠>H츤9bNkv!cw{{TXZF>d"̨9U3w'͔4MUkdãlzkvJѼ4e -7}.2;^u+d>Ժ))h. hhEQ#k'ݤZhb=ȉ|B@쏙\e'psk.vFϞ&j:[١mut0p{L8'[ F.$rZ-xK:Fps#gA8mx֎nzQt٪ n (_jyԂ!Jم99'0;L^9۫ͶR V9;D -0oT$Wbgl.5 ы6!)dR| -s͟5+ dV-…H@%l.j?lZ hMW=BXr1 eySrbʼ\LthCR}!8m 16nJO)Xs[s 8%3u1oc' ~L8e~],mM6Fy@}k+lδn͵vDSPä\(&@mW=o fj톇Y #Ԛ -MQʆ57-  7oj:ACvr{Bb1gez|eu`kUd,e'~uC\ Gg`S`4Ԍaa_P t`<ֶ]5r~aA: -Vr2#{0)$C@ҋ|rV[N*U\Pֺj}+QvtOxV} -G%^lAH_6˗ 0Nj{(>u;ԯ,Zp3gmgܦQ)"~v0&t_qd- u6fH'\0u2g%SՇq"h@YsɹjZqMrV?L͝36ڔkiկ.nɄmƩaR8ͷ"Q }GE,KVL亳uABvpR mYU;d%^s+f/EZp[n6iACkL6>H'[z6\jhZA3p^OX=9bmXԜ;64@G\{(ycɪ,46 w@кCltZǨ( |]̙4u-W\iC_Q]5ڝ:($vVZx}̒ud`93ֿ3% z谍 &n{Jڙv:[S ڂ1o@=Ҥ]짧8 ~%>mᐇ^r`z>zk\$ٛmMVmG ŋv&2mzq6iՅ/ENаbզ_br vն_ع3-hø9~{F:\duzĵQ{gE;.lݙ$6W;؋pqn#rE^NHasJ}TM7^:I3a[5,w!XUKv>rJ~V@(u -F&+t:e=`sooYfzu,}I$Z,E.9 ^j!7CG-2Vo|E,}k\Ɓ7R+W)ŭZ!$h`=,T`R3-:}?-nY̕Q.qwN]7 4TdSnYB -]e]8ZH!Lʈ9֣ݘ۝lO]_݇ tr - v9 .c>em3R $Q gGD)gi[6#F[XxGMtq\\/.+ HJ># %w[Zޛ.2ޓmh,ZQk~׼h'2 Ir=L&J!|굌N0L6UC]Cխ~5C2,/^LG\SS֜}C[cS%[e^\&u`{[#ߴ0li]&ۚI* _. _gk BŌV6ʅק,+$ -G">x5qs)YEq^:zYv<!+rZ>6@ruMt)W^;o:/؟vfSݖoଫKviC8y=3X?{Q黥iZy'`V;T%G.i"RF^0˙ bP0ǡ>2 ,>(̣rF7#~+%QÍ8do,̖Kr+',FWvI}{* (>I 9«*r0V.g$O?{{Nl,ȸ _UbGZ~F%eXUuZ.:Q0|!UKN效~)=Euإ)aWnd.{ 6u{:{fl\K+ )ݭ}sp6ފI zd|既2ř|>QZ6p,2}ڰḰr&u^L!i:AJ}PPRp"g[Xv -<|lO铢cW.G=2獒'ݽzAyS*'UWS-}.mR+ltjtFU:]5]0d+$ZԻ3?RH̻+oaW-"ܼЫ夎>S C<4&d*~$O̠69拢_zA^xj؃7+wR'DsEpk˶( r(VDt832鼘hhX\xZ԰5a׺|0Dܱo?WT / -rlřH|^^+(&w2q׋ ?KNԜV= :)sl72~mJFQvG3`̒qS]=4i I*ݩob.סGo4"n4JNF'rNdu>vZrؓϫ.^O;=8 WJ< "V G5\kcq5_/>Ÿz},>]x<)Cӛ(O{yZD,%ڃ򰧱cUYu4.Sو<&Qt{LV`{,ھRD@ {u`݅γ/߁O\Wvֳ{ a^ԇƟx<>[z"tJkw V;>,31rB\H+^[|b6|[=.}Qc" a4}\`6,w*:},sۭYEaYoTL Sd\ -1^ 5*t2" N*΋:dzyezC-#[!JƘb|F3KW=5*3@,<;,@p*LkLd:"NTy7>HO hA+zGN;E&mYB,CG*/N ]I Y? 
$׋k`I4Р]D]4{c6XoSbȑ؀)7Sc=PsÂ1caW5]bԋDaX|T1t̲Ekg -C^y4Rz*X35ލzZyeByo]S%$ƃKgE|@K((ᑆލuKVj(`&G($vCف -IaZMSZs+HXر<Ʉ UHïB[r=Y \tK84lv ,־'SdO)pAI̊;i̻Y%0=iF0<2FV5PFsf9!ϯƧ3 -i__ E♊0uNmߍrqWqؓEƗ/xnQ53M=CctYIfޅ,Qoi4.*֒Ecq0Z -RvΜO ~5#S!1qKVe'-8Ve! Ojﲗ %?aB巒 9G'a/foՀ{qtF %豾7ֶ^(bT˫ԩIW2/ESgDYfZFY8* -?xTQ|PK[k)_P<ĺQ\ņ ť-.)6"C հ9 I%]bW%=GX@(wK;z%5`l:EAY K_smgvTSRiqwW(^BB%tHÓqHW{Dq=Iee{mGQGtCvfxpAgl]UTj&?&z=u]GP?4mjtY&m"ܲu^r57H]l+|#㽻3,a& -x3L=^u"Z2Z%E=-O12҉ܪV>qʽ2UY/$K8qɖ1L_Ww1A1X hƻGޮm~xjMuMEroS'e*bMBMʼysi׃Z[ɏfsgǻIa83ak֡j*tyY)|䚘>-u}mMxID6WGO}#)MբLC^ 3i[YYq4/i+kI6ѡ)kw8'mcL,.cTYz_Mz#*(@i Dnm$z]`SyG!agQߞԬ2 92TUlCߩӶ\ AIj[З\h幩*B{L=Z3OeGK:3ePi5q֣'Uy@XxQ>Yյ位BSCɦmu6il+&򚪷w],հZ!gs[A-0OϥmJkZ.lS.(7ȱ[SȨ%|IB8=&W+?)&sTHШlcjqt41l*ZJxaRI~񝱭bGquT0RYdm*nTz ;0.%-kZWRBY, 3җEc^TB/14̌_DmXP]8/63hQ6Uly@=W/5Zst,­ :ld[,YUrL*vSRm2&dGqi`i+q ^ö'(qG{Ej':fy~Dbwyλ(Hlj*8ӳ{3H41pO=[*\-f`GIƥW*KRna&%$lt?YnY>*hJYʂ -nnN -U<(JOyw{ abbZjR72ЇBfhmwn-b[ޝWKLvÀkA@>Z6ִۣEaCYwD' eMX뚫ٚX|oe̷>[kw.؊$f̺MU-<[ٝ"|~~d`TTб^z2_)؟JN=ypI.)= %:Y=\81,&- QreadJ7(S(XG5oŔAt]BIoVZs~(8-EQ"5+mR⊔T}嗓3䤭AٺKCRfB]OOZ&-eD]:7Iz#OG( ^$6vPiE~-uU*9:Y֥B${*Nc5}kc%yUr8ꝩBK=4"3~wCZ')3 0K~= ybrZSo8fY&QV)&.#&Zn%!'&[m"¯Z\gvȂ -jR݇՚ƭ lUWs%:'II\[K2e" )_3pѕ2Xz;`?͂ڳ.:MLgLOO?1 p`RSr3WVN%s$[Q'B㘂OAެblj!hVjmk2*ꊒyʣe.Ѫ`C+,lk$ho']d$>z 4ZsOs3>~c0evwЎz܅}5u33HK>d#eM{o? <͠IdzyrO)NWZPE[&`oӯ ݗ@Ct^Qmbt{h8*&Fo ^z9B{='pQ? 
Ęņ_?"F8ߐ}CW2Z %^9an)3>*|fjIIblHZt%eYf3ۧ0Ru>0Q{pa?l R54YOO㮭|SBșjjWN- ppIy5˜vn`63zg))!hZUąC%15}7\Ԗ{k9/9z&2AU3n&= '=ՔQb(>ޫ=jzhiz_=E؛ۦc y#JڧqYu n9d_LCW &XC) XtWFH)xe+rN@ÎҰ՞Gz!ϯ \oB¶ .)ottyxxuR%h9؝1宂ixPYuT]y!S'-Z俷gFBE ){ic RBOE-?P~5(5 -vHa!s׌%o`BbNuك rOr Ʃq`]GapKO4}#`½)>UEξq&kal⎘~f{@>%*t״d=TeG:ґ2Z+k;ù3nNjN];8,wcnGO1(66):4Rk kG<πDзZv))G >0,|j?8|EYYW+.^̻J#z )ѥ_ ]~hjNv}k_G R\ӐMT=PYpf띥w)Y.%5)#':$7ֱ }S¥iz?-CԌO4ukvíRy3H]^=;[ZoJe{##ĝX]=~SRb!.yAvAi?+* ~s>A+(")EG@owCl YWzot\RvCBKBh.*")K D%<  [үkb.pc/O@ZcR=S|kr"gF374d^="Dj~ޟ:&*M֙|OTfrGiȉ.nYh!0a]51`c4u?!^DeFxȱA{{utq?g:p^yWGF&.DN0&?"lY PG[-wCh#>kOx=᪲ݏCWUB˔ -kA'zU@BN_}'\S.Qn9>؜{HO/?2o v̷]4"厬߬"諽aLe&N{)k'.9pz6N 25kFEjjӮ,ue6}L20pc]]%3](dYhο/|4=6[LdυKsb>5 <7>ƈq~^EWݖ -nmaZK)+S/Z5c$ w}.xRhsi,x_MtNR\S+ɿY4K~1 -]x_,N15W$t@s"}gD&eD ].{Y|䕥,ŏ9W?e].ӑA%Ө  ,Y$>#v<26 6%CxTx11=ķA!*=2JܳgNbc{?d? -YBO\S#O 7EwsFh #ɹօz5H e\:UQ\@ms-i5~Ylμdju |o[5<@Gl ]]m*ׇx$;roO -y.ͷso4B.ᣮ-w@B6I1v-u"(9Ԙkryi5Ȅ R1V:[dhciu~ J#=\hhOO-}u.k#~^?mE8AI6@[oݷ >p[)L-ZV\~aO"z%QPӘ*rث C{mUSVlъ^@WSa'*ZwV ~ܟdM2s-s ŷL97W: -z#'7_[G-//j#_hJl$15CAh'I[ޛeHn Ƅ>A -?v";s[p 7품ua}bXȰx䅩ڒ8V@Qb5kr͵;&@_Ie bk 0J/$R,g6Wyw1SR-vs;)̼+䵔@&<̫$W2T|fMWDM!#}jZ?S/mg<+a'sn95\ EVP'$(%NAv=DYExB؞dQ+`ZvESۖ~Xbc{[po5ijD$Ԍ#drw'?L1.P~MKygYWs2hxwu@ͷ߱R-#uW-盽1b'U߆|܍ywڦqq\kq ;^н˟߂y/塖}En toF?6rc8"[F06$_\lޙu}2)']/m3"BXu3KH[mcΕn ЗһIL\O+9Vyf`O.@}UNٺz#I ^x^hǽ rnzTj/Z}x!_ۧI+-חnwn@uײβ.%8npN죅OWZc?pHI9#w)点eX9$ƄoL=F~#%,tļl[\U*ƣ!z3n.Y&Q0][v[_Gsfũ'p`OOAYFIRZځ ߟ&yiƉ#1)0h*!2F_j-)&su0+Þn}B:V99e.&F}̽c? %m,ɿaj)}b =mj/zRx۫8\'$H\l D+$L?Du1A)bkj9VS;ON)%P*썢:Z7={@]{}PYCvC$yee5Х:z :RSWl%親79զ %Y&P7JkN|ruqre}ek3=͇j֍ S7#_>~"g}jZ<6=.~ |w:P,g]е# %o7|m֔[o/؄AFEYu8UzcKъП)7T wMǥq&<<;.5ϾKYQ8T{/xCʀ8XizO݅Kno ^)?ƒtHI>+`? 
,zkUhi肿CBI;`SU -kSJYLtEy6Pb0# q@8Yd׬!G W-RTޟu_tO2ߖ6YЀK3 O>:ߨ疲9?أBÄƦ%̨_Z3ɠNAQ3z&hבszJ23'l"%[!b>|WVQzʥug\iHbe1%o8%w4WAfRG΍qXyZWbKڕ!Ciz[-B{o9UuO*aB[ oLɘ!|GB=pv)%e xcM9LJ5Y km7 /wzQo2Fc??bgQ)DuhC59X{\\3Q&ﹶ曥:3r~5 wWXh-aCw{JXbJ8)6ҋBx)^>)٥< 6bV6V{TMdž:#=)*?J)yR_XLͽt8!3ELN`c-btms`oW1sح-::x6t q8Vt@:D(78 u.:/\_(!§IooX~6 ..d^>0rG|K.PS&1}GYXN˝q6Ur>%)2 -[>j塎YV 06[Yb:B]bDķE:«'Ye&ezKUSp][uç~%f-2 qgXP>-ff,~¿7B5uM,ϫ]CHSS -?sSUs=ejrZO͍[klcCL( Cbs݊J8]"皲.~1TuwDtu3>We^)l&`".4_\a7yѫgk%cN(~>es~ /Z6xFs%'8#-HMwLavF˟s.V2L*P5#/"3 "H.wH!@ا+rϗ -@;NaQLȱYtۇ}α#C=l=9PAL=TT`eAQk#ӹj]ʞ[o<)fTE3#:9SxH!5͡"3q>c~en..GZ\CZЕ~_ךzcη a]YQl,ڇ82z6PyfI7iLGFNjw ^PZd?[䤕ATp Kp=pǭtɨ;,ё~5xbܯg?\pIMz@e<@&to ES@)>e0*F񁉋sj)YN96:zlmo'B:@Me= 6b|챶>&' B򮘚 m!W )%ge]*Ps(pik9&vD|)i:[}ɧÎ*ൎY׬` @MYeV3GL)j 5:,'Je.0<ʣ` ϗx9. Ԓc˿; z7|zr,r^5SW|PsC}%CmίKkiش#mqnȽ|Yr8"9ڛG8g*R -~O@#R|`íIh! ] 4x_O#̢` t(~3 *bt:Q0_z.5C?1\WQtRGo'{+eGxtig"t*e?Ajj.7dE䅍>hJ}YUU6^CG2r.oR:.`SEjw=_s6jZOM|ο'g6Maa83t֞xl8uIr5Ԃ)Zk^V6x9[b`NW)e c-׫kbؤ;cE2dQ|ldCӄXgwSȰ޼'KwQ!QȂzT\K'YvF`oW:@ovɶI2hhjqqZj7|ciFJ^c%!tN#i- 29)#-2JTקڇx7-'k@E5O#.e% -(}S6taCWe.šֆq:-8,|_ -uϔ,v9\ԫ0HW'Gmaw J_K)e̱qd)fs@ڰJ'4@* h-%{g$b-zw}ì -YAu-#GqMlEUίvs-cuum𽉒gIKhbmfjkeoT8u.,QK,2sjЪ2oYZlU֜Y.-.۩(- -5>7xe& OMSM(~6+D9&11_eSC5m_J=SL`>= 4A@pYi^()ڨmchycj֡{\06 nwՐ-q3&Z[E;d}3{ 2\] -kθԜz&* jx +CT|rD`0$=}m/IBKŅζA_KO,k؞vmw viwi['ޏַ=9A"SS -D=[Z5LKhg|VK>^d:DRjte ># m}k: Mb< -B邀~$#Ct%gm֬;7>;*v١=]pRd@<%(<3޹3ĤyFms`_πwi*wn.ѭ(蹨q\_O)>_1:F:x4ֲrZ£ħ |S^5pk kPs}q/C",YJy~o>BX%G:"KɉZ.%#8$0)ZGX;Im,|;B(ERɉRGIz{Q |Ǻ+UCazna G@ K\ҡƧlW7}Y[ǩA*Њ~#kT%P\Ka> u Ғ~Tf47 x]5Rrk<oa\R',;ÀRS܁iD 1 - +㬴)AQ k.HG&'zB@ѳ%`me 4Sh<盹FMۑ -=zu[Fm B; o-ut )_o&.@C(q}%>}odeTzL" MaUOG?oLaVx\yZj`v;:2}>5ԁ~WUZ낽v'Ur Q)F#s#B. 
g'+ߟBl< ;|'ʿ)%bO%uKo>e>] ٛ;e",S2'FN"$<~_N9x5INxCB??T;So~u`\j.\}ЅyLF/GFr[_yԞ|5pRm[]MSeoO4y.h頕nS7T1ЋmrRg%e' \KIJ2fၾnwvg왢6>wZ%t-hmV)gDlfyz!~mglC<0!+g{fȾݗ~;M;RΗZlRrY9]^pddt `5pmY9nUǡ!yԜ##D9hѱ35v!@τx4LOI83>/R{2&xqzZ} ){e4hF偁 -FlU bN"n+JEa ]OEx/seg -cUʎMu >=VZPabx@-QYowkGϞKuƉ -3 ys>-;|9vc<*̷˪^m5ɥB7PW{!wDNYD]ƿ~eCNM<"Q.g&HiNMBA:sG:0Ͱ-"DPsp)b.H} mKbdԴ!Le>RԚq3NUsc%c4%7C$;wi@O01~=)ӣ!.0qçcC҃:|]_S=2i+fBD8|w*هzzɷeDe+CU#CK(.2(pK*ʐQ.' ozA BՆy!9KIzīO"]$DzԍYOWݮb×&e@o|ΡA$ڧJCzrjǃ*|@C#bm?X9f*6x[B/?85 \Fv):1;cBbŮB.pʯ![',u&Sį呾׷ -y -k?N#$, -F<ľk(\kt3SO niZh7&>s ;0P -=^49M6G,RjѢuBY\PQs5uj:LԖ_Džzt^rf xr;A|::2xsfIZrG|j?sHa ,k!$uL<,P_׸E:{ hզARCey#{BL̷U&ʯ%9dgsy: on,ⳁ?Mm'Z2Z>vOU7{寀> ?RP 5#pe}"TL@^m^,z&\ڿ܂ݳH7Qjw r`Z,\XI;0KTLl* - -\c|N9hgc-uC9_2,J "x{tL|?# U՚MAs^6YY~|t#Yk8 dYiEqYulUTR7o-N ȧ\"5epOk\ we÷qAa)9nxfַm~sD[ R/t@XA;Rګ9Y\"WWhްJ@|l2M4ٟ= ;gKTdPR̂Qһ -ϫZܭC=W[ <_*(pE:f916bb[89JUxxu 2@,Et A,Уf`0x+e$u,m"GKp+n ܥ`| -QCd#1{Q|'[e0t62t^3*c"(~,"&PI/{aLқ)ja\,,<#pU {SDk G{pRCS[C۟"9>dg3|ZbΑmEqY;V)6|dWqje~51ӯz n dGDį~:PFFٷ%dh*45qDA]jl{;]ancWdez,t Kc <\f[ -s:t߹Q@]qgZۿnG:|Op%ݩ'vu+OG-kWPu[| -fհbjSEfvzXy6Ǟ˶B﫱;R\S@|8]|ߣ&I9~cEgs\.eXs4j (Q$Rb`  ":Lbȩs΍9ޝצ=vˮ\e-,V,pw^vE4F<;S_K_š!5jmB]{oW*3NX{f2D7Tݜ0vMk8!kŴq^U~TTUIX۞Y -:ZN5@EHܜT &0E0 6Ǚ^L8`-ew,0C+^:D]xy$(iWvLr$(_#h@@- 3 -pck4Uif Чb̾!؜f V =὏ͱ o4k['x'#qxސݴWS?[YĔ&b [+97e=欛73^=xȧ9YOϭKM_n}þB&b#v[,aA+՝&;r4,i Z|'CNKLM) O/FEAۮ /̽l;I&ΣiTt)dqq2=hՏ˯<]jF} I;.vfo=6P|7 - T8ߖ]Irm̂;`7t*l7Q67<+9V%! 
Eڵɶk#v.<ɓM"X~GhIP5&ȹKԋӌC.Yr7qEq*bU݁ZvjnjCJޙ0RN <&>6fe|ߌ7ͫoJDDͫ}Twhs#7f4DW5sgpm<hI;NsIoj NsA*W&U 꿂.b\L3yo6U]TM i ?V=jX~/ښRb̡ZUϾ#Y`n~|jTK/A J=v9`-1'ϰʖN¦(Wz^d-LT#lFvgfW~gd뱈<&#UMLI.$ f \$o/Y̅mlLz)aV&]}~ZmWЛ!y0%#5I#)ϣ=j΃t>p9Dǡ&19ebD1î{Aˍ>&"s~)28l dtliY5QG}s#i!zJQTqieˑ1v bVQW)D-#木p5n!lN]ǝꋻbBo|Io4|w?Xߊ:E [IʺPP5C=vqJA+L}8r%agN.6CiqV_}~?1 YZQ=1o]~tUYxMȩ;.nN4Y-I6~*15$d:/gmM5ۙQVMS;5)qja|6*.0)s=h81y)nfT\ֈ:yC%nM>+ZzFQw_|M4`sZ6.Hf†׼9F~x`eax,\(L1L*|C>͍QZmϱ-7A7IiIT'VM]E!>W6?f?aj>) kdT84aUIWW^,8p*4u2;eo7Z吺#s_- zkK'_&IN034h3W&4d -[Ir~O'bz!u}Lnxh-oJ" 2A7}8~ɕFtgF7m9 հ\4P|ZVyHGmJ8hu|))PLX#VYG7YwW%gbNT+ED5!̿h83.{uDXy-d`5wĬrivg$*3VjEʥ Ͱʽ2{cw޿}Zv)e2-0q_#6!e}Va7orjrꄕeÅG@KY7Uto7{iűOpV"A=,bv! \q14{2k*zQp[0 -pIQqkF^sTˮ9mO85Q#f*cz1> *4~09aPpf1xORXy%1٧gaE4"\Pũj{eS2HA];S#z1#le⭩Se+35ݘڀ:A;/.(o_v`^Ł1ŭq$bnL+E}Ìko',7˾pݮ}^\ǬtX&(eWทLjٌ:' -yHϩK01*C-zzz0bS/o]7dgiX?a}Uu98%\^{^_^yúNP5ETaFqǑN… m>t>aV휶ԬX݉'wq!q-1?ec4xD,MҩALrv{o/jtO_{9jfCҩNy!'鹇8dM@J:Odž̤k-GP'#kC1zmL/}OX;J/h=¦># YQPnIs"ah]9wpnyHjcX]?4 bqʻRPQ# \@drS&LDqR|g]|W&ޞIP'h>8Vu -!Pq#r)7qCZ•[!]77ÌhIDf՜ʨSmUB C[5?+%fs#:!5mMFEC<ݒ/W\}C4,>5i0PwOa*f%45ֆj .Y|ᖊQ|Re?l7KZ'[u4=SѴ:Ҟ}kraKEE-#=_a -xk<b*"!&.-.qE׾ #a|3(C:!. -X2 Q5|iUu)s/H93ow$mʌ[$IvIP#'U܀2B`[G[o~\rt v)? -QGmۛ7eֆWqGܪX=e}A-Nlw{VY]uܭ.i)V`$b4]I)G* }, 븍sRi#jЪ!5wU{ gz51bF65natkU#ykwKK1ըt 1iu($iRs5,]Zm3+mɤ׎}~p $8ttm+MsvՎWߙSv9f>p7C+6Oe]K١>҂ߡjaLK-hU~5ja;复մ6pUlѯfqFƨ1JⓚC*GB2R}6C8\{40/qg&ۯv^([8ʛ-Q=zZ>I8a&֤Q_&Z􌊠^Jڜ, Owo%s-N,_Y4w*$t﫦C%cT&mMB*n}X-'}csn&'~8C13-g6,\啯F9o9Xpfrq*{R.M^-%akV> =+=7qZ1+uTZ$817>%3 9wstUŪhq33a6;so\!}>Uyrzgi$$`sd3f%2vUqpt(CZrdcsa\MsH[SkAs2sIZ;)! 
zgŒB}UH\ԀkU˟OYŁ\^;JqsϚnNgRNΨ @AYJٔ|ya>s)Y3&nS7LD,iqc)J^\KR)at6ё }mSgQƨzQ$ۗm^5X~x2Km,쌙m돛W`?/WZ]<κ9gޜQ+u~woNf={n_>ͯ8#kM Zh;ݎ{oΘYLۜ6F9q3eVnޚĝW{1&"^ -Vǵ*:Op&p4b}\X2"(_|N8qQ?s?XcL)M9A <_cTG(O5{iVyb !^ET䂄Vݲ265VZMs!ڎ|=nf7G,"B:xkFNs=%^x;>t$-RnrYjK;Ԍ7bWG[P#'i} (R2.ek]m:zRxrv)7@|BS7G&ɗ|S Sʹ #f\{z?EG-B"jw2wDX^+?9Z7#i_ Ja#[\ KŢGMyteܠy;5Ϳ֩|xzE#`hÔs)"D̫F:Nm<r "_-# sy/TM)|aW^i=3k#Fpcǵ"R\#Xx~fXpIY׳/g!-mmt~먚\2NVkod]U&D\.`7GuBXӜ ɤws[3r<)_.N}:t"U ^bQӐD͌*i_Z3OZmMI\3a_Eq;^!'#nWGE_Tw:~(cEnD&T{Hs-<+31=n 4vAǛfZM:x)b#%gBЊ,u}jz;9 1f2ޞ{ILߘ\0!!XLé6v:q6B8x%n:SɧTmMjF,+|#׭X~sd]&hׂ·e_i?[zTm7ICԉ":NmʨjU?gfX: ~S%*_nIۓc2QjZvJ)Ӓ -^yrWē > RrIF)Psox%Hq)70#۞-;:Z9M ;ż딞J߂}*V}'gs1 -jSъZzb3sjJ$-YO1%iY.%g%m/ձSˣKm℞׹U,?YĄ}\iQH EŗǦW?>ߪF REpH;m3ҷg:T "DSy_|؅[kOFRN|˟b_0Kc&^qVy%fm{dиQs텅gyFL.f\kX-).e!K\Ƭ]"嬾TՃKٙYr_rk羷Q !xUUl2J*OsS2.EtuLKΛ{q_ݏ.#}1#{*v}}uQ0tf -,pH)¯<hk³/^4r; ;뭆nACz甃QLS9F9;aw{K8vɳ ޠ%}4 NlgG_i'z%i(ިw__'S6$;5∨_7F5UWMZ}phmX }P{~.uVH; =O1# "5+cCBNw|Zm(>n?W3fWew2߸ǵ75cE_; 'U%b/{Kd^"-mnDv[%b/{Kd^"-mnDv[%b/{Kd^"-mnDv[%b/{Kd^"-mnDv[%b/{Kd^"-mnDv[%b/{Kd^"-mnDv[%b/{;}g~R_'shT¯~(| -Ε~wRIh;Wƥ(LeUg;þرg>#S/CN8GO=}':q'>u3>䩟O8|ı'=~>q̙ӧO?y8u(v3g:sԩoHo:/8'u~O?9s ~2=1ӏkzB'L5a~KAH$\Pֽi59fv}GwIlIm??O;pdz>#xXm;}P">yMIFje_4Րrk#ZXE,Q K!q}럡] LJzajՊڣz~6J )a(l%1}&Egr-n?0)a_nFg^DZ)f1%Mr+z;vyk:/mLN5QQ;&"^U +ڤ츁UKzڻS]JZ7JI7yCG|K Vi eD5"\xZF"QpyytMw+˾ Hh85NBL$ԕ kh>9CER/լ[EĔU!LؕA]ǯRP7; N3j鈛i7r,XU $ԬQ=&afT/W:Z4iUd,"ʶS*Le|dmtycZ7U!ki>9? kt -)DjZu/ADĀ^H$9KHG|b'%Ψ\Ӓ&LbH-q9,Dl֘2ЮG --̚MHM;EkOڅUHi)Ej՘ۆ:.1/f`ʠ*%}stnyC^҉:npו77 ;3m9+ois;HqYJER:b1pNEJX$86RO-J8I5 2E&C :^cpW0 -?$ʿQu'JzeMO JGDEPtY_%2oOd\쓂/*:#^NHy(` jFF|G%*SN#nSXiOʹGٗB?552bWƔUSfULͫOdVגmP !!ӓ6 #i ΞE D^NE, ->ꖉ+3PX/ĝVpC^|ݤWH*o`#zR.8i&-p9$䪰BtCl"r0'jdV'ʴVv2jIܙ^@n>ɺnJ8Z!\q=zWW']7 ΁!PK#&jIå .֐r*{PRڥ쌛ےv]DMY.hڔ]1K*vNTu?nL5 )7>NeW,"OPa SƌՐ0 -|ӸSZnMS fsu^8 wh5bhLXU1ǵ HI?#^Efsp_rZ#މ jLں7fzUh%0j6rioO^7 z)15nv=֛W~Ȩ6n sQ/Q. 
*JHAף/^6d_Q)(fF7V^5 L_N)%)S%B)ߠ:K.JD +6}:e,V+EWkImY&8.bqY;4̽=A-888ELEE%f-Bb"@/,br,g?+Iu fzSn)?T -| de敷;{,¬kq9w.fn5Zsa؃MHB,֔لIE);0H51c45 !=1b`ŭIО[L.g_MDK8()"t&RF,Q|Z^ `ߖU3[3vföx-2/!KڂzJihYi!d[a+Hi罙Qv ҥݐЫvv3j4rQޭLXYJx 5xmjjV n]:Kk ie!5>526lL1s7@ǬR.$n[2JFl0:\zŅohVy`r7J:Eʸ]}zd- x\pC:EB@0*e$.R 3̄=''Ō`{ u)v}I8$֮ Ꭼ% -3 ֆWBün?4IMUlVԱ칕/)ru{L9v-b11mR$N;jfNjtdbJ2ke\„"jmeXp6s2{rm[$IBFCcffzu9tV"@=RQ@_ &||sey$=+' -%6.eBƶWz쬀rqp!M12+1)UWR6vK&gՆt݂[vHHEDDvNK^TKI$)E9f[@̃=FlC U KcQ"n%VZbl<1txcx!Ҳ=Qw@s+*{ui10C2+N 7=҃3J:r^HIuSS7yum"h:vuLKn=:JMs+F1qe~\'x8aHa *0 "zzi̬ٚ_X|q$8zz؈x#$#_ c c\<,clBe4(<܋)f;ϛ͜Άu?G4 ?5'ê13u]i#Hvs o\Hy6&\Xn=:{_-jJܨU9zdE׋*X|Z0(>rPJI0#m' jIW4+0OHbGXǩŰ%i/t p*u|U kGD^~^r:F㦚pysU{X~ވMG*аz╤Uiv)w0qp 4A4ľ۞ -)ĥM8$K.ޞ+/{XB:A-)X};;/lqے6=aQUt̵QQ"v0luSL{df{a#We9 2R B>:'\/)&MNv#Pv<]-`eSĮhCZr~D1kQsM& B=}\ʾɔaiW&Glגѫږ+Õ߭V_^_/l?Q3?VuЌQ /q ˶l&g"ƌ/_p]Z!hY5a`DŗkC:w*Ii .8(M΅&;υg(WC3|D癸RF CD iiE[gmA E6,⽋ӹt &Bjo|%fHˣm~\%]M`c`u>⋪LjVuG9ns{€8@hŨLXx-w61%8`u' -=a^O9{QG@ur;JqtP[[9w:vkloMYA)Q(Ul\p2|om m2N8ɧ J@,s,Ȕ+;󲮬W%JfʻHECONBOQ0ۋɇ΢'bFL|lP7㐋 o=#)c&fU†A4M[KyeW.OY*8=+W{S ff2}pHJƨ 覭sYOeYq#jV^'1E+h;eM$m"FNsTǮMyi6,Fu)# HYRӋ&g}Sċq#2i4LPC3*cǍƵſx;5?}K\kvIEqL3I()2J&K3N1k{N3Q-@g` -"aQE%6O8{y`3Z{02Բ[@:P%vr%6|#;xLkxq*iWύN򀽮  v tX`Iˣdb bc"vf=+v$DRnç\]":s۲ BnzN>XJ{%$hňV R e>)7l_al0">RL)oWO#..a{Q*%=헙HQ摺N$ z6^ֳ*1o:|J1xkX)W!b*Vv)3Z'=4X8 ꀆ~-?I)I -:ִǓoP_0"SoBܸFT6h;r8t]1R!-xu i葅U֐]9F LҊT,Gܺw-Ǭwk FDC-D@'|c-GBSm91t[I:5!!78p(m96Sf$m OPE/jEHIejɨ h5ܶY!M2?"NԢ:V -+7. 5D ":j0 4]HL~V -XhKĜQBOyC|bP -&nRS b1:+CmҒ$I2z?M/N/6z9 -[J?o4 Mr}uۖI7Q-)}WsS 5nQ [S)"΋c[BbHѵsi\q({[P:-1#>5p| (4m=SK=1p2eW 3& }<Kcg)؏]OBDROPQ{/O5 ;S޻YLD Y-ِegEJ.dP]zn*n3iv7~=f u*dIxXdKw[M2!V^DuaI֟b!.y:; uJ8i5w"PC&RL,7JeHϩ Ak|σ,c#%f稣; #Yؓ\ZۜTu --3>kq~[rnZzIA==a!]M!j:OϬ3 -tL0"*Raڊ]&noVѳ[Bc|>/ {Iqsu_*VCaI-|됂gW HE9]|zj@qYIkS'5fW gD3xsrZYƌxMJv޽$Z(X~K<QQC< ՄYu Gm~2HS@HQq3U򢚻c ItyHaY(@ bU&O& L}?rsg>mQc7c>୞cMB̮nD$楘vIyiXA"|#J8ʄ=>!j@[rS!9as3Ԫ&=7^^ ܋oD -Nݟ}|v?e•» [C1G߽v#d`.l-`״,O. 
N=[뤤zt.ĭbVowDǪhkOZ1eӣzFEoW_4v>b]{`y%h|!ha*ŝ%qvn}$Un.NظK 7\.&M 6:^ ƁinVƾ_FӴkSU+'^++reOE+G3qgX/%lwb(V!)TR|H#Y~ Z(en{oo{oXR @.ZmygkH/&QK~ Y7)͡{E{ոw!n" 9U0Q l}}ԦK̒ ic -^YL,He[. ӸV(| rn{zz4dzU'^Vu3nyfq+tiJAªiEq+97Z+ kJ| 87 @Ve8賰۲4~k÷IVSvV( -G3 -{vm\T/G q[jfIb!.O;Nbny5z܊%fOOߘșZ(4IJXq^{i^뎣׆9Dw{EáA]q2Q YQ 5iή.ԁ ոok)YVǖp9nSψIDNhOZ%LZ:?($)Lz j6WZ%'<%lN Z#N( NŨ[NƜM5I9{5(;VBA2q cM -^$&e"AWϏw\~3bƶ^'$B*.Kʟ{CJxoUzo; G7~ ૻgAVnKXˮEYBMX-:Czr$JPu-.l{]x n]SKȗ!avr)fٛʞČXyY6jkBԄa&D=.ԣOG- Ƹei\7 -+9;<5@RQ^v޲&\M8 0Mz NΏ RE -<4j =f.ub΢ 39Z+Q2J$!mj-FɗbZ^1)jDTʷ&yJ3qٕca5>bUPkh)NaN,tt -4 (Nʦwi~*aWQТ56av0\1yvq'pj6){ohG~ӕu+VuT]w Y;|s0xI[[7J13)؟ycgMص*ܣH@LG1ztU/ċSHkPc _Vśδ3[BR  !(nq!@ As}xppkd&di2+Ǭ`!#Hgd6RAlVفBʱ*3pl.#h*#Zo>s-:ʤ]=q(3eFcpQ{2,AQ=964CP$K9 槚{7]i{ qF 1I:)r.ZT@G|چ`)bz?+n}tڬuwGh1r8944ixmxՕvCy 썓&i#Ibls~ b;0R€Lr jZJž+Eh#u4%99 w |&ǾCb|K1IQ{ -6xZk~8CC54?C̷hue}3' ym,ű-:kO![=-PN߅})@MK9!F/v#6GAf9#ui =5Lg=-=mWQ'ٕC5i>c(K>Ф@]@yj#x9҈PGT̴s<<9gXtQ}wJ0M#&X4D:#ԥ4!J ԟ)zWD:,6ڏ<kg/4dxZ7 r - XEr,cb,Т;z aH =վ:x>vBV?P -j(-@bIτliNoE;TacO{=.PHۖỵ\9aY eR}(G$gTc-#IqÉ2`gޗe3`þB@]$1@c*c-**Fʾb{U; -qs|F?Z|41(9 &+feټ9$=%|<Šy6hJLB5.<3=$ x&gK.,saV3F)QV*dXr!/hHћcx]q2S7$h ;JBÇOAaE}'3E o.4-G`fw5Q0_ cDzN#5=D&g?{ÙÙ0}-nVq Sb<ЃRzM)-bN^|؉:3DKsl<l//q4]q<'(QNt<&mropq'SS ꬂeVE.@PҾؓcMc$SllF9GJcsM1=_C`$Hm!Bx2.^1!fq&ǛQALC/'RHgo8P U'OTyJg$?B=PQ/SMG:xgHtd tfp䞚g E<5邵az̾|WQiVC>ؤw}- ೲ̪=mȮ&poJ$YF5az\[SX1;Mqvy2U~22"3+.mhVgn'g :ڬ >^/a,&9᧖1<A]Gǥhf5pgǸi)>ʞ6#G%`@kP˴H -'MYI3+}5"g &@/i1N8h[?PqC / jiNyi 񮜝O *o_%`>vԍuoNyڙihaۣy#] KFxޤ;Ԩtޯ)qLK>*|W!8R N@N.0I&#qb&A3io9>|O%j{tؓ2>ӡ -oR@>Rsʎ2 -~Ns?ԣ t/2p n OF׺1n*|Y!4E*_ks41ӾK#}  }n Q`l9$o+Q"{.6q9sIL!&?=9В-Z ~ g9mEVE @@)9#vU&MnY]һ)>e գeE퉷[& -QYtwpy@ʞ&#(iy]-ik eCh ̤go>ĂGW] Xåh)jju\.d2/#4X8PI*REAޞOW2SӁLIܖ"=(#y8 \b,p"Oypj/[M£{t6p64s#%`eC5/9]tPj_hG/8 0?8zMx2F9QJzq\T5e -@k -LL1o[׀9u4Sw8mѓ5\ҁτr,=Yd:H]jyj.ʢ*z2Er@/<^:Y,9〿)qf9%@E)(pYqqa_]v 0h8ށ`M8P6nKiV;ߖ n /;CԐ!6f?m-rsgRB行ߗ0-?IqJ辄w(c 1cGTؗc0= PBCdF,w}W11w9tc! 
-yBH0Or |{ 9/#EmR }c'^qr Dұ?Ot|$;uk;N EJIiGX&Et<}{4hҧg*9;D]8cNt EI77>gā79v񾊃Wc6RL`ՎQ' v&J<_6HL>ざڛǀ΢BdzB '@ Y4wc6,ޖUSL tL$)0vۖb|Nt, _y*<5p*>*ȳZ  .ZdzсdQ][0=mn%Gl49.k[Jo->N^fEf=f٢~|(1D<龂G,0ÎN<:PF >{z$a$B=GYY%кLN1EIyqJZwʧO mH'lV 9< yn4e/}$Va`FvJ#,_Й !i e{/Ƙ@^0b6yzJ 8̈Z&z-֣o-+-i嶺Ԧٮ?{bJOڗ4{)`go H>koMe C72Iٟ \vzS>&{cȍ^|=iҚf9iu0A5 ̣x?0)x;C< 3I\"|[iK[D|4`<'f)vExɑЙYIJ!s_N;V3Q_Ce%Fv\y$CD~ i <%71BZ//i <Uߋ5qs}M8Re= w16; - H6J3oDД i:(m4;w3VOu܂_m::)^F/W]d+͇?XoAuԌ|l v6J };z+JS%~!7Nl0!`NkˍD;OMܤI`Bi85[gEOUV&`e!y ?N$OyTlꡅO 6%ЋsΑvǸiS?OEܟЊwZKK~5_xފv@ك:IZFpň糵@{"t|𿱟EzĢC 4԰ fO+m(a*AV/ml꛼4恪$vx3]9gQF9ImmqSu8Ҫn$6C)Bʁ5v3, -J.sۊPFźXp̷vԧ4;MiSYnzBwi -iie@rD٭5d/=a/0}=pؘv6yߕ~AMyFI>&י'+ 4>7i˝쨝~ 3fi冤7;=hWS/}"R R+sC[mNշ#>lvo"h_^nHu)P\o^nI|F9{ЎPכ>RjiH56ETt%歶4|m3@Xk9Lrq{r(_ Z~ߢ`aM1]z+mYérċZ 3}'4Ȉྮ`LU=|B]Lp91n:t2}n.tU(n70z3u&z)孲80Ƅ0⚦(bA[Et$\̆?%m $/S+RmR^Nd_WF[iF}TvCzr&䮄aIs\i,ڞj//FZ 5l)lMiV?~m46T N'Ug|߫$g7=nv|=R dvLU&a^c #`:@r}'<\}:#ZmʇF{4+Zb"^CsBB CHZ,RCJSbCkUiqq uqvB=iwHH14v3uo4@K @},J(v1]LY{GYso,'ni ܊_v!VW`-/+=]xks0wF8k]xOҤgioW GjM Ѓ\k~]nH{+{d<3J;C?$D  ;8'GîLfYr\SßTἯ| tz;M{psszcLrS$=#z}л_{] -(}09<ǯ ݴ7;#+cY1+r"a]}.\\LPt f&d0UDzxNJ#\VG'T翉.`3qn1.iFўCH{>n]IaI>~jTF#8|Mi:V6Í5QX8UtK|%4|u3-xЎ҉wKz-/ -M2ux ٕF:y?B#\73(j7B+|8 -oc0;=iu dvkK=TC{Uɮ/zqw8ZM_k="Jst>^o2Ҥ粜;H+]s?T:̇Vl ^W/t[Uh@ۮнWH+ϋMv 6觓yV!4Mbyi.N|)M|&ɏ{0(_:L؄u_nx) G3#r/dޖQ{ڑCcJ#A +$awn^cte+֋>&].v7鉆~J: e z -A=L%vQ -ٚKdUY\=eIj7+YWQR;xWw47̏W&3R? cJ_/4Ig_!auEAérь't3"{[ݜFy14?7Ӿ'a#Ϫ_H^tdSjh^CO)IA~;ȎZl;{c@PltnX,쎮8jHW΍'6yAZ#R n&嵶"4WM 6Wi(M۝D-v*~،sΊ|0\qk7 -C}﮴I[R߁ڰՔ<݌| -a۰V)9%*̧4&̧Ge º_jϺunmghMmp0AVG<]m![35oSɯs5XЇ?i qIuEa.ei͕ŚĠFaB ;y5|NeC;a՝|#LV8vc(r}FgMYM Lu[u9⃦<`e[؈.y+yt n)vjxY~Ci^Խ?YNM'X 疾d죅߲ޝl)6|aLqe6s1>(H!wCԈqXkNY}-AxNWz{N-}ЀK^m8W.6bߓsߟ)Jr=GnZO|[]qoa=^B9e~D |uF]p]:ZUp(澦(ԪrIE5=A!z}@Lo;j3}gD2le#(9;;𶲔3W/S$=͉+yԟxD y6SNѽ%awAV 5yOsD†Ksiß/r#W%7?e9g},@ܕO3)1@ސ%>n`:F{1Hm^*K{)_~ܞ/nb|#ꃺ,(J=DNQAН:SNۥR_z \ga걟3O5<5ŽYeM|C9Q]IE#ތ7kl|i*neM 4ڠ z;=xT{y:oc+goGa. 
-m7]/a]'<5b\x𗬐Wgʩ^i]â@W][.8ꉦ2F(m3WOy?[ -tqDoy^8q o.%H硬8Q6N߉_`"zw' #:_$_kd%Yo ns I6a#F:F ^MYiH~6j_1$R#pɳluQ}鬽,Z&BL5qD7kΧu%KmܤG3tg-t$'ꎴ0+]G4 -0 NfZ';V[eGDe_fF>.{.f)NҼҬ!We7V2,0Њw#?wRCׇ9ifܷQqԍɌ?0Ƴ"nKs/0(Jj }҄w^ke$8D0'5#u૜[UyH{gfFJ1/7{g-dcn.N\_~<( -yu~y v'bF7|uyַsӕQDžT& ,RÂ}ϿkH.P^,.{m "vTc7#`ln;_JQrs2b ?{c0?0@ [8ʿǽyԜb?WZVzOQC[lsgZq9o@o6X1C90s5+-i>=S'*NT$Ͷ";O$Yk?l!M#Tyڕva*4I"/5>d_]z?\lNvΏt ҆tQ;Wj<#F 5iqk=]A* r|Sr5`ӟNbZKàB[kJ.~, 끔3;i*̭!1y mM|=dO p<]W]rS',,5앥 /jtMtނ$FRU~j3kԂukLy.Zm/w??G>GZú8~-0VRz2Q_!pp6~O]h/v1B4ϺR \UD?[mqیf]Ix8ZTdJ֦} -9zc"ﹲw鄙{佹F OZ #POy ~%n qQ3I7gփh%mw wM{߶GxЇ,?UeFt BkmLC490٩NCg["K]oW^o\zhM$LÕxV8E3V,G}7SZCocվ|?TM˹Tԏ]X6J3u\J+JSb7]Wxqi%'q)^Wu;㬔nR;i 4tV3xd&F7֛E^'nO0SL2:rk1΄ƅ:-ya w)fp -78v$}9T?gs'h de{Ҝ\h:y plſzSؚC0tzY11Fb |3~]X5[mJ8Ur9fgO2Mq+N|8NZ} tzLy P4Ui_U%$+aj ^^j# -*-}6[ _jD9n1#gɞAr, JsQMg-L5=`u~$4Ki1Z;U ք>ƺ/cP"h:}y} -L庴"]F7bob0QAVBWAXsk(΍P 'mu}PMhVXޒ[,wP}CDoc6׉K -Ar.{{ʲ7>F}B>:b=_(.{9JYhcGmdQVXQ겴M@Pga~r00] yԛsu5ǯ Uo!1U?(,wu IoVqޛbff7>؏oH4otAACӰob WݴjYqܫ2faQguBg*QoehV )dKXDq,&Yix^1ӆs6 ?@(ĢZuXD^RI{6DU@VҢyJ04'86+Fxgyoh*-7ȟgk^Ð>. 
(v?m pa!ncO ]j%,м?~Dz_V57Z81+m$]-Wx6SM^"j~yIrh+>N>`<މMx)|J~ٟAXh9 3nr"%XrImԋDKrܱ"/ZoO~Мl7ۂX&MSw)'՜b2׵N^^ e)]$J򸖟r2%',OqX@O&YǘhO\<0@ ے?&WZI |n;ùb=.ck7/utnii@_fyg;2Rtm5ASFy{x"Ӱ}5_} DCsr1#U}%ė=b~%1jVb9<'T~dPL_ߩa{ ~[ 2^1&`&vCjj|0BQ- -ˢұʉyqCN~KxJ~Zvtܟ?9<<}uycґ^d`d4IPˊѼt6A-!J#1f~PK=9ro܄=r o-GcEX' Mڔ˃Di%`~Fq^gpPby>Ωw6gq.oGĴ,|0~礬ϴa<%w:7+LԅJ25ȕgYlnuO-p]p%X7?:IʌGL(1RnYanɲ[c!z?HGe>y]̉?Ov)݅oNN~Q]!Ԣ٤x^D\ĝe'ĜNٽ=G7Νv0ǰXwʐaDzz !k!:HbϖlbBqrYnLi)W@އ۾9<{7 Ë{ g_\Tnyi XQڳAl UkPAK@vr1勰n\݇{vŸa0ؕ?πq_}k{77񾺒I׵G*D~9,2";yr:)waqm^lo[xܸt ]&cc7ׇXhJK Ĥn`{.U1>ozxi)W͝0+g.y=<./)D_,IzԃsnOEVߪH;0Oki xөnh70_0[kW]=rvyӿso`f11,ޜw$b>zT#}xw`7n^^ -sx؃Ka7o?;{8^W -ɟfZ2s72ܰbFn:2%+k[a݅9>z37^ pOث7`hO?: 4 HلYQIiѲZ@>yy]B=S/o9 `.| -rzQQt]KPħekbl9f|bxD߿~s+k ݀=i494r1h ꠮~ԏc"3hI)i)H6TW؛w`o%ӳG`1ykswZJBNAKM#_RM6O~3R4PCN#Rnr9X?}{t::xNk/o^ݽzv`w/\}{r 8_}!)$Y~~>3#m_N+t!H8n613;oݸ }*>׭vX<߼|g`.8pmQUdu Gx~yDURNoa߇۾s/{z.˰¼ct6<঺NJk#{4]Tϲr&>Q x v*'Xw07vw.>}-ְxq nTKmh[ 'u[&bTHя񐳝4´EyؔΧڀZ]|ϳ߄];v 7nì>9A>ZH2 -_*\U25,jS936&S+؇awA|ueSP:߂9f}>,鷼k1 >-)6˦/Oug['سX}m_yv;.߽ {q1ˠO1/b"+PߣN4 Bntuq&x<ć{ŒE^iס䵕̹%l|+9SFQpgס)ϵ`G_֕ۙδ6iia8cffm13%33l1%,f2$mgz!pcK[g9{Ћd"U/6f4~[^%kTn0CEh{5?|男QlRy{؋Wv yt+Zd:S/ --&|S-?S9_/0E=Vpc4*)!kG!oM)OWؔכSdkY?V:ewlFG8Y턇$ed}N@_b̩o>?}ƥ -o87geZ۩.)%&tFҳ E}9MQ3khUVmҲo_ y?ݸsg2^&~ɭ׻I۳,[AqڰN1qZ3L2:paVN0?+}OHqw ߿vԣ_n,̜K2?%V7~ˁ3Џ=Ч"vY;far}XQp0NuGN Qt`!? ywR?'ۑ?2ɦ.bAC*:ܧcpm@uVIrfx1m:<ޛe/$T@sS ->khu*0rȹ %e-kȍzefoKc,l/:|0MʈJ(_~u#%WfZw_]gW3M#ǀhI u|*:U[L{xvI1NH) Ӏ nIFkCmYvu rlpyX_lc/2+"SyVfGܝç^zirzq^YXX2S>C9ؽ9hqfI zrGF9] uC*l+Zeto-QzL1/RM$4_%9DleԾMxй 1!k#m`[fu7:,b"Jw -i{U ,CA[h ȁ C}HtCP0`v dkLYEZX )9AYWt[Fm *{=kuu6!j|w_åOcmVY=XD-rvI^!%Q=xcP3P`PkBfmYRQB*>+gubF2&uwX'W9. 
8,񫽒fOKZj}bX\m{b |J6%A{rG3ؕLJhsTz[I -endstream endobj 297 0 obj <>stream -q2 kd0u -BO@6cՄcPPBZِqs ܖ-Z,RRYDa]nu|$SP2;F]rrQ#4*i~%}B,N>HAm4a׭Ypn- -ŦӦ8 (IKQ?*fEI^aHOD,*аzd0B::ڶ`u']wu ݹa-˰R*&/ -^%r_'; s|:)ƶkMMpaw5I7Xd=욵iذ谰XTbJtmlo@D?dC~UxPImelF=Sk|om_eЙ%&ĨR+b@ŌҘ9SI1v!:-nslDSbs-/ڽrdc\|lGDu]#!UX@;1ᖑ_&j lbq%bir|u-FtASMA X]ۂ';'l-W 0Q7fD m#k4[0G*8 Wݟѐ!Z84ѳ+計Ŋ -&~T/˿h mtﯓc-Lİ콩ٺ5%*.XG˯|Vt'b! _#ڧZJ'tIp3aZ]擑Z*&[l[Ax 3–$r+S+$lLߺDJ=35|k5ag}O) ?ʮ )8Z畓kw>)*7ޟvxOSs ☖94|2L[w''4FW@>QX. gϱMG̎'ʰA5,&6;5'%t摞9kbZbc>S+>4H-CԚ" -c۽r@OJbmsmĀ?G[LCL[!Lm}>5||šMV! -DQX#+풣rTWʉM^ r1搏Lұ:ԠJ -/^;J6`{ݐQ#бf{zc -K>XsKpQ#RBo9>Y ^OXgI9*վɈiK ?rݱaԐ*Rc2{mR&-%M&MM!wwN ܉xwnr飂ϡמ]9gIG65 sAx -_:a ֯&C?n2%F: -QaBRTm޾mMQ}KX]DاQU2*1pgsOL*ߛVVU|""egYaMA *w=tML"ȱ_E8I@,=hO%Gbñ7%m7EH[B5R9 -iׁx.1*<O肽;= >2v E  'fCn Jo⁒ubh'_\44 IURՑkzQR0~pe@Bs.rf9V6Ӑ~@\W= N1RQMr, %s[0]8bwym qJ(=R"*&" Oy*qQ3QG*.'&I9+ V2ADq5M><`[ -*̳ -ϊqj+ЌJBE)0h9xVT!&VXgITkz鵜Uk@D -%ky\ k௭?[)GFgR -d{s%ykyO+1ql um]G4l{’}"ۈxԽԻMQۻ msxizTxo F*j -A |dw&WP{+؂k;{ju蕩w7Ƚܚ -IL3*?f$cFTuD/55X@*p*Я} -ZKDϢ[z٠b=rD}?{7MɈզaBn@5Pvw,xHFj_Ӷ+y?7=4>pNOl@>Wv4>0w Ew9Ⱦzl9`;z~040=_H-H=gȽrb"c>l -*dW6 G8V#,F} VSSVXKCĴ4@)2ǵMߚ=hC6!X"涡R\!-ؒ8qcހMa2_{]Y? -oCS\d: -/ZngxYg׹J:Qƶ.5΁BH{ ωf6:v7p+6Xel$h]sWsȤ9VO; 9{@emGCw5䂮p6̡6ǡ@rYxqΕdh9ě  -0!-ˢ2 -X"ȥ"虥?g懛- ] z5QyOwV5y-)^ɓ4q?]$Aл?zƮצk IJ+CCu?do~)8öܘXhJʨ坕7DQ 1ufas RaKļKrfSiX'~FL.?d魸{0[" >y4 Koiߘڳ8jlIa-9I/xyxQɽhG%1K1_}%W -8啿~ -'w'ix 4BL<Ւ!C.D0~7Z|k7^'#m4:%$G:^y%=EOg!NM>g_n3H2VHy}ld 51OKnEthPD$U\_IGu |&l%bJDa@/qٰVjSjЕGf:ΧC\RJmPo]u!Q>!:ȅq %87:"6sH=28IU|E:D\7 Vް=4?h|VL)b M#Z!4\p@e@/m ,]Gõqd_%NBK?w7|)$,sȩ W3*HIn4\=1Uģ/\8İm_#|bFWkQ &$U UuT(a{(,aZW8k\Z+ج"2`h[2nś JnM LDiq<ˈ4,<W@nj75ns~d<*6m!t7\3*"?ƈMOݚٳrs&~rW߳<820h\%L_LmM[[}JHzgޑP?_>_~ؠB*TLÓU3e7'CP^L+ѭ[Lvh9aPE`UkAX[k΅ 3P~. 
-UDD.Q*~>2qGZHD2}kaLNmv.+ܠ h'^!ae5rmZT1>%44MI#o͌ F*ЋDQOm&P3ph#g]Dm{y3{ nA}(, - f꫹3~2>+ !Wk  \l3*-Cb64,ŗ-+O=쳈#Zl{b -}B@Q9y؛ [f,lM4?/INE 茔ZtV=adkh GE\͝ QGǴti鹪G3pbooxXt(Ⴥ -hHWTAG^g nk憄񥆟@-4&9<ͭXǚӀXy%:R# ǧم?3+I}w'a9H@ghbCJ|_ + U~ o[BfcKkzgU?æ^^m~@A:!)4$iX -SWCB@s7'ܲ7Yv'nN;Qw['TM_yH=5-䒋?_{Xm~YU?2OE-e5wZŴDП͚gֆ-(p^BUw MoBRlԏFLMH>bvvGf*xТF -qA%&Wk/i*UBát.ҶO✭}`-Z@d ql -k,<z}dڵ QPA?> 8>:2$aO6:Ǐ | 7aܳ|oG'Q/Eҫqлe| -%":߿gk?mTY"ԆeĺxxKCI;#i?h}F{yH)c&[,`!"rÃن:JじU4ݜA|_o=u+ \ó[~zo\9Ya5 [OZNzЅ> xڳΊ-+KoLa_pA1qhݭ/vFj^g>cj¦DJZ28%гxT -<:Vyl[/[9g@i馗gٝn|n4\y2Vz'nxq͊x,RTP[7x]lb%Fo5*:#f4`OB -Hڻ&'SƿCi1.hhd>Pzhcq i0Ͷ-BRʼnI0|c?蘒T?.^{׫t9E,D~ha -\yքiDY~ѽ=j.uWrj|N>Kc~pTue1f[AeWPexCM*A= G Qc̱{mhpGngtВJ\KNK?yeݱ6yXfZl _MڽE|wf[_YgFuZ?{k*V~b_dd,a)g8VQ^A5 P0!j:<ޫDlu -)S:e"Xz驦6=)UBwrAMEoQli1kTfi|d,mx9T~ԓ1Wvˏ0{ eL桞K &D'!r74X]e4G uwfnϔ_f?nw9J|=XP"D,BPIpryGʶ+=8<ָ>1)]# -c;+7!, 1ZC4k-e__TWx޵33V&}B+L6&{%)]UZYXj^rK(#e -ٝ-|l.|cz{o;]v}oF?V "FcUxWpd{SQ[\ W+*nWpLdvMt$)+>ޙAfUhhEHMeTc\!l,\/,c%[xeo( BT ? 81(UpM'f<(fb"Z.;c6AҳLO . \3x;Ͽ^ g Jꇟt}7 -!_?M :J0x=-]'[A -+$&졂O{ >Hl/igsR.*mTZW_WaKJ\[+:랄ͼUʜ"\GFj=d~x6gs*ޒT ޚgcI-Ε!:w]49#rR}X撒:%gBmj B^o-s`trc?bgtgi_g6 ;` &^zޘ_ܜ{HUam e w]"5ul&^I.|?[n]d&1n/cm -w+.o5K_ue ; O>ϵ&0 -.+$tOH͉2~KIy$4_ -ΌiqI ~d12J.9J84a8팜[{}{T3u$ErKI%Ղ7?H/ϗ^|nyٟV|˱]uZ}/G[8:aXNh(uDʹD{ZPƗʷ_iX"|5M>=Is/['2/ګnX&a/ݐr|Xԓ Єdž5hh@m)0%~%pk>븴yh|Sm@r*;IYf2廡Ɨ q.jة ϣ2R2XUk,UuvL| _bidh"3)?B\<꜋֣@,yN>p,}Rl#g6ǛmS-ė8)5YPI ƭDa@ j -o:ZTLGɄ4l̯fSlbJ,2'@/n/ھyx$Y:(f czwoШQ3RꝋqL^0S^5ᐒlR hQ wRH,d!Ӱ&b6Q!V/ӪniVr;uЊs-a3*iJŗFYu?)~럜K9kcO p㭽ɺ۾l[+a|9 -9#sNYwGPciAnFy* -^2 -pn"8hJ,!37GJ.['ʮ*;2B?bv_\')T!yb2CE vyP`4޻ʭ!B*&F@/P*T*"^>}3tsdžݵ/"Rm$7~ ^萠GPMA3Z.ۘTO|Qq3}dLLr\wR'*|ךk1,{{"4ys`7Z#r#R9ٚ+`@@pCtb!A-DOrZ?X쨦1ϗ(宥_s;зiL572`TR&e[SĽeTʑF82G&$fՇMFqׅoh u -73wgmv'%T'U]3_yɕ^2VWtoXS~ J8 pKQ1+xMIG^r -1yNzՙ'.E1/`>d_ÔdtWDu&o_KSq;˷+qh3%.69혂$,:*#7:Xpӄ_TB2 8 -q鑀bpkMP- x -:)"4킐;ej4IӖ{q+UgNd?A䜟Edk/9W_7'}漌SrkW 3o@Hn-"A !&FYf[[[߄_;{w30QʾO;vfδN]hiKK;!! 
DHqwO+>s -Kޟd BEi<Vt͏bz뀨Μ+uO)Z_.+.^EeUO}t؂ r\Ϻw[~s --LJ_|ۑtjU Y7wEWC݅7E]?k>M0 cLGXi׎+۴+ƅ-m駤)?s*_T@~ .o:lQ18pSZiڞie:Wsc<Лly)u?@o`Y1}I#j/#tbW}?l$E=*l|6Zɡ/ j?VrB*=WC7Ӳ )toKލu3}rn[wc\n}a8B?̓nuu~ -s? y'DMN# 5+"oa洨ꢃ wȌKG'w<-1&鯩Ah݆P?&)bUyH?fm:]k2[윅sL/ctUo3/l]M)}:*&5=$9jK˟XgG /d[s8g `4ڿ_&im'83kz6>8=y -I_KZhښ ]jDǔ uZ Ov7ݜUM3š={ Jh&bVlyXWT۫G]tv/ksvDزAş,)zh3N߇i:`~Fn9:z^t넲5c͎nbV|n)Ḩ+:5+˭0 MY䨖Pw*pΙKˬβ{2T/̺',;_%ׂ;1E}c4)>2W9z/!nzDڲ< UDqWܑ#!N3?妓Xr,.f&]0~)m4Y(1-ą傼Pu}C#VLɶɇ;p\ <cӉ.4->-f L>p1r~1O׆ 0fRu.pEO5S~V?:.mz~jRpmzIlQkӓ}UyE K4CS%&] -eBm?m?Dn?=Gzu7t/s<[|CSfnf-UW1n-UwsڃSPيPd栽b=>r9+B2O51ٿfc@tso~<)cf1s,ZВ#\{lkgfٝoUwΈ1vJKaƤ8Կ療Oa8;'/H20#SrKqxvmLJY#rwG\\ɋ{'FuﶁxmK~詸1ؕ#7fb5sKچ3S%uk8I!ye-}a8x K<󴪭j+PN j]?CNpne+[W[V'rۏiwx}Ŕ+'$Ky8I=]oy:n2JlмlN=7!>^%w'77츨ͭ8ܞyr [}u\t}RrgY| Ϗ wғK.;6 "sɂ,XkV],8e@V@{1;.s+ȥZӲx*dž@o"4N}.+D@a o -/ocW<:JAϼw"WS?[s7;`"k@o͈VUƟv -i;5W$Ҙ锬겋_wU׾_?3an5 7 ΫM掍^z\4?YO5^1@V qj-X1wSk ›͝)oZ{nLMLfAٔd|AxhaxW⭯@mz2"W>Z7<Җq2QQ#dCt#BDY:C_ M1 2fT,p%Q29%\ζZPbF1aQ&fM @ f7+Fjܴ Vq7|$ ݴlⷼ=އ0b7|tľeV\ rqPJOnmhI-,}|=aÅZ2#3|u/8{Vjن*!6Ltvge Tz̉XrR[+BikNX_a&8bӢzBC3OII啈Q8MW?FyegfZC3iqzFE$՗:];\Cz3tp8lv[savF阽1.{/$eWU :@Oy絸2doe6J%ic*h1Ac~P.Vp<-2yq;ݯS4IFϪC%INmY1uém >=詽\L(:}'A^Uo=)Gro}|(WR(0\w+$,Ǿ9ūqLucG\ _q}nƗ:Kշl7NHj UrT)eG)iBؐ nbQݒ`7=6*'捈cⶌU (NM?o%$:7Xph{֎5++͎ Pekvd@/xqL *n" =&7>JT֞SU#fԬYV>vAKkKZdec:t涇W -Κ)e>KZPqagt:Cl֜&!+:TpパK˺旫VDW 0Iɪ W6>'voAMAoVLu+VD^[>B6WV]qSICdd́LI6_4ҧQ\ӎWjDg45Kp.z.)6% + gǡ㽭gS1OH]6Pmߌ);YNHƤ~HxE|bMm!;: 3qB>na#iY-&ELw*AҾfwS RGEwjdA~G"19+Vb`ĉ@w{ZWffnZU;MoC"p⮋9<&m?=Tκ`$(X;]) u\0iZBVٻĜGPO S@<)KmVVzUFTO&l 9,*㜏]~kň :B3n};Ж|SX1x>%EI3Mj%MiO%MF @? -/ u>?%mztrN- եUlޝ-3`Y՞k2ս3/ op2^8 -S1H3C3ZCJRTQWƘ5_=[פ4"{Qg7lp۳ t茟fԕ%uY?I~.@!~##ֽ]9s,9vvU|N͛z`^w>]3f;_EgԤ5Y冭M҄іW 5Ģ_lEʻ^N?\V1gBZsp^.eJnZҚG42 ?"Iqňz傟OIBq] 96\Q+/ -}p&ȴT!s6!9JuҪ\6?(oN+{ڴM}tLk8bE7l[˫PNN MiB(!w_n +!VVؓ׎;`RӚRW_q!Rc3.zu|mI9O :FB|@|ecǻaXO;ywL +OZ^_>a"? 
RfWTNrRxP|ك—|}"wвU$kDR{C>5G"_}pE[uLQucYUswaF_˽ҫ'k[#:dѣ̇~cѿ9!c/Hl`e]$Q>P^_sటzfYw)YДZhE(qv0u+vdΚњ"CwVЈ۞W]'{,[~qݩGnRӇ S vTԼ\9%,8Ewoτsv|<ڶ [cE`'pFN<.n!h~3ˤƞE9펗иT~_&ɘ3f挊jn-AE>LMh t2a>\yoZv:QgL"GFUC`t(PGa/F]jfݚ]s87cIϛ@'gGO -x Y+yπY-|ZˊZ e17mhZL§0{o߾#fg{-{cT ?o'U-9(5{c~PKkɍ[ғ˖LY:#0xi\oycڛ&|Yڨ|z7 )5! @F}9=,sɄ)]QW]L䊏޿$tE845Pwc_pNٕQs)f!՛W?kdyfXzzŜ9!Cg: [RjE~fpkw9uiW f|ɘYb悟hUlȚa3z/>FGq%#|ʇ -&_rT{5TɊ]6k8f'aU\Ponrg8ȹqqq ow]d}0+(>ʡL)#e06X)3Ys{ـב*{> -ݒjA.p>~+YKeS~N@!mYk@(޲+mH\uf2.j{k;#+iӐsVzXg7F5/fՇ.[rsUVHڞ^EϘfT[P>"7mXvRv >¥N(愃q: qx8{Kl\qJLE=|Fo=U|Wuq[x:_xMn6jn9vFQrMi 5nΌ[?âK*I,}F!GϓxAݰF~)!/ 'a=W{uh[Zfrܾ$>O0;clJj[8kyA] ][.d񖏍?ĢZ3+e, :l֨>)='?EEJY fԨy:pMǘ]@9]w{!iDŽt̪Y jGiQ>F9 /-[PVT_G͘ˆ -uVe@fm 6jÂ`@.Y@FZݼ@$Dd FBٸZ4:D.5P۶GlQ̄/oy3* ,8y%osm^ aNZۊ_2brݚljK99+ArLjG9ʋ?il995;e3@\\ԖѶqyݛ!:->;>R^4Ȣ[01KXQ̬vFvXR`#5 u RQ.|}dqXwh1&wJA9~RC8-2}VP [~H#m/5nu1"}߾@UlyUWYa' nr$Ǧ\,_>̗-WIAEjXr:׃Qeg.qCh_~|S&87IPKfZݬ\`T͚Usx!`̻{&VS@|;iQFÂ;دW"vX{6iVߝ:JE̸b# P3^l V%zFi Ś1`Mm d{ޭ7 ޅԩÙL?=/bՇ)|?q"Jv]5 >Ps5 (i\? rYknuwo{DuHcVhENu{^I:%fw,DUgt+&nknb4=I)e WRO1c ={Jm 2Jٖ6 [^ 5jC aLʬX;ck~&jڀɟҡRc_pV}=ea@7Tķ(1n#+ 0ً&j`<̮ O<64Hx{xQjkO]з$̪[OjA  f;7ᡶ>Q @c<5kg4ĺ~X{y?.yYȨ /3vb/XăA݂͜$mhU4H_ʦꂡH@kmz5cJ+^6ia.+T2 1nAXl\vKyiEn(e'Ē%70ؚ 퀮2ҪW׃꼓 #ȬIF3js"&ddFm1.s=niwc۽9ݣښvI&g5@;0vX v[i@l9q:.j'5n)ȕ Ԯ1n߸#qBh-ذ᧣&9/=~k~2xMmsZ>a=[=k΁-^WG'4fx<,u|y½QrtVy*(Fm?j_fÁ(YE^% -8S؎:EvBRs%N)e! edyu_z/驔1a,)5>3{Q34{F^КW\줚8a'"pDO*Xug-RSĘ:Fd e$eMkH5 lEmi#<Vr׶yQpAOPZw-)椶Et9+}. 
O*Y!AM;y@u sQ['uqͷ|a0"A< D8a"ЂK"\ -+v&8"$nЕ[>j89 WO"ݲ1iFW:oJY=9v{ I.)$q S ܦC[=iuZx֡>{#^[礁ݘ7;+hCL -`S&j(7In1n!s>(z+ePbթz2UUۡ^NX03)0 =)LI^$v[% ?ac4(ARJDZ|x9@,z)35ΗMK\[S"ʘ@ r6l[m~l1[#0;!nF)`Bl^NA:tƜм=Mƿ_WǨ.cg[;ٙuF(X8h{稉adN-Xnc/7mzX2Z5]j梞{y]ƝP"UR-HΓ&KPW4R񲡷{'3NSD!sM,=g0@U~!>7Uq\/CKPkX2M]9`Ah}ڀ>lJVPZU['ZPG\ipVvD (Du.ӫlYi5Fd _2W]+ w74@-@iS*r9g cc?"P~Yox`eؽ{h&>If콌@줷ɩ).sNECe2V+ 17og5qD[ts`NJ3fʀVjUjj[r=6`^;a^`k.&|lBK\vKiY-u-VrѣFӐG!|y@ OqT.CzλPY+\-i1@17g=Ć)иVFXŐ7|>E.׻}͓>ڄ]&!%-Ssr zLED,6Gݙ^@7ɓ|RYe>w0:M"j椥ZJ錇ؙ3=i|#o=i/>0,e)P _$ _ -8uj.baҫKFS A+łanI_4AE#T*b%8d9YbۚmWWs͙_UfCρٿwU1~TEkAhM@+N@n%yC$a`O, p1'u%3%?ߥNܹ[rхy~$ &Y:D^aKwG[cڰV Ќ&>B/7{ - x֪[P%z ;Ӓ~P!)3r k!UL A&-^ٻ -{~äGcf6Y Խ7䦦_8SXR$6y3>J"O)%Q|\y3:G'y0@Oh +$P3iB+^.Ɂ]N<]?PCr_{gYmыo1"sf>gLf \K&1;m]USyo )^w%_HT[B6aR\ʊMZ56rM &࠺R*RI{5|!b`ucIJ⽚lʳyZ'tD -pPcE.** LV͢[]ӑ[v9;6l %}I -^ڷẲyTs"H⽏i'j -?u}wfOIW[}N Oaj0چ.`ʑP mpD|CG߯8^Tj;<wB^dґs➼@C"Fo>?bAF[dLNyM - Ǔ"/R.} q`$1w:C[<* bA֨?"fU2?g* pJ'qFp]wGJ2wʎ=wz~xpܯ*wjw[. -݃AykL}VSӎ# |MN0p{ CdN猴sR*51=Cz^ -q䏿<~.YG%ʈěnh -2 $R(T-8ZǝD̉;/GyGrx(!0;YIetQBtgS -?$fǧa=}w?? 
7rOp+q^WXCUrzV @_:F.q%U ?xM:&ZvW-b>WQ2f옓\s`VEȐD9rg;wE?A8ϭF')>ouXJXf)ג._H2)4I O::4I^2 UJ-mB@54~ ԑ Y ȓTFܹ{-q9A*/.{v@wXԮgoϸS -ڄ kC fVe\wJE͇ 7;?.%HV>XI$yW̙5NRIzfU vS&-ʼnW750ӝF_ CgK5}go&OI+O)άށ=\C^Ĉ4醴lSC#61NsĪ."1/D]"] Q2|#JV9j^2xNsҬ lA+sAk-bNEslQDQK"^OQ7de5 6j{R8x!1Gx[2U!J[4[qfⷫS\޴U>eGlb`HW6H_4F/@]ʿ2^ ۑxa_!hr!Q{7kKP1e:]:s[" - Aj4K?NCS̹>pIg;.bHoQ,zeCFv}VdP:  =>kqPJk* uBTV4砀Î>E?dhy:pWooOwAmB8oe~A?QódtŜʺOTߪ{B{LQ5}O\[b'<"j%H2{h$Zm8_w⸧]G^OUs7DKtzRCȝTlʨZ#ƌZlh$pJa[P*Rx]YkǪB8WDQݯҔj5N(#t̗y -_K 9&o@*rH&dђujIoO18П-65Ȕa]Tj*WyqfAk׋OLy'"._/钝شPWFyi3)n*ŵ>խS_*a|@`Qۭ@JҾw]w!&5j17=rCyoZc3Vjb`в4LXԫ9RY*O<`7[< Puw0}X&͟){6 -\2k>t|36]1Y暳+ޡF(eNUghB`Ʒ4!~nC/9OTCzRI zjٶ[^yXi3Eý1NkxHh8=fvvOKʶpI& ]NM Zx!vgQ!A|`;Y#p: 8dig/cg/ S~P΢厛a35~v -q"سyy\al;^dU燎?EXQqcs0not'랾$d7ZX漢-iϋ>߱6Aw$Yq\?aoy놕gܙ&,Ty;fݞT_J.7s"K>P-zy#tClS7?+<++?Lq3E>LR_ޏlQLjJTp),*U>0}^ o]娾N3Ίuy¬"rTSs]3T*WIvVڟ m3+n|2ab Ytcvj i8zAT}A| \ C5׷ l  i›;&|mA/ 7ӊg6r_{&dAPy3;fD/^mxe<<?8u Q+8wnXsѕ%U+!f9]j_5<]PV_hAyh@d|%cv݄ (cAtjˁ.jy6*hO2M5M[ϹҿfjnY!3).2hnng. >]w9p@3偋Uvj˂):΢VpS@o[`i{\͘=H˿~Gdn)}C潻-uYn\e^G},Mp Q=4mXlӜ;NAmQQ#A-Z_EWEWwͯwm{%ZV ;2wOl^4Asؖ'm;n\վ0+{NZpsY^x悼._U+$3bZϑβOuGGVtseM UJv=Цa*8}n\?]R8DLvN!wʏ!l۸#@V)6oo+9{a7?^T_Q6<\;2mjI0v&^X;f\[2;zo~֢,Eg[LJ;[||k3m׾y-suTBKi k!B]@<]Cff{f>C!rDZc-N!#Ojy`a0& >y`+D{偹v(8N`jVWPR2 d(&>%N3zЏ@^mκ6ZxeB;|/}h0)f!IfC?5d_ԧ9V"g=2!>7z ,P$7ZzSt6)$dlFۧss?a5\~V72lC_Ɂ~ȿ7w~Cy̯dz^&[dՔϳ""q;CMjhAk -+'+/ͽYKkɻދ -xjsabc퓰(`s)2籚:@>';5X9סFǛ&`a[49ͭc4ҝ|sR%ry!tIDSWY[<^-w7QXvc>=/dJfL\ -zG̢ Het]y˛اQ^qَ - ap\/> Kmv_bQ] -Z()DI9Q#*\()jЯ=3Ч=ۚ_O! 
*zYYϳғ9j[.}&뷕3=nV;݃AJn/.bo?>[m\_j- 6WDg/*0y =S?Ppa` )nuι感U ?k2/fHɫ Gkʽq8F-w'|?KiFS7v:Rj x!0H6p J(7' /ښSm*JU)^dv`\.I6%6~_/fg˦*V7)nCݞk~=mmϓ_@V]DӘn:5Ã?D=mu5?>3VzG\^wإ[})M PC4:hPdݙPyA@i -*Bn_EAzbZSz٭UV~[RBix&0ә=]U4X\͍?;AQ-q^{  =YPnV9eg^:6fOUɡgwGȉ6T׷*Z>Y $r;bs?;sXUB -ԥ",!ZJvwQJ[5N@ 2 39CM[{ũf,h ʂM '113>Bˮj_+= -MFP45yg>QBVO_R~qHqG -11- !k0Jk9y{)־J(adJDMAzO)K`[ύ0RNMSN"2B9O,AB<o,}a̽I;?M8R -6+^.8X߇ 5 `3q|b)TMa -׻wBluJP) obyM;>;m.x8OkKGK<}Ia/9!ZeM -Ⱦj>oC0[暄=q3ힼ+?bnܳV1o?NJo06Ha«s -qKMeq&M]yG5^pѠ6Èw7;ΙdfF0am)߫< &fEnҭ.7yXq?x}3?_;GNlbߔܐWY|}YӘiD?u1q!^βQ\ubgFi XNoM"7z)#[$`G۝MeANJğG(a?mh]>|o=?& N4bSށ\pȉQLeBKŖ[㬬j-{wM3bC#ŷ =6 o,+}`pI1Fzg g2s[QjAF梻ܱJYIZF;ڇ*˽d Vt)GXGYIQ]:S.bb afg 0N=?/9Qabg -s04`4dJA.JU):v+Hҧ>eqv2㬄 2>/'M}rQwђo\YJNt)>l+ 6t%:ꇬ8. tc $:ppU÷uqWO f o js[͂$(Ʀd4?vO=@zԬ 9YcWwz#auJ+&E囃ė3DKYsf=+q, WSE"ζ]׼u9bKoo!7Q撻ݘnÕsM;,cXܫc̈Vso/6VD%D_~{9Lf]f;DIֶ@ цz_c=QVJ2ua@?_x{e]C_M_+h0; _V'y{^;nV|#ԄLݔқ[QHǔŖ؛ߌV=\aaO+9;'1qt0%X ]kUES7+N+@ |*P(tN2?"'8I?S3ٖؐ W_Cnks.+y!#5\[ΆH-WO/6%RU?ߔzf)忛a/~{5 s)j/Ҏ|n 1c!N/ݴ װн>tXQ :6b-5~!᧝$ERpj?5?זY" 5V]SxYY`8b42Ry\mK!Ef0g;`! 
Fk>ٺ Y׬'lp1q= 6$feN .$>#=s4͚fGET?6DEzTyݗqw[̈́V2z&\w`8GՈ9d~TDzۛ= %:-FnRvG Q+[ 76qbr[UC6&YD.lfG鍵`L=W`]:Ͼ|_zc]+.\9 "]J7$Zhy-bCCw=("ٯR5؟O,4s:G+K˓pQr9۝wa?ns{ -p4?f -hY0ks葺:a;*CX@?ZkG<1;&iRvvB0 f"q.tщ;}^80])@ǰQ[ذTvx2%n:(/ws+]+$9S|{%RSS}5Vv6M*iIbyʛ+ooY&ȉ+ 9|*H ts-?\@źBhv=]IΥ|Zc*bbG%}ki2j!7L6;ȮU,o¦-`@ ~Laa`y4|8=!D{>2+dzbaڇ[ڦ3>|gF]i +(r0B0g_^o@nG n,>ɿӍxb%E;FQrbkѽ«izM1 _"f`AQOb7)d1$'o"s/nu7NPN0:)c}df/ o)s/~ğk(E}$,TqUQvLW">ÔͨW(Y+` 3J %wwl?7[9]톆HYg{A\[SQ;2Ն_X{rs | >KJ<%.|V~ !#&[2/ B\T4_W7Bn0O}§˻wm>[}~CV[{#љ{ !hz{gZKn^RcϼFh\RNgx0)zn- s+0n 9SEBMp)^6x8^ d+QV֩ v$-eg]h{p@8g5kC~9:ʺ/[|qO8;6i ҫç- #9٨LiV!Wz -nw[9r yڔ|V12IJC2|E\yu3G- 8\oG?2^JMqOSR@kݖr~x8Ջ2ry2JIXh;fgE6 ›K{$_Z}[|m!A+*3.'Y{Ե Ҳ-*ƻTrU"-#v) Zڭf̱`Z.45 Ur!x6nS*$t!)\e8 bYӫdCƇ_An6>LxdŅazu\&L?Qro -.G1v=}S-S7JM&o"0觎Ijs5Jr.|n7V;M~]feOK1žlu@'yd ?C&DGhabcdF1aIbGWE_dͽE<_mnu1_)2DꇊpFx m*F2 ec C!)tQqjGR)Yy;'UAqCA#ZmR|ᜈH9!ɦ[c;G)smǻÂRx%9ïpatZW}P;v]!ζ_q͐F_HXd gy[;5UY]rj}[`GvƵ>Qa>tm)f_P=Ym?(f1u_NJ(ncWA~P'IjzGݭ~x筆պv-9y9,.WCO{=׍ -3ߗ3mS I|OIH>ђr=e vK=W: -n1iF Cbӕ.MY5uiCtf7`AVrCUC*,uJe !Gidžy;n}ZY?Xk-"|4Kw+)}@%k)Q>5ܧd[ƱQ[shc&gM*P4.w-S Ss- OA=5OrO ;"qS]tr.D>t[\!^p @KNRӴ| 6ۃ_'ṾP`CCo͍.9mBwVLnҾƄ[C:^[O-7X9M8p@_ſ0O2EG OOL@_̿Oyzq}z7\$tbG˥{lcd>sNbcRJCW+ͽ.ku*hFY񒐳?AIZAf){Z}ӴL x7ϯaB-1Qn%xhЭb&ɗ?\ps,:O]P+ݴ@gxb@,y`#%BMUKϩ[a[cհ!v!IdjGIqcSkկ˕Ue8U9.dM Yީ#n==pHJ=B1MQӬ:fE'Scc |zֳ!#!$ }D &%"YJ+XŞE>ުfYehPݝ]Z[,6OT"WÌ,/ou!nvUgSդjίSFKͥГ&&d%'j8Yޗ?Xik97ǐ/w ȭ^rr&t&Kń+ٛ!k25g7 BRlGIp)9eF);WN7M-J~qSrCVL]խ>Dc:YXdD+%85I]^]^_Գ{ pGq* IЇӺڜ45ɧZӮ4A|l= >c %`jGGZhia.5*?V)5 's4>+"ĸBһ׻ %`yUhiwzj`.Wզi*1Zw;jJ'[ Iϧ{t|[ǧ5| hU(=\ge=Yfb_7j- -y[>,m" wG8$buƁ/MߪPhV viz]QvR D0"=KlU\;!ٴޜTMI\ZSد]b?*m^5b[a$O㨰{KOA'|ۨys* -fA`_K+`~wvPɦ10qg]AZf$~Dޟk:3Ɋ^.H<ĻR(sN0 1 He}ogP.q=wg5̴+KMޢ=ο4u/:ZS-Zy0 h9^L BSeOޥWxߩcoSp/)j[M-gr aT)f!ȇ ][i(8@&ٻ%KoS̿id4#Jg8F Q}l#80:f*7U3`.l.iHEKhBL]05N2W:Jn-Zz_W9;YNVb ϭ b]ʡ⡼jrGE<*PqDysAEL^ƥK]_h͹|0kSE]91֥`o+tx฀<7*4edη(eOC랭_ef z1=Em Ÿ'б2BKÂγ>k@&9ᒾlVQP38,0{Q:Kȇ7cjQY:u.xh|,-z~2/ٔUo>oUr965>۪D՚W֛wr{T$Vb2le ly<.%~ |Y] xt"]Y1M -Jo - C4[7;uqQ0/w <_"xawGa[̈́&DXlF 
Jh=0t#M'}İqaMQL[+c^ξ{8,7ZoϾm@β{&nく:UoU$>EԮdlwƒ;/,RZ7Gیu0hx(g@6g_jNd, uȍANF:ŧ$!*q1fڔ_5icD_1⑲rlS iqcNN޵kDnbD?'훲.юTZ5liTKmn\L}5Y6.ۿ:DLSJLadV4e_6_F1ibѼy$쑡~]z&cCLcČ7Ye\@; -nW-վ5Hdg\{{iQK]HI9Fms`/]+h{dhWҊZ>zsROV,Urs<wV<>.}!Ⴖ)y 0gKh/ ^ yc⹢5Dz``TfA?ץV){%p^L˽BEƅUU] +UXzC#| bX?=Q2ðH cRa;3"0'm\T5~g"gK((IiGzJ񡖘]${V߮ f ofYhp;u?oԼ Ӳ=ZNZF>]n+.EJLvy_TXP">rB~ v гIx'*2ׅ q5~lfy H+p@D"w4GTY3?T4B/J/+󯬽?'U㬌qVKu ?LV~0)Ey)w l0kK楅ʖ{_u,d%lol3|]Ft=9&xQL\ȡa-w-bwܖzEߘ} -gS~4yD -?!bk}߇KUve5,%$=?T3NX +KKg|zrC,6 rsӰ$b"śBno|tm^BE= 3LŏzRۦ)޹=ɱ+xC+9&"GG[i "LYJh0 s)zJѧ:a_ʆ,@gfշNWzAK notB{ttHQ)mWi}kVl- - YPt,AD{̿v*]@ *Q.(/5\CM5FO]:zʪ? {uk)ǫu=u*\ C#cMokCt* ٖ0 WVUߩJVyof-6ELiϵTUtXWڡjz[ϪX0;Y3zj@-@U|eMd3{)"%軥>znl>E*-yQ ^U5YM6H/  ߂[`WU>3B[pL*lW*SMLOaS~ ӳThm۔ -յZq`A~㕶'?7=n% k_Q;TKE2S])Bz)뽘'F4#*?Wa\*]#&Z8)fgt!0Hۧjs,Bt98F7KIaQJ3I(qQS,5שLvA -qʘt5+=s4,9֑sӘANLp:&0|v!<3#5%!Ed7AX$0<i!'[ n cy@.5ß_mq,5133w8OcFՔ<q;ZdT|Zrω9!B3H? x )ku-916̓ZdTlGAt qh@qP:ǷJVhw3P2zgTd$es-V ݠGVߥ=:5u2Ã˯/^_~gV Q>·bw^Dh),EL Ԡ}SPrJ`=CVާ3g^2e]2u iV]/M]Z!pk0q,En?M:x-=ٿ 0d= - j c#?cNr -6G@!~5= Iev@=?4^23f/3hF =٩ɉ\Jܡ`Cg.54[5)120'<%DN=Rr|::->&vG˞'p'uG(Yen%)ӭܯkBA&)#[Ij.!D*$b -x~KUF>$ڦ%Uqo{& >ӡ`ҡçoO mOì =7߷xMo˦r]*t4!xSӪ|}yk[(Fb}`UPs{Ͻ<>o ōE&@ߝZU,ʫwGKu53%9@Fqi'kl{Nw#' ${l[URSfs\ԑY ޟK_Vjk =I}c8\s)X9\)1<}6. p*)6%ա`|Z17^pøլ"P.e"#bC-vLrz&TzԀc)uMUEq+3"q #&lB] 2 !94%1r&tKF8YqVL2ZqhW`v$ԕ^䓍A i녁ceUvW -NeaSl -z0>2:\QO9؍ƑIan<=[&} $9:>PÂzOZb4u꟣~Q{5 UuͧU&xn+cTbb2tn7|Ko]GV)%ۡ{5?v9 -c= c/\Q/_-1C+ړ X5dS\T%|cX@Ze@ k+4hs0EK}5ūf 9bnjͺCw8K/9^x$hm :ګYbsRk*Ĩ8Y ̀O<)F-~?2mbmr؄S_GhQgVCi39g@Nhp0"1Oqk9N9צf4\bmQJ0NNǫbo^hVs<뱓_j_V,C.>kzϡCVL4ԭt `goҳ:_}=Y O\rFF{)NĿuIgul}٠Tq_v>x$%sg؞wc{<ީ$ZtAN$_|^Q>!Go]&d5rQAv!ulai⢭843Ӳ:{@/v*vޑ<= -v󪙥~= q<Ź5b +`8>ʡA7p/m%7O <h򑮚u4'IbZLl ff0 Q N USr-)xP NM ӣ"{B[ rgZ/,e8/ˍ޹wr>|9 YL@ΤkO7>X|tk쓬R$-1J>62Kh)al|KշAOk>>MP_Ik9ЃqD m=*:xruK˂8|wFr/hVU{|;AϬik\qN959 532 JQ+l-cB=fFy.ܣ! 
Zj:ģAMG`!QBCE/6WȓXǻcӉ&)9Ѫ'ZX𾂾9Y?b~]khW,vPҡ'+u6j^Y"p¥$?X!` 8)48g^{{kiK/h;n븏~?ye6O?kZ]2x}ߒEwO{r\Ԫ&}Cr_RXpyhsϹkEC[zfZ?!?ĺ%ͧ6<]83]goȜ}rmԳ{fRh}Qi_z)(sA=/sb]{}{`oOˆ{3s'zi[_݋zv|yzCnڹ 'Oߜy9.njɅ?Ω;nGߝ{O?9tkכ&u}v'+{S6t9"蚧:NwhEyߎ1Ck@o >O/oh=oɵ?}m:ޝ]ta /SYv}|jK'Wwvm3JS5Բzg`/u K;NgpzӢWu7\g'?{pEOvrnŤ^qySϜ߹pw="?_x ioouԟ\74}{r~Kf+[ZʮKOn?}/-Yr}wu=ίh8zvYu_{mn^9vn {S`_޹pi;?~ >~aÙuӎl?6#7;Cx'y:;=z3,|;>5w>yy.~s;{Ħo[35?v=]]?v%߱lŽXø9㎂|vBأ '*ss.mϿsƉ?o|wc+6v>~r#ޝ;-nXo}̩ {0v79qUO:vi?{̦#6ݻ뗏>?,ۚo>O-ᙳ;w~??|荖G]>Y=plCCW\韟9}nGϼ sg64X3Gmwb}wW=ۇ?GJi:"/q֣ۇW7ﹺ̥ٗm>~j‰W?i+?[̌uN3o<~ﷂ;l~ae#+Lsq坝3Oͽs.o]c{f~5ow4NX{Q>{|BЖ;ōKί|Y?73~u~zuvۻ\za[_ /wfCk-G/|䒋`8> -7Ów|'̡s[1xdeS=OWvM<0ڧyck.g޿0 -3lZYߚs=񾡝Ͻxn??>u3ih@3O9jybmK{6t8L8 qG@Gy~pEߔO~vxw`_[^K[rGlɳ2_=wz=e{/7;<̉ ͟K^7.ll|얃+ַyus?c?c+ǁ_rÞ=m7=pbMġslȜ¯3ǯ-?{k15;=sۺ o9"ey=~⮎:GOܒ<>>|~7:v;즍>~y֗㣷/֜ټk?9;33=rag_'O⮁)jyB煝cw}#o|:uսoyC-W,~acs['ޖo:/}|KǏq?1;?}쇎?rS֠r=^[_쥭7w?q W`ʶ‚K{h8nIO>Zpυ]m=+^̳gtO?ahm kSgV-|NM˕Gjά>ziWO-woQ>C}w]=sh=I<smw?{f\ؾ4>rSk;'e]WgE[eoy>O~?;=`.|S:,Rbh,힉`^38p:.˟3?,PXԴ}[坽ԏvVooB_؊&Oւ27u_[=}y`~Smؿ>ڔ;>_1_=k?_p‰=o7)[d~Ozyg׶=|i{Wv_'}oqھwu=a=go>=yiy/?ckٟzjM66Άs̓ۧ9l:'[Zvk[zf_:VS[{Ͽzx5\= mS>xq^X׏~ĚdP:>~yk7w9:N{b}K,]~g^<vۉum.ʧMz9ŭ3vk>{ wyg\W[qɵ} ulmǣq}ܖ{K{{L|Uv;'^o<ϭy}S+]suasK֦z~:gչGOlb_,~qҮ'h4?}igh<5_twz`??y}{Klyy{Գg+L&ްȚ>WrS5f֘๸>K5:;έo}kㇿ}b^OoZvuIg.n}Zh4lw'{?[ϗnsag܋ }yc~>{U Ӿˆf]Sh̦f]~?Ì🻗-iI oκϱx#{ߧ?|bͲOz}leCGn{݅S ONpvK[^˟+ -}lI֧^Z}I;bO|{.m_ݿZ3cqĚGQ\;'C=?TyжA.>ѓ;&6um_/wlЖE١m}{^sZׁOi_eלoѢ{{XG֋ڦ8oS{+}5s;ͅWrή}:+/no}{NMٵls&~6TZGlu>?wS=w>~|Ի>]߀Sطh݃]'k5^:ܔk[t]ٵƞ-ygxZsbU槗._߻7G˞7}zuO?c.7o`\tL O?}eҁ k_+{3_W.8n1cצwS.XVb f̦K^=̆O^smwsWs0~3k<ޥ O< iv-鿶{^ } ^`%җ9Q{9~?]}{+SWgyywo/}ʾeO_==MOT˕_8 6gY m^}as?; 72O-gO7ns:9!lv㳕.]'쏏}oo%]ޱdѵ_k銁G3W]_f zoNW_^L8{q\Gw[Q-l3<:rPpReLشemWM>_ d m&/j% 6 "5X-*Ef#ͺV49:' L 4NVN1F)՛y0tKXkBЗo*|)+/r]il!= KOv±ʹ}K嗋WAÛ#A,3H,e]EQ;Or*DJku2Gr5-חOgʧ۲+o\gw7[(i}C!Ǫy=!R36qN+954qN4qNAz/c9->ȗoZ~ߴ%M1)M\&iKoStLkK5FU2Z)UV:$n uňIUhoyB?ib*M}#¯S+P7?"mϑ%2J0*A61Q~QkiF>/*&,$/˷Qv[ -U.@`ӹ\]ː^Tx"QFz3}#l*JHueJ@2f-\Wo!u3oVn$Mœhq}cWKZo )lWh]l z5`< 
ss!jIƔj$VEo7f4Ri!~\!|vaT|#*֨a^FYg mB YjTȥjQZeDBX)HpofE*MD -|&fk5[^%o[aTDFc9-zX>d JZ7x̪$^ -'oj]5l_ 2U>_nvJȩW<ǨR%Us k\~P|ޫCG>Tv)kS%;Qi[;JL*&;nMvt62 7:Pd%B*RjmFIT<V+}eAijTWWcZ#.)\؎+>v,ZH3Tw56F&腦_K02 Ec6љ/*?E\e RJ$E G=PQj% Jۥ]Dto|x6wʵ Yܜ-dK{\8vd2S鉹o jp-&.E/hrl%4:˅Tc x@iRҴ P.k:KBBlGGI' -:ʸӊr%HjV[։.vbMMd4uʥw@ӣrԪ,SKMUo-s/n:]Jj*?gQVKśUT -UM(4JңvԒڥv)]k[vT-#]F? ]laYU5jңvԪLh|)j,*eK:\Q(dyFT|i@ͦKI_J+/xUX h%bQW<%D,N@ x \D(&B1 Tb"Ţb0Xb(SkʉWc5i7d DӒ62?JY|*`j)Weݢ:Nf:t5x"xlWs%5ʡL00WʵI;vTؐhUZeRKhk4jҌb6RkԱRR ?|>DkJFߺ#_Z=*>HRrQ29|IbkY-)JbU"ӹ\o7zc9HĵH2agf`!2zgc4!ԪXy{y*-uf -%Uʥ-բoJ{UjVZĎ&\ [j KN&/#Aͯl~Ol~OͿ.JI6?Sl>הIBa+J2Ikp וanVڍfCoAf[Zz3.Jj˅LGGnh;mx67^lD_7Vu*QbˌZW*~MITq8bU,+ś'Z界mg2]c͌3 ۚ۟ud -c汹|k҅$Xv*>,逿 R6ajq0¥!'_(sjB +ZCRCy,e/jKow& c[:&S)`78~o 5tI$*D%$DHTJ"Qq'DHT9I$DOӗ;;~צ m4n3|Dڨ?^MML UIڴTI(i/qP5qP5qP8\5*AUwjf;UGZJ:o)7MZTgZZ꺈tIQGbT@z%kEN逿|R6e/R}ʅ 7, Y %&C2Ahj3$K.6)E$ݹL).QKwo&Zb@Ko>&6h0FydtWߌђdw#Ш(o?P\!|\XF#t8 aWE>£!ԪXz{ez*-ufJsqQʣ#[ʎ"':9`UKX*%Q+I'ߜ;Y-zd͕ѭ1Lܝ[Uط!snT3\:-p=ӟ؆RU\+A1Ir EoxZ|[ѷ 7,g)<( -,Y=٩mj(ś-uM)YjF+۫.bwtۍt+Y-ݪܾVS|j,1tz\@SY -5JM‰jNT8Zq|%] S]-%\Sc}nMD|n$&{,$s%qXFd餢+N&rs4>ݮG0Ar]S`ZV+3ٮ~ۤn)ׁL +5nM5~[" f-¿= --@Q3f<ޛ5j5uTFWuj:azT c {uX`&uZ5Jj/fT\jJf“v.uh51KZpm~Q:vVESgű?jթYS׹^+Kq 0U &:J5 &pl& Zږmɕ:@R0ekT6k53-g/}Pq+mDS-\S4- L%"zڊhF~ILCZ&|DT 1]** 0ӀA`\ڮ&l]3ึaP -ڶ9cf1Nu] 9D 8viް-atE S1qahqZ j. <|:!̀`*.MRp(mi#S^a ! SﻶfV瘆A8C: rmx/b8Z;u0:0ؚ+ - #u{DRQ`.%G2L@$ 4 Ib;&M̈́4? 
v ՐF8£aX+I0]^;( ^PPAi5)ƪjk$pTI<;#c(,aHY0<kIP؈ķ8KP?ɡl^ Bs UQ.iz ǥh$_ LAsl؂T3 oMGu buj)Ħ:-2XNC0 s q]Eb,Q{.6@ 03A@b⾂iFc\3mX`VR,dT{W6p#r vmҩJQ8`[[GU1n9@D=JAsp5bHℊ3Bs|c6!GP&#vDq9.z))h[ F{HdgH: L"B;rhtԨi*/# Ea.YBYE☼ bxK^5 FBDe- c:`U5qb&G~@;lĐ1§pA4耭ajZ?>= K;ҤUXȶ8Ӈ\BiZ`*3-A#E-ZGXEdLqT^[eH:Q|QtK҈x${ZqDt48$9T.)8sX*p̈́,#,_'͍E+" ruژ!BR2@QrӞ`$]g =Lou)wG%Ss0U&m|4tS|( %Sr$伂c 91 7#kDhjPdưf~%}8e5k$WRiN߂@ix6ɛ4ZpEj4QQ& b_gj/PĜ^$-*az:wC#Ǒ2 -E>]sl|[& C݂jfL HT[}DȎSHb(JY۸p;[t*\' LK%Kme4\ &e$X\"wDBE]*D~8jtp5<* eJDYA3*A0~GَW40-8C@1a\}y/d*dYO!SN; œ(BϤρ*6 -}mR;bVEEWuC -@e4Q 0(j&1H]`Vl,"4C 4+fEfu8 F:)A+B '-N8bx be#S1y O!k0iH6l,FHm\8th33`XJ!IEA!KfCw1J\zDzẎ -@xilX_P#Ee#h& SlV aX@k,giy \ -?X,:ۦ,oBXx8+"A -6 M .BpHaA1CǰE'ȟ= "\p~K`it2q"`4~t6BE`PlXS,KlFb1(#odI4Xbi")3,}io`2w;) -Z1İn?r0&`FQ"@DN+80jb 5f E9SdW=J R4<-b->zf5| c0"QX\=|bO XMGdDBAa7  -Ejn<:2cwzB4ZHklF86 ×,sl{!p NA;z;o:/@r9qЬTM(%OCFXc DPYj7zZ!#`j,F=tdRr)H 3fF/AOӦ(?ЦIKdbn2)&LW8\C|K$?G !?`Ad$<(Yb(8LO!֦{p6 -"9Sk@ H13\haT0nWA$S0tJ&5%d,(M!@j H>f`1V!TާPQi(҄aG3L/2^h7()-E) ] /Bwɣhv)nF E3F, fߐyіaz@( -$PFq0@*;Әe05JPKEӁ$Նͽ2tς@N/gV]tcQMIbyɸ"s]$IK9-mQ5d#5%E)7\*8V,64㯓JSʱE,)Ih.ߋ$$[iS G!/Rm{D3Ũ;eP*a0fWTcg5#x0"y'*ҴdĦ\ ƨB[72he<tQՠm*&r`]A. -EeԱyMK1rgF! 
/'ᰢ6UQ9ÜQʼnuRp )HgI -ELõ=$ʮ"ijXn=AT1Gĝ]/K"ԤjJ[{HS0%G]`X%ߞ`K(RL!-ET?'Ab#z!7̆\e)%re% X &tt2J4f M9HAb\FQPFI:=B"*ھ$s?"x:eft$#sA(iŽes;Iq<źB:t6I4)ZCQgsZS#GAgt@ӳA%1 x,̉k y.W'+ }.fd˺yF}4ǟ¦"4"Lia^^"Iƪ YDjcU4{ZuCx~~ 9AnsKl4H%0Ѣk~NVŲұu4-IǓa[Ps0q Gl qlF:4Pl 2)vM1~զoãIAB9:KG|S^]5ܤBsň46gb ʹ2_aI<Bx,iGj~-/6 ȒW-iyњXP zxA0AL`*3Feu] ԜX @ T5M8EplaeiKfr&r*:ʐd9[=rh锺2r뒠0Q"U3七&`S;k/"ny)XʫY'Tv!SdڍFڒHJjXH"Ė)Ia$.5lVEhX.%\+QԱddWPTx=Q^96UXg sI]oE^C*fҫ;0Q6AkIٰ~8^&;7e e`8("X9+ԕY)>DjX\bܪmp(Q&bZ;Ka*M) -*iXLRR3yP˳˅N Cfƻ22J\2[3lMM$R϶^R$VI-`Vv~Kȁ%a'V(FAM -Eؼ_LЁqQ=YĹ -ت(US̡I*TȚXŗ]ȺE6}  ʬ(މ, -HaS)#j!)ta I0.4pC)FÒ;"%+sI#<b xppQ'VM,dqXTxI(J[e?bbZ 4Qpl 9KT(%lJ 9~(J`bKTvP1SENA0|2;;8x"ӌ!VDw(RJgS v?kZw ɒL+NHՌ/q5RRJHr< -% zjliK225mb5LҮpEFתih.$R(5#pX]U*Zą]rE,8.[V/"IOqu\{'3~|"ZҲ0ch79_B3 BѩfSAC$L,9E$ f[0)VE҈&Iey73V~:4Ek5r2x]#05HX3ƦĔcfQGW$hTEA*TM5*PXe^0 EkiqhTTɕ6 -:D%Jչ̬ӡؓ2<. WE+"~z9BE<9 wF"]dSЖ3((EZ"Z[z;aFGA -0P9T?0zKfo蓓NJYHD 2DBzN!MmKb[-ŀj8n\ -;؀|4/ -XG( RG1eUJ9g5 -@#U $#Z%4NBR= S:F.++_u"}xlqkdBK Ӵaj#hZb-V+|KSu^3D&(RwDoŊbKJ4UˍbI1~di#KE/YeB44@Q+6\^ - -x-(^1)H!WDM(V'RFAF>Jw h]ؿTȏ/A0aRE3,{,/*!(V'_]ΛHkm<Il$'8\0`O96Κ`R -ۂ1@9x"&˖)ȹ[.&E);wh:!ty.guc ׆u NSl4Tl -0w"ѭh+au #\ -8P0tzV1zB6RT#F,Bnuw?y$45Cay@7%1Fۈ{G"=vn(r(I -;[Qg,`uA".JNINY# ڴi Q8l !:=29QQazC!+xO-=L~'և'ڨ'lLь@'f\7uqpHϤp-\Qp8CZ]*0DvѸLct)FhR6L<Ś((OzdA-?ZrP:^*/O_q- #&:Y5L#h"t< C ŇF 頳07x3CiW]8 slǪE],M%qs$bDG, FX\-ؓET`#z"mYlR -r/8Kʫ5pRTj ObY !Cز8oC$51! ˇD!utBgXȬfx;kf=uASu*,j&/ h>k. 
-> +%˧qi3=Ga<kHѩ{56% <%&,`^ç(P ߳>$Dr EWh75#PtSzr-ie08 29y09io^iv\ XabFoe'_xΡEVd.N tAC$]* B;9v0i J!%%*fbQ-y=lh5g IE|P5ٴh4İ8 t0oޖ4 Y0nPw*]%q4D ޓ; |ۛN5ODZJa#{[I#`=٢ýePK`t}h-M9W]0e`0s |WLS7;=w YZxN%L Ξa, -*hb6*آi3^k<'f(F )/{ʯ4 e)ٻ򩊦xOmS*a.0D zbRR M s4yE˅<4nuz|H΅isU 5QN_Q5q93T>0ܗ= ͕>qBFlx+:פlWiOuf_om|i⋅EȾ+8p /8PmDi C/Wv.i~h|R]c5jf -5v'EZ"omQ -BUsHc~0(&uY@ۥ uǧh4|3V8di`Y=YbDaXAQ&lEQZ0Tm؁Kq?txi8nUI6B`#`Xd -{5Zz >stream -|mU*x#"ُЌiqj759<ޮfFaN"7Q~66tz^  -e@| d%'/}{oĦ7lC5x Yur\t v`4x(hhL} ^t^nqLE`LMR^,cocHˡor*5w:GT}JP«6 4KO v~^sLooLkHΫrS+5*F0XNGFuSjw@sŦy6@j6007zE1AT !@4i< f -rLH[T3yDpTc5)FK M6* -Q,z4d ėXc6B-u0!v]v6š01R f-d9X윯sѴuۛ5_u1 ꓄Kb|鳌oY#k{N9!_QF S嚸X2$YK~uo U{h`_.v< Oxfx vlӳ5]qy9=]c0pTm숏4&qZ  lWQ4Kˤ_KvUE:9](N}+F,f:ݓ`;:˷E H(ы$[R98-UE\-O~6|LJ.{DeN\1H Щ276q_Z&ݑx (壭{KwU<9i&䕪sj6)*2OC؃dSvx0]nӆ-kgr[#-g7at!#V߸XONbߤc55UC|՞ -nev,S̙TRCH{4kW,Pj \5jixV0Ȣ5L>AQN:P:#[e7x΅BZ֨4M~}Q`fyPuUX&O`(Z.xdLvj*to<'8*d5&J{#eçT,떌 crDђ6h^oܤʐv y20zHt9kys۶DcK,CKL(%-bȌIMc+*Gt:]ok*60A0g01M.nkaI|5<,/Tgmq&[p1;z| 7o`;.)K& ܪL6T,M^ EI2bk˕rڂ:J0$q7ר WM{;]s ƒ#Q/ve1g[/^Jj"gXT:]fH":Fx>qGFBvEAcDC!P(YMxpiͽmU}&%fג~lE>–d֔d ԙQBjSuAKPp(IXTH_S17ʗ5y"]& -C4 -!pYC:V8$L!50Be椮 ]ɕlՉ6W܉v((Kfu%3M0d$}DF%%6(Oq?HS]0+oj]n uluJq׈֮"t] %k( n0cvnOfAl]c.8OF%V6xB׸YXt3} +(6n)S>yg:1y:Nl⋫?itdl76kK9 |ǜlS@YAEYR CFݬ:z%’B¡-aO\OiYǓF6ߊKF599\] Δ] Uj[4{ay[ǻ82Xg[æ*M&_ٷBN֬t5h&VTF[-t#ՠ:c-٣ `M9&;gYe.4VDOQ - Mlb h -:Oo2-/1*Bp#\1zBVBe &VsP%T]:Mm_m;n,![D&$%upwJ(t;m%z [~EySF~]7(YG̖wK5jWq7ηSh*|o5?ℿJ{:_c؞@ưh={;3Y,_HHZCh#I!=j"LvUI+EH`#eqp+qoU\d7opr 9` /#n,XXDiFšUL1DA" t4~U4 n!kH˗)~{DbAwh2D4dd}"ߊf˥5A:"R-"ȝ-LeUx F(w %}nwdgzwbNKn:#QZAz >STBLxK '\4ه /sKNUU4C'R"y S4QpfxTF3 ]OWC$ -wԤMg}a̮?cg<4ru#,/,W7;H7Ba7v?kyRBR:r8|:dӁjaOپw/̸ݬa-ckLl :$i+j &HP"HsbĖ HRaA'[M>TƠ~uGt!Xl68TL[ `n/p<&. EHlDja1HҠ !\E" -CLlA=F7(%4%ؓٴ;QRR%H׉`|6(8XLz)S.|f8?A2+T |GmS \)VWiiIep(< ׽} uCԻL jҴ <%5a=`T39ZFB=c\@wEd4^q(_`Xi! 
R5P*ՍGz_'A -Bф?JYP\XпH/D@}{{) I -wFQca4M j/AiX|lye4l}}KxcU'|lI(ZBd̠eL + aTqo(,yV~C̏d ͑jH@VA% BGFd:)0kC; 5|%_ItZ(^ ,4sRZadOXxP}+% ,ȀD`[D)B]XY; -3*qdRE{| -d)q!$wdAu58(_J )RZbA4jDNHQR i|GC*S cs%ts5 ˨&-g:=G: xsĎيEE8#vB BWӊ]TN ] zNxHHNEI#f$9FJ!И|V1w:O!*\AP2>#ͧЂxӓfɡsqn$х4 "7hG\c8iޤ psk 7[«mԒ![ӻ^j 䧖 K/A~)5LU!ĕ"$f4#w|i&H.B44*LH:IxF/'6$_׍As 8*2|P JPŮ?&| ȥJQ'dT_I$pV tQBP#%K6uݾ(AEFF $roE22xѐ%TekJ:!Zptnߕ??.##,,z/iHí"d lPhFطN0))vWb`Iv9 (_gD!v,HGx_{ۄ›Dx|^+<^RfGv!AM&e$$.䊩omdvpt*NKiQam/UHʨxnPM >1N@xwIJHxP/J-'eT Ny"=cE- \a5m&7\SAXf?a[ϕG - Zl[x"l4pBYC#%2"}HwCɐ}fC25nM?i]v+z<A+ -x˱m_xz`x @v8w^+G#^FRa)HӖN 39|PpPoqQ 6Vفm-ہo Pz$ /R{1 -_%!(iI=].#ȓ$$%T~wBWY<ݐj8Vy3$O~qU>04`" - & 8`#5-oصO)?JS|H0AeN%0b1jI/&"Pc![ "*EvApWWh6┾?m] T{RpQ`JxedBx@'J+ؙ8)HJ % -fe5.؈-|[z2cCF3d -q|#WٝFg[F mNq="|҄@ [š|p Mp  -:J],A>iPh]RxIt VX0{,X[f@^ /3~tSjC_g[$4GECF:G.iC,.\GKC䬇g0^ys8h٤(MQŰHT8" -|I:Xa ">4i+@wyA4$Bj0X)aGe5pLg;SIrF}8t΀9:aB`LTM7pf̞ΚjURTJ%9?"5+Y_ȊDHdE"++YW$E"++Y_:,Hd, W3i-E"++Y",ZGHdE"W\*G -zNeHdE"W$"_ȊDVW$W$"u+Y_Ȋ_eIY_u+")++VgHʊz'W$eERVW$emb$THIY_d+YraO5+")+ERVW$eEZz6W$eOv;GIY")++")W$eEWW$y dJʊ{Hʊ_ȲDVW$E"++Y_:HdE"W$"i;U\RVwn`iԒޤ.ڲ~.)s(]ϑHUϭR~sW'L?_ ӨönEk-n[c,ܵL?\U_*DZrEɭj9KdE?VnJs8sPfuPqùs5J);Ȋ~=s~sq8c~FtI?w`Kb玵s -[Us`h2(WJ5C[0dE?_ I3ۅEѪ~v$nRnkY,s7%Yreѳ)s[r.Z[޲~X^iq\ϗilR[%.\t>=\ -L7ޑ30A@\nNX|,9 0MAus.t^uD!$(2{Ȋ}/ ckƄ@lyȼA.2Ciú\-tsGB,ZseJ]aB -QEV\<-Jn@HtsCS7xDY9Vd_>jk&%8=WmݜpB7RVRml愥jN+18ꉲ"Ce9TsŸBYw-[Nܾp) *;`$ \lk*] 㚹]$95sG;K5W;UqȰ5Ŷq[ܷl: ]BB3kHl՜pe,_[M`908V # E ՜pJnVu}Q hnNXu[9IAH^)YRK58f}4UJ5s`P-Ʃj90cdV]Lfmcaک[ٙTbn@u~(cyѩ֞vb=lk*7B -q9XZ2\r9rTr!`+r\/Lni媵*l;XC+xA[|-tUDxD -XlkĊ-ZQVp7Qr\l۵P`ؗḇ RTLR[Oe)ڜ1 w)ϱI*ʷ3v*./!iyQtG]QxFG/JPc'ďE/mHT~p[Ym3DBWmU+姵,J\UO)G/U@\aTѪjsI˺Yq{ -Du.y.98 E Q.BCtObOPDg%]( &&JB<.JnBb BamzʼnbprӁ˹Eb}Yǎ#֗dpR ֖"\xR_gx.RtRQfsT85XHq)ڗ-,nDg/K5nXhq924\uFd)ܗ;T^Kw%Z:^M*!Pm¶ }v- _Ӆkbخ,ybSoi;BZ($C BnaV$õPv2puUWP N̯tj \8"c<ґB0/; E.:v.> PR:OZչo{ -;wOK!؃JGu&sclAٲBSN - owvuPģ8DwhwI s: Z݅][[]:n 㳮$pحQ%{[Yafw˃ m\sE%ح-ђŒX"-.H cMKRgDi*9MK(;\ϴb>B0/Rvؗm¾(rڗs -)ZyTW<]̩y%ƍ˒lX&w> 3 L` {8ٍܜ- 
ia^R'\_u;-̺a|$~XaeLm,HGr^HK$c$˥7.:)C\xCY tfEN.JmV6VsjXfgXP 2&/kȋ=YY.nMD,C5&hAZ΢^X{u-E-{mEfW]aK GϹN+:&8.;7 -a?"?;2' *dٶ0s]Ю@4Y*f-'0ܼƹP #``~m(-/ATcV,矨4}j1c!ķdn r1۝dpLƜvv-.^r L;bDs;{XyHs=4y2RڬeVVAEqy4¹e]fUPוB ;VJ*e#efpv.5QCOv[*A.B$T,'7FX([@8ʬE[ЃB,3q"[XG2Jͅ8d. -膺ӨCXmha.r.]0BnO`sዉHڵB>0s#xmabXH7PQ=RtJ].kF/W0MP;l#1 zhu&@8E.ڥ5Z'ǢʖX}+շhg*rS}(LtebE ;3d]lE…pH`Q(-%ܹ@αcM^$w`BeGLdAY#{, -䵥E{Xsr] )N -WKZ%)N hYH,EgJ``erX| ,Xz]<]1-}qXq&;xqZqw'̽Z]_>keGn}@G%c@xYH0ьaA,k}c Ɖ_8KPjcF*QYD}ffgX6Jp)DF[(E/h[Ŵ)\anW1R(h_潜蜂W$YGIb-7nVZaK#i'`,>P !Y%瀖h:HCHxD`ntBq(Ko'pGĆw%[k?G g' -aٮEfIq4"BKڵ >GŞMr_س60~Z x/ -LĮJO?!S/(D`u5pҼsրo\r$M`[`A)=vG NJ46ISkF.ϷEJ8Չ 'U-k$!(#{A5: Y&\g ^w.ڴ'@H+ D!a|nŅWaeB墍fbW|)]'qP$u\:Vk X #]-uolW!\*:"KR׹u(q%\~EL8(^YŢiQa!ۘY*uk tkWK @\[ĒuU#̋Z[-u(k;Yo~no |$s'$,&eHsydyϽIW$z vWpieۮsY3EBZ5[y!:۰bYVhཽ"ofۯ%N.̭l5},{rͼkckqMoog~nv3}^ -Okθ/nCe hNA G$ɓٞFꛯ{C n&Hq,tPIF7G%X0ts6U 9ל({mn{I `|8sA;WclZqe:t`h2s4u _ǷU -,4C+Pa:UP4&: ~|g+N4EggA?WBs{/x:P -)*\pCv}CBmU-!@ ? a7]Df>}EF\RY2L&$ .T .,)fkb]kF -=uSOCǁm1.|[!ǚ!ÑZ:'Պ]tK˯XICZZ#$nAV q (eF"asɪEK|P*gQnh[CT+"7჆n JxfNʬ2PR%^nVaD/K5Xx)NA EBtĊv8r4@ -{ }]L`[nZE%T%og\OUbe* &kO%[I -THq( VjE#G puh#*KK ;m&~PEc~ mU hhE'{Nb,Ub/o<]Q'\H>Q"0*<R0Xf TEl\Sxst,# j#2#9=x7YaT -DL'¬IV1 6^N?n'V),ÙF1C4j.tSzIKXbPE#K%rFVb`Ue6}!r ^.m7[_HYHe|/t -Dž .DxG4+*>$ CgkkMb犎>NP&c["ംq!e_@<(Uvt̽'0Zb"4L?xZb~&C”MHg#XKcߘ)p+X\X`.x=JQv|M[)#=&X9bJw#>dI7)Itƫ F@YYr#@S9c<,b&F[Qك&O0=V7s,t"eJT}۝ LoJ:*Xi#@f*%JC11> Gv^S I0"BΡ2֤I - L I(A Qܻ3A (qh;[wء{Yð\pAkUw%8@&DfTA})* &B ZV1qaxst 1؈q{R?m,R|d) ɸOqaC`w:kKSXH1 nóm]\1 -ppΦO˱T-1 M3*VG) VxK?oFX<e"RnwtfE$F YV)[ - ;&UWGU[g;^ CeQ`e0W -Y+TEk T kTȂPȓѸžQ,x!ӫ{^S(QرUc_;6CQ!0هSg"d' P W1VS4@$74AZ ж:~b%<ðBsCKx.)5`=N5#`~|C1C8`uK҆ݍX19 oufD#<⩎BSˠX |C ;XcPQeAL͇fuR:S+1jS  pQGBSvlXG - -# i@%DxD抄h03ci\;h`K D B@2 c0(ܼ1VPc7ʔ$XHKd_+Y"!닄 Z YbV*G(4P Tum?>{xM;%*X 5hY! 
78hdx " -)(z:5eM& -N0 "# `/vr9ݖÜ*ڛYtq+Td+R&oZ= -NJG x<'wKHA5 9ƂgdtM,d" T F&W I&E4xVNbeMl -mD08|竄/U[ J:fU1L}1RJP(00ǑJ&u"tҢON |=*bbFvTVv"$0K)1#5xzomD8ŊU -ي*)rQ:M`y(!EU֭KW$/κQ) p̭x"yVF᱋\x>`x*L8eQj/$q9vC+pS"X@jdIk*• l 蜊<[`e,(T E _ \ Hۆ0AT.OR&sڵj%"%I<[V<46tZȴÖn(+:.,11ؽ|bfa= 4(@ Vh/P%kK#qL1Юf Nٳ `^Ѹ "8j } -f84IE.1D@o0O -$vEXAbrTH u*@XcZ)ZIaU"(`ӑgYh\ddz1# b!)ȍ% p;{P2+<£ D:w0%2 . -۾a -cۂ7b -vCA*D n 232OYe7Y*?+M*LDst FH2ak%E;HT}F"Jۖy&/D:~S`)A=]b撦 k8hS:.WtH'dOo&Jp XA$BȒX`oY`FgY M[k>қt eA ֠OcnuZ bMzbΤ ѫxc s.M%@x2؄%Dҙ}!ʈ+AƖߠ:\PATz@qLa8iR'O DaQ1 -S11@I` -RP\Daא( a,L9X XFAHZ:6!qQ  tA1+СHLz"b AurhC$ f1Dl}Q`T'&x !v[r إW$ eY+3wVg$8dn9FގKEm#gL:y= 㰠 \`u`Px5Wě4 9t;X"lP@i:9D)pERf.̺,kJlN EjD_a 閣2 $q7"Z ..JY4QL[lp6m^YwJ \k@%*`4fFw88*Jp#&#?Ak]wȢEpI3ABŽo4cRTt"^;NXe'3w޵G$0" 7_=6k!e^!k ìpf/*pC3`eU;J'b(xt03CRPHaW). |0KHQ^[*bGy <`<;i96=QgI#ÓEPlOG(a :{BOUx W=ߍh3:n/ʌξsl녢BQ'iדnētg=k'q%xƳT\5ďeϘAkdm?_em|Pߜ}6k#HkC]W7ns6}seRsqޯl|cmң n]c7 pj榕@w6 -*':d?Wف|<'o't#M(CiD4.:Һev.0J<6fǣ=( -bܠc_GxfȀ(G\,,न36D p*š4zo; >$I\_L֮d"SAޱ{qN挿]!Κ`e})`灛w{q ;7wy1kY^*,r;VX9S6/@C2?] 2쏾9_p G f .=UOVAoa xɩT`7Q ]Hql~S#vc4{զr'kNfk*&W[F#~v«BNbt4+8;rz0>ePyB.{N|٨g>Z`>y=t>Gw({p|7"]&1٧9éۄ/Q1MtAFiբ'E}ez?0pV~skB-ș}`FR.BoR[c;o!kʎ.y&uԌjfGW@'дϒiT ِB' X~wo!ž%}Ir4W։n0X/0zDJe?',13$RRfq" 2Y,_92՟O: Y]={ɓw CDHϖ-%S.N  "蚡H(in,+"pGNI -@ -D<4|S:kWR;]$B'&h!`E%EP!GxP hb^"DX M9yÅ}>Et]q ՙR4&¿C|%rTeO #I?lykEbդiio\}:`l+J@r7`W x݂88Yts--cJ'zPWXh{Df=jWe8R@>A;¶+S6;~ c[.J x{|K՜^:+]ߟwfum VW@ZhyuGc O}8iO'az -+n=Mvhbz*dp9s??]ԣ>3SP|99C*RIs8LiaWOebN;k\5!̚O'3qo3 Ad4{n)W z]%XѬ93\FZs~083'ms1&W7BR̭YY_c*py3keۘ՟tN:of/f~pM~bN[qRcyK_tVDyO:I'yӤ]9kEHA]TG/a'/uCMb;ß,'K/$2J? \͠" Cl>Ç<$Cb{C2_|f"-UǷ_ٸ.-G(ڢ=~-aIʠzD/M{o?  
E?1jAŞOFA -Na*Y0c9~fg4|\"~]z vl$ld'jC(Oo80|'2 #yz5 aoE|9`vOo~o^uK˛Butnv?% UOpr-w tV|ſ+vWfQSd۶5_$]Oz -fQnWq5UcMh\g5 -6A:ESP맆IB${ST?eS' 1܀:6 HF(PнL&=Ӳ50N粀>q{`N#2m2#8s -Cs# XN.|5 Eh!kęr:EkB¢syS?%.PES9AyJ,'D@N0"&!jɋ6e^-6ZlPL͈ɽ`kʂTa+n`/h#+жBA'ex4vU[bl8"<`CYCWlhYlTcі0-[cѝcKc6 3*Xj:`&%.{DwQY<#vlx=79|AySK\]QQ|)F;Pc*Ah&6vO<# _u߲uY.9w ¾Isnɇ.uҽᖚ0_5!5 -k eH@jː T]\D&,CJMF^ߛ )7qRywXܝ9!.U9L[4:]Mq%68Nm.2*USʅ -6|[R\:/@ÿBƒ-iV$6?nKGd6S:"}া eTU 7،asFZv`1jש[o~zxZ#f|eN{+W >_Q{>estV(ӡcA-ʌ:;=!7gI5ىd eg3Q/vL!}Y_EZ\p9;R'8amɁ@p|4SyTzCį`h2/ ~CLv87tD$-п(sD#kk݃__Y;S8l` "yhJG&y w"ӧ~S`1k/h}w]/C0oM脨Gt:LyrbPA( -ȟNmdz~]>?4?~9َ;Χ5Q#e>ͲUq4J?x|8Of,"?|AbsP/֓/ќš(zl; cO9|7MOn4J(nxxܤiy:W-M&\L{yoWahL:9 6%vk#>x),guF\"LiShNgo$XGw,d1O*]-挛0Ѣ;{g ,/t<-Wn{NYXQ'41 r)XsFK4')~^BٰQ%PՠFN0duq* 7b=)0/qP<לQЁO^z}3iS,8Rqevd -Zb-xlݙk:) N4:YCQִE);G96+gX.`x5Oq>Fzܓ՜'=xgOdD<]%-6~R)K_?XUowUnn](k 'KxƯb΄SW?M*aoڥx݀ j.m* ̈ﻖb(WAH$"<[: ѣ 35~hBW0ˮVTM} EL#"}sdc^4ۣa+]&:BB`ޫgO?]h?v ˬiYʎ7v.\(QNP#{C|CŃxuYTɡwelDO0B :-|" YikȎš4VXH@Yy+K}1^{EXۑT]|^~a?:&Tb:cIʻWͶBQ陿yٛ',7u6z'oq3}0ȍLFlFkyȖYTfXY]_KGS%mehi~󏴕KHü9-{YBAXCǯ莱Pa4*a5M{"4ڌH$rC _v5#tYZ#¾YUf˨|۳lHZ8!/M_{=_+fIsM&l (Z ~;ni^$FiYghD։ AZv K9ix!->@$pyK@J+Oly"#tݞWcqjzAඌ\ ?~Z6GOOf/wĶnSnPdҶZ(e< tf#:>iR,|4T -aQf5}xw|KmW| )}\N5:!Z>ٗGHل;}ެr:[mnoOx+sFӲu܀Po^s scD8w;+xw`}Ljcb''YlɎ9=n>8EI}&x9uѣz0`ʲPF@x\~ll|up,trƦXF5;F^GX146bOւO:cOH4~D h]\߼V{&`suZ;+b tƌfcK m;g406i~4ʜ-`_lc;CPw:u\nTQQV;ese#n2 -DZs Й@Y΁?_گLs|L =~̻`\tO1;?fN?'7#|ʮ3B UرT0Y{KeT5π@MQ3ó a&_W>$YpEjN>JN>snF2ç,'O#;p46,@$@PsmtkC?V yBV =-VjbFoUJovyw sim47pz.~ZpݲN/hqs bN۔IF\xGzvx` y|Gmo:wNu{Ae -#N.M`ucc?"FLw.Jbd+7.ox[݋QbFG쿱ʿ?{&m٠>;ڼ"k5fc%L|;ǎ1/THfO7'zq۷Һ-݄Ru Z ca坃p"[}&E(h39*toFwyu=[~MNĠl_Oŧ4y7J{mߛFq""^1wfu{IaQ}/^Up#t9>̇w4QXb2XJێ$XoKg')y's?$ZrH|%^k'iߝߞꍁN(t{ 뉪f'oսZ`_ݜՎϷw5q^jjKpMG{5򜚾^&E4FŚ~6X(Vxs㸕Io&tCI3$::DSyIMvF̌Y-Ankc|^^}{3/OB_dw[9* T9yVfۧN(TMuUK쵪A[#[7ziKy bq_rw^ \{ݳ몙ilCqH^QXaUWRTh7s ԸΚY4t(ϟS}(%/ōU,Vm*^a~ _#E﫦ޝ7\}x_`2t݌vI9*o7z{H_&OjzCz;A7woL/Rf{l簳GD= p;_i7iܫ̯my:Ȧ/ʇV< wI`'qK?O}pZQzxV:_/2r 뽐]r\ψ[kzjH{9<x*oBp8;9Ҹ9"mU 7aԾ ׁˮ5+'I|,˃71A|ŻD/(m5Rx͟BC-db&=lfk62A% 
-;F܏xؓ%tv۹`\ *Z%U[l(/'y»wSpxi1f[b! -a{sLqZqRڇToЉ_T륷Z$]nO2S/ȵl!U*!%=~_Nby"(âziX-Zʍӕ:T~TCś8kH yzݟߒV6)ws>p{Cw~2GG݇ě[ LJڞ.5M禧tpNz7^OO۹sJtK^r'Fyy&3@@  -dpƇaP.Q?yqi7oT8~lJҦ6iD2ӽ<;MF}V\enw{{+mW/;D[|lQZsuӛu9yʓG8Һ;g3`OFg/ͦUuwr/ ưzr&҇qHf=٩EL.$!O'6"nxLL'vˋIG7}(;ۉ09WEZmzKO+Ƒ7^7"-;Lfr|j沲TQ).a䂱V>W ťaygJ%NN2"į^g͜~NxiFtSA8?zl(zF8(uRr}.gOs=~R~LN"s8;R1`&*^<}nbUh|7vf\n[ϭtT~4HK>P϶''[-v{\?}+=2^zul/KsFJJ8ZU<ϺWeAiץwg+%~jJoUrJ2c% 'eu7s2^~MF^ie+Ϧ7 P&FJzvF4}4ɲwQn$69L'{#?*T* -ɂ̿;op,ƣmqp[]M%n2.V=|P5`(IvJ`^QQn~>6҉ҭX#q_v$߂󻭇vu[ML՞'ҜɃۓX+[Ƿ'qf&]K극^;m޽iBA&i7%_ЯKY"Im_^W6*V<&A.Te|jn]p{>OWf|__DSMpWHHFxT;VZ,&Tvr漽z >Y0$)[ogFq<]Efv8#'/_JR5+ۧ=%Nz(T ^_9ޏҩ1;Nvsq"?\wǩl}Tz6.{a6w -n+4Ļt>ڊs3l"Ubs$aN 鬱yγ@Lә:w3zj3KD^˓SyȌ;L=5Ke7k'Hi4QOKwoS,GJxzCh}2 -SX53p8ռ; OAɤ8O^Nуx.v:ʕTaV:RWv^zv/f2FajoNLcӧTSC)(1f8 t5l[<rO:]o4J'yY6nu*d00/uwZU7o&N]_Z|T7gs3:X)Sh&:SM: 9mLIX;C@b尿HE{3m<^&J{!^n F&ztجm%Kum6fQ:׌_f7_Z:F6JgN3rFuRZDfwyr ** 3wc,oI&nd -Qo7[Cz8y;Lyv83LG>/P쒤GiPc~`=6|۵DrY8N˦f/ݫtFEZZf$yzC!6!vs8!w7Ai;'(T SMg` -7} '9oqC:~׾{R.DcG'1o_R,%חz<=^* }fyV/JWYc[bڹNd: iJ瘒ϯ8QJ94sˡtܔ{ԕ˽4O1-2K<;{Ln@*_ C.<գ6β^_16g'R$=(ldA_/Eo鷄"e{w-){qk+G& ;菄KPZpE9T!e1ifpQ7%wڋVGB\"Fi͛N_%Bx~؟ʆ9r{غl9QwC|H srjZ J^)G@' }G(o'qf[es{t֟j٣aRޔv3hinD1VeG'!JFygr(v63oҦ~JLs~'kb{:8by鰓Zf1K%sQq#-Jge(_h7!oMÝJEܻaBy۩{sMk~_ؾ}+ԇisW9VfT((m&M6擣b RPۭ}* : rY:ej54 b2{ШJ덋4ф))GҹcA˛6xHGRkyL. 
=\Etc>gFT_rFVSW[F9–anػ{/+$yifwNr/MJ9ZKbl#r:~W'g^n vc27ߨn$o !5ڮzZWQ(D5&fa8j29 iBؙnNrؖ7 o9^MXqqt:4Wuq}efJYz-@m|yy=*rwPj'6OJgf̴e'>KBq?e/ b+Y?NK9%Z"حV#Z$͹Z-w}Hlނ=۹ wgQXxeգA=+cSgBF͠C:v:{ė t{wGHnPxݜ -{e$d_wns> UKT&Br;Ȟ^ŞT9#ٞёo6 -rF8LkFxg - %X~ڦ?3ӹbmwkuV=Ӽ FqP>m:ioՍtY}-NӽRmV8FEaT$#µGn7[pf4qxu%n|4;܍-r~pUo[WfĂh|{~k^ŲB&'Q9JD/&{?t3٣ie3xvΎG;f}jqcc{^#+7zOb"ۉަ4_.wbAOyn+t[ZD9sAb{m=B1kUTyo /޺ aH}TʦZ{:K:C| ,NִۈD{{Kz\{ !|?(]fTܚusN]6@_1D/gݫLu=* 嶣kh>.`c^<+gN=4u˛ך?P$*[_1yEZfnC-5z8:'y$?0JNϨ"_ru<J=]qP~$yQ;Wjn } P\,i6i; } O2I}P/k!)Y:qjƢwS98MVY :3ķu\I,e%s>Hbql*1MB.W2h/IxW0qTpSJVK:(m8xQ'O+ /vnN$Za*<`:/Dz_[btry_CzL{b_TfErPb( -ӄ1a=xh1jV>=0mJuÏ,܀I;/+wū O+c4fM׬M 59R fߣ~R7gf릋3R^r0fJ@z'o[hୈн=/zkp.Ȥ,V>𞹨T:Fu.(Gv\3A>4 -p)NىxH85qpCb=+U%,)q/E5GG LxED): k&Vwȟud^!s3-Vج]&Ecũ.ŕExy9|a5!rWv0o5qb7ْuUgb"!r7[(gR6D -Nqr)E- wyx3B^珧j#$o07FF!iNd9E3)zu; lxuˋ+H71+O = aqocm@x|)Nm"Ę=_ w{0~Fz1p־j -q}lVI٣UQ8 ?1RMY{$7Ǘ/rcgtt@5C<2c~ʨehMB__9r}Vv3 [^ۚVkn_޼d"= 6M ˺D?R96>jmѕx]˱~tn~$71%VJ\}2_Oqe<#.vI7+P+n ZH]7ngܢ'ǺF[ /X]ǂ_.k <' VwIץww )$XXk!Hk - )wo;l&9E =Q"[#ݩ[Pw[8z|,6Z[_eҶ^~u V=BP+| |o)'HF1:͠}κ8Ԑɵֻ(<&KJJ8F=(}-ʳR_|8m5;FF%t4a(JrömZ -aldT~CyqI%ea'b<8R%fKN;)hT 4Smku_@˦}=._z`Ô o|"=\, OgaMNto)Ee8 -Me갆C~v(5t29f 54 B"L-oWjU{5ȝ;zNWw2 ~_lыF DӢ[]-IٵΔ *e}ހAJw -Hޚv_.%uyqpkQRgp? A6Y"*9T J6\~ 4@@ - unoW"56ъqv[ /hCu5~XԘ/! -m{̠nDE[#X&t :iFbL:'ؗfi\Qϥs=+>4W*NݹqDuZЧ%~?{PӅ U]%74ء 0/lot5F\Z2jf'Igi N^`Q7}]jv[ _e*V; =꧆8+ЪDuqwo~BE}Կ xBzJ33Z^w{O==7c Z<SR5iZN(=*\\3#$8fBvUyei|L?]> |\jp&7-&0>8riod|ާ1W4#Em<Pcٴ%,Ɏ ӫ*kU3`zDB+˪Ω-Hk.ocWKvlvYM2wp4쟏Mmz[\fNmt:Э -2Q^cn}n w~ْ8{ⴋ)dj(=,ˏv l+=dBN%=U\v3;w;(h6?–[>W0s^m5PESܖҟ;tTk,QM7ܒ5P -6[n]('xpMJ-7P5VĈދZQz!h`z}X$鏄RJz/hΉ &.ܔ#Ɵ8 -?7YxQB UPrEpɥqL[.%dQ쭝V(̺j[`ESޜ#I< Y3b>`y5f?¡煹f#]BM3%C*i a^'֩G_́Wx Di㳷@: *9GR|QeHԞ^WruA8cC:Эd3.NBziM^\`F*2>U3ٕ -n[v"5r]^O*75FI-wJ][b5u.D?=!&KxW9 -uœ,͑.KWްQ'(&nr8-9*uL=6LwU. 
(wFGfR7#Qn|,8B?H]|8l1b.@pm]x0 -Z!Gd" ~׈]R]Tt3u+ۏu ɝ`Ucd +M7n?MQ \ Xv Vڂ=B[24TI-upqOXљIS|Z+7s.4 Mr ӎtמXס V`N[!7nz5ժV/: 8Kl3H/@;7ŝ~O'$U#GLSw9}{JT(Oܖ;O9??u|Ju, P5iXD:En;݉m,H$XÊmvE-Wq̧ԼWj*!5(H,K~NI&NH)DuJ}.+WZaFc;!DExT;f|2+uR7}PV,/Kͽɜ R '4|wX 4w-߂LTچ =cXKkyc*8f - .yǚ0̪~ӊyC|`'d=~~x1/$Fp|R9tYҽO$g\lsP_W.߬M]{xW#~QFZǞy9oPh/>q:&cSihf[b}pSg8hG0'\h9mXn4ajs8aQeopVշƓsU;wYP#/<ܜD!8'mg>j7GΗi7Lᤍ~ $"feA\>wqe\W(UI.Jv-xrJ,-OKz䒨J)G J_¥e ŨQrҪ7g¢jBk4i{+uhԍ5`;l7x5H36']#RiVl)QZm!ȎqHնex_d2W²HRҟ6ae_VHq` LiƖz);Fβ:A-+nynW9phI9s˻ЖUt)㳄en/_$#gbZZTHW2R%͌j 9<[=z0wͩ-(^Wlj禄zLhmOqo`'ٌkV~SUifbG>_tؑ\*F~x\KoWBh[=l\ *0=$n[R] ";a I}CoXIWN#+VGlB- IK,|2]U/~EntZZӭGtH&jgg>b@EHvnߦJ ʠ+IZy.(1'wa dw>N3dGZBg8P (9"\h:xVCE;Sjʿe6K! c9g,=dRP[U͡WPo` dZPRK㦤gA6fFڗh%WI-X}(4cBtC7GٮDWJ~jrߛX$*ywNADo,]C%yCV~y eFTӍ'Xfwn B!}`Ipq]]Dt| o NJC3Rͭ/c Iz5: CkVn| %i2ƙY)xJ]/J{Ty`NycRy4@lRMnjo"s2ٞ}D }n/W~-\Bexy0\+-?\AG40tS)uՕ>uY7MTk E|F5g>漥* " ϚKX.a/zZԇ3:SJ %Vhѷfo1:vwZke: }0Ps# K`&#'mzZ=>{]V{EEv9f@Ԗ/m%uI~loF[t}& -8؞jܱ;UxHg?#gerr١񯈱^e`'7]sb2\`yRE?mb3 v<֡ǽwSي7)c -+ /9]hvQŇ. qvpfLTkzJ. Cc*b6m5Ke7R C 1aɾKs6Qo uٱ#3 -9ȏc1c\^T/]mj}y5̼,σb%YNi e$,dQZ>G(vy) n@jaZ-fJWs:k}Z2F -Zwr>^GYiund(;2d1!="= OH{#|t~1^gT -j;f8֐xoRʸ,M[X?(0XZzʇ(IaT4Mвn}*VwSȺXPޭ=EuS0AEͿ$P)b!v)Ze fٶG3D0/ҬVkQ?&.'ɦ.Xin"4,=GxaW(Fzn l#^ -%7FB(㮭"&z'}ӣ!Yju+a |OP̱ sV> /M^zw {c!r݉LΆK2gIGa49klɛڦP?K;瓸&Y9VYs}?30f[UK-DnOޛVm;ź{.H$T?D}0/H&(Y3 ;_D-4ZH cZeG}}''/,,,c0_C[.fUe7?XYb#%S8q]9C]a5Hl:L4޼ըtXṳ^tpOLT*p6S FiG|'l%ܸܭ}Yk>١TUCž*IBzx䭖Έ"HN:T:ho]0\hJS]{@!*%9dZӄ5إy1{+nn-|ܠtQ~1Y &`$bt9I)̤?n&=Țޗ(ކhg[-0U & &ۨ+ vf vuF]:pQ\y󎘥KEb/aQ:/>⦉^Ft|aӞ=U(bTsG᳓r "XK]BA\r$_quk+Ӽh"'eKW@͇v`J鸱\֑=b:=,,s$` -u@O؉6_#)d?$9>Lvb8[.כ+!e.>_Gk~V~riбXBsʰMeW9x2TR!7"LOI?^Mk'0 - )IY[=sTWLW\:_ vEͤڼҿB0S$C\iEs5i,wxXJ -ܗ»ky[Z ˅m^ؼeDL#}*9Nۘ[jcq=gY;a IqϾ!HL?ۻH,LycΆf _'&{PAeF S> b(yI2EG4Wh5JK/L`&i 55TUʒ5yF 3vƿޜ~ˮ{МBMwr y ?/h2vUŭ0"^h[O9(7<'gn+͔g>]z f(>^J. 
ZvZrKŸĉC[M|v5ڵipYwt3 6:deTxas?B co|\]?;wY+xt-džZX̅؝l1 7>nZ\׻ߣ\I:uf!uD1nG`3GGCkwJW/ Ȩ|wY.eF&f-`Pګ`t]uYS]v"sY96h -N dIZыj` OGFHVn moٯmMT|Q棠/|Ft?HJTЫAuu ~FꓻܑEUץ 3RڞvmRַh2U@ eՏ.IŲ]'$:ۑ:l.1x -2ǝ]vwgC WnICN?9n@%}˱M\ckk̞ހ̒6T]g8 ox`~5%!94H֌buj!/:;jnQ6sWFRyCnUKRpP߮v? 3,pVh4?/;ϋ%D}2^oe\k H 8jϦNR|ŇG|(.w~fV4{ ?o,h˿] H -=mG>SjӚGհpԏτ5wqNKxJ02DCۍs[ܪx}3 >6z@^na5TփV=5V1֋הGTWv.:nxςj_؜jpPO^=8VÊq-Fs+wN5{Xq#֗+Jj5ϫ}C*=h '.Kc2Y{cH"!V?$2,hv_&1nתY]+c9bpq[G<+N |~mgY;Lִ֝_V5J3%0#mTSŭ^y]4+b-{x)ct5WN_9?z] םeEB`JFT|> G">gKB?NWJTZthTUzQ=!6\7bAnMOwHr7qcwT -9q4 -ʼnT*䀆v,Bn=gسVK:A5]R.1GG5Rg^P?6FCrfd}yh?(jPl? _9Y&d?t{}C|6L]`SL1wltzVH= T4ĂGl4g|ckWKZNCs/Wk0KKKî{|tO~FG^ 񩴮WC12VR>",nk~qQ5?0[ߘD&!2 J5nG6p*^kWgTSO:Sm%q*4b9<ˎe -ΠDZҪG=9Up&5'Un۱N -EJF8RfXinw=.z`GGFX@?yZF;vo]V}qߴ0S6ZrLC}vMPǔtCq2\>q'e'LI47 -e{] sskפ[u +z{OR8Z -_bjHz*~yTo z~ `5yCBCG/axI\ 9h|O6YDARqJ(~ډ#HF<`iYR"n qE"K5vmpUv-Zk `t^6%+ ^sPh _r!d>--dkU|Ea~5 a}M^ܓb1j߫7IikHU%RкO7G"4S 6PŭulFWWy[ؐ!82 C{W{Kж%ff%V(E?H|xh/>:(mh&ރqcʵ4wx3]¶u^6hM?Y(.eK5>:S~xŞf~Wtꤢ[1}INjhCmPss'M_TRiL-%oofݖ+ӌеDbU|K -Fs_2qARw⻲P}LҚYqJd^ ͑yB_)M M]*T7%AA0NFVv@2GsMⳉzGS~n Rt~ KZq?qdkyy}05$/ p_|\xm4,aC܏MFDߊ}FR BCԱjg&Žh~L>X)WjpNwVaˉ;zMQYz<) bTBv)Z[R'|$՚\Noy3k"hfd3 -̄  -$ܰ>|肎Αh-D -]'`BKծ |̭ktpΟ'ɸ20X@2(QQ4MR62?ۦԥ/bQy>wO=9?Zdnk[] 'B[Ï#q @ _T5$P{Imotfz[3檚 kQ"6xkBYlPy+†_VꢢɗXSeGKTc:vpiSQS8R)KX{B`xgd!Mהy$::Х9s* jSuAU5YbB }n;KBnKs\lHL(T9sԹ ?EMNT˅>=lဣ ºGݻ6wL1`%JR {.Q.Jצ#0͙9.boQywU&Swwg^q^R!?"tɯ0ﳡdX"e -rhg98` ?O/* ,$I]f;q:CNL(23q_.˚ߟkr MYC.# ft ouޖފCAܶʋiK`l>/㝰t]z5̦^9ͪ6ZՂh_ew -j-anWS+,<'tuj;2.cu*:~{ɩ.!d!:>vyݻ Dގaqtg7QCeUfu99 qSrVy5zç$G#,Xm; [mx-f -׉E:?X:E\z=-*㖅~u'>b{GMn r,ѪD*oy#-ݤJ^5cvLOL~nTRM /0Š d * Zܞǰ -~Gh>qKcx0 {|yw)Bf:򾶤̵kaH iQa>bcr&K 9Wѯx|Fy!󏻾˒xfҘܑeXiI?;GR5=|mSw?>G],yĥbnI}>rYO,wQ!yVC . w -O'es;"`<|c|֝[+,9b$顳ZXi7(}`L'9NLRRRɳ̼>B ~}_HPsI}yuF /? 
qQ)t.l\Da5u5F;Q4pc`1emo >2HO;؛x<+G\K,ԅsnQVJVmy#qU^jfh -.殶-pz7r%T(S5{y ċH#5.ntXz3l$Ƕvx)k_6ua[hn?^!?n'nqebo5q!3vyd:.Kn"{e W>݃Wh-^^=) oXu7_Ak 0'<a{5$r}\S,o# (xӏNi=؞ p"GJDBI a􍫣ơDqBi[ r\N"UĔTFw*ʉ6b[CԄ%_b:ޥߜfZ!*5^Y>2gs򲷽@ @ukY,n?$GvTQQmc -"i$+j<D`:x'!f~MK$1YX`!F'1uܜH'fc0͜xuڎjDȋ- -Eĺiɟλi1gxs7E \o=Q} ]G!:r}Zv W<#ӳqPܞ?:,$S^\!PY%Ӊ=<|-7B]DlFc#OY,AL M7d0VXZk.CHL HOx~1;yK%-XxtYVǣ&<?ӯ(C21l5i#M}o3Rv9rS%;'/HrܷW:~X`.^~'sp<4zR,b:! 87ޓ{ ^) j9*M8#B7HI.b -ZίyF@"fj`FuH nJi*$Ω΢Fm%[fSel&F3X>9 ]ݛqc ȧ!мo Y Ϫ[6VWH^H$drz'B`S7R_ONM>35\OK@6[f||6*\}Zoq 6ΐcpa2n?Sg5ܦb-;lj2;I\S^8_7 ʒe:[J}TM]Il'Pf=S. Ph)SJ,d<&] Yж1)5͆fUOTkS3aSo1p lGwn͓.!lo.coYqr嚚eQieGyk9\vs=7VI$?5DzH&^}KZk4>9ZEkFNܧoKj,#دjb(YRF,5 >둡&(;]>k̡b6^i|(PIz낊֑4ȬR*-?bp 8)мmZ#_DqJXJ |!yv*$[bp%0(zL +A #$J^{H{a]өT>t{mE}TCҠR;ۃHԺ\vZ$aN:'$z闾yTadBZ8Oe<ǐ <О~$ʮA{۫HmM7ǜ}{wZg\}Y,E9M{ -YrN>6B܏ tV6 ^ ToLʹ@Q&Ͷ)~d›UVi]CCwjqPvpz2f~Z9~ iT^CFS3tzMmO׿b'הgYadD*ÔV3rTU3ɨ:&+権Η}Nb ?G?lqo;JL)@À)}*kׇ7mޔW[%LѝԌ|vED /B$F -e(E_dt&$i)$Ce!hᯍl qӬKRB3kͣ|/;}&H[M0 "ԗ:M0Zfy>e+sF^`5r0F$ -% e~#\O;K=ݲ,[s_EFwm}UV[#P$( O/:U{D9NOcuKK@H{`fDNܻ 3]%m )E2S''~/Us=? Rvu CjqDf?TkyId <">7o@9`Y󮚶^ꭙ?7J3p*rZy{*<3sRq7pImL9Ru޺Tc9cNkd/jQ1aB]Fi߯")EWޡ{/Лy罍 9[)'Ͽ$t>,pˊvUyR+£罺<)W#Ss+;oi;m3ӱKPoo -Q~5{ 3jA9bPrӡ^*+i]/od@]'A8ә3&kɶ9c^sko7N+w.|Ss,=+2)~ϛ q\`\n%`'wR9V/wv2Gy̲ښK_Ӊv*M2ֵz &7>AQı] 631,$cШkryi]U2 ~JJ~u!ު'HٹgME)o~q9Zg!xЬ寙z3GN@Tg~y/+!W>vi~Cg; ˹x5}4!'Pj|[^l@уj#@?Y&-[[[}7;ǣ~#rna7jz;Y~[Qʡ9,HEn2@!;TPtS:ATzGG'P]BӁBxH͂? 
یk?]o&}L<8{j L.MTMr9c)6䀂dk8jFqH5=: ^+A|VMlId%]lLaI))0T5<(;=lF8iQ<\yXLyklgqgQ^׺0mtp E=,"ۂ[퍿Íq*!DNz3r|+= kykiBN\=::_C46zgcaH Nog?1ƾg^p^]v^2VVЗGGd$P{P*Wo|[P; -Ý GKOob̽h!2uA<"{ -s-PȅHF9VS8,LPCXZr,aG0|o8SS:P(O4B8 arEG.W{l䟢tTݣx6 ˹p |駱,Ws -e|ľ@<@AT֣Qy"yuҪ/SN\Pdq|y p%Uq{NgSɊ[~&@nӾk[< -{Kg:.i s\+ݫnvlDJup'C˸st V-`4m -z('c`daɷiI M}O)Qg a ($,=CMPb8(t}%ŽYN,j:/Cw6Ori_:U&Θ|M˱ QEO0:G^`/2;x3ᴫ!uJjE]r\_;zn/ST\6}[HD鞰{e;[61Zm)RDKؾYhe| ,XP -Op\Xrob9תoj3%Taנ/'a[WhN{_@l^g}]P::tZ2k~7BY{YfuȴzӅ< 2Ց,]&1\_B<]sh'#`Wlʀvm=ƃ;WVpV;ڴ 7yp}[`/jbu뇧Qt=zGK7ǎdgwz9^7؏ /}vR̢3}WklG)+^d_i-8߈\H|(Fh1/ޙ -MMi4< OtZe:2pԔP/ݠ,Kbna42Ptu^v2m!p&LR:yhgrwǙL3i秸!,Q^V6]@@fc"MlLl=r,4V˯HϨ7^Z8P]`5~7ץQx)C4kĝjrղ5|-J*h|M8KjG>ͧǂvUY?2a?g6/m̜6eWyM m,ryӌm~2Ad }7=tVk_-8mU6bDJ4*VZ١Ս%raތUyx ȷ 'ʁtNwC%4PIYڧ -%!aE$ION#MkV wղx8ivc-.oVؿ Js$s޳wi(J ̵̈́T+vޜD:Q_\Jڜ?QeEFlyV^({ %,+24/3Ig݊,[[3%ٹ]y+2b>>]ʓModRhӳ=)0(Π>uiSl-#sF^7tʵԄq.w\I/w)"Yb roHyĮΐū xӳKn^?$\F LTF.v0щo\&Y%8zIkn9D`o9o6]N_-y*Y1-dW8 ?0w Hblف)ka.3BP*]i} Q\wޯ$4Ew/֡b=!Lm|}.s=mO6/-VA*ԤhtIn֖ڸSRk uօMp~+(<׏׭ j\oeNPF6|V}aժs($xɹTfB~e6J>eY6RGs{m-S!hޖ3Z}kJ- -fZV̙Zb\euwUedv2}1h{sLN,4˓j16w6Zq;RQ:VwҔYBQiՒQ20.o/Bw&9VkҥnZM~6IeUҺZC%j8HTumRڻR)1vNʆ;}4X]7^GK31hO5\8fҕ8͌ˏG&U^Lfi0|Obdm ߇%ԴI} -,>ݮ_;oY"jL;AZ}b}܅7\+v[nxBuJfDnoM=TF3ۗve}~x$_GdpN6Mg֙lb0kGǽNE Ұn։U=[a3]H G!Q~&*.k-a`'8{B'h$Ԯ,"t7) Y`x q'8_󀾭?Ft1O 5Al1ITU,4&]?H&mgKT(w:-t 퀾vZ?^Y`ZpNZ˵hFb5&;x >OK\yfsG}A~3Q_L ?U~:Q\>~r^{G@=+aϥw|]=_$YMM(-;3,7n@rF݂uuI(_Ŭ'E>2hfGB}V06a~WCeՆbT0/ś tuq_ \|#X:+ʼyA`?ySQ Ln2dhR$YU[߷?V].wF? 
1nr?ĺWn|Njv{Q-ڴ-~ˁhxЧK k;+e4^I#DHQuԪ5n޹ZP8<"()09&5?^ @&扂 ?T  JdRr5]Yʋqr>' -9|3Ҭ*b/w@Rj ->H@jKV@vY(TLJ9^121lF?YJ wo6ΐkc+HǙtIÔYSuٴ|*a&WA6PhR$>b97;F7AGѲ?;s}ۜګar/L#\BkIgȢNRQvd$E|9mc[|1s92i)k,.6U~GcnE@R5;A<OQ0\$^+Fuvҟw1r)qP;4vZ ;_i=w벑7qD/gw@dmڭS!OTE?[C 6GEкV9trS42y`NV߰ -7=k*/4dX=?VRgҖ74{ZD~͹Ŧk~?yLx] j:y6ڨM(]>|=ʱӹc>k;n)x&}17 |jEYZ:ov6+tֈYnDX̓j̠ہA~@a>'xI5 Yv ^ꐩa8;2khZ<1ݵP@|7 \W ^C^@K}N͊3%©Ы`J8!K<X1WT=o #3 ^]w^We&&ȔU'/phI!/8/TZeSN.>oq>IzyFk1 -Q`w!>:T~;ފjrhLKE}!urp͢N -+,T>z;y,65z vn-Ӗif,xb|PAu:Cw> 806`r98so鏩T}uQhJCҐ|c.J𴿡޺`ubKHݵM#/T|+*ukb(ԗbJ߸:2b0W*7BfDe%Ҧ8Fl8 -X5?ŊD9 54/U9qުU¨uDSFі1 $i..MQ7g\MǵKY} o8{ԙ{=l>@S}\4c_a?ѯ$<Nɱyɘ)y/ZIf8PzԺނ# &,wfs_mvW7gOn=SmU}2z0:[4obp`( s}n|pe&k@sao|-g?O֝pL EY >X΃hՁ18gt"F~fX -7I -()2IK'ZsQk:,EhpB=a?L}ߧȚvR/v5Q'UuzlJS\|E)CVg6(+T\uj:19Y[E)XB0lC%GMN+CƃG[nsDV6̆1/Iv낚"&rg,|-@O\ĿvWٴI\AN̜)kel; 'hWP*lU/a_ҳΏ0T|j zʩc@Vw^%׭Y0`[J9 HbC#a.lƶ#l _< o*O{]W+H:0`ɡpK:Z hse~ltN=1Ѥ89Y"*Q.w8N)i_h' +fUӃ>{H͡+Xwх$"v8b9 ´b#5+[KYccsV- S_ 쇯U[j ymo pMsA?$I?$h'UT//ENl9y@9wio`޺ua -4~2E;4u+&q)Mn!A^Q"eUv/2p".=̊fJpd1Wm? <@Q?rYGB-_*^IVpuA_ 4>6  b쟃G6d$Yb7`mJYh*j_:@f:SIc1eWj,_Tտ,6o -r/7FDdYRj_͞F/Cx[Lp^=،[:Y}uaG/׆Vf\bCinғ24sSњAR֣8NwzWu6g7 (qe$@zLY!6\5`~-&(!y_H `XUٮw 2+\2՟_(2T`nNA$5O|՝1w 2Rp>ͱL9\zEiشTf5ktp+IZ#EW2`oTD ch1+!AJI,F/Whn*Nuf|*44 -Hd׸r^;__en AƇMZMyQ)*~耇>6}}Mթhǹ>&v`dY)NIT" l*`W?cC޾a {}&_8[;33fL*n[t0-@P/\ Uf~W:xZvҮ{2כƐy2;EOG#Qӊ-vY!oֵAXȍ\aꞸ7 䖦8jl."JL w`pB_fyp'?<(n|梙e½3pmrbª}6w#!'EnН'qX Kʱ\Ϲ3WN(t՟cBtrt 4^n]>Ԝ{67c(qw#;Uzhu2EQ8b0eRD zzbƼ ,gW'7RӶrg]0{R-0+{'żV';bdyAO/a -1dܜ1i{%s^yS8fmz&  dBns?;\K¥tŵu?喾|[%Z{Xc4TKhOUx! -Jw_AG&{zh,`gK[g60kn3@/9c+F *Ú&΅*5?^ܣ, oR@pbAm H%Ȯl ԑɐ`[ԅ |N}UhMATySp3o,{-(_S嫀X(HKӌؓL.R<ۇ["M^%.'DXw.ZMsZaq8ٯt,ib@e&baydpu ?!+/cp*׹H . ]CRYGf54h 9jaqٚ]W p~A<;rֹUu{{ V/׫N:j r3SJDObfy~.Q9|lI$YYmG-3hM*&ϟOݡR]Lɕ&[?(=8A*<-۪Z)7: yP#E/kc }kpQv(u&NֈnWQoX$yf%u6L]U&Gޓl9M~X#н),L4x*޷-~')x1dSv%(J+QGn1ɡoe\pjY;Vۇ%]jO(+SOFhb-NYN -71v?6^N)#Sk5 @= LeN$*yywwG!b?|Vbrض -a5{K`X/e49{*v>W1uO!%٨FE--*blVbȡtykաq\ZIgm_ -51)v߁8.]Qb XͲKҚ蝾Z DR`_C o9G ƾɵֲxa}3[a>B7.ֆE {`򦸩%!H=k!CW, - $7r'g3<V>uIC? 
xʶ: h_*ʴ~hyuCdMmFzDi vݦvBBЖ/{NgcP.s>XOٞ7ˌ\749᜿K*el6C-|!5 E`6WP V%-YWZ (ݼw8_PDdrB=0fn''"!À -endstream endobj 299 0 obj <>stream -iܔ5 VC~R," hR8JC#u;e֬|8Ҟm=2Ds{aw78YHX]\(^f|n?ssj@\N U̪nFwbb_7GZc?>fKISm%$mfnVuQ\U&ѿ$aBzviu3jQV?|LKOZ,XX=|H̸u-M-%Yl.WЗu%+_Ή~38Yhw-s?`ko *Y!O4* -Wrj1Fs hx>clrHHIޱ vYXIn M_.A׿##+ET>F -+5Tƫɺї5t@gMľ+f5iZ]hoj9]TΛJ bXk =h!ɯ`ik7Am*v/'R諮i(j.K4"jM1 @`OPx)UrHuGg02uwElxQ˅5䕖}l HҼ12mvXBѺ\)ڱT{)Q)ZX|]zd9#Iakl%E,>v२\3{0.K˟`V/J*Pw>3<\VE !f5/^B28h ^Q|[b1L!$Df}0ʀTxt7C6>)JcqvooC͉g SVsۗlZnxA8:U+ހvEޞÒnZVGma(p<ڠ>\ZЧ&?T}?~ݴc|Vq Mw"!F<´bZEA.j]F8QdV<4^ҊKf&[ۄ)u}S:>B2J~7wehW Jx\pE/$,"x3f:w1eCn5h.L'΍H1ۺ7{ȶU6Whqƃ$?~!l~lkKZ4bz8^D0X0hR;`bXy -qyT/G:ʡ(G7x$&9*6h64eUt B?U^.?Ms[X7"[1ol¯42#sXuc4XMhV [KΠnwVJ/Unw̥ oA/o VHBL/fo E%?dxtVYnl@?oyJH#0'+Oq"xnw灛!<q/8nih;(*357GLd|Gvb1QR{z&B,q;qOORe7.ʛP'8,g&Cj;+0t6j{{ID.Tc,skunV[ _]xFQN3fnw^bq/fq"E3MgvUϚ>&?<g/n=0 Ѧ >Pi|L~9 fث3_,f z\h?sǖGX@Fh{RmKsbJ@]_٪>J<cI1zryt).pFਛD֔BŰTPbvi`<`ajbVz)p*Kl{AEϞYѯc.}Z>lw:4έf?v4dlέg@v.Di/3^3yxx0Uj35 .0'tabYaKK(>WIWOA[oոvOv[;8995|D;]*Ki,k< ; ˽έAnHe-~nWi?|dbh}U -˝_m)/ǪF{q_%{mJa',tTV6vPwZ؄z#}#@ì;*ܨTcytwG`ympT۷U=:En5c\4tߚȏtkcw񩰩fgmО;Y" 1]pQ>\[1faͩûHY|h/ճ8ؔ"|> ^gYr=mUZFƢ&pZ"nFf1}v!x0qtFi,L _(6vIӝ)ef$iǕ!{@k3:[4Jd| aq>eƁ^ÙWWf2Ȳ^:1%gU%BɡKK 05Z2Ezj~_ӽ_v>F;\̇nZ]Grc -h멗[%b n5;RTh6 Y.NͶ5 -i7Ux -OfrMG4vN'HfҶq﹅QQ{24tPK?N,`2\P=kq{ѻMsO~W ]m1ӸZ嵖`5΋u('-v?bˋH\U!-hI]/\W?_.\5^nXTHq:]#)\yh7Vݳ)Z%)$fxį3֒ 끒<8mwʊ'`]&9pW%BS*/{/pH y,wa*[9$ C] Y κ @n]JC^f09 vYضߤ/D|] ,o< -L8p_z##< 2+?ht+ukԗm~>io[PҼݲ|ZȮg%p0a>鼊\/,nu0z;8_$ur( Ƭ*TDUOƼV|vW[>r+xci2Š(e#s n/m9nַass>YMOBJ#vv*O7x)_@?$@(;J^;)z(pFA{z()СA@ r5$5`{lڸ|RϿXi},Y(]!D؈Y? /Zrɾ/\nhW?V?#+H;omhf m]_EP>P>i"=J!xS_(\=s$1/ؑ5X&u3T\:譃yz &B/u~JP<_zK_@{4Q%Do[)I׻8Ǔ7>vB} Vުܭ1{;Gq *B,>Vo&Ѝ*<\ Tk9e+n%n+9-N~6DvPKkL:Ej 8DMpBLޥiK6t։b1Y_m C6ޓCKH!܃x{:9qky) Tsj} -Wjc. 
ZŠ -WᬉL jNcLMzIaWz8:oGۜCG<٦j)ЁX[G);yn>Fye88c mŸ.|~sFZvSg4-$aӘZz/ןLppWsg|B7:|8bzm%LH/A"ru8<o7ʢ䞑N(U;s_3}g`w)/zTYuÆDJ$,\]Bz(vh/gV'bNvI}窻u49Ԩ:9 Ѿ0,rUYi^uu&^X.1`cL54f J)e~ --N w& -w-ՐN/nDaG~>郇9^_h {Ւ/1Z /in4ӱR{qnԒֶxD9 -M,;ze6Wl+(aɧu` -3AD%(Ð3U_-LWU!"}P Yb/K|d[p.ryӟDΆv_XMKl%lcL0xduY*ULOWixIl,Yji.($7C>NH5?RlLqϢgplL1;SdLѕbyv%#N%T;oݔ/# -%/ 09 8wWZ.3({6Y;$-zvvJlquՓ!]])0Pv=>]`M1'L{_{]0fCB:f!iL^ k}fl-Z&Rў<_%-WM&ZMcNG7ҺG9$ѐМɽ5M(>Sf3}ix=_E'hhe/ -9@h[hhg^ 9OT_[A.5k|m^HutcinA>N:FZZWN[%JNzh)|?tWS:27 93\ǖ[) ?s4"-a?R 'YE;TUCK\[h9FU6g/N?'i}~%_j'} UFƭ)ϙQ-C6)c멓ʖZ"7vD?xgU;fO:a67V|h:;kgF*T3-mJGa$rc`)5.Fm+Ǩ "q>Lb2s22C?V!'<[F'] [ͻ2֬^`yP8ZYo FYLcj il>hec<Z}NyBxIE5^ u*CFCg}Bb;߿]AJ%6bsgnGs7N/չqqyZ>E=<+: i6KG#]#+ŕ^~/jvo46jW_Ɉ3Nw'2jn?=b_* -dZ*}~,i ,hh?¾AI]vz_]q`)Bp0'u&e.nŕ/NP cSuTӬ~ݲtd&73'7q?E`s6uno#GPN//{c6#eNutHpbՠa ZT̛wѳg맵v1X:xVn+fi%RPHȌg|@B%*eduM%KԸ?fFD5nQ>8-EG>8繻4O ֲSd/SMe^{R>c8*,)AEĪzo ˭P'M%HPfCe-( c ݷn/1 -3\jñ{9{>O__~q==iG"rm 8%xL&M*A\𣑡h.ؔ01zjj+DG??awU }<˿ es =niDE7砥n%:WkE2 _v0Xg;B͢Xyt#Y "ͨ ||U}"4e9tg0Lw\%jh`y}Fn6_7 -{N_#/t3jnJ1jŖɒ!I'z)՗aQLb4tTOS7a9I*w\k.KĬj߯JX(2-斯a/LZgu|n[fr `qeMS.yŶ2n\%kk,W(|d.ΒhSR60Ct+hI<ҳ:exl)H/Vyjάy3U)iubIzd~TxgU(J]`"I)*=NIy_ٵ3_D:> (}]w~12tk*v*)W>MVgb:iH%c-!QvQүXl1Yiqգ62+V ~jEq -~w+b#lyL,aYF2u?A0Fb,%>o1;HFL]҃U ݟ?|S6s7O_a9b纗CսN } 9u[_5*prr{@/N]ci:V5b/Dq6"{NFakٿ-i{WH,/݇Q뼵I3T u8q;VK/TRʶ ͕[lvp]€V2]+f0-xo[!Ujrd 6nmjO`4mt,]_GkƳ 'z[; U~֜rh};iwz6:ՑlQo0Q7Օ[>jlutrX-?(nC3"_MClP5~a)=XIoO^fTU פqNʳ]<]i AӁ.}A}u* &{z}o, #6jxAP P=>t< -_=9D\ ޖCY"=kBa0kc0UNkɸ\;o; ,ZW ]24}ϲ8u@edqS!\T%,oC-qBalzCOrr<5=k lPWpMԆM;/^уE Ox0EZw+3l'+L1/Kùvj?r f7d5bGb1b~#;UU~&l?(cݩMh*Yjo^˷xUN=nAdǜ5g",˗/q`jP?tbFZ Z$6-}SCȤ1x&qo$J~  -wV C@{ڿJox]eGꆅHHDW)UK>6j%k*^e6^NѸ0]Y3x#/߄VPoCȀFFTedY+! 
/ٞfc ,3v+Y{v:91c9TGljN~Ņ$*>\d?e -a`Td-15YcfۓX- -bP?X E4{̽lhh 691tp腵-WGx%Qge`1KJtUɧMvjNf*v)SN&a/^IFI7mĵvmgQK.GK Ow[ ]86}!fktJgSqxv GmtZ|w%8Kߤ|y$]d.vyqh$,Dz2_*Ĕs% _8 x5&Ϗ˗ݐYv Jy79`(Ux?zܙtջϑePՍ_)9V){~AH+9u*+) Ay0()5Of7*`;=m2cZึ'0S^|eY-D m4GZh EծTnϞ/"D!Rݩ@qnwSa9Xt+oT*7y$n8ۼ|[x4( 逸7ʜ\+gY -@I<8Ȧ~q~};'clv;Zu?ӝvi(B)}q `wܨiG Yv2Av-3B&tϒ-ֆj?[Jiv0m%nmj4zPjdv\fDfJڗ (Zw*'2YܐK{|~(J`bBs"!3Q~&w -~1M$nAOdU>< 0Y?JךⴷU3V\+WVK -GPeFj/w?<qH9W@=^)[ip -cEK֘?.lTGy -}wFIR,|8] ܎W3SSէf_Y:v݃{q` -~Ƚcy 4`4YZwENzC1%ೆ6 ။DEfuKCC<+#Vj6zB_$>mkc-,4|ɮjxvF/fz.{[o#@}F'}3̶ZW~zp&64 z氱TҍN -9^IT {&v][%lIMj'wjZ۽?X4w^տ3dr(:'mTWuN|ht' ?s>޸ȎuˎJa8T' `U$w xY`Lw*_6DR=LjKŦ%vOCk鸖LRjԠ(ʞ~z:lpCw=~' уZ.ۺF,mL|uFjmSz]x3Z/{W==_ڌQӰ,pn+ Q -H_8bv}B۾Y|mCG݀ !kQ;-&w.ȶ ũbULє-Jؿ o"wLmےEz`lY2*ka<'qYo-jNoZ#z,t!EZdg HM֊ޔ3.pd&Ѯ!Vm5tZ_wОp #okldG>wژ^7앲0{ϼLD#3A(@0p홈.fs] '.azh6̍:d+ ~n:em/ˡ -zm`2R3}0EG!`a)OG,W_ނ.%fҾ_qs}ԅ[iSt5P,_^@-luH{(CG6Soo}^^j;K_R=c[-xbzhRſ|jq)s -䪿X,")jn_yL>nI҆y%/Yyѿ m.(Z_Ge[{FFwM5ovt(b{T㻐[hnoМg/ ˣYX`J9@HiE`Jl ,g,j'Ϗj2]wpȊ2׵Zq%-ǻ?zm{~tלWZZďcH&͒$wƑj MYyZ'v,DP*cvT6 UB尟f(#fut5IrOcpoŨ^zj[ONuG`K5cmQ7Y>oPe+j[E0I;v'P{ dR5Ҽ󠌢UbHbqdcjfiVRD$?ʕ+}zZcId2`E\o]|ў)kB!g1= NnQީyGYu1$#AG ÍH*3 tO{d1jgis\Þ_[@z{ia*q[L/obb Æ28/\Ʋ/J5}$/T3BgQư8nt}͇XS'KR];Hb@lhNʌtUgd_Z[bXtѧ -ԗf[ l:(G0U꿵:7g/ч_f~vh8P~"|9onaZ{g"3g^X1HZQ{9nH#$ﯪSq(ķd|)onWk^g-SZ&֑ॱـ뷆bQoj eʥ7?CGߟmq8<Ǎg0H4:hnOf9ݤa|2R&2*:nKJ{u@z*M{W$sdݛHj"hx^'ʓ͞'-pR<~m8[F'MNYްE~tڸ¾mpl( ~/z5)@t"j0e9ffaMzdx^+:Ϟa6}|AM:-_o7"jk ^g&uS-vgPDrF1o=U7]7CbڡɄzKy^͈8v{m/f+/Z/'a<ۮ;PS罯I:h -|3AW):fNx@?TJa=ݷdc+Py7|op/׼J #a#ڼ7~[6W:w%ئl05m˘ p707ԨC@jt50)1M@lю|\Mdljv< -wYRdꈳF qo -1VOY?>7S8NEx?nI4\h]dc6Z6߯_C53e>a_|}@A_YQF%+!U̍RGNeZXԕj'AuP2+xǜZº>%<c͹ jGlĴLZiU/8Vnُ@)0hnm]QsT|W}tmcsrGٲVç7yP1'F,[{L`xJO#眹t>5uW䊛V$E]PϤ K8_ JRxI8Mm]ـ5tʛ|!?ISǣ;jz[ꯜd7uyLaW:2%d -O Apq^K%jb3Zڝ#ߋŠ7`Edˡ͓79sXMeYY>b<odE{ud6V`up'SJ%HHD75U7Z,2:5!>[}dIr6N=Ux.EQCRsɗJzI3f*P뵦*"M=L|:z(Ѯ+br|chYX4uW81o;D/{RXigs]੬1wr~q}|kv uEoG=I9տk;k_&{Z0|bQG-I H`vvXmyeHOoJ'D0}W=Pk|>s[TFU_&mm]-1YOer}%_00PE+Uf#˓, .}WC|{7\zH Ɛ,}{OT?B=;lnU6J=u(ȡK^JTutGQK .4n -9fý&qRS"]ua_$P_2xw:\X 
-[Sв^ⴕߋrQZL= ?ʡ]+e? zJ>^C1ɹκ2J ^c(6]n!q@YhR#\ma]h3sUWj߬MvsR'=I s9]pXPžsX g ?V;Z&~6q=+1 -+ǸZ9S p/k2!p@xnҴ~ @h_ASAv_W螝6鴫ɨbxYiFqUȌ ib])hYEӯpګbCv3h15p`2Wq9þr&7$I - ȳ0WFI88LёF|DrUk%UΰڛVKcpV%Yhf})´Ur9,iwTh2LMNےba_Q -Z1qX6.}-2Zu'8ܔן#Ŋ/{˓LZ7.^b['ӳZfD`P=JԊS6dS uBS2k*deP .f~:ݯfZPA5@m&Rh' yh  v.҈J_1JZ4Ϳ5Fq~iY{ OdzGeխǂGhu fEDlVWՄebxgsrK2`+iyq4I:5tiIowqy3hTġ?mVct]~R{ӋWƄBhx\5jbFZo9X634+Z`HG}`OcPj\g?`ff~<+$F@BGW}j/!~h|)6^gd4jW͜u ֠! 3mfl|oӄ&EL/g[%Vaeν^^ڜ擊~0.bWvӮ^uQ`p-2;0lEoqzVr0<._b- *ҷ`>Q-"Od `];6l]K fϜlߘrݛw#5'Ι2Xu3[T筻X)G'u _mքK^jS`->;W垤`(bP.^E[Kwu3.=s_vͶUYv K)Ɍ'{d]PCspIYlB/ciMPljR,p< a֌^zƵ>Si LZu rm~ j꿀I*nI)0:s;4A\{- S9<|Umx/;FؼP?/GCZ՛ ,*IE?EJz窼4shX^WI)(kDY)*?Qh1Pp}2hGǑSn^+ ,yZՖ!sO_[ޡ=?;]0y?N~NF;`缞l0!fMҘM/I|T!W ;}4;5PKz`]/Tzͭo溔D˚ʗ2C҇WqR)Qߧ^h-h~m%UVz`2qk'vKOz -+UbYo> XLyn=erTfv2UisTk}CM'3Nl4F,_ogCuEkͺq{jzNs@xToj|ו_ڀ[Yt`{&_@WA$zwe/-lMg~vwp5ՌKW8mxtP Z(UsfE4?Xe-p .wA) o72CyƘ_  !Ηw܎}XӇ7ff$7CX+(r1lw.,<7.Y?xY -ߛN;sS5;T>%ƒ *i,`sFf4[8\=̐xTW7m%,$"fŬ>]DFb/y5>eص^;*CrT]뼞ڡ C5~kXm'-K1_~C-_0 G-C-+*3Ni6R,_e飯kɐ~Kݤ).9yx{̓ĝoW8^ޱ_ꔙ6aiW'[F[}1G|&Ҁ;g0_j.? Y itl 244{_UUhiWU*åcw܋UF=VC%gz+ kSW -Cz[bIl[5&TWX&ŕ80."EmUIr+$?5۪n&%=7*!ǡzkӭWPx+]]PUǏ ia|Q:ThAݫ̥gpԸ7pqOYvz$dzW/!mPj\~x'^}R53I -+@QR mn/3CQrax7h-aex:\+3N,hϺCsa%| &pg?L@<򮊿7QWD %}):y!ܱ7:5ȻZJ7tra5[I[dpPyuk'P - -Q8W5S,%v=s8:Em +ۘmiNa\z:t7xR}nyDAM(o+Su#9$͆:X$]gJ -B"Ų̐LIN2k~]#ylSY{qX7hE+g '쑓|ڠ,1: f&T MQ\pE$X̓/)6UBJk}bby6Z>O6m6ʕ_/=U+惤JHߜ"XI^mց g0`3w/JbO OݝYngsrmRnpjA l@JŬ S#;45kXoX{2PLDCdcq:{KT3?4/':_jֻI1H6[±z: h֪15hi#ТwWz0MGB]O`#E<_z}yt2C3ӰE #m姭MZCdUWb_}FmD6n"i\SR:[VcB}>嵳^oBWבac0Ts{Ro` W]jԡy KFn? e[àb$vc6vϘ>]{bgv z0Anm t}J{o~'JA6C;}cb?vj&XHQi;Qlf6:F{k]n\("_; m#uqf#w֎i5ŦaiI0rZwg)p;MbWG{geBan^k?Nj9X@mXi_B<Ɔ>3{h? 
-fL12c1FJyѩɻV9l߷6fuf(otJ* W1=u ǟ -Zgo)/>TՑ7:x =`Y?y,;~"W^fv[{)ϊXdZw~h:w%R´8U]`3k Gؔj-2OVWԥe1?Fz-[NpUj_Sc,vb+ourLc /mg;bo(,̃=G{sp+0%2kdߑԾa^9֏_ZY!4qۿkvw0Žq)@&"9iT :6Ljן9 .QdB88u Z!; BwvپZݗ?žOlq(z7SdDT tt^ǧ6l~WT:t%{n~BAbTX04^>xNҡ/+IpVǾҗz#o2zP4aus JY[zȞ?>ʿYCe{slٝz:͹}5Cm/cE~z{1vj?=O*Tm;BN] D= Sg`+XE8ÙMnKW6utы$'_ \ҐO„Y핐؞] /rU2?yB -#oUO`UjwO_~g- -@fe r 9/;յ}")び=2lP̓85`j{]e~I~/`ƕh#k2Dh5x3!?YK?@{nNE> z᧰Aa3v?%44 פHJWG=NS"YZ ZݴНF uxsYZ~,ԧ^wzbu50C_MF͆&de] ~D,س50Y}*R$ bC)2ζ-jO㖬S\y @8B'J8y,ui\f]( +oy0GW y8iv\֌:zwqEj4-GF]R0`w@j:ڒO.ӚkY /~(Hɽ -xs[GQnS: FͰ˧`.ZiX w_s0 \_!}bԒL1 q -^!祪45"AR/yϫD~+Eڥ< Ҡs8oL끴[wȎzxW$3uw5H&[cfCxbN-~𐶼jXuD BFܺjdݰa'c=N˫㺯"5k!?!4㶤{}蚼G/!j ^iߥ`y58TQ:RfU3N[UXߵR}3m J[C짝:dx[1;0k$aW/9,]x\֏1ڝFqŨ} ^˭5lzP@ -rU\ޟ Lw̋H&0&3cBxH?\C)<ajOE;>b -YvƦ7AڏŊvv -Q hUP6Z p= b '$HTwd$' y0mM\Uag6 QVTIfDd Hܽj##6m{NI -]<`oHcUITX~/‹#]1ǻJ$nr{}F+j.¬k(vh׌\9*SlU`H1.RӢr`;0 -''\ʧ!íftrʐɧQ WXh 2ҦjX`K`ݛ^ُ^gWFeM&=+Roc&ڲe]JE'k~SX6Jc v~SNtRt4,{FzKG@p]$My&l-֑|h:IWT;IQϥDpsQ2pHE8#/DRMx 8l09L=xcʪ݊ v!s9y@ :WF, - (,rb%9J:jj~q -q~T[C7wCLYt0&e݂<\.՗p}]jrArnn4 -To:z=h WM[Ru̅6MӻӞqA'j%6J/5z M{v2I%vݞof?k8ɰt0 z'Ӯm۠Fm?/7V}qQ'z Y;$f~w޲˼۸$'ԸBZ[SOq50@>6",ݪ5C/|йДkxBS(COάRP[]AF9֬Mzi>=OB0{[ξխ1"'={N3~ FY.qذ业3xk{R;G99f~=gxNDyA)3íǎө[a=#>^Ԛ\:>jk{ i+1e9y;>AM8dh޽6?h0>hsv`V;cZ;Lvq@m4T+J A> .Q%Uٹ|_1Fv> >ޓH~i`,8/˭ g3{Ii)]1:d>1XR \"nQׂ?GHDM'҆1j_9osOO%n֪?.vxׅg>>[9cm=<17zO _pZɠ*m -wM>=To~rB1'yUlءsBٙ-w.p[xrmgު Ms?H%=u1Z_KBO=|~jh'摛#/˪ɦwM^=ZaoNtaݽ\2ޗQ#@\/ބSTKBS:}*܄,f̭efggɡMnpn&8wBjzhjzuyy +%tYBbGmZKtvԶD0(Fڟώr2rQyo􎛙z݀փH{2iقf#rV0n(:I>Cb3FCe/_DB7Ove7\}Yآb>P듢)Y2Jԯ%X-jkg*/5}C  -Ha-EWmvop?hT gqSE~Aw6m7J%*0'_<ǻ} -5,zm I21Z6{hp4ig !ȴF4Fe#,lv<ҴXw<W3Ct*Z4|Z1CC,?s~PצԴ,: WؒUIb!1k=Ścdp/Wlef I-EęŶ_GRޣd7-Hu,;| ռનs†~*f2 >A\CF޼8.#Dg ŦS#VX Q]> T}މ7܃I(oɵq߱@uQ>Lҕ:+{F=KAJSL)jԽŴoͅ+2ң"U6PrR?'}ܿFך~>p.ܥ{Ґ[qie('?VPˋI/ZON*R GWK6Ďoeُ EJ6/InV~vP:gENdZz 1x{͉A.m_{,ϳb39:1cp%T!# f8UxMo6d4o̿aЭc?g{η$tNw%jRB], PAGg݌+(5˲۝~=sGeBuĺ5{ 0S2dKGr&8Ϥ{T;isБ0CcPXO|= 4rmڼ|ѩE0V- :nf*@FuIu7-8I~^pax el-R -) puV7"%:d LҮ/6c-)BdW_w(Tր_[^#%a'fؙ"k/x;FEb>9S_jnt#FC4Z/z])7-/K 
-n}I*h#xcHyfƒ"re)dũv:?W,wd7M1pϦ+GL6!Ured;, #EbžFr`q t1+8]Rɑ |6i2$k=G23%ë_pqPW ce9}QiXJMk9 -Zq!p *bG '#>d9oijO[uXS7bdd%byH Zb":4%ȣ*d2hf{vZ>F5*]V}L(w@`gfjX0I쩻(ճ6XY/=WL.﵆MN.ȟ Ywr -;)ffbK_)ϙrˊBX]2c S YS{ _W0`)9uR5BGs¬H旪s+Oq/^sW\IlbeױaBXLEMo]$G .V3Ճl{ǒjU1iwf k y`QTB/WS^wBO.Mic$pr FR -LAO(֌, N- -k_Oxn*Ak˅n'5վ&a>DH\-o#L?emf)P9+K;E sYQE *Mk>{ #},Ph-v~Gk3=gI`Y[ƪl&fih囵ݪ{ rɎ^69WVmP}S&}|,.؞rS'}])[1\] D,Úc%RjJ4'ũ_'H8|1r6S'[sB3( ErnmX)AGE>slů@)̤/;U{Z6iѡM>=mL_3o(ltRSzH@MV8\iBf|9p4-FEk5XĬ{|<>QG1)2-蘾̩1\vk#`m:6YL īcT:k֏<¦b -\.*Rml 5sR~m;spRhXGşBWʡ8˟#3׈&VX_K['8cIy]못 ҡJoBrs[m GbkNCh|S޾(!^~4jeH߾\ݿё#g8NJ ? WK@ TCSr6=nr):ǁtK&O+f UGlIvﺧ âT5ĞL|{n@nm}!aOnhV2Aj'74} ܟ{8CkTRi[(%+s(#E0 +y&lèإ{Hjlv ,hDF;p#=ә-f2G~OL^e!}s5v!h.lDOci<EvuooV);R1eŰ_O5,6zAƥlKH>B-E{O6N]_Oa=">r 8CΡR5-ta|ּOJ?MR2=wvcŌZ0u]ñ n7T1{s`"*V5Eޕ 3OWCنn_ tl uUs -φo4ܒ0Tǖm>kN.@ }0plaMJw6t0!UOr[{mǚV)>ܣ_(=I^3g7:#/!^A 7U;[tCFQ@.}*)vPwE=-kajż94[)u|P"L`%6b XS; ׉"&Cj4xq ["ؕ[upMڲDܺP**F*u=Lu3sB#6,Qt}u2LaC{ -3EFG @OEי}]{ԭn<q85vVM*lԙV^?RmNԙkџrǗ78g4&c1|KT/W+:36FדRMB0s]_0~ͽr5P\*z_Էu -ʯ끛[B)|9꧀h{? ޳* -#~P0v{'IGg|o`H2{zY/[F"^ϕG"d!Zov$?E*W{K62I y3?;<@:Q8~j?Mz/oc 3͒afSG'6s#o:lPvx! 
-7v)F}Lܸ8=90qV}hn:ny$DLY \_EO)7̝HZ j-WS8ߢ hER9z<,VTur0]h[Yn]}]hiz`BK<"CQ_̎v?я+Ȭe{1M@VOyRvOo=noQ .կoM|hSaDX \Z.x2{)Rryƽ禘(˗pkG$i Xe0n= ;o踶r8IϻQUIG\hE\9 -$lk0]B[" Ix[O4S -5NaE}H}|e48K00khw T!|$Y 9BH~܂!GM“y!oP/"-c7^^z~bxڢSzwLwWm0v>Џ]RDXHVa{qQPqQ6l yۺ˖ ;n'+,Zk4+-w?Azh^aO]ll-70C:B.\>!.:M/Xh/|ؤ|Sw3@4"2˯ݻ{`[Sk~Ni[s,IbFFG:D9/MOD ->D~2A"EU4׶m|ߚ|Y2̓S~xVmS 5]7ǂoC-}<'EUMP͉".!vq!~۳c&:wsҮfKk݆w}݇}3aleq({`#*#U+)K4%m%,@P̺7[sE'enfu򶵍Ϙ=a|\ÿoe_62>X৘*-1Z48ֺoNzTaw$;]7i?{3XhP*|7#GB/PHVTg޹'>n}ok<2[׽g Tk,Zh!fêN܇B 3`YY(D7?h[tSF -آ{ -awSdtϤCҳ" ˘[$ݓدQa[O[N-; ->_dW49i%SW2f [|a0ĎmI^g#-<%mFo=ED g69Ckٹpl\YCtͯuܠxE۵zT`yjj7l] z=eNלmI%P+ƢVvw}0B4EZ[' 5>Q}ٶpPxny6^V.2X^U@O@i'o%ޢUOO/vQH[@-[?.wa&T(xs_HJGiR4uZ*>s͡*/r (]K?彜}yl.H=< Nk,ӈ_^}s'xKsxMF`m䊫t2s}io5{JÀw?KiEiA\S/ޏH9zc-*Z*VnZE@)<Ծ#u1}+V0+&$/D{ҥrķRD[7z> !Xf5^(o"=N&1b5h=˫Ԉ<P7Ca`MTωG= ޻/=I^)vX~ suB_28 Yj|hBsD_XҼlJ!./G\%Av ;Wn wVc )7gP3"4=qW~bk[#b cG,zṱ< I"j☱>Գ hfHB(޼li^q6ΐr!feM =ݏa~ ^e_.r=܆o1lWcWKy OwD<ۃƧ8F̉hp -boa۽vӈsRRxiG6Y9d[E1w|%OHѼ\Nz>ܺ:F]%p!J4.TURH;<6LeK\7к$5 -Wk'ry׵' - F]1f/ly.BA겪UMfXb%zkzJ32|QnnuWSX<9C2Bz' T^s\F6gD>qٽ_j,))PQ ]*y5;, (:$*Gt[0ť(mjF['۫Rᒡݎt8k7/\Q4u*ɒ㠳gvo]$r!wç a%{!g&E Ĭcce>E~%SQk4P5}ZMG [:/g.̹su2C@g {!$< IJs^ԖX(1w"i3W`=*,Dkk2rQʗǮ>pԽPS2׆my 5y5un֮?0>Py RG]}km q]{O۷ShJMr'/[s?z6.\~ȁ4WEb15(DE$K><#BjlgO{Qa5x,YeL#&T ?X̅]v@fN+$6˷Kvc5Ic_}XSM4Ph\'ߠ<$bc|JkwI` /i!َ{"XITÖWzJ,vܗ:}MZʆYE/.Iy ) }Ti2E5QZ,aluCiB7'Vėn gF) -#5X[ȨT%|驼NW.fHѨ͹OkȺrwu"F1c -UȌ:u1 - lb[;lr Zcg<\\mY8n4?yul wk~i -ʭlDL}׽)iJO>ǃG&90W}* ̰Gv-|qn:Ec$f%Za$b2 -Z=(/MQgXcYI]yZ|`%89#+W,x7cczB;sW R=K# nhI3s׳cM<`2=D:Ă*.tU%'Nt-Kz"C5ux[zWsqcmT,.ƚSd?3P:@Iо1: RQzH ̳twiF88RM?c{RR8vops"-y -y=a"ۆqj{CU~#$:Ua9Sq6D"F En<6|4R|Vql>. 
#3E`U~l;%) K(2S2ԖOeQOFdNCvֳ:*2G-%NІn41Wy,;IB4JRq!($4B޾bnsݐD裴n^-ni/XL4^/L)ڃ*m9fYg'LY'kޑ|vh0+*Aʚ>N׌@Xޚ4 -C+.gf.$[s۵У)4v-8fxh7z7ɋ>t])'Wˇˠ?Yi&70}1Tv*}Mpb$94Ċ'kJZ98r6'oF$I.ίbt "6oEA(OT=򐄑z1]Q.m[dgY$Z~s@UOiwZkW;5Qiec6ƍ u^ٟxrQ|*7WӚۚtE"B;_%Fm$A6$Z<0Jͪ)op8{y(+0-ѴGe]"y$3 OqUH~3@~_?Z~p7WU _Е'Zg@}L+K7>ָB (3hgSZ^ -uζrx $ẑM)r;9ya2l.Жّ_MY6[/)-0`X]dEX¤ޜ/PִH?,7S*C |Uw;q ;)Yw- uGRAgzsys%{&wxx[l%Un*cվ"[!xu y`U%>'[%=LjN+N>}WH -PXQjc^"y{‘>(4o'Aܕb50$A=ƭq<AT[zrBiCP -5sʂqY?<~:&>jZ\e1N 5ӸTqUa;П} 3Ϯ?^7&G=0.tO[X~NIgWժ>?;tv:\Oޔ|v= ?Z{Tp s-!o92,ijH͍g^ac7PVͦP:GҝD9ضfU_cl -|gԩr|"#L xKrag3LMaDf]I[7 -S+bx)G[*ʈ]b8 G%tvMKfTF Yҳ9Դ3ex2؟W&շ7 Y`YVN^fh9~u*O2eb(PLDLN`<Quu\7^?<A^TV$қ(.n;MdN#߷vyHiH &n1#fkv(j{9(̯JoC ȿHgֱF\''{RN{ .NFu:֍X3]2O 4͑WCP:r3S%.XQEl+L-s={V -^zck -bx#ڏ⪷&jejLVP"8}C-Zɭ!%iIN_M_@o l.u" ަF˺.3c2T?E};, U׊6grR\aOOy6xR15X\k?8o{" e֪=07{9Zk2)e$z OܓgsQQ#HT;D31cnH#L uAp"NJ8}߾D™Z/bZYNQԟRŲElTe[UjR_oe\^\lޒ}FG9|đhtUt+qa&AO *J%7"dzE2ЌI}-(]1\7_owf['te~8eC=pDnRTe:]rqx"_ 4 - z5bd;SHu1QG{3rt? i^ uu?iJbI -=#'vjՒ6 رJrDj='tم׶!ժ9WpWÒq+I5bRv ?{)qP.<i+sp 6Y j7h͏GO8PngF>_iI&~J7p}S1,tfkZSS}[~6}gx|"vw W8J;z9ݳ;V;U}^A'h̿k-ɮ+ DMW;^;֨@j=}Zw-DC;I8i%s(dz!9&O& -<\!8+G"7#e/oqƸmp3 -3}HaS,z+/0=VjFn](/D<*DT"V:'-ϖ9"З=ڍ G(he57:S6\+DƠpQ9s4|_5jZF:S 譌dN⍬0++[_r%fg;c>YwmLxьϷ W_$1?%xi['y$W} tp8}[`foJt9^;p/#C -\)gV_K$Ila^GWX}6W-| JxkzŶ:Zx$l"Ic?<צw0~u/A?,kuX#A3XLSws?Bت+DdКXX,c6>8(LsuҸDLYd#zH.tQTd1[PtE$JQہċ>74MFW_M$+y9l$#TǸ.W'0Cd ͽB Qǎ`@ZW2 f"Q$KGF\ YŤKF9fz,|$]@Ul<83Z\7 /;c6ϙ٨ 2D#bvQEatZ\XbR l Iê;m8[ -ѹ@]9%/1KC(䮯xj𢷹(uo%]鏶Ion*ա _6/Vf{0 P ℏ886zI/)wQ!_ufjfϰ\\cjOwQ8T2G0ܱWww%r=[ so:`I]@ ۀ~n[sNx -'<*`Y@>3,~.\&Hm |9{櫠}60.4h7B)W&ku3}7yDWķ.t*&]X$Rla tޭÀUzV,{Is(麃b^g\ScZVqJeIV*w;ˮ/؎k/2'=܀n4}s9s^RCmԆ`c J1M+ -+/]0+osaPGLJmvB귃,ԏu6Y0LsA!K)[jG⵴y.4k -,Un қqVYjVSZ_쐟@[:*7F;nuR}*k<]{wLt9KS<>O"[j~_'AwVVWwm0K:|eDbf)k啷r\E7ge{L=5OGzb0͂] "\gdsѝz8QG dFxBP_' pI00ػv,mg52|$#֔q>rIϽJ e\Qgh9A ,@wP*V o03{Ix-F;GF*뻰䐙F#No6 ;q&R;)[\^*}AC(5II6@v4% Y"Av$^#nxlR5Ov]x >e>̼Zڔ> ͭ(zrIR15h\)Ӕnmo_&k4S7 lFSPMSs.z )CQ.3[R 94x=\Q;=R;1u?ƉeUn۝n̓9R18BVPA=o/tDu8uYjM0oD,,cظv6vᱍn۳vÝ:}Vvx9R 
Pz3s&9"?JX8Hg"j!3TP.-*>-nLJqGwBY-U+K &iqA,]_v幇DZ1WPE kI g\0d -;qn ޶ziee$B?LDeV3BMT>Z\=wgWS)O }dN?O^B="];8 n4s;z>T|ѸtE;aV5|ggLdh 3׷w3t?AP}"~~_zCu@6!riZ1L76՜Hh}3w6=n)*15Kg-ug4tay5\=sӺ![@c {;3nd/M9JPZ{[gֶ aln97JJ;ԣDq3U,M`!oĠ%TE@N[6<יfťYxYɶaP.tUӄ}: T9]~W?ե5!1N9jgK'wPwavsCZeM"xb"maj'jFA=ydiI?<q3[nǭA]wڟ iWl6BS`"D^3jocʣ4*&;3OJ'DbB0)_?Mּrɫ}{+S'#u顩w,vbo22ɵZ̷xE:ls~M?4Df o;s0/mdZZ5*Bt/A8~qrxqvL/9bvyY]~R5L!2Kl'BkJxO9\:^<ґU?+ަB׫3YG҅g| !- I+,h@}&uwŋs>C` MWV3֠uCg{.zYubw(_ǟ?F?Kz"M)?Kze&YwWw0Wݱ|¿&$'0s3Eg{~+*Dzҙ٩Do*}cGZ~-~i{0y - lB[3?|n>Wx*..efd;x5<>[ :]:6ysMsO\O䅄QW[̊Y4S2TB  UP=&g - U/jsNX{dcmۙi/q7̯_075 -X-N@ӬY7 G5wq-gp\Ec乾ֽ4Ws뮳Z(7\{>&9^iP/ZHxz!i'ӭIЇҡnNofǷϼ~gڣ0Eۣœz1W\CWSH.\XEw+ {v0f5x|U*|Z$ީ'f3pes]~Ҁ==&TPS"UL@R6dL|փ -ׂ=h%9^6_e𱫙S{[֊3iThc!e*?׶/  wh}QD=N_֫}l/niB(D4O71 ؼ{+{U|3<$%cOl^ f[yO?3+Z= Tr.~Љ.CCw#|N~N}ȱRDMqSf-ۍQj41P;ה]hg9Sп ?EtX)Hn/l3JDTK'Vv]W^Cfwg,T|VL ibr5iF! h"~.U 18 U瞈Fqr {tRϷ\ָ j:;&aj Z{).xf"eE/MHٕN*폛m.KZ+*;Ў24ɽ^&DP?bLR%d(]H3 -bߗbЬq3ު7:~Mi#$s\FT{Wy]9 ,N\O1V_ժ4 {b8iv9wg. L:;<6vC/4H4FXt`.~?.!<{Qf~^z]b!]O9޻ntV!~5Us'/]ZgyqVj{ ޓ%珛 1ȞKU·fOI}}lwg\h'QTyCZT54b/Zvʛ1ᛁއ~",m9z`L T \8x;}8Llub-njTҶQ5<V=_QSK$ (杨:vA|:5$ #&$k#pZՄŃ-jpx9 h`z2?6͢2#ǂp85t;ks:b>$߅ãцq;&j4L憯' @na=.]u.qPw kD>>\|c r̟<ş< ɟ<<j[3M~x+| Hdj7>L^L}0iL^7 -Tf~rBJo^Ǿ ;! *5m-jBcV';j`g{*wB{D+5M? O'7c)wld[wFw-J5mGC[K6&,WNu.=-X {CZ57sJ2.P -SFS2;A0~Ԯ[}=_^;L. Eיq1> $q>TDB\1ւ?b\afrs! ֮G -sny\'P|7_+*xKγ`~uE5K${sQqzVr"s -Sx#Õ=Oߙ|f~1h-3cx- M޵PZ1H U*_=a>w:a#-g',[8Fk}=7UΛU:]Owcy|!^@۟ggMH1V}#azՐ[w撊RKөK۝#u\EGL.?10c+ى*o+WE_y*J{vyֳĥQຍi]zǹR:3(mEHWɳ4_v iEo$TD(=c_j_~=b]m?^Xz̥#ۋ s1zo tc4\kX*!m-;(OWJ7gMu^a.ma<}ϰ]yl㼲]vv{ٕZK_*>]vGx竬Š-7'qVrs}҅"訟 5sM5-k/.14DPk<1|f f߅*GɳTVfؾ.-ݱ-{mzˁNP]2;<>ZjhP뵪V5cWC*vOE 3H`1?b$$T'JRd~a,Wn΢39B֪F%4!l]'j7;VrVUq]n_iMw]"Zw q(6k8U?Ek;ڨӪ4WH݉)QKՊ2Ë}Jvlq'%( R޵,LNPDY9SeR6횉K备:t:'h=E8GE - -|}6Z@pX3҂Pi  yus4G;ݓj3oe@U-iVzb@BA<5 ÜiIm2J@~b>lU"])X6@MaRf-ɡYE 2*59h0zu`z H[ Uڌ߇o\oq\|`%;ں*~ƒk"z~Z-vt1T7 FZ,8lʌ"  -N7.PvbZ}n6>}tʻTЄFXrjeeͥgVۣޗO3ODu& t! 
-y%(elFk>߼ Iط]Ȯme{o׀:_]ӡSZ NK¤EhnFF$* -hk}W1I;L|2 CRaJ{>:hKGճ:o9EG.Ic4z1$Qy\_"|k~V[q'$Qerg -WILq7n\r/8_ba鞎&]W{GG}*u^ڟV=Ӳ $_TgI,GQ?3ͧ,eߪ*_/I3߬?/W_<6 -| y&|71P A"7]WgnžþAW=fV՞j?0 q=qZ8 -˺v5w^Oo:IYWYF[[ꙮP=l%MJ%FG% -%~ 4Lѐs!rTꞕ{^Z1!q^4pd{fЛcilԦм,sG!,g>:< ju~WH%ĭ~@AZɒ#,ԫCcM&y4.`RL.z|OTYr~y y`cBl=WHĭjvTsN%Y< #ar޳^ 8>oR&qeUZel|s;EcÏ~'5[9y/{N%OIvvw}GieiskbpND;+睞~T^u/dhp; _![WG[Id>RU=le}ԈsEQ[vMo*H 4aNd}U|Bx/0ٚ{x>8Ґj֒!9i>c꺘ZCU͝AG[]s oZ'X1d`(6$'z;о^mYy%~$ɥ}e *q|fw:<(';!|eo1<\ѭcnm`T*z6HAEP\9J{!nϪ4[/qsv>(q7+eu\'LU3k}K{){gNdPE_o ]c@c4onH)R$Yy هC/N|!\nYU/4<_pXȀ"3h'>Oq{D;2eveMkRO]fv=0U'hid)lWDKPG$fXpT_.(uCInNi^327~ccaBNH;o&?HVGfH0Qh'{@ϥ9Ž[dzNxXWcqq8fCwjH܋J*Hn/n?2N:q+Zqf#Tk{]-%b|k1Ң̰Z&?f=ia+mڻF_KgOA:6_,7]jvOiUsXmF -6c 5[5zЄ",QoM;^B4w%;L -~.n)I0+O+ -rZ,H/w =J[DV?Ysg¤i -o+"2|}v6]i0/ps;Zn?45F}H@õ7s}`=@&Ɋ8U; rWVH0 4 6,ԍ6YHpm>~A }0cyJ9H.3pD̪cS \E}MFs@<`M~'gF36}b*ar:y{[ྏS2Br*+uz?=L֋G*! mTͥݧu֒R }YQBOEd:#ʝt.KubU?i+}/LaLoUTQgO߶/__]_ij~Zσ_T/rKXy9%N3Ox^w/4}j/]p\`n*u%8<J,5.oeˉyP -'3v\}d,P -Wz¢70}\z=ЯY;"W#ר0yqu /*556M5^vX{EChU c:m o޺5WHfACFz/˱Wdk7wTHy[$:'HIW2 D5И1]>yE[_.޳ݰ_Х{{"i]sX14 ;^3{^j-颯{ KG}WC24n -?=f drM} &MAMX2[ϼz3H&#׎s;AҊ2w[u tdhitӨWZx?>(oJUj c$pG\/դ2_ɒLLYerq~ew 6zxY<LF9uaT)}M۱(sgQj.Q%4Y2Q{j,'w@lڽ4`;w|.KޞbI'Iůxǵl_yW)&&t{q'3)NydN͆O.6yLM|@Qi{4zL-'tI ۗN O)y(FwrZVڐeY$L֏Vy!jMJ:qs /g -7q!N]0捷jxoOSKUi[LvqⲝIŸ*/H.X{Տ0Iɤ6DUPf~/F5zqpԵFgnZW>GZE-`bw'C+B&ys$ەԽB -\iNa5ciC^݆T"1A,|!M뾕VsOsG֢Iq+빯X?2OvˉŅUtQyZo/F?.Dy]rjL3%Jt "H]^# }0rs;f&T;⸿0Yӆ3;cU*>ߍylM1z;Kf͒f'S +R~xsד4H7ēVg$jG;=b_663rq>r7J4J33_Mӂ衧}qk^iF3l17?-?V[~#XU:G1v@qVNx|l6aLn1Hjq̢{ 3V~i+}dP%6}~ utI;쟫o|3@%yI?_kD{ 83&ad ~)DЭNeP?sL49VI XGQhLG E8ƀ%+@4ׅd20p>k4wu}i{`mwo%1i)W읮avvlhfHtY'ox3 i~\iT~+?m[39Yh\N,Eb)%VOTwL4(UUf-s|깇[87Vq닙WN|W7 M(wj'+"T)o~ݭ=%h~#H2Q]f)u6%DvWSSϪ|6QV7!|3!l&v9Ґyz4&Sְx I=}>6^y]B8u6c_U&1zfnHFKM̷o Ep*B_O-HIqZ6 (܋ҍU7V=U`esyc={p̀mلq.mbYUQ{=83W[^q=K<LU+֙^-c Lρܦ6湫eEXI>OZ :nHQj -.!ߐ{AHjSӵl.qC^XzLU3,.+CnI,m>k -繞^*tf Cm:PkqC{Z7\D#͒){77\6zy!Af+S*qu;t ,Ntv~՗^)KIʍ9I qvBE*Z ng |Z|ys7Oa=L=~}4n;NBzYיm糂ze˼;pq]ⶊ.ⷜV_q?' 
UMfMMaLY7ts$>J=Z챱iSqt(|« [hH-yE}%Y iT9!W$I,zxuG0GPk=.[2nt/_w,0z_idz FP1h41˸وc{I~{~dZ팒V><պ# b6idZ{ ?mIM%>ծg{hj)S:8-QM]eC@1Qi^7g4ƭ{ eqCi\orQhd72A)FOHXNw}YFCc{'HC,I,G*go!h[-~Mz6-G!w?\J$Q f;E C46ôC=(a3YG 3-#䓚2ʧ9(]pfI.#$!?P~ -lIb8-py7FȵfH%'Ѽ1޿b9 4%4Z DiB0lt2)}=SNws}}ŭ [wyJ؄xßdI,V6qߤm}y]=aE4Vo>sVȶ*P '6b@O f˚q+s^<67񮄩OOUo%G+W }Ӛhԭ+>5mL ^|U~֐ V"} s\}cD -C&nj7v`U>ܩV P"$]2 e?hh35_$Wb !lx/} Aq2ZkƲ_q~rIm*c``.yTyYu:%]< mkz]}lp[ n5%xtsP¤ Gops2v!kPhE3-ų^Oʰ]$zM*AXHWףZ;Z}nbwZI@=#%QSs<|mcnGd mh8 oxkmt~q;AMfEl)ק*']X -tQY4T.xAk,g y - xjqf6,t $7X@e<>So|37!?nYqtdSYNxbyرb=2c4RWqݙij4bwN _|fSi'Χ`_{A` Sx ة8zCH~?^Q{8OEe_N,As9} 9p[B8}4/7ƷꦱXoPrq2EFrVrQ'NjAĎZ;QdKk\-cK=s"ZÙ57WsdnѪ{̌޶JqH TjW:6Uok׺U\(@ @2 -/~YGTߣP ־d䣕`-l>}kхKӵ[{ B[[;vNc k]wk}q/t_Un74܋uAOf{h۽Ļt^-.1X9M*mfcsv'cK7mo\!6ok|N";hb5a]5ƫǵ͊N:hI+͟ý!&F\G -C R|f[v>RCAݕbLV[yѬ"tm&2 -["]tzw񳪼a -yIv4OcC\f\p%zMvjR~wmo1{㮊`vo bX shkVXg#xP+4%qM -Q?C0Q5$|.l72я#jGc;zN^Z K%(9E7&}$NKyyp=_WF @nDdc_Ym3Xf8զ(Q$WA:aO_R&\N{r16*ISk'?2Tviicl(Q=e9Ǖ]QnFy'r ̧NN!k3s J@Jw(1tӅ&ē*i^(nX9;d_rHtl-CeY~tϝj5J}C.=!Uk]\~BRo(HTF*i^gz?]fɇ*xL2o;Px־SHh~0>| ie:+0^Bl]#R"8Zh^$마栓|KjbAˇϊn.V17^9Oͺ7%× -c2` f,KOHfRR]Ror>:5| wza1ľ6oqi$ue~?>{cD}RHZg2Mh-zl"񥏽mj,w{Ȋ}Qb_|wHC,~V5ZqVvy4Ԥ zs;VNUV6ac u&]ՋwZ޺X9>ڻX,,|X83 m~=HL.7\ZZ7d'k>u&Q_OjpWwa­`RӳnKͼws'&voTmmKU<-0a~¾ O $ _+-#oc#dGegCBJD,7_2/Y1m` -NЦ=gԽM?V z<(YH  ]$ O̒\0[\k䵑XɃ^O&xeVdtA&놊'=.S_ -"1z3V"80M's4/4[?D6 ;]U Z֫ H9fRa#g8 9j2oX[6#T-_]p8|hPcuwncݶmZmpձkP -LT -x:3X1ނ#ãUmkJ o)9l4~ؔwq~+GfoWv=w(QU2rhŘ4O&MKkr^X'ʏ4|pI#!5n?8\F}4HZfԜzc>,* -@Ag;LzsFIk)5ƛ-vfS;:Kz#硫[qzau+Wa'm&eN\ca+eZ=UA_*6wO\§‰\j -c f2Ȩ?9?v ϯǭwUtdc 7"£DuE Nl"m_59]}jpz:QEt7yElߐF9X3q ]2Gv͍tV([x7s]޼|FaSVTSOo .㭫 ~:R;m|u(]`i.ؼRᱍDkݿ¼O9N!q*r 䈾t9Dj-DOl0oQ_U~9ӗȇdlX%4}vk(.uj|UNs?jt?bnwr;odŰ*7񦘸?&N7gk )H*TMe'Ϡ>C{nnVgc:_4d (B $\"vVv;+~l;zWjM>wN`Oڍf4R]rK?@x临eZJ<=l -@No DIm$~mntGlg-gϚPݠ@FЁ8t?H($ȵif57r+ K]S\;a#iDs gu33@qmfz6HnR[Ew qkt5nY߮zLRAC@#3OPC\]a[lUWa 5CJVA0EOt'=$ ?V7VuůUx:1ΪCqh.{-~@̩̖K,^&S a^{XhC23$NHgk_ŸNreB)'ei҂\R!ʣɸ-,W =oLj&/٬- -#r !mcE&טtɶhz]M51@Ÿq٠Y^Q~PzP9*,4ėk`-3ޮ'N Ġ@{|>M+ie 'ڛ|J9p{TrD3 
H>Q޲lqDHAXYGuTe8Ƿ|FRUڃ^2O`կ4%"Q(W򗃿B(=jIlV.]8c+vg;;Fv>)p+vS=4@ %s2"28J*crwFFKΏjjkx= @ܬPBySi︰E-NNJ6y\.^J~WDP@v:Q \MWJmA1J%S!aGgm-_N% /)ܬ%\w:|8V*ǯVwQ| `ݡӊ2Le&gbPoo ##>@hl0?\Qy ~Wt%A:{^J+Ӏ J9SD5Lv}$;JlOK:IJupm O6M)+gI^ឈE˞ȯSaaa2AVX뛥B\*m3)?i J$-zdn{a3fr:o[MæiW^޸i|nj@j߀P(>stream -n75*U4z)繸ҭqu_Kz^lY8Ո.Q^4~lN6=-\j❟-N,?wL -mO76c4K%qYwZUϸ5FIѽVZv c<|\맸Rz/Њ=7GF)lrR#PfLmҩ)~Z׳><n_4헫?/$&:+ T7zO$]ҼD4#kѹ;.baK[fn Vo4;Sn{~Ӭ7R+$Rkj^"^iZ@)$Pg7Pqt|'"k]n{eo\^&unMLjݾ2ivӎeFsc7?#-LaG 4\C~SiPal^>Ps^lcX͜>Wrw/v<'ݏg}E;vM͌oxdD'[$nk %[*=ȸvS0bbek?ƛMM>^3X= xi:88v38;!v0vhESn}`c] -t㟑H$& ߉MoJeuPKbaEr»e+uo4%\9)*m}X -o1s;laNpS79kcmU\UA?&ݾ7rIJC$X,>p]R?ףp{-V.2jBY`[;9Ps">b6,VUQ{hwl2g q蠒bʴd&P/{6Њ=߽hO"e q>2zp[sFQoCWodjQS2Zq+b O%uIcTsK7PHuUb[H̹&(81Lz~oLj3+Úc˭i 􃻲J o@n̆$!6I,ΣvwQ~;I_N?oN"(lT~j ̠OVG}޹|=tyfMcw!-Pm/>T5 ۶qt 's9 oG[sG*@D{2&:3O\v :_z_qvcu#ۮ0Vl֋_yl*#*iDreuqYL {iyq>YM0m%Tu|X]%<~gԷxNv7BTN7iы;e9{۱{i%aEXXwn)MS4ǛlTiLr/ r@s^{>l0{5u(UmKbsW2M%zL5-/TmV:/PܹGDQE : Ig8uU%ۻ ǝYYR7~{ݺ+]t Fb<3 -ӻ<: e#@mqf'IZ٫±q91;BoAއNySu֤GЩn6HDM_R=+H^f󉟩ƯwEyD;0"|cy|"?@K( -*L(s'^ޝrXr۽yd1]ך2nuy-QslЈb6i*FFqn\~2enmXLv7{0P_xPUŇ]̛WVgy2t!u_Taeť*RGa3^nSOڪ1m^448\[GZX.^( ~{aFgJ1wcֿmeH4F|WL(#sfDy.=Wɀ;E2kor# j[lIy*:C_]3Tz 6Ëk_gF -* -/ Ek08| ;!xݝPj'OqC#8{lwqX -sTRP||̡ڻ }ҿf+\V٥_dCpMVFI6mg$%:R9~nO]?ԪYFrƿ"R (T|]7w\ v(oW*乬ێ6|D0gЀ{ VB+tq[qEkdyX%?zywd}+v&|3/ö6v5ZV K3 Q2&kXMW$9@?%%3]/%CAƥVgBa=[<d*sǛ[)ͅ}?-= ;WE\ܚb:zSof~)?ol ّqx9ֹnvƣ?F䆾rq>K]_u^g-֩ك{c9AĂLݜ}UG4~➾!jj{g_'M_n#~ޢ4bQ;LjW -n?XixOӧ Q_Wq{+iZ;(i=AaA+!ⷊ7gB>gpǣ^nE9ݭD\;uqk{h(*hj nl,Ol}PO/R|t I;\ rȬ]@JIPjz' -.G'Q@ڮhf -襪i+G -ODkHo~P3*9rw?7jؒ3C>*-X5Hu+|11i'R>5@T&bh|hwj>bp7|irCN=F9myH8W3Cv7tT+9nVzD^ bh#@<o -f=Ff}NߥAfA]Ҽz~ҔO @CzI.R̯:DSd~lj^I~ćm#7>MѻR4]lξkЫt XOf:-%|3}iI;(Q]x s].͓8 fo&E*`7MGwn526NQFIЉTkvHo:4PV{i0LXSݍ d^{_[5k+lbHY3~'Y}sT#bJ|m.ҎOcԢd7mw}j"ua `[j7(y.˰ "I ot9?o4=fp[La{"7pd GL#d-}n p#зǭ>ޘ91Mch O3R"u$R|(QW5AOtF\+jm~Ǖ TKT3|sU8YK;9FX|:~GCKG3;@GkRP6]s5t9jm^evdT/L5]<:.ۘō/D:HյB9ߐ}c0ͣXo}-)Eƪ> -UKdV%Sd±K7 J'ii@?#j-鷤/AePi!fs^+ ו~^|c;:=[ȎeXynOS_{{[ .uB je.ބYQm"nćuER\V9;|H?=;(UP^T0#U89=?5(Cv -NJ&* ?X>TTe 
-||`͔mSoz0N\_s7(oeEIQ?r$ ~"-6r}+Y?Q1c~rh9`kU"?saq9]2h5P{y.^#;wqqzC͂J00_/,NuYޛD+;ba+4%2V7g$#iv~Csnd~M_}`qh|lǺUC5wY -Nw,_*bk8X!H=NffGڛOs6db_,uP-l15 ݪIL>[Mw7){ӨJ\X4ĝrfjw]`˓Gcj4M칯9`ѡ&BF2<  -`J3LhKg^^{%^0ލ7S_kM)0u"> 8:"1>y=8tADt-U=9Δi^ȟPC?AEQ7K>>D(דiYZ[s:f=W3یiO2<X(vxWXڦnӀ|لqy_B6eYm>/\PZTR -׳c'"ǀf F9BmƗZ:3{uKUJ2Et+Zҭ?#zK?X*$ޢ?`TMZws¨}hmyyM#no1N1޳JTtg%νH5F-ƀrA q dzgI/2To0z(})N:{vKݶx]n,m4i3Da4X &1w9>2E'c T4˄Yt܄czӑN첅eB,T}ÿ&^&aGB++V1j* -oH;q7dKhrRO]gBl ?h.W;ky-JC'sa ԟqeИO9kMi;HVw3j5et\eJs[91=0B[J#NhVuemOi΍gDɍ 7\<_gl?5B&W[ZiUe -s_CCWW0yeHs{jag n:pvv]h<ذ|nNzmzWc-zlaJ-ǤeVw=s%؜)'/wv'siNuЄ!pjBmTkEզ6o$23rbX;,"+Vj⧼`|iRm1m}0@70_Hn (s > -hf]kFj[E b+a==8~ -D\lB2Z$71֌hF,zH)~WRwiK\0=rTmPMS|*T@!D&zG'zr"V$:|;Oxc`5ꢊg?3.E}%"JĚ~>%wح]M,@[;*(VW>%zDo@A@q5{B'&R-/NKeoaśh!Dr#(:Z"0uucb~,|*vD % H+SP\NZtk"JĂ/(88&ߨx_oKoMх U<Խ}xWzW\$vĚ|4;˟@ԡf!ie$z?S=H[":5Ɠq^{-]4KۛO7g[ -|ڹӦwcſF :QwdnBX67M#,{OWb.9rGTuޡWg:ۇ'62xGM3Zki3zCLPً#[@~_@֠:4cܷHb\cNzWE_~+3s3fgfKK?sڳ(-~U]v;=Ձ IKn_5b҄_ -Pa\JWl4^XLw[ "9@_$}x|M伸>nrQZ'iL =:q`3&];8Q%{ư F!?nHf72 jHZ0n. 
-}ejnq+ۢ.%Oĸ;+Iٟv_~GĮ<۽f" @w zk}uک - %PO>W@z&]CM ^F>R@NAIIm_qGVp*~hG'v:NwI-o̭, p2aK-nUk2 Wju&*(t6zaci.>>^.wu~~WF j&iܵR4i32}dw򆋍BNZ֔_Vzi"دK'Rv`F`^87ʻPwOGx^G?{|e`k<|A.r駋j UY\i 8 )_ H~vI^Ƀ'qPnC[5>69V]-C^­%cLܣKP'ʦ1+fGž, -'@@'n/-JZm>I*I_*ZcF[xÓN^'Y -h)`&0bRf;",]^OYVI$`~RѮ -?KU"Օ&:̞H~4j$]h~/.qG8,fZ䲱̳ -%fKG1C.t*;ba6_Emza |%g$4G9I_bCPxZ8 7Kbc|  -{:AO7zޖwv#`9ťÒ2豤rS֧p|M3fnJl"y%Djl@y3|&(}%پ%] Nh=+:\N-AO ?W%:#}|U{BmMyYǗO - 3_ Odn(7(qU̫st/9;= ::WPǕ}az?5/c-V=բ* W{v6JMb #H^ևüW8^'R]JC/eͳKz#rr^A`&KF嵴5dM<1^׆| ㄾۢ>+rܺPFW;OϤ>BrOM<u% @/tvFh'R*fH+kaZo'wVq nWwdr#XgyA~ED꛼VȄ}tr𬺑m<{ϔ:0C-;Ie^T4P%6X_W䣡]ec KFUsZO@UV\KcFb4A4x:_׶lgcZ92p!OTl%1HmWWJxokt@ 7GhA> 4+ldnb-ԷQX+n ڷ)MjwOk":W-ŸP {tqu%q([)ܒv_6ؔza:t v9B5[NZ8> Zncݽmw')Eu}zaǵPE5~M#s#/)Bup/:P -qm![˰+ aLڌ.Us[|FEE]TNYBkɷ(>nnp5$4Uw*^v^QKcK*Vjc+=q]leQE3XB7aOv4mO֊F _7dky!Ԑ`.V W$=YZMz o^}qA!ֱL'D -P^,(d#\AE"܃{PŘFU@t?i;Z.|<냼!A~ k /w,S $Cg>D'p 4 䅃F<zO(QV^Lӽ5rPM2&{\j78b P"vHĮ)P(lQIi vh%8@~U$CjޮydScNk?{WMZR\@b(K<.R"UӠ<(`:y`]DO$[`qLFhM"hXcWZO~(.ym_9((%ft\Ndt*N0|7$zwľ(o -F6-og"PB<曛|x y 'my,7i?$*(£P!ky0}69 1P۠H}X@!$x?1|5oo._oLg"(As:gJ?&zڄU 9 W8^ȉ5$v6i$}ps݀>>]\4;bT5ֆO, -{R's-H-%gsw-4S_]l~EҍʉTgHĐ 7 -G26@sW4Oj^6R/hm7֧HU7mkWi/ ]=øِ: p/>I|C+ x$j: :,GN _ڏ3/Bאg&lW>FVD{tO5"+-"U}e}]eYV*N}Щ,Elrc{ߖ6_x;)!jX+2W԰_1<&L0KAn/^#uIݳsoӧOR4;fqu^ruA#VohV\:+@Q%p%QЧSIcYF[ ֯텰q^:xݼOjMg]kDZVhr߹qjjFH٭^mۊ:^lV\BU٠!+/{zLڨ0M|KI'O t۫ orB[K͛]39_QaN{?^Ydn*Ү3A7v׶up4]mњ*w+%:Y&iwZ0VgMug~eS:IVYZidNCˑ_nIvT wuS;㓵fVH+ WU)sP۞x+ɃiFD)=>41f&0h{ɘ™i:Bzz%ajqWVD!I[[e^nYyd '}~χ1) `"Ns0J\ͧ{80܃{Uŗ6n+-[Ťjk oWOkV\+:-Oh.# 8eEiHjH32sTDItmJU%Rs87WF<$cY'j[_\'l1iqTkJ9=)LBqqduPIUgȋ $M ֿ^<tv+HgPJV`/k\݊ʝc@+LUVjjo)w\ dsى1ˈ G+y֘z6()0E+>_i \@i~ލEzsSr3w*lG_E_Ň;|͕f7ͪO.X>% ^\0WAdIHo6)@i| 4d N-- }$geo 簤j\̫eC[[lwf>FP)qGda qX玛j !Z"@K` OuJ:Ŝߟn:ao\v&^`$l",pt<[Ԛ4Y_r|agpU{r|q"U>}~?" 
-5ӹ&;,t/I ɭUHA_[ƌ2T ~¹5dr[^v<[OuP&#k&mk=u=Rs| ܪS_"/ͤH7`K[ny_vz{us5=5W%g h -bgg-gyRMv/yiCl6Bမo ?*>ӏ*$o$^] ?ڠt><kfYIr7ѧ]2bԇz3zp -RSJ[څ(,.1r+'{81~e@Bs$I$S/ bpԝt)=pVs̫ko~P-ވw>۾=Gvjk/^"~~[*a bôz裓m3 oWiYs5Kұ}X(3* cZ|vJ YWEK#1 2˸k=;*i-Gnu|ܙ\쯸{Yh~9A{5kY*Zk4nJ*Em%MqlȻ7!P<( W kvDWUmqVGM -۵RjyWZ4A:h>M+wirڼyL5;?l໮YjOYfu}p}6ՐRfoB?[+=4lt7bpԩY|f<ߚ-769mr$?nWX ZVYA$8/\.ʩtBQik-}Skaoi\n֖&zD:t# 8nvu;<."H:57j/?9nkҨ%vv_⵾,!w;cy%Э*dV mh=uy޷=͹[k;1hćq I>OTjӪ!DWb7\@S^sbaB%uHf1Gh]SVM?dܐ.aOIN5G`p6ml&T7Œ}dSCUOy6)t(ќb%F0H?0OM骙Z)_MRfsŔ2mcyZ+܎G^E̯ʼn?T,s'mApC2^wbG߱+0xӠ\=kz^ZZ?uJ}+U$a񱗨b_L :ka&>FMw8|`M0aTuNaH6’:@6 ;^d,ddh _Q3g!Bg -gv Kg@9 4}ُwJ]\/$:5) \O@s :"xڭnlF \p0GC7^* L~1EcGgx lx/$*?D/ -jh_._5q"v贵m"ֹ'b^Z#$QxV<'jŔS։[?*LH>E1{M/x;9NԠ([=֛=' yg_@e-(h>\X~prcl K5otT^UozJ jx{* Nj/AGGzCmIll'J5vO2a [*r+Ƨrd =S|,#ny_Eg;2j`(O._#kS>b}3S6!hO|4DS;w*q}R+n@WNY8!|_H*()4%>=@ h"f74-Ajx<ZWBx~ܷދwƃ~]>Y;˔ /f7PeIN̾0%![oO `x"w 3a!vo+"jTgͳ-}Bn vq]9kE! -'8Es'>̳;q/`NlU`1 3&*Y3j?JE*Di<{Gsnҥh[XO8^8T1mV6ѳՂOZYkJlR Tﻺ5xud@U -`H4䮳|ss5H%1& 쯻7IϭI8wkqt^G7Is_3~,g;,| \Ew3zV0s_iUMLdixyLWXUWoWɍ#5r;$/Ƿw[~Qt - 9T[qȵѱ4tg3jUDsm%~ju?yRZdN7׉.xS>ϫJ -bސH//4")(rg nTޯnӏc{;0KXf.4{W3kTT*k73\ݮCӴR T*.*qؓZɈT9I2i[6La HF&jpH}7 -1_GwɾnA?v)oi>i&eN/[ָJ$|}F-: -xbʦg -̻a -zh0;+Z)WJ! Twz _SeP λۛZNgO'Y>y"Op8Jl{W<ڢţT ݁pq8Oɔ:+s/nLm҉,R|R--=ĉi/$%})yWS.ܟ n -wql^R?嬖1ĮUքwcIrDZ\ZcMqK*hb|31c=y -Չ7/l{D*[֞FF4u\̡u)pat7, } D* "|*<5[y豧|8+:G+iz=sBfHw<|Sh?iGJC'댇@gA>w'v9p -;|tpjyOk*Z=ޏ**JOV YRcge{z{#ބNĜ(V#]=v0+{tpLs ΕM;8jOg8刺%~z6X:=紽$vd޳N5tdVZՕI.R@&'72<ӥ=iϷKn8@kߓv#k+}ȖƎw5/|'9ÃCx'|[џZe]W%I>Ƕ-6E0gLa%LM*x'Ѵ2 6GzL)X?] C't9Ofۋ;Ktx/CڣnbVQI5 魽brbԅ=pb=K؏~qW|9v8"wrS 3ݽqLVv6rw+!?_.Y˥~ qaYe̜urj$q3F-g9wd>e53 @aE6u@5۸;^v!f:Ziu urxv֋sg6͊f;U`+G0"Zy9[NC!Ql -| k=:PQKgZbg S]6eڥj.ԺM%UpS3ZTaþUtސLFTr($<7k1݄0v@o5L#v}y%Mel^ETw -1[KsiקO1ǰhWlxaOjYӋV"gT|D9>ۊٚ2i-7 ~C(P!{"۷{[:.Z]ZKjl9ЍDiAhuS+MXϜV/XD }U,E<ŽY ! 
x2QU3"ۑ-\Zu )]/-MM|q_-ׇ֭mwvdq9j9yс*lxjV $XKa]>D"QOLZ4'Os@,sv/ nu_ nͤZ&Hr5PzTn3a_M}}6Hס[=lei&8Vj@wPBAmbdEkF GV"LXr/9tO `}x&F}t@sRr6+F@m7\)'`[ Y t /!o3MIm;o8\Pj8 -Gb@.ُl@s 5b0'VK0z ơ[!~EEGNRDEqaGKUvsoE[<}/oҙ'm|i(>KҀ˗@WAc%! D&A ] ʋH'1dbӏzf>u a)֊wM? c,e5O20$lx}Xoh@_R3M\Ar3x.k]̫|q01bU3юӌx,g^>Wuc_Wu_>͋φs`SB{>,G -t;3_0_NtT2SirX~\ڪ8'agl fbr Had3s?[[?HIPYoS!iD4H -A>}g'(.Z=?S)PR/t|Or;GGe 7[7E_,غv>c?t.<ڃp -o@`| -sEM/=f|ܠr*}u3F?jMk}~/q֔moq+ u6do419C\Jvг5{ Dln -~&\eBu|sܪ si-.ck:w'*cEsSu(r?H;5ws*eDK[13W DjHs5+[x^Uv|X2sypt颓;XzM' Kyܕ">m髭Sth&즰ώqKu.g]g?jyv I{?M> Un$^א-o4~=n~}9!LٕmvAl2W2ucysٽ'TaYT*+ZNu~zc,z/l1]ܞ -ʽcXEu[*n5oXCXY|n>E/8;;(UWz"\4bEj4 1wzكDe9yd)Ͼq)C챞h j&@a,{EGfpj}`EkVq}O'Ѫvm0zӄyFJ0bZl}OWGɹxz{kqf|b%Y!iيbRI&n*ul}*|/ --XdͩVčeW"N6!8o{1U@}Gp z-u-9\ܛb ̢vk DK6!e}3/7ͫcV>+KXqDƦ7Ylbm9 q[>P=K-2Αg<Bp6B x6|YYb3Szډd@g o1)>7%wЫJoӶ2IW͑Ո@ev)_" Och1mqk\W_̇M!m$`4Jtȷ#4w1y!d8AtazV25YGʘx[+c68EWfGyrQ5l:`%\sYcϮz[GGE6w`|ֻW7/, Z^xf~GB0fT/։|v9+W -3J\W@<#Wr9^3n|_Z:.I1a7|jfvPJjuPA)Ws`2~)HynGX8f1ZpY A7)sל"cqm_сu.Los%3M`Tʪ5,Ը\\djj}I~GI͒@p<7o[_]5c۫l[ܹ0:ܨ~`<)d$?kY+! LS?&zwTm4!+}U:ƃj\hc4eUFJW2)ͲhX2_oS۳^o L/rw]xwaYgg-5bpk - /}>Yf?ks]m<83b^YBL9rtc?eP sqƐG:Jw޶Yj;0=מ=vaȭ wнZnGόn$X?wc&nz`Ez} &㩁{Dsc  Wo]jwtvq.eKXV8<[վjUiӳi)v_HTkUfzo2ޡ\ƙDe~wmھ^<&wux@.>_GDvml{tWm&к/F3aSn`74ڔh6ƞjtPw|/l͵5+h6_18i{+QAGz$#k#kArCɴϳbg-d-<MlӻLCwB: qQk#$xgj0O jp\M c=P>CoT2dpf;OIԈO0dqjt:ܺ;h׸Jm5yS{]?tݪS۶X6*yڕ‹eʗS+4+x-nng&a=˩}L+x&חΏʱSlĘo\/\ (^RK~KjoPAWFaY(]S+5JMq¢2y]-wPU&|>.f~-5yyez3ng?v͖λUR[Jl` [.7z\UBjgR&ZE&z I*1ύi Ƨ3v4ol:X&J;I/ͮwRyl/Ji]ѱz\ڧʼ͹e_KX6(AZ7y|x6A]G#¦Cͺ·"PT ى7=!,jז_YUP qPBƇк$P%M}@|d) $xm@ Ka-H'Ow=%阖Uh5Fx>MΗ׿n? ]ŅQzv:MI{mp@^΁@ .{ dW/9<@z $8I&n .iZ2C!q~Z;twD]mlkqmk3Ij&@`豓?_|SC~|᳾]:tOyxdsp*(tomӒ;nWVLQ[Vq0-L= &c~4lps/KǐonN4*eyJ}֮mQ^V<%o˫׸; GDnlW*.H Aװ5xb\џUC$+X9ct&pd}/t#l;2xleng Jhž^)o_}]' KIxQdbT&Ւ |[ ŇeVY/1-hp5*v4ؐ&= i}OsiYT{ZY3B. [a%cUHKrBRf=F8\ --ӕ5}wT}ؙ̬,hzw} 2'?] ՞qIHW<Ƴsi? 
v,Җgv\^r->fYzܲ mߞ`>Ry'hy,N3y7|ۋV59:/>U]Z3*AmkS, ]^XSlR~K^hf$,fS(WZa#rѾIaBP9N]Ljvy:+CxmCW嫄yodETǗm/tOZ!,qsgG+c ϭy)ޢў1rοReXE%l7dǟ([glzs\񐩎C܏CҔ0:;*y[:D۽dmT_Q1(涗`!#:deߒ"+^#wDc.~Nl޽ȆW#w3guBL^2+PX`e}3;|J}ϸ//2A K#!' dhpV+1rޫ})!pR=ل25% #Bq/S|Si#|+(u$=zˇ!5%?ח)jTʓTYQG,Nup'&xZ^5A;Gn(ڠ~dOx> JAl{՝\]Il6ֵZulF:t6۝xP|ЬJCvN5mNUzg!X6~t?>q.!Ur#Q7.~AM:'yĵ:)K2[Ԕx+l^5:j҄QAr]nu׀lQvRkOxԽ~E9vpϚ&6{LvJf. -Nq/n-_UH:QBAޏ[mGUԯsU|&+QZaA7u,P^D? :ܱ=4fW#ե -i^k˧l#\@oպ9 ;5[ 5 *= ӹV -] Z.<*j5O+ɲ(şcyŦ\l 7_!gyc#)Rp|y"ӖrSNØFGkuSC3ЅJ?yw*yQIQlA/|,fis_Q)SHdi,S}vS$N01?<=\={9 gs:E3mnq}ة)5|:TsT)Fk%q8{j.'_ZpܨQLW6Np`>3B]Kc &ň0mj^j!L'XqüVdc`پvީ3#*œJ-Jv^z:[9(nqeio}B]S?C! -)\T"ά8Cv4;Cvs{'C/,tA@*A@Va ;?Av/@Lo@mA昉@f=@F\D|2RوK \#w2l+#vHp|XN @k]I}ޘUSޘRPS;PAD`.ck ]e4Ȟ dmY@ .C&Ȁ|T@@W \-~grM`<B 2؞@BQT^)WsW l_Y9aVK},@d/nI pR()xJ' ۋ %*7lj\/G$_1}.V 2¦hg'@&R~"%Evnty) V "񤧤_LZkE8FlFPyA*Y=n*TsBo5B?,ؾj~V~@;pPs5I 10#6*s^ԎpyU)f2ҳbPN^2ǫ?>Dð_(?6~Avp*@ܷv5ч@Yv&p?n:޷Vx^wVeYO![tcd/!,W ֪ @ EJ~6?kor|zi |G[b?Ӡ[i]wzw{xnuiՏ gݟ;_v_2ַ2|t4yuFW)(R _~Xx۹ƿޕntiQ=9a.!edO_H|Cm n6ZOߥ͔#zw7@ ăciᑡOqE7 -ow˂yme2`ǎnb&}*&"k:׸]Ii?/$zOPT"q>6 {x׬1 caU3ضĵ|aJnD^:fzǥᘱiCJL\ö^oC-xMwIM hoVX;=LMo/b^M;̐ƥm9ʰ{\VΛTϋ)c3kC{@/SM3W]}uF3:?*󕔿KV"@N@wf`J>Gmى 'Ɯ3YoR~2o Ԣ?Ws}Ľqmϼ8D(ݑHqN 3Sj՗xtu|)KMOj9AjRdiorJ^wZU;st"M; W&S;.KTWK%v:h.ED]gdxVIؤXzoy0̲4> ع, ~s v[dȦ^t{::xEti *3ڍ ~c DMKJ:eX{%Zt|q6֢%7FpjMwvdgr+J I$ReP ,չb*Qx8XnsvesjyMC`GJ0u*l$OMbKda#b?^u2(.Vk 惙0gŦ|ghYb𽙢R @107S.t+p(m߈fm -M.cR:3=y.%k H9cf曉 [,zjcfZ7΀}MXHԧ DcQēY]K'識wvoB%CVҦWV[S㾌QoJkٲ/zkmpkl[Yeq;`>-uR4AҽLW/qÌj}8;PnyutXs2=/{"7؎Uo2T8^zn>V7,cY.x LjԃGG2)|-UhQς(%IPP$(#_3zv5)Wg;le&eҭlybG<6x~fvɭՂ'VI"[b&EWfy8vgspJs{LL[KL[f#OU+_$e޸Ks,b-ͺd`#$ÈOm ʝ𐫹l~->7\qŒcݎRbƨ\ |πU/3w0oh9{6)~tə>VRs.;/e62j6W~(]\.TEc7!.G3xT+;]DPTh.ג;}/AY'혇 OֹFzyzE* sDAPo {I+1Ezqd}ć-oa<"l@I fiYFA0]"[wnѨ!f:ng9΋3n5U!})\˫lg1.wFK6^AY4/u0Ihaԑ{n,=(h=GDdm7,q5e9bdl ͹X -`2OKl~JQ'ӹfV0g6A2D@`koD%{*5wمZzUƯ9j7gU_˫uvلKc}MXb'K1 _%xyg8aǾ[k -h{"" -o6ܦkHo;4tlC^g' QX -ԥ[Nmj}څ._Nը7:Xjؓ͹ -TF ë3bͮ j{.h{k6U,՚ 5νˠl}fnYp9!epu2`zda6tJT]pBI\ -:,e.eìu%[|Gy4 _: nqM\ E}Z{༆UAJ4Hun늧Jy;9y-ҳ$x򺥢<[k 
-ړN{F8ghf5g54hE&>KLvƈL3}hmF -%MQkwӪzy䄮x;[)=|m$KxrjQ.PnFW|1[簎rN)g [ -ǔ X=od z.*:10Fw#MK!Z9eJYSD&2/4Z<;?Y5} a$b|v?I&rIҗZ~lT&xL׍~> PLwRX}.)r -R('»6_rl'zsuSVAuRy=̻D_!_50~Năl6|),]h–Q&CK\ݨJ]i ޝlQn?I%߂oK -%L$[E˛:1=sv 슏sWGƻ{%r1h - /Cgho .٠x-Ɲ`G `z? %}(\Iaek$ )YYzq;_ 6qͻ ?pՌ aW -v%_b ,M; {? -zj^V>lՂdPG|KnCl>I]bH,-~[1i9]?tJt}[<ޘ]|wo: &  e#mjak7 tSCI]KCIlh O-~eǎ,rU;  K9vÆ} ,7ˆl̬lEc#>wn9O>uثMs^aحABMݢ~&ӃtޕUNJr<ZT^:^{S #[=Gsslw;C̔~\/W˥ͶsH[;6= kC38֑ˉ6MU/|IHC֒aߍܰ}R~.VnԸίwo25uY\l&7Y[TTɛ}Y_vw9$qVb#?*r׫?!)tk|!-݀: G>>˅hG}ݏ_uʦm:>!%J 6'ٜ[yv:{.[}0ԥ-Ȏp}]/cCD71}w[#mޅ#+3FK*GڕڟOpDZx6h>͹KS3ֵGܒ6"[G6|'okn=G;}4fs4e5 -qpQvPNȵAHr2^RsZ,Hm8TPz͝=kܘ -|~ -C.„eć)'eY!)@AK[:lv[[mtUw3YQZv@CS=m0_mXBsVRK$=e n{'yZc|GAGX"yEs&Nq%Gǯ3gW -x}_\И]^fxZ}m;(Z#^edE>'vŖ[q -Φďg#1,, -m *@+9ҿYn2FwQa _8>算C![TO/XmmaU0=eY78%U -\TΪ=]yi "U,2:Y2kg<&lƷϫ#C4gh=ԈQ[$G0|衈8!0O:;=f'Z/9DF-}E艚.m{ܸãI1Q#CeMe ry7]Z=/{ -&dp\W -Bx% -fD 0-B%)hlvMߵbޣg߻?Jw7{lc[v5wP5I/j99Fq[`Üwٔxj{ -0á u*9 *7A?gDs;H@'Tew.kzwhFw#4}&{![.;n-E2LggiX {#l?0ܟ*=7D>A=H0EjoecO\AjHd~^Kw*3nkV=t;俬]J߸FJ-4](C'Fuwx, @-J3VH}1X'VwnƩn&6;vY3*ـ=2iXA^׶o_V3j~=wm̚^te.}GO;%I\X/ԋ ml 3_T=! 0Vz^V=op2^n0UMXg͎ݟ:‹E|]ƅoJ4J}~G&MZVѭw k`-"Qmv̋` ZI [1*tܖ4/YW tVب_~] T]vN ~1~XqAkU@AWVʡBkR m>M ˣ/:[V*bPզOh xHyzᬚn͎:4e -՗݄&>ˡ!_ǰ*׍]iW_KUOJ5C_j'|V] X+ nzr:dt~6hlH׫:դ8v|r -+T2,S!W_S-Rn, Xv9 MQ গ2qߔY+?`?S{/H7t+biVUk 0 P- ׹,XYgsJb>^5;`gk:of?%qϤYY:y+P݈0: ӉG5^8j|= yC-3mu}\-;ީljX[uEz"j>'HC48k]fgj/p<޷x[rBXpcwCj&Hbԭmʮ6"lӖ9xm ו^w F^WѬ[ssdol -÷5wb\0%%MHono|\N57ѾfX^8^]D&kS3MZ_-'JџwѩExzNϵX>[S5{iCAf~IftIyzgte~Iz[vOǞ7_/S^+N6rENj8_2BU&?$Uz+N'pz`쭍4%կVW3KiΡf_·)R? Y"4Z6y<˓־HΘu1:7w -UqIxٜʪ\3. 
p!+fmz/O..{9tՂ RΘx!ސ\,Nzp-igj]_[^O4PqY \O{ kJ 6 lsmOScY[; w8!(".;f՟x3=4]6X[Ke.y>h:lw Ӡ_rT3Qw O6-s[yֻd.ڸS)}Xhřo.Suc-8=W*1*Z(~]UrVaEz۷ɾޢCs ~ nf\g 0X(ըG?N} ŸNy2?,;j*G\OY oG^B<ߡ?<Ǻ*V|3d }e/B3Ixz\=V6҈y!AެEbO}wL9֦TuS8z/}vJ~Ikh(g3:y3zn8C2j+'{oV.ˣl2Oq~q%P4| HFY6Rw0!i ޒKXe?%kʊa9?`VƲ+Ҩ娭Oz?p mv9WQ 4_(c'xkB߱,8g 5rBvz:BVY~f?JŚ~ 뫹 ӹn -]'% txQt6F/1 Q 90]d,6ĹfV„xW_aFUQ"+O fZ*6w&h ~.&utp_Zw=+T{)|n:83JĬ1D]0~@7gM}Iߖ*S2wHd^][^+lV6wp0?\0Tr*gA!iPʥ*m_]/%v)KH.(ֶq~x8+֗XW_Yq1D)C6l|3.zZ7ŒMpv8Rޭrx`Q|#*(mR(Å N~A M Z%8%R\,~4^K 1WODzRkcϾu{yy/3wY쵒ʟyMUoЮN:ptpyJq>tR %-CiV쿅} F!]y]uYV[{W݀՘gbcbֺ1i]LQSVeTn{(ER.@m{>RN Q@t Ph*0_/AS V~^iOnva%N.\l88ᦣ'S88Ò¤qϧ ߧ8:qȧ֢F <]oz#_g,<oc>kwW6#[KQ ߿Tn.+Ix5w5JH⧂TЧ) +vm^/"~\t(Q*Ϛt>Y!^|]| /=%P#HfI/]*uP|{ߍBIޥn,8 -Ӽ8A!w$oKnJFς\k74ym0eY~q: %rn[k)<\&7PE]'9;$ -~H=ɏ%}-L,@xT;ps0J{vGܴ$9lnoxL;RÓ -iuaֺs۲n3VH8&UƞNjpF/+i%/o$D񨳾o& `s^iZp/$ ݼ_2-\{N5[k ef{k7W ճ9ő:qkzve{M.dbjG1AB mu !wZ$D7?S{ve7JH WA8JiǦXrg=0^OAՏU4taݡl -qw$+Mɧ|fғKN5񸵸s}ilh$iZpϻu̽{`i" -̼sf=[-ű˦㯵Qhͬzpg9)q„"Di=k>4G۽,Z±8VT:d t?9꽫 icTxMf5v1Byp hi0wfmeŝEqx|t]D]M?3["(<Ҁ!hқO7m=Tʋ8^4q ش -{eXͩ2D= VšmR&Z9:y&# (gE{ӜVwh5+dE줈_VC[,SIf QN icۣF 7Eנ}NM=^k\6J#6~ -^^9P܋MB}IS;q?ES"7nAő@J%]ȷˌӤAXx M*3W touE_!mkfdYiwAIo@1{ TXwc!ϿU95moON ݇ҧ){#c1ե>w<9rw& YUcZ5B/!ggLk6CDYKwI}qx`]f"< Ə0 d#"ͺi]܏ed0nwr -7Dz2r3s?Z0:^Eo6vGw Jp|Gf睞z:ʳؐLF$h'Pߴ<~dUf˾3>4IM/CM40agU2˫?ösL8^n`:=];>³̇ZrEhWmg\*d-,ﱂSQKG/;ܣMmԧ_RB-#m)~ !YP7;ǻ&al%_#֒ZSQ&*=Ezb*>=̶P TmXy,ޙG 0ҨˈO]쩤~gzHZ׺$=q)7r`V!)%\.ϼ s:z+'~M͚]X49fJV}1V3yyD#֯7o*ɔp;M*G؍v{eA_*>(L2v[T_6%狷`Xv{t޼|OJU.û=IgOܝRtAVʢ3 1a#mΉVjX6eM֛Tz@,L)Y0*ӠGN1ν*~58Wc|B$+9covvAp*7A)6νǡrѠ=kM-2bS\^slDkl#(.fǫO.ʥToM|CVRwV}g՞G~)bqi˖UcdøO{"BH`Zevk}l1x[?S-cU -[~>ynD2RUЧP! 
YUJ;2rU염;)X+\i4QK*o˙&d-Fܴ"JC-5,)G!]N6rڂRu]vWb E^,  SG`,r`0_o ~ 5 Oɜs7:٢f6{9=*?0M'ޞ?Ϯc-}5a< -SP>h=yػGX%צz@/k۹?/7;BHDF{%Жs:eM>ysҕg#78tw#9?l#x k&~4<_Yǫt_z89yP]̄@_x}  Y?YlLmrr8xVyϜ0-,6K?G쪭W[-*G>}bYzu - Ђ!R0ӤFzq^fq>繩 w-{?d1 W/[\˾Mdt^!: N V,k[ts7ěbu:o{+Oޛ7Y$Îrose< -tn8;,:OKl<'W<^: {P;^::縥r}jAB&U8 r[uz廛}-Lr/i ܡT)g_jNK&IRh -K cQu mzLwɕGZvZ;l(c*$_b-fb&O:J?;fzIF.EtcSGq8srS!Gp:u/|]H$TցXb{9jpR/IŔ]@o8[)t[#g( mSdh="dbzmf2z;0^ Q{̨fo塚~`P];iwShW >As }{#\T[$+yn>vĀb=|w#oV\?/f= /{ fPԇMS;o4s=D4=u%*{C ƮZ]wcUCb*ӱ^1ٰ89-`)x3+㕋FnOH;fD`(էP>RVuRrڬ璛/b,寔,0QE!FHJĻnlniBq䂁]FT)L6yCF~S:= hj]kp/+W|uHkSR -h~;~/RȎ9xv8Sǯ+'xQ:B.^CBQS}BRSaY?R_,')/aeQ;Ȑtܮw`J[E>[ -a_-MA|#O'VrLOfƲ~UǏVG1 RODF$w(˪eIrJ͊u I pTenY!LqYi,z꥗K8Aq "xc1Z*YZ7,+7#5?y"9&7{RdCFdk=1ʧkQ ]Q|x"ͻ!ILMvS\V3P oyO2l|7Pqlz*TXc}s+$8ԍjlNiJA"2%1 'WxLwM?`B`=` -b=,f$(փKbq|vW.[ԜU__JN=5zإ?.Fiڭ23X[XDs5GSH{JqHPlƽ1X1'>PU#(#}@X3 .oJ5,9Yd OB0Un>ݘ{sv=-fFCPj^''DA‘[|V6 ~$$fͪʡh4z]Tz˲GWjt I= -+7y 3umA<tA9ϕV -vͶ ؂Ѣ.C||wN_I^DzTp\s& -U˯nSpP6rp*# UIBn:¬ATYEj}{wDž'Ƌf~LãhT*imrnǥ3OJ%^w͔*b@.J`%*lRZPFw06):y)?6ۡg4ߪS^Cox{sjf@'24ơus#u\:٣bn0*Z$Y^~7S) w/U -o@ dư`aa ll/e\cdGA1k l\:-j7rHg3=G.5 |x9ri3|d(s+_tyhwZAz4@ A[*WV^ f"O|QĘSZj[(#fSc^6e͋}GfLٞqY9=Riz-4@~@<|P -GZ62k@4~]+#wL⸉$;ơG!GXvg/̡^H+< d}ˇT3;P+ԱVuГ`{Џb` -0EYVk\]g?~u(ӗQӴ -iUYMRƴҔČŅHsQϼas=}( ?UX|S 躧Uֵ8+ƿjṹ@cw3wKP7v%Yt\ƠqSzy>Ixr_itzNnN9jڻKe(g4-Ѩ.]b%^'n3Omq,؊Cwҟx_8}u:UtidBXo>Jzum͎s/⩞M?yKDy7יn\t1oK55y4ܩh45^v 㿤87z7VT+Y}}oX*^8];_.(A'; hq675:꾶Oص=dQYo<~?HFW=?WNumQJNSEy$69rS<Y kUvM*>e2F>t}SM /OcrDpCF>oH3C|W>3~X+u7INcCŮ-vBoG4#Jyls; -4 -[SY\CXV*Y hc'Zua& >38' ܏󴕌! 
;ɽ@< q}g=[;\fY=採Jo~GdIWF2N9-?:QTnmhVfOTo{Ӛm/> noƞ)~t5rZ%fY[0pWX`j>;'𣏕=`Ϳ]_֩ϖ 93%aZء3fu+ջ1}W@\PF-im6SXqnYzqd190={oVYT)g'g_&GzNF(oCFGǺ)wxtIэ1W>%#w`1O)o+WǗl|bV&b@ ˸J?V.&>tfաn/;-NF'ϴ/?ҷ&2Sߚd|`\3Hc2Z v$01Pa'ܶZߔj"SGu=륰k)rrkcV?n[Smyw-{K;{LFMKwHa<-&CB~v~ŠJEX1`pW嵮:+WI FԕcMs.4@A2R -o7UĨsok×$|qy)ڜP<1mmiF48P⁕j'^*+W -(.G߇fw~!V䥰DskSxxV(st&/p^dP1-%Bp}'n8t _ߔxZ$;%jԪ.B>~^;7f*)qm>j^A!rC3 LGmN^~?h~qݲx&=i -kGqpr_"hjB',jKެބέw?$eo&cgA?LtD>ҋʹF}rLLV:_2?<~R~I˒&*R# E?L PM|h(q <=fƼvQ -:{]J͏7jǞ we s~'$5*6ӇAavh!!)7ܘ7yF^J=ڮ>z1c}!;yn܅U\0O:^u˧v7{9b3p8W(p+͗\WR\/7c9KWoTIWl靺xB2k1k7aVjuK{?9r/{:-+ffخ߁ xn_P#o/Mԓ[_W%zk8Қ==Z}iu)`. ݔ -߾ݔK8%ZuSK/ON±s;aYe:ڪJYuCq/#m\H0ͫɬ.'dl6~P# -Kwqob!OX\!V_cYp( 7S87SV={9jV -P-h+ni8S.=X:֕/sM^I_N*vg{@7Vk=?+dM' 寥ƕ&"n?ȺҬ!wvo[q?[D붱:? Jp1i#G_ ڡĻNcRZI)&:Zyڸ@۰{຃Re]. -~O r mSU̸=-CIUǿ)GjCni5pQv߯@͆i귆)'<"(I]]+9`A1Ǹ `EIb,Ȧ#H`]%`PIthxs;J۷fѶ۶KmomRơҶcx;M9mW}ÃT-[{IҊnR)#< ^uTү&yHVd7HCqf~CI\Fgݹ 1c}'ANͣQ'8} ;7i] ; %ŗ&B#c>{va(􈭎U`VuC!+1&l 9zLJ|Y0~0%elD]֨Mɺ-~~ZF/,_"CUTRI39pvmn.y!f`L'v}8|%7iV,olzS<<;)kU^/Z;Z^,kL&9VnLZ!J^_ˤo^gwݯ -7_]\{FxT $Duo ΤZZEn(gA'_^YqxӫwX9Mއk2H2=6@g5@,U 7Ly $˥ΦXJڝja\A3Wo0 /L9^!t)OZ6UN^Z({}Thbp ,im~V`[ sU gb2c8 K@l8Hfop}4qn꼗] MCW -[\6QlY"PA 2T@ei{蓨e J#Urƅd `\!;RCrjEHq2<{l@=/ǧtMm۬xND4Ja} X,6 -bإ: |&NSol.RW5GQ$ '3!@h ;J Qj p>ݝ @ނ&@@ڳpP3C-!7ctiP⟣C}lW߷ ̋Ѽ3  }j{NK"? 
<H&~n^% g@ 4 Zz42@)@@'g'KgoU4eTv )3K!'}rjE֞lIЛ=JCտ;/zv{\'7߮{2y_wz2.H;g2YfV?)h\{, Bf!bo/,za|ӧwJ/ʓ݀!Uao1o տ Qj$`r{p~tKDďGrBOߩn*G*[U!{;&w^٥߉,jkW2n"?Β7\gtIw}ZTgPE"ONꞈ 'nzkE49&|6`HG -O[T-o[kڻC۳ 6_٥՘TV`(Jzsݣ֫3Hןc~-˶_cQcS^kט{V{7%GP7V}DwaDĩ9_sZvy ehžr,r#]WШy/ {%f%b7#jJٵQAlo\G(Nv.[~c=z+r|-~]Mk:zj/.Ի?];Ymߩo0{A~V&1Y -Aa˼nۅmb{3M6>9Vk=wC^qY.~)s珰`{JJ4ýCHZ 1{ -6۽# ;,*ʙ;OY"ib:~t74]݊(}bW"jɴ9S RBFѕmTwq`h~;Ƈ9/35</|+S$.+,̌>tiuy8 [L=i;xG*C&G94cY.vF=n$~2msg%Ǯ3o`?s9OnѲ2>ZxߘdRUix֮htJk(jI'}܎7]63p?= 5=C-\' !C~_IR>sՖu0 q{IFjFd1wq6:Gkn:ϽNTu4B%se9#W(A kHpfe=g@Nv.f7fr7ӎ TyRo⁌9Uy7T֎Ik~8֒zARqNzNIuSqі>k숔ÙfPvk *Br?׻\w;bV%vMWX,^=<"ydܵҩ%[u,D* ZCy0e:9t,P͊X$-]T?WOwUlknz+Āyrژ=7͵~D;cp[v5"B -rX/st99ycINE,zcn `-)o4~MDG{R ȚSj(Dabi}tN謼^T厹>G=6 -plK}ّLN~e t͟VƒGёFHbjzh~)J5{ݩMuIo_m|j̙3'M?|pECDp>Qpx/0u|/jUT_o_@^73Q>qU=j)ٷ}ݸrlnln"2l\XjYsA6X3KjY?2< -*u[iJnjxfZI E*'s<68Rz3E/s}j w"[sf쪌D]F9#1sa㭖X8&=[%gMvF4WUQz`-)rtA>|ě+G7;9yUv~[lHn*.2R M*YJTҍB7knFЍmoGTX`&daާQZ|= wb?H]~Q{'0n|L]AK^4=E}tC^.jY.TkVL7ȢtX |!T8$:r专HF?̃T[K<04K: -{3_w~,qjWn1pƗM7n\ux35]SСLPmz!eD\9a~㏚mI`>jt:Ȃ[ͩVh=t,4/S}콺5hm-" LčLQrKJBj?UҠ-8ac2?Y6[![*)1L"2!Q>N4k'ThcdmtDFU8Lp#HHԺfgL8YU/[k[,Ϸ//ܾ?`o] aTMu5xs OSMW|)&AJ@)Z VZ̯p2>k]810O``gXqFzP̸߽FD>VZx-8j} eѾ#M{b)v8IsU ;kTk&Vk–8Z ѣ@% ɐz @^5=Ch9hG7J}*Jk299s+\- l@qC[XnO2ċ31;d9]x`9}Mjorq5BS{v,_S2t0J̚l[84<^j|oVI w oNr m1CO Ԏ(@öl [[{h_#]7#XEz_mwYB(J_NàLx8~zxq\X.`ϭ̱s__s LUiUYᲹNEZVFɉ{!}7P(Lr@2R緻-F1l֢_rt}޻[4n@'9繞DoU]]/m7Wg36gYOitV*% =pvgO, -ep~㝾vB-ɯvL(hu.$u{'':OkZlPfF'ݫNZM~dž: U+gsr&1׍MtcIƣPZ' -hlg/7[^-223(k GL11+_-GQ{TD0԰vV槩kh0@h \UǛP 90}-8WUu$=NqKLW OF_5[{ltg;C4>z}kJu6 80 4@<v},m@$IDAQLs¬љokqϢEj7qyjgAk״e֑e ep; 57%8>V[h੣i~/RE#'vk##Ϗʋ묢\D{:O8mAOz'`sZcYcc͉`xͷ{dҏL1:vbC. -soY%a[@_L8{ +\#'ZlղmbaCOƲd,jNP1oѤ@KF ˧Qbzi5 Py͍^Dy~V`lVm%ru|SfYQpd884ovg#=1YnOӵ.[E㢬Z^S ۑ:l窼o*h42qشi%aO]FnǭT>czTq|힎ZVp̍&&2qd]Y.{>!UkaR -+*$pK<T\j_F.Q6EeuwF'gCSG, Ru|x96E,2D[ ~*_?+wwb5jqr+yqrQ5iY7چr nq*/֏oUN}~nR?ؒnQ81|èGwxߨ_ q6{7i4c^g:=E3ڇM^: J>Kya{w8d$8,J7wC3V|IW-+}Q8O:Qқ -yߘ#L%1Eڵ&q<_󪵼[ͭ2 a'touj]ES[?"GjwZHNp6qUGTE#X57 }ww介2k -Ӄn!,eo+{^{mT!sA5T!ߤeEV%Q!wЌ[Q+r? 
I< s{ -pոAEpkb?#~ba?c$d?Ό._ly!!7oݨ.bEDԘ1>)eF5n%h[azBr5''Ԗhs# $¥Wa`sLL1"H1Fs3M鼳q#}2xa8vY^k:9sQ}Ǻbʼnsl_4B" X> Fة.tg w}NPyE9\\8S=@ znY~> vB+n6@ȅ9a}E_ZŪ5V s}O%ux<A8i -&wN^ -5 )ދn@e2Tl]4OؑU|Wַ_ z52<_щN?+fPa 'P~@0ą?Iz#@|4 JM -떢z>)Gɧ]Tq.x W+?I?NM뻚|[5fZu4ݫs4hwؾxatWR=ʗyB_s.eOOuCx"ɧ)>L{AVyx׷fչˎ(XB(yN'Uf -)*TY~4A={{ڝv]+fwMKa}Ot?zG7 }DIZR|9|⯘R -uλmvj& --qzڊΜe_ڋg.kjyWTaCs~XyB -{d-^SH4?cz|ZZcbsp<MmW5hn)ŀ_JC$;Fn3)O*N᩠NBd6n{|l/vSLSA7F"cacjTF!7b>h -7` =VQ?q??=#_i0+ޤ>YhڣK EΎbϣW$s(ѣ[ ANsA3}"Ŷ@m=dnJ3xף~sB=lМk ,'jO(b~~Go?\(|iht[VkLaؐ ;IH%Sci1<}=q]2qOQ &z8)gZvXXv hrF ~&4hVo{ĮVH>fG@Dg -˃<=\`9iq%{zɹ -"uVe/u#zf8tfN Gr+s;Z͂U*o>F#NqmV"Qe)ɼsS6P.i3oōI:t"v"ʾ*d ͹Zn#(}e e3]%k/? feȯiZrRm-1[4GǢ9uXʸJn~e;%YZ!.#y!ֵU$׸?WN| a+44y~<[pNոvns22:3䴎3ZomnlBo U>.3YU@; 6\wHkRG^,kYćf_ק'^}w6mv$T -=߬Z*H|y5ANQGevK~bP&͋󔐹=-V|- ^Ħw-Nn ^q^wIv˾? ;uqf2(n՛ D羦_'ueG^L@Ukt0j:fê>ŋ9|! B @sOQ(POejqda;bbL/*mUG+ZWrsB+.lr Tr^^D9'K ?enҎ@o>Znms94Qu4 Mp"$jSG ~&7ry*t(ˌ4Ldצ4K]'M-}OaInPlD~8ĥKKRDl,Ga;ɱ?\oTFloέ:3|Ul|^d]ХΒ6:PuRB{Mz#Nh 𖠟 L>Q|*VQIXnn=;Froaa/lX5,`r9ȥsW2܁^'$i1 &VֺL+w7ΣT~],K]&بld?PX&P tBv|db,TE4Zv~rcwÕMƳjwhC9{++;w# QGP}ExSu˲C NMT"2oAUt@`.1\rj 6+eV9@.J(+%"tf5NT!-/Riun9n_ ~i8]:lo|>S -sE؞CJxTZD>Ƥӂ }?,ҺH…y -!Ƴ kl{T;7 -k,ö.rYUwA,Dj'D" -°+Tlūkk>U xߢ^Ҡ q\om9Ϗ ,+0>7 ܜ6\[i~ɍvn߇MmdG&j⮡+V~'ӮCdCpGͨw)'cno!}g'ŭbp9659 'vn̚#.Gƹ`'^^pN'7Ue7qn;jcWWVEn: &}GlE\<*w2U-}mZ u@ru{=[+[hS,p@`!6qg-w+' 8uD\OOǗBߙ҃OQf2&# -k]" K -ԸH;o\g=/ۿZR$_PEBeEN@IZ - (2]=U 8@9TP9}y @ b:k%>XwemT4ա95UDXtW [>+ `G74X('X@3";6,S|-` %8V~0WR).J~mfx D0MI%Jnp'Qdz6ӡ- -Q fQRhTl8%`=v ع r}78*.M+7`kAHv[f#N)JzarbsWo׹Es%(ߘE{i_?V}Wr *H*TVʯԱ(=} kmKj1NqMt)2Ldޅ~!v㛽puyv=$Pcst){=ݏAD gbm4ԟ|K@ 3 -1au usgv:OQ:d?9|q SSCYu>pGE:WI]C!m r)hvlꮯ+rS5IT/;&k ; b|sCZiny͒M#ӹI X%Reoم\yy?I͠q'7]h/rj_RNs5sB ՟C'a!թ~R+;+i559+vu/#4i/ĢNbU:eZsl}" 'nFs%u=Fv($Fa0 d ].Wߛ3+=FlGvknN`]C$P,>NћкG$g-vLs^5nzVq#wQG }ԏӸ7#4 -endstream endobj 301 0 obj <>stream -";n#][k]_i`FGX -IȳmH۬g*e3ҏg\9+nsFM\xpA=ҟΔ6%qx_Ed~q5R{w~&qf}i6w&'-1܃q̓}|7mκ[iVZcԻ^_xJV߿sdt{ۺ}? 
uvӵV G&0zqѪƺ[8 w.Lׇkw&;ޟ -Qs^RgMsoǠ~ -urv+g\&q ˍGZߪj_؟LɴU~6q1Zŝl/jLHpV_' -Z*~Qb0L L ðo:deh܈ZCܮ5yRեMXSf*Y r̅aEM<6&|fuܪn= :V.?l:,7f2pLöYTPpsك&w? tdžɰθ\';|hԞ}&ӧ]M5]a+sqo;qzډ?5zyU/X;ja.q;ߛV ##y'K46E]']{iϴ]Mެ5㋲U YZkQǴP7;FcxVZK4&53NWyGONUEh(o+o~tWwXSaIe$qQ-z(&< 75YkR9ezK5mKڹ׵roWdޑ#Qq^DF!\@D$&O$wG݁4d(beKaKu0y^_ۂolyfkZ2[sx2l_Nn@kb:U!eվK2Y[QKzC\ڡ<̇2?ϥ]!)IQcUv\#vNJw^/q_')>=vo?{*ZSOdƲoI[LaU9Sn yD;YZ䎺d>[pS\Sj$Wvg@?B +@}O&ƖOnOf77=' ׊=A( F/Ć.o`1rѩ޴Jϣsϫ<o/J^ΕqmbUk}l`T[ -i4i-<9afyܽ͝>4\%(ʐFJX*mQ b/7-6%sX~TojbdVZTBh -lP!\(yR T><6ϵ&wW=g\eWcdˬ+,W7 fXfld=Dv1K}DwcGs#rdEw^\"2xZM2ף '̾&\UÂ"fCthdBvDk6]y 6Pz̸:&v~hr)ƘEU՗7XI37Oe*ˆ7{_9Qo HU"f5:_{hszEpF՞1L!CT J%8& ȭV[a -GNF6UtWku2-4bQBƲҜ1;Kmf-vf鹕i & V8jfMr;g 8l,¯X~~>uz#(J -koNQlsV Էx>V,(}IyqĪ?egC[M@ڕrFs[ě8HgM'Q'ꩃ9lXL9,\Lس[]- ӻQrtet+^YB'\gHlO ?K\312uDl0-q2'"0', ֜"ΥSv=|'VQQR_WztF=f99xBs BPCB7|YM78lj67 ҚUmW1Ow_{{uVl__r: -J#m: }ܯJaQ)QBoRs'exJ?Jbf4^a&+'jA!$܆)H2;=4oQ+dzҊJ*!'o-=RzT+wXʴH6IB>U -n@]B&^*0Xh=IwbenpWSuG陙-U֖DkŅ5Bu/9] x$"5| - -aR;]|[V H8wyKG:| TX "}"~k)Z_ωXR$-UOƜJKci1ZvؼYq\}=7K@|KA=@*qȶ$ Eg qbrbT9EEmW?yA!|`M~Uu$3a0H>[& K.EP Rș-S9 -Rse'!>zx P3ԾP]@.zr"6Q59}-@+@JͲsJiևՓZDF$I`Z@ XrA|[,B*r0eA^uz"LP02_]K_06,[[w%GRjVwD9Q,S,w$iY?WJՓCȕj|m1,`quxv_ O 6lI>3n -#voR|GS\AZnCaB&D۪clk B~ ^MF9; -TWR @@¼eT6T.3њD"7X_G\hSC^;:.um69J|N]&fN'a5t>?=$?d۽[ - EjȧD?|=X Ƚ8Gm;YSb«ﺵ͝=-drl)7LN NoOfq0AWx犥qSi7ػgqωD^ҲGuDnǥҚaų'WnΦݙA7>' -pμ 0niS{< -IT0b٣~;,I:e*ѕY/s|{?ޙd"hm3||efQԈ=0!a(\pe0ǒՏUЃfyd?.!_6: jb;7ww/hPqew1P}xaf%obDghlˋ'lK>J32+ZLdCM~]:z4c>*V$53^'g~ly7xrI>_[ěJ wUk:G'`BcҨٹ]f]mzyR󲝴6{Z(si =x@Πy?)įBӜ] mV߅1Wl79\zgwQL1E]Knsg b|]Px0ݺuh%<*A\4hԄYN@&mR[&zc$3`wNnjw VijMs:ܿC~z=.2O3^j?S*Bfڝ;D&Ҝ-l*kyuec{̽QoV$ -j.DeӥW/Tޢq2k7/`ώ9ϴkcfJX'64y0ȮJ{xY3ryt96X^7zc;W9-uĨf}a+ Ӳ3YzYYgaZX/wHn!}?Eb5?,AE'ԋ)^'{۝sz {7KG >>jn&W3Yaevo{1]cϠ7ՎԂN&\ ^hQ1uԊ&u+cձSs+'p͖k K*TX_İ6iv^-6jm1pM$0J5ujJ?YQ;ޘ5916DKD{j'ww @jP2䪼z,ņ.WG9@2O_*եXg&J=|oZuJY¡P!Sh?ĝ3̂LL|PtiͥD a7X;+jfjIי;(jf i":QzZd`Fe[0J}us&Nm_,<)B5Eq {zxtڵ(J'tAz#zʨp yﴑ$p *[/TpϝQ|D&;˂SU[Ӫm}lM-gxӒSVMN#8Ww[mGs72]3Te=m4] 8=d1G*AWONÌ+gث5C1)nԯ-q#&71H 
~3yluBTSZ1=CmlG;jOΔ>ʒ-uģHl;{j -ī7Oo9 r g]oq`9! 2L'~MdG @ۋ2d\.w7G-v>V}dZv@씬Қ,o(D? pxGZdUr=*N$& g -{0*7 "|b&Ez|ek1ymR+r#8ux3tWQTKY2GC1*wQ6hry ILƮLm-zWSQ3u?d炪J{"(9gAQbNŜ:k}{y˪QV*oڕsI%)n;{C}L^嶧GwF;3pLSiPXdȅ:jGfFXI`bԍ:.}DN3Ě^,K7{ipx4ٖҮd@SO*Hou,6*̳Ǘq:eߡ|P8ŲA1>$uxaצ ƈL:JG3;bc^.|ƥ-NZ;bPS8#ewoe^1ǭjPoL.c(KVf^v252 5e.;ac~޿A/j:5݌ -z 4⨉%"a~\'^2+QWFD$!(IZ$T z!.uc5ۘx9EkZ,yH<~"E(v`, -rՃ2fk -(Oq\ Ea6ј>FvREr#by.T_1{_=bm*rp%W+BZk h*( D6',)`>[9@<г AhHq~fsEƭ:f1w TɜR)eHºGp]D^Z]P.`n0Eqb,:1>)$`QDIz)>Xg X\{6)f!`>AZGRO~4jτ$(|R0ӊ6baHtVY`%1?2ا · .e'/+.}lq<m@?Ÿǿ`LUW:z|.k<g,nI?'"ó$z+K1w|k 1!b7*nDly Ie3ow,nD- -tk:`|b0 Uop?3sN*yۮMgSC_=m-.QvQrx6@EOΝa>d3l+%̖t@con: 2oRS;ro ٧RVz,m04s=p糞y.^dKLL4 l;ks|(ձx?ٮH#U޽=`-MBDr}p*‘ӲKŀswq}kLdT Ƈ0[V9faWfCz9['{q]D\o_,DZ)me>JϵiFCb?Re3"Hl"xyT\:z7 ._Cor;6w8CSL"Zy"[ZmF]'<)lb@1ѿF&[ d(wA/3՞v7@Ag]Цzm.UF۴]v5un-Vn'_#Ԇ CN} 7;װDU5k¸X DU%NUrjH7CٮR5PkR.Bˍg?n48Qq%q-V5wEĎxT5Ч.WZ6LtRԒeᇽ{T 0n22fs7u3f7}IoX]JleC[ I#_.s\->S뇵z}:']5fQ'l[Gud6+1TBuC#<>H(Yf4WRR,h -NRVGFx[fǻ_ħO(++Ecnjn7׹~@D:iCn թiZ?*=, 8uO5򐹩bvĥ -{y/rv12ԸaT&Ƀxkc3nFb9U}cpXCqQ a]z:yUǷy- ȍF)psrΤ٨ ),s']wڌѦVKSh{/hx$U g.vYW fqͶSo+W$-0ypIK.v1s%Ãc,Wռ@P!I: - ģ&yA2߄9?rn{3SHRxHH*:jh?YwH/dn$|O 2HPs'l5˶ӫv{uz8Et^h\bj%7Tb(s!CR$3 KC(΄ A:df+N!Ǚ-T6KVU "#m)E=FfzWʤGQS*PK;d>Kk> S9]+.B[Ax⬽䓢Haz]mCp"f]C| )A$Jy$Y EutT})X$^8K3].5 7Zuw⁩N)ŶG힨1jey)2%x^;V0&Khz/ȟKPmm<`DEaxOߙ/ -F}i{-cUJ%Ӝ}="hvұ\q7^) b@TO찟B&2܂boi@Xو%rgP(5\fct}vF 6NNbyzDGܹ3(: 2qaZmfeD$\J!R:V@:Eb Z,U6zs~.Uʀ[@~Y`XƝ3lOɜy&5k1UxLQy{ ԝ"OaV=4 1E.S_J\E 0va ,IG/a-`X  9}RB*|gҚɜ_nloi6nXj˲> -2eC\[`}-ŻXZVɍg- `M[N\=šiݧf;빀6#`0آg9ٛIL~,"WƴWGDRx4T;落|"g؂Ih.mάuRLf3+p xNESNSl ebJ<"3 bL|u`M%t.IvO@P,|V0 wb(vHuT)1dS$?/"\.83Yޢ{շ70'Cxr"]; wNT m9 ]gq p2beR3=ȸԌk/(Fr9"_^IS?WY{:7v_ 'b5(J@EU lG*g@5Igz,.(j)FA5iDlڹlL%`أpi_*ߚT;OU}64~̢ \|z"l00g0r|$KiS{74;::zH9aW5ǃg l /?90mv\_3|:4yw#1Ig-X$(bjܰ+ġ~g1?}w>\z#Qwt֡uj'c]א*Φ[)?4xv|oѹ+o]mlڃc{}8uYȳh' Ү5Ĝ:GeBֻԛ6ni(?[7y{6LLEы' xnWib%bJyfWǍ@Z?}S缯3[-.5XExĞ6*zPϫe 2ee/SCO@ z؈{nwRx~3.\Vj_3kزV^Jl{ʺ2VBn,'Y\v2wOÆVvۤT40 ؔ)|HS\V-NNOwR10qY 
ϗՀX%ImzPaD(ޱtqbIyJ6bױ^0b`ja\lEZq|:[=B|B+$R,fݏ`\{w+|o925Ұ\aΝ_RصU /qa(p}H݋uDѼuoHzsI/u=ۈ*WRϨ-ىPMu8 -SDl{uU,nSb _h)EjV>>M>/WކԈ*Æ&ak1 2wy\i/_т% 'ϬYn1{xvvJȆ}sjff &F >59}["^P<1CSf][s/ -ءڦkrSUȂʛzhs/J~GwF6ԛϭO[bt:}%! 6^q1TQr&Džz7PRnT}?tUj  %} ܑ7MI^ WOl0|[.iX7 .14hCYeEoG/M0ЪTV{~}g\?˶PH3=cM\uXei7#7#}~cqX'N7kYPǖa՜AO}_~I;4&^zn_uPr癪{Őp{J f%ѩHH3jxDD1DvxuW])fY0uۭK'3UkVfFx M:vH[=w_P1|C~FG#c :&`#QBS**Rjoڎ/+/a/1EjM-W+%kf1 ˯]z/ATŸOlyh]&)OBqbߵEe E'm, -^MrI+1Ϛ g>W[>6IK''%ٰ'ۧ8+L> hk$;{m+_U+|fݿk$9D)WtqȖeW(6@ɹ2_4]\ܞ$>q0z`[$m31sbtB~я^]ѩub:;c.<W6noiԹSօW;a+zP-'s9!"PWȇos"{jPUeQUݒntm~b_/]I(5=>)_ ѳ>A}xsG/k#idͧZB)W ޖP % -%oJc%qTcO*܈}ef?1m͗ )X"srAl2DLbXXT@bCMN<x-wUvt'Gc[z}W(zɣ nwQ$pϱ2zϱdSY)Gk -ܓOG黹##?DP(L 3d1΄%x+?ØY&z}aK7^S*KU`/Q1EӴr"hehL>TZ"#ew ^c~^Ďk1ŚdÚJ;ƎƎ(=6'.tvV:'rq;|{!}xD98Mf{2wO ".dZV;A)L-&W[m2Ra>mGZ"'g!CZܢZMJx)չVҡʿy|}a^t^tV -eeL{+`AWZvY@;_?sz3F73gĒ n9x1v-h:2ߐvehڞFд-ah;<wr13FNC`Z\jJ,.R:=O - -(7o ZTyKvUd:b* w Bm$%𽩍DM3)yР>R -]@Ձ2(624 PFk (c`fɛ~~tPAwr&~4Km_Y|g9w B $))z+@b -BY>'ezE|m"sv؃vXÒ'm,0YUR?viί=$zVĥrr3vu$ ynA&Vm-ι*"hy pųM։[NJ]4^ηӘǜ$JmR daXC_\qƸ]69vnWmBD~Sy7.Wʲ$J%ϰ~eQsJϠ줊sn ZeH9RaWGg'X< e>^) -MX?V8hm+e>矚^as%&hBpx||(baW8>nWl@yc;]xYqRN*avQC:#\[.̶"w37KKd}Ȣ9 -#e\ ymZ=:I=ns#uunArN[7sk/xuaC]LORn-.f*5 P]HK˔XsB\xܥwgg}*#qHL{[a]=MS0vguaZ'5?7kJTZWWBޞWc-W\'l/_-E8_RaSS6{ۼ@-~m6 u5Xn>RZ{oj:TWeS Y/'u*sgQIj]/{N%oyX4y-xN`Q᳒W. pG@y屳m0eW9;4,-S%Vf9!Wi8()F\ MCo_qxLy<74? 
'Ρj#:%}{\x{0N++a+ݷs^^G-vw4 dW-jIx%uJVF]l,yRWf#َ -O/{;ι'm+A9OeQ-AnsˏAmq [Se#mc}Λo~Y}D}:=FŢ\=܎\ox}r&T\7:[eoJ[ˬ%[ö]31c`!41[K207o)gwH庵mw=)܆ <-{ٻuF!(ܴ&c`ld!13_Yy7cbӠ71,kkQ{CR=Źڌ7UUEUn8sǽ]W] -AB&lQ)TlK -6d59JX>(Aն݁^Sm&+4A\ՓTyR%k +ځpG^Y4Yz){^4{'=|?[zр*km|FħﯖP)kVΊ48/㍒Vc:Tuv=:34a)ڥʧKSFHOD|-a|ާ;,9.H00E^ -{/, -Ӣ#b$,Oz !N1灰-a;wMz2H:7/ZLReDFEw2W@ٲ4:֚$XLF"a/ 1 -Qwط^U-6jr,8I뾸x&Oۆ {v3HY}G֘OD5dFuE?3@sҧ$JblOM[W&ׂЊpr_7>πez-~窕Fdeff.0}1ce.aJtLj3pC[B`qV;VpMUeA1z-4/tRI뽒6P1yF,\xU2auGyJ̨ٙK~69Zkke]=Wvwg;^vjrmZjQUL&.ᖒx2a|xR<3?: l>+LR=-8%F}}нӦ;PM Me mHFN.w/9z22ףYPMu+ҽ|=BUcymAlT9xq6r b|]C\-AQL:ӷcW{ÅNśCi@ oVv+ -19͠ ;$\t+DfO2Yk.*DfT{6)Cz՝rZsZW;doHUVX Xy}-vQ<ni]]:BNMzX_1o*QKMn2eJ~SW"rb}9-qNWJWۤUgY\敟^<%C"+oF tJ!D q)>CbHɰDa`aFf nY2tNg}s;dkP+k"&&!&_"*Kt" p̝ʋublǭP'/SBYQb&O\]"@/h&w<6OpU0֨/j$~z$y 4jwh4aT:"rǩ|M鎌b8w 1gNveWB}p;Ԛoߏ5Jz4(IJN1wScÆI_FA|zvT8&͆d3GmkCaXNn#=M!ƣgM`2BOnB9lw`AKR4sNJ쉹H;zX 'y)M+mz]JBG%)HG !{myd$b "Ç%s2]O񮁌ݛLM3K@F-iYGԮds⢶*yAДQ ,bv!!;t<#sB ȔR4;0SMQ~.n)> N+)fȼ&|*/B -Ǒ.ۦ2>:olOX&w)uk#3xLe؊N G;&rjB14@, 3-I -R4JN! CW@\.WabY@̯c@,rM2jjoT %l?#S vzO r H#Oqn$@v_ {șr7.w);@O9 c r>rO5q(@N @vE+8 U33j9jϡߝI-5SY"v;xĞ43_4! 
(e@ 4Ssh8@hR4\u ϖ Vm`GR2\zY1V`If-(ϳO6DIY2mUU@b [3l5Ýz1)`fLHU-&Pbd7`V S5N+M4'2%5V1%~f]rJfR^H+GTt02~Yڀ-净 c^5 -)9Q^8J`,`~ 3*/9Q?܍^V7hdD~SN%:\ bX3Eg?/֚U_+~=A˿w`sFi~M"#$ϥqvK֐"IT&vk/Q`5P1OUfAk+{|c;#\=V(ffiv?5{So86~Z/es' MaS'@1 Xq - -@1|O>GUMF{+~0mGUGs U}Ό7}PmRa=%Fx@+Ym6@kW%8;|pXx]Ku ǛgOž ;{dE$ rؖ^&n"&.FJٌe݋x5矶Ν{Ab{/<\$a+Qe>֧H>곭}#)\9sS8:+eUK=qo矦Q;W:u9v7^(&&l$GG!@cqipve6uPoy|͒FL\PpyF^[nS,Xa_d>A{b[Ŀw[~e18ٔ˷{gmC+MO@6$!=p@LߣcR7lGnWGP;j lFg-ߎ-7-x߼ -Zh0!lՏZ?s2~erʻ4P?zV(f>w{P\[~ȋh:؇UH5v "`.h~l:GKOܶ4kXzfᗖPzPc%^>w7R~m.\m#,L9aR|N& GuOLKcn[nk>zo],j@Vmba]{bٯ2ogJAϗXv֭TdfPAWqAj~Sdd -cXl*iDZeg6Q Juh6R+\꣒Ì扜6;w=5*Wo8&p2UX+pQ5E뫗ViΠ`MlMۮ5iM/֤AifyZiU&rIs -2w,W8B1?|YR2-χ~wאnMnXZrX&۲X1ܚXAw:bXgb6bYQg<gknU r_wWlYc=k ^rQTHV,kRˢ7i _A6h&YGY~x4Wfvq-׏{8 X]֏֮B]!j^";_kי}~]x-Elj -wsYӈ,?=M &cbf5bg)g=.Ê˖~O+Z5jUZ eFb3=Ԛ47Ӽ6ɺ= -].xj~YJv>ƶP B $~a2u'&i.djWWV:k)kg:s_*׍< sVyT"^U\!D,-g1Y"Qˉ\G"QW͕92"9uMV3#[r*19]gMuşQYSeR7j24T%G\PV-HB+Xw"?E¶`2\qgÝ!ϽK]&E~Vm&z`b1Uғ!f:&b۷!y&]0IiE.*LJeHLG@?0:LFXs~Z$kdݵczDtb"Q`"Y[zW.ƽJjH>?~9OEMcQZ7]LW㗴 cZ:@$ j5  "1ѹ{mqipRi!h`%tb#Le踧[D۷heS̢Cwy~a>zn3'Ҵ;Y7%r+{HPFQcD__!Nq4X 3mA=SR;ГIٿ;oAHŤ?fIQ. dvX]0a># M}Y^)-1+#̓w9 /lx=XMLt~Cd9qUk ({DG!xD.t.;wV -u -Ns|_r#|_ng4j2E;AN_OMy Ѐ7g 3,c}fFw~ʈ9});bRRE3$ -Ħԉ4\yaU*v|jXәaͮDMVױӾ1 ̲ oO4B$s-M6QN*eʄ!-9&0^> ~"I=ȥŒҗ,~̿oeu"Oz Be𱙌5҉~xO褘u3)u, Co$wj#|t| {92ҡEQ=+*' vn/`3I7ؗ\`F]ލyvN@Y U V )r#PFuHT6dtO/(%[J%?`./@!Eq`8ЌP1|{qn4,I.U/-n0(Pu(dINrG -jmJnЉ\W8+fFs8qZY\T\zKmA"5QEf.C:eǝ+d }ӅCJdB3B.UA;@{ r{׸m a#T]M}WsA[*,vvp;?9}؟zf;:߃i&c?medS?S٧&=?սMT>^x |  5s+6-m*8)F-=̈́wddb>|gYjh(k,؃]qrջtB7^vN:m:a!ll)Nמ`&<}r@as3$%>ck UO>ݞrtf>N}ۓ2߲ *J;d޺<{=vi˒mjJiZC4d`SERo?{{w{RD{]f[~o {2z*5ރ+CuO1e])CjTUŰ]5õoJ sV9,xe;Ql`|~r2$]&n6l[΄C z#9h',ޮ'elomwF T^lY·35r[8N]&daY~6e8`u*ݣ`7Wf7k~GY+뺀fwBY[OO:i=lPɑZq?hYJn9˺4 "b uB7=Z1*1g6ٍ -ŌV2̧Y׏~K.IJnkWíZRUMR qT T YC%rqd,ZFY^DdcQeD>mlj:ߌ &`X . 
ŌX^Qu9jTR} 냊bp+OϷlK͔%[li06C TYv/C<_:=ԞSøSh'rb8+w]O9Q+U;ctBy/%{n闿0󐧽K'& --![]H(M~Yz5u9UJsNtGFpoSlmLe}#9F뵁;lg -R YeT(V$-zBBI,'lHP] dz -x3u-p@[ʱ]abɲ==,t-gY>Iʣ`7yZld;)OPjfSCd=%V"i\.B;򇅼<5{ʉ{*douge *ߩHSmrV>73$#1>o˭A;(׌/Qv,ڭk0XpwMiR,('7q,K.0k% 8LFm~Mu>C͂OrtJ4MbA&IgjlC ߙpf>pcQc;Ǝ]ǙWM--X4U_P @vĵߍ\r>a4nfH3laI–잂H7:g"c@s7@Z|vΘ&]\r>vuQNs~PRkuE;ݳNr2(|i.(|2%Q>{Rw g-yyjKmG#*o"L}!҇:rWbn98rPy5t6>7VGp;*5W]Eyҕw5vW[{X#cZhG3<T~p9.6Hx":mfG5LXlwz{&Whw- 1b u꼌 ʸH; [ދ3쑞"5'?2A>gsYXyC; U y<@B_XG[ζrrUwx/ܢr P`s0c:Rb0/dmmXhNѕi$wư(/-G6;rY+͐[!)q - oEg=>P%K[SA]=^L} +kR*z3{~ݣ\"|!~xS7<>XZ᱔C7[_~"fn/Bv' 8ZTY?Pw{b `+ 0)s_E̔` 7'$/p.6J!`VAJ][=szm5ۛ -:DV_.Twygɬ>GfGZ'jg}fDno}y,p8vN D3. pwyL&7ޤ0ZIǮޅy%w+63fRnüݽ_oN8oQ@8Y#C|h|xiqx|JF J,"~"7m!Vs}|H%/;-״ fXPrM%b}/~`sw< ~g#4{?WG@  8:ǀ @W8  ]MO]D w) ^6>b" -^9HY|)ʒ]]̙qa\O\`;&{*_tмALa))K - D*2%@nY@nR"^;?%AT@r =vH2i~CQEx.u |{ƳC"$hsQzoLA-6Xw@H_CN1 //7 -.!zdt -.^ -PGKԆ0wAr>Q+*Vwe{s?s>=1_ȸT"B> P&OYȮwM@A0 -JL'2W~+i{07 :qRŏwUim*:D,<S-D|[SZgrPNrŤ``w3C`_@y_v};nڀu'giD8yMtkDcMfvOY8AGXE7†i._.@;2'A` -@W}r8{zF!U:ҟe1Hf:Jztq4#-&#)a3}S7$\P [ H\Hg -%k6$ |Zu^Uroe! 
,s KPZSTy?9a7`?|kI3+'ҞëَJ,1P(Oow7`s~ib2©|:4"&8{[{]V Bk@ME-Ж6 -7?_z׷g@h(k `V,\Bt9'̬?ZR(vw*?ت;il=`vq@.*vܣ4 -K`] v.4u)ñ^l{xYOx],>TP,.?S9~[1+˪6WD }grlj -;.}vjǁ8Oi;objI -:+d.\tnl`9Du>o: -rF24d=,4UJپΔ^[Zݰwu՗0 cmO]m%S4I[^c=ӆa7 jM4jcxu>aW!48U{kqFoyEv<~pвQl 鐙v]#OpůQ?_lriicF\hq;uJwQ^>t[Վ}|WO-?Wlh'rKz+#ߔs>cQ^z/mPՕ^W\ʸ:J\^+Vq,nI()pY -:$H#Sr/d A+SR[{M1^%Ҟ'8ˤpVaˠk E33ȏf{`Y\e~/۽i+2cQcRT;M.-ZMRŨE& -e$0a|/y Dl3;I%7L^nśeMeї=eo M6`H,(z0 2>ݔ73nneXX\`Fսr4Տ9N&Ӹ nVq:J~iaZ - {6AED Y,DJYcݫ獊q2Qq7|FM8[t/^h%%'TmgW{'jc*)j*Vk EHvFeص}% WYGere-Xֺg2*+[<Œ=~+SEd̔p]^fղh?.+.m[^#ْťϒ?}$;$8>b0uzb0cbe13MBt\nY}ź5]l2Sh#{^IYUP1o$'읈˓˖hSߵXV+G&É%:!gR_ g~4!-e%Kd:OoeH+ACVˡ魝{m%u*SOnyZJ*/,ǃ AAQB $,:-z -*V(|na#,p5[༊r5鳗rAF1k2Mi3at Bs]IF 4_yO9Wp -[] < [{tYwzNye Ʉ+:hw~.=2>󀠦EHѤwsMYAY!ٔQS=oE-dWU#Zó:;P+/\3$8Qk벰f;–=Ό؏鑷HYAR!Pmri4CΟY7bDQQp(A#يz%3mz;.l7߬o 2{U}V9Sf 3F~|F?K:xS7}rSAA‡\@],_QEN[68}~n;D0!3XCx0nF]U S>n0zToʳ6 -L}Z: f&S`L M>sVĪ0etu!-·my -;_yQ'/Xg#h[PIĎċRU|gw'㢉9Z̕bkfsrm80;}<鸔SgJ,Gd!QgJkl#F3~$h)_Qi}"a ag \҅ nK dц hYHBRֳ Z $VɅU=c m~9'd1n OJԾ]X:v1s;L&-^ S|Y ,#CV@7; -RPD}{bΙg>o0r䜆)E\{л4Krs2hl'ĺ]=3緇yg!rg.DgCnMpYG -4 @Ȭ'd?g - @$GJl g$+oLK9D0{|t)AQ!LVm* _z_S>/@&J& @f}Pz$rMa - Ke)@Y PRL\t5R7H]S"0}q5Qi^[I -I]'G8r9 (U"Kz=IR"撏yI xP ̀BT(# #753#8S[}MCt+v&JYJɤa4F+jK"(#ˤ1LW;k ?SVR~>k1T>邸YgYʺ`yړn}C8`g&l*熏dHs},։7sOpquO\Dl" l9} -4#ݔhjԴF^DWм-\]axPU.Xj, _́#|g' Ko>^|$U\ NdA%rl\@?=7g/#`[ r8Vɓ"`/Q`%dح0$F(sC֔r_9?rvY`3_0\ӏ -~T_o&?rQ_ &AWjR3#nBmvC\N_pjMﯳi?km ,L&R$@"K} be -# +_y~*:#Zw.=hCg;N"҈Ͽt407ŬX?_mJX PS)^.P65P7PlLvny-|#k; O KYojNI+IsRDg& -vHǥ_tW-4}Z?nY+"a zm4mM7?v#1 =vB0*wUJ2!nsJ>0IcynfLyom_`MiPj#ױzzz_lӈ۔𦭸R|Z>\o)>u?Dג57ާߔc׆6 mGn 7/-pa3?П&bm*"faB8{mb>#kpi Rs-aX.K`J|Y}zMj3׆5-?fHei Ɵs~9561famz̵> -|L{|܌yg1`Wn̮ϟa-֟ݰvhwAh3j[pӬog3p/&vV˻Դd?q?5^iZY_^}~$FAc{#w{u:e$Uo#fPMluyuklM}j?!87,ӜA +֤8X37Rr+ `2tJc=F%;ev-DnTR?tJ+;9Sol.Zt0+^+eQ(duKh*K$%2ʘyneijgpY2ֽ}ͨhW Nf7kR Ֆg[{]@zwBZLm5gj:HaUMjyܤ7[Ḣ+Ԗm4**z[?8|XO'gt* ePR3ldl`zQP5jVRUG[1xz,ǗRGgْ?DmLm%|$Z%,R48 P4lo~W7]j F%ʰv`w"$O*[EJߛJ~%[m E1?_}ԞB%; nyܬnXnun[wGB-Ǫn,)cSZ"/1E-_)ߗbn`aO"ka=bb_U;$<Ϣ';y T^m7ẏ+ ,m CƄ 
-V+#ǶP6 VpjHu%E8/JsKd7 WwiG94nɷZM2e܅H}6\K.XMWg5Zʭ6YX,Q"n%Q#u(ev?of9^kf8"l!lb8>W~36}\Kd]GlkfG=,v4+"%ߏY4z4![dnDķbWNvN")V?^VׄYhӃQqvaQWwO*H#r:%rWT#~|}r[[5Bh_Zj(Ԫށ͒y=GTwɢ 2x9LM6Y"jvkqCCC[Eū=N@n`t7=~ fΈ -khܻ!SosAJ\8!geTbHƇ|cancR`@.֙.NܤĮTz*r -[E:J~24;Pe -\,ϯ+)[}yVou7tI0hj 6]k!kDnwp^\s_U#,Klz4ĊT -78-I,RSGh' -BD 6Rr({Cr"C2 ћ@^d?B= MDD.*cG42b|yϴRM]MVg1*٘MRQu#ek 0pӡXXZX#M~aP+AbR5 D#19="3Hn#mƺ+p+.PPbw6dn>tE+ WOtH,$27kD,Fb -(͇Ğy'Rd~C\2 +cq|Bs -yy!5B㷺V_`bO}[Bz83A0"o/;1D z$'Y1 ̗*da$8Q Em}$ʔ$TI`|2wDz2cX-ooPXHH<0 /f\ߥ$;D(,;8>[u6HҭZHr*!IBI,*Hʢ5r5cblnsg ѲĂV -0~W!l.5< iҘ i*#JB҃ I76Q$](@0@6H|+ KY$Eq7m4|Y9J#2&P1q7h&0Yޗ%K3|9d9Z$; -H9!dhɼ$x$#s7$̨OU6K=8Xo(5{oUol0ToX*tj_l} h~3|RRAioQ޷<'ݑ G 9σ/KXu7oo`d~r,%bp^#Z RJH]"-+#e9:u)s-mKɴ`?PI_z7aQtPfL)xAquMaH49fk`NCŷV9 bP 2fSmБU3`|<ZVD@x\᭪ -s\~4G0'6RR[HHMŷHm\gaq803ΉN̹|pcn$|&.nMy7 qؔx*f{0_Tv[SU$s|E:cixۊ9Zav<g2NR|["f'b#w"&;"@5Lͣ,a;S_R96Jkg+<.Yjn{3opKWdq| pf~?8̏b'I hI;|4~'p` xzGeC܎ϹQ(atT$Qv,uOlavz+ZKU艷@VSh5UChc'> v'q`ͤOxn9z)fsj0U$t/Dhh GUO3GF3Ew)_Oa=.a e.X޴2fVKri.zP2H~ڧ驁+CVt10묟}s;^$'CD sp[㺳gJy?1sQAl}龔JX4TI KIyDGY{3zׁ6ו]3|#u|КP|&yY.j̸?EDe/=`"gWkJ - q؞o5hr Zx-]\uOaJSϛPAjB:mvK(B>Lm_w0PvE[#"k v%;r[A3AA,SQYZ}_hHa&2nd̜TR۳#L "%oa'$iXSSdj羉nHKxke鴕rX?I^6qziZNE#-GIh9A|xAQ22qt ~<|nd(ETm  - 7]PG4$uٍuV}uo -#HxJe){ # $ :X@f~˟v_n6. ~L̲h8ʎмW;50*h-<YL1޾|1'9\y7|Ep~oO9A3٠"8a -l^wN_Oo=n9,> ˽3!)w{?)ѐfrϳ?(lnf -|*v6rgP?7#kBʆ 9/WJSv-4.88WA&Ic?@Ծ+%3?a3Z4o핗7xGRJ; 1b9L >W)O"l=о%G;A"މ<.N/3Vaʘ<;Eb[/9FRu)h2-p_ZC\eBXJ"L4rh?> l>@TONhY 3*CS`[ŧ[opሇ(waḌ"~g~9DÑMC:7U?FU!*g)y#!Ωsp^;sG=YT|Dp|m9DBݍ,ѰG&xݑZE<^}irA{Nz'W9 wߘvvPoaofyf>սtq3n\FkCkE?-9v< -·ȃ;K7L{>RufRҖXM -h&GV<9'jk1 -qDF)4 )N}o ,:80ۓ dTǏM@38򋲏+6q\.׏\FEXG&g[ws35mt~ޣ6l6;rRyJՈ^g0[;QlWSFJ6\IS 9|O˴'- bf9(jxfvi5},gʆȲoY9$Wޞ8w_T;==%JL(^1/`aQz-3̏J Z.;E*xjI{PQY+|Aь,HqcuDK񖊉{@$bu9 8v\-(}p f ]V1bi+Z\qlȡ?LQ;mF&֕96YrX;u?-&hik0%Rf\}TL3~0`|2JtNdz3Om6b͏|b2wb> FziAWƭs'_'Ji0hYjɛZp|1RߒdbYZ_w)|%gizf#(lE iOı5 .7Ùي. 
zmG[wlfk/"wNpvSWԝ Gk q\vB^UDSusT|b}4u'"&c`ᕇ0OUtp Q~@~r6B'.8LC -SOO~ pi_J_ )+pS!cM )nw6hȉs6g1INp`җgq` -Cۚ $ C8-T=2KZm}L0/71'¶1 s2F;Ќ׎VHJ Pez'$7XN1Dҫ<}i]ETw = F/>/7,>|Eyl爗嬕;[ r3 NJhh)Ί姰^^BvE=5Cӥec20]y,@ƾ׺+KZ>X S* -P"i*spLHSD4= -ӉzH^ppˣy.98lYMtg=X>Ž='@ jhPs -@͝3N!"ZY-"잭( G^v8|!Z7\K]p9@DI2\D,zOv3Gx9bEA#i;6qNZYȷ!D liڠ¡Gcy 3{*ziĪq;'tS$~*6gt/F-s-YB(aݱQ;N"'T8ds_ʞn8L2*I~4mZu(b]j"E #f'm{eHANsu>D"?`x4pXA~ą?$;+o/\> z> i#ԔRZ6 #ݏL)foKƣ >q -m0f2SA/C0?HY 'BmعK惯D6bjD`BdRv.F$4Vu;dНlmG#~G|=]^] -Ϭaw+Ul SeDVތ*} <Ւ eMmFRo InJr2v)!x72< rߗ>AF.OɊY@ /Fr* ڠ~8"J! ?u1 1X i0ƎI.DPEr_ͮOx@K# -J65kSbak)tgfyԼ+c; -# t -A/D[mwH~f׋5bO+y\rC`rm-0I৞~ʡH8KI?8~pR3EX~0nA -XLHLyp@Ε 0}BL%.ovowػq&U\œ6o{.CJ?pPSUSNdWnCGwLb*݅E~pS[cwϜq@9Ʉ_l?2!J PQzqz/)-|1eE|a1GBc]= GǺ}Lw<*@HMqܚiFu\^E -C7$6;16mE‰Kr$4SG˭CGMȟ}y@3Rrkpr +Az)l6",V/6mGVbS*yc w3Ř/ --DxlM4J* ڙԫ@].ʫX &f\LZGo{M e>%39%}2nBzҷbWbο#ʔ9.CNaFӪ֐uj8]6=0G<[ j:t1~:D죷+7"ݟ -t VAš*Q%eh`Fܻx-]e"AwaL{p/-&DMzdaǒKrk!G^]l3|P1Gzun$r\z^G;YX ^wN];h f|aU80N -\Lt4IH㛇/nsz 'wOtI3c{Tا;溬fi{].gk%W\ǖYX-zrKxB thޓmiI)G,:V"=~Gnb -xXv=l:Q1Q+Mit⪷˴/ l UXOY0hc$SkΤ蕸Ыު :/%:类Qwpmo/jQf -_F2WvAl:|4#*a@e1w2eSB -J --UODg[¥uM&8#lm78ئ MZ4ĻY0(,^KЇƪ2f`|bwJ -Ī~K6M /F-Iv2Wouhtd7P7ۛ%ka81I7wJ '@;-TWd4;=G/7w(rAK %ؔq8"`qSi% @wrIbgwfBV}|85?\IOm\'qܬz t- y+R"1*&Qorbװs -Ol%' - V.jcx=5KLM{kryV},#ZJj;(;.ZϲU[WNPvoǑy27Fލ~#rbj`KdVnrWjuOvbJN䴆M2>KOqvZ9 4#FmE{JCb&Bt@c%MiqnNQf?;8G2u8&pR8Ld w6?^#~<^ٝ5"|z\ -s1cm%'zYK)p'zmT~F[=*wia+\|PXpTZIi#gٷ &w7L]wg~4{);!l^'ID -vHa -r6r q^~3/Q:T̎EbE#8ގ#EVZv(?[ILǑvnچ~$8N_8!~!"Uv#`y>LU}

IJE8KzJuC7 6j:E_{v)[ 2 -m鄫zSM`+K#GR,E+McċGWh48(q6 !U*S't'ʭb$7sOA&Ugq\ń4}p蓻a3u3w>(}!rTlf=}nKiK#E vor6J13٣:=ai8ʭ}@ .aH;Hu_+|PWlF_AɽK#o䉆{v ^A2V}T.qZ\iθΙ@M2 goD>t݄m㦁^پ^#@K#._P=/Q[;EW IXk qQ|̃Gx uʴ# OMQ^MXB\ӲikOI`~/<_0+5pMmiyx\50pƪ0t?123Otud:y@A`e̬DzzCV[ 3GS&>eYVcdy\Xo*6[QMIo/W_ 'WʒZh0VQn94~pGc@- ;Lć#Xo -c -gSd5k2*Qeڙrh]a;< #dA:;0ȡ{q:TP׹~hJL R]e4#QJ׸|kQZ0hp}347#T=(|WZuk^_:U$dѐor2h9fHSd_}) -Aq't*}y+w' [WWn`w~vQ7/C*s.=[e3i87ŝ+>/P/kXwk|xJF;ՠX/M|6Ne|YA.AjYҤCnhwpEC;NhW!FbM4_pVI%kD|gGb]T䦦wy2]禖.~sVqWNY|ojb2ϭ~RGdrm3~ZْG.*o*g0MpBKwQ?)n0n[`w{'g(C/zO<7>S6)E|/ZNG\%Zk?RZ,ԳZZⵦxϋ p-y -ҚŨkc-EHluN8z9n42Գj# (-|Z_LghMWUaͻ{7)N RQRjI+w6{ -$-DKcm@F-aՐzL[eDbdCG[pV"*gR:ufgaMJˎU^u}EolXf -^!Gerwq[jbS'Q0\ef>?9ǀW,T>2#X2dHQz:'ۮJ;R>ʂ9ݮuw"&Q4b~h }CQ(]yTY3$:7)l΁ЄAwOJ[ZdrńWi0lr\BY62x@Kne *u!u%۩Y}j#;bEZ`ÅPz˸'̨(@qssxx`('iC|\*ik87\1VyaƧۉ tn7XrmH|D3i#9A[}p:pkvJzQҮnV9+-"G2{ٰ#K:tx$4ms-%H_@(wFDrcp9kKE` iVpp9\v ^S%3UL+g"2u1|^bql/8ؽg5tt%kckܶ+EXz}V:H!0 -@ͭ,c𭤳oe| 3l>/7AT/3O*Y9WyLn8# -BeZxhRhaFU'J1Us2H1S.Ez KCsv4CebhľOwŨ5 Kyys\rbfy5U|K,S5#&FWNN NvvNܴr`0Yq1W>*Ρ6y(BU>'Fq*qvh_,3î>?n٦E!oO4~qwɸPC"}IM8aN&|^v~f#c_R ߖ*@K}?[+>]I6HDF074(W&2N$mzPݱyC^Wp hG~*J-%g߾ߖbi>*^5ݥS[|Ǜnʝ~f~J@3V^\:tѰ#4Ƌ .Z}M9> -}<=ܫѥ]4ia[L^u:kEK5z`;[iE>+}ƥ㢬C~%b\hhtV_zZFPL-dӏNG*^z>uҜќ99HM#?G'~Nh .8A3?&0n9QR@O@ P@,=#ȟ֍R]1VơuЏ|c6@&!g9kk 8]) RI_d݇/pF??T&~!%TUܩ A3UoG)1ɢfσ~Qfsw9ZOj͞^o~rCϞO4~^UQ%Dհt,}GToxu':Jxo>?;: -[lXvWq!QLQ1Sƙ8Xս=j^\"ytGe>_EXl謑3_d`eЋb\.z=phXbPD^9oSi -d+z|txKn]%h.~/D'#A#w+M~ٲlYmJm0nLKw㈟pu?+_PAOVbT$t4R\$6mi;ތ덀I+՛U،uup^L0 RIVN>in*vi5\{c;d'쨦֘fCKWTY{hw:9D8ݮ#E.]v*j|o~Lpbm#ّy{s"ffFnʟ?>o"f?1=ݼh%k2^Dj22)q2_;8z BǮ>pu ڳ<\&"7G%.L fNXХI̊uTKze?z7V,ucF942e(UvIt-ѽjrˉMs\h<;ꬔbmNz5'b9&O> b/\c6Dy+(a"]aԐD9L 4aWF[,c^ຠ+S'^JN">AbzS#dGl0Tti8*VPMf#Xa*Q?s-@rXOj-&3Zkz b+37{ԧ&Br7!HQ[8u0cS ]lC[zrzÜX5H:}nzuLkm B{^Z[\Zk[髏nS @YKO#t?ZMpPRT|2h8,{+b6FzpYê{Rp 8>vqS?.C|Mk^ PNzjZK\y""%LFǦ'EobxZeٜL7ar\d ,dcğzA[# ,ɳw-}aaX *ODR1읆'HҮE{̟(U^}~oI#Ǭ -z3=ErP}-O/zEN^B/U?w^or~N׵U8w楙WՉO{X.A? 
!TU%wvhcOy^suX sCiO哂m .ve=۪]fg97'̖(I{Ƹ-7l^[*, %L$#+?UTUU,;垲~{7랪!dFlWmQު1ؔ3)/xuHw:vW}3;fS a2# i,z=^#MF(-Š&x}lSAe%4y/yfGIzs97~^mk0bafXA1?܍ }<%ʸ+ey,uZwnPriF?NBVf8YzΟtkuP݅+^-o/| 89h}ß>i+#KR_n'~ -BHon l6 M'aBiБ7ha7Vјhhn]j|f<|Ipvn>FT%-VAU1.S\b֍)qQrZY3rt[ cF[^Jk8|I=Z.?(ndq3,ӭ -#k0o~l(~Z*?Knʩ09^8S"z\ -6'c4(`8Ncq=mpf2] L&~ |~+{rl"@qj1/ OH3k WݎS0b{kX(p`F|Q:!G/߽`I :FFn8 ?A;P.ӎMP`CΛ2WXW C1.C^d: 9&>yYQnA2%}AINJANhڋ AFvgetH4}sS 7lh1*m<m)iA E %ݧaiF  nDky"Y&ծq"AA'׻+G~vL61lϫI:-aMKp#U_{PGU8Q{NaDq?- @NBgPE {',Ͻ)>7Mg!`+ Be>gGMsFVzk[56w$-.vfWg[_xƣT+P[_x t ^ODM2$@[+v!KD{3չ+{/͚3Ϲ94 |u+ѭMb8?\dcD3_'0AYs>q_%zgT/g~>P5RVI,4zl3޵n~) 'BAk%8K 6;.վ +mwk79Αef/ =}a-IRR>k[z|zn=nVܪv.YɨΚo5!N+4\uK?8eZau`4k0[[tܾJ6J~]*ϣA^ɔT^G+Ϛ[eU3V9X;m +|6!ݴ^g}C4]{qv6/yPM (l҃]ii:޽ nB*qE|-]P2]ёF:V9[İ?(v?iXӴNp>ZqE[*q0 PjZ+jGu9Xm[h!}'V,drxGIH=;+NUѩFCqw~N8/tC7թ hڥ/˴dEݑ$# 4:WS,g[G -;?T[):4q/ U7 ^qF?~-z5Ɔ,-vv::GIx_ex%֘ -L??֨_ɏ;QQGKE˳H7?on-,,hߞKGd| ]`@uoNa/h+Y[9o/Ub~g.yz,1ˣy>t9J2k\H ě§`HO3qzFɜ\97i%_\{lvuyb&.6{bQ`r^җ5Q7_LubPL,UWtFy~Hov՜_'0@w6ѿd~,zWm`묩$9ki:tW nq߇c}V2G1)w;n;3k?qG_u;`49%7q~<cb&jI|4NJ2lj .˿9Ur ͹NK}{?ڝ/֐r9B -s~K{SԫOm2B7 Y)m{5 -f`53tFL$fJ.%2K -O_|aVq0>끭ju}LZ{  ۽^PwL#hA;>>pvoߙlNooIY '7mVsOi<Izh Ul~͝I^"xƠf w8MgB7z;{v Ϝ\7ݢrA3⪘c3\iBΕqj .u6o~ $&ĦA1D#ԑ;dsc'ߞ_'kOs_k\dLڊϧb8Bq4@Q_U?,9pAJwT•s3nz%b_䲅 kϲլ2?"ӢZ\4J //jm-;mGx4kOSde'ΝmrkqQ<?D96-4VRJ.Oz'; T {⊝8f!{-~ )_NlGF7{;o]VҨ?ӦeF -fj,@NmMՏ3>WZpQ xt7z_@gl'ڋna穗6ya4ɪU d}dv)8yM_uUz'Kdjڤ~UJar5UQTa*Oq3"^z*q3i[P#P6(p^czIA۠>@; r' -+ݗXnΰIaRknJ7A/B!f&/A|h;eʹ59=V<߫,Pؿ Bcv &x7]̉8g5lnWu*FV uCHk!n<nn5wuqЊ -T`TL3e s[_69 -%ՆWׁG-ݔ T/ԍ(졯i8| -q3*060 -㟺./œ5MwV<:Ϡ@P8H3PPJ:q]/[nOܫ$a)F%al7$R0P.`P 6%H7d}dzv`ZƜ^<=Gb UST}P<.@EVC-Cs~Uz޸UnDSCa"j^]}Ms_ g'uO#δP~(7h%fEeR4= WO9/JG޴n^N^A栍〛_}NOAv *# -diV-<ᄐds3@q66`\I 0P 8-NAпY^ՊL/)Y#Linmn+5,|k,WXݳǴHxv]l z$k4 @Qd`iPOqPՄ8-|۟ҁ߂BTKl-E-1^C~{sd0=v=w;! jZB`kwuqrf, ?7 9;\E`! 
h{@-Jo-h|X Gz jޥd<].A;g;-#򯧳W1+m!B+hI{׳ R&@鲹1]x Fq]ō*WG]j9"~)n<.bsI:<強+j5{U\(Bo(5D#_b`h]Ul % 0^VzC\㖚"Cu/Y꼵PS`^IQ;^^XnlV?n(~N߅fJ#keLW ܻBD6*igKՅn{iCuYQW[˯*+25H5s3T [QA}OBO=߃Xw%'Ӭ_6mF5操W|M7A䐡7{ifFouV\+Yꋕ[Y ۩x xXER#ɟ0+@,U╥ -)?!.3E9VA4ڷ#we1]?؆( -b5hnYpX|~4],j:c@* LMX@:[7yVໃ`mĩMoVcPͤwQl -NV+mtk=qL%2+T; nq// VlϪ7gb<|':Drǃ|I}Ot`szd?jmIHspdXiq-<]ډp!R@WZEaT2F~dR{m,>w.|YnU}[S,S֫_c/̖Y9ZfL3ڌ1X1?N!jSm5^׹C2+7=Khffyl6F{S;n@/:g}Y客en^LiG>\GLG$gG -+CmӘ@ X K>[U㱫=ℇv ~\"Iyq[-P.El}LOv9D'o4=wl"#4߃@qJ5DЗU -p䀲νK1y>|.].ҵUv[a􎜾Z -.F!58݈wI;uz#ܻ3r,B=~W)qVP\O@ྥf],(y$OUH}!Sؼڣ7 l*IMotBIv9 GOsCڣk+^K^;g+p୮F;{[[vGݷNT\@wfI PG'6]e0p,>;{c%[jXKV~srY:yrhݏX2awl;<vrnzh=Mlg(H~rw{;a3J~BoZ|mYږLL 0YqFq|.9kt24A(9~Ij=AlaGQ'N!,;9s[-l].5o1\:sm8;+{( ~S_pΨӤK/eT,.A۩\{aKKUoQؓ >Q$RYf/rp-7ۥoqδ ЬGj#d4F,' ͬ[AMol$sɊ\A+{i$UNF57m$SBN{cܱm s"꧛hA~?0z'/u:6Ǖ-3J"6)lTߏ6kSj8[fi.ZĠ`1ўW ?U eNK¥4jA2S?ˑ/6Ӷ!o[2M G/G󸢄*/])sLۺ)tgccuyOǹx%OʞǛlX%wvو:&VN=}΄?Cu\v+̉S5_VwOy6zXiis5U -ʕQeh 틍]482Z,f.kJbGf`# -b> ?i/A>@M2 (w57<ȧȹ's{8\'@ΧAv[G^fUyn*{B?i,5憐4…8G@^ jfPMeA @~l@޺F AЗayqrVr A^C>H9 *=f,toƽ:=79<{O&g6A66x ٸbr oBa}$Ux{ڂkR<7wg)t%>|\ޗ_QcXIQ.'|6Gkt+7(S2=(COC>AX|&a&[['ҎW5uvv1Wj~:III|PѨ?!}+GЖ/,ǿw?UeQ  w~m?6o.i߹6 x/Gk$c9/3ʑV.Bxt2+G| P'nS{I3;YɵP^H:.;sh7Օk~ 4N־v=ƽ.궓Zi[cfnۜTz<3@1/}oH؅eQsEQZ~lOt"GR\wB ~ _K5]/^I5ӟZfm2o{`^q|o#L}~,KY.4/<+w?L62.Hśou:[GZ]!ٺXqsW{<׳\;n(MѺӚ̬$8_Hm;T?O{'N >Lw>21f<(2^3SWnL -ѪxS>vy^I' sf 퍞07I /1ڄ[jS4զYFESZ7*q[4Z+=w ,6aVR])²9Lꂙrܖ} `3Tm|*-#ۀ@iL$sO_sw d˫QGy͔|{֢zDo~Pjr=t,Ǹ-iP۶u20VGW͛ 8$Z'Gah.,6 +Awt{ӗ2H+nqrΘT5"1Vh8$B>㻢Ev5El[4ݾ]ǏN,: h- N&Tm{!\}$+ȽVyWV0#I yc2έJK;ؼ'2 -Tgc[.<!cjF!{0uسdx歚Z_ON+KK_Yu)ãiPzZ.v?xE^9ホX.U&l? ]X^5$^qmk(}:o˯!O9g e5e'}V35m[N']pIU'gvzλU=K|gk1ɍiduUy0?h\m/[c:zS9jr&kdRb/4X^fhIɃʕ7Uy^;=)Ỳ2՞eªAKSMJpmXEv>D+طs.\bYꃑ\'Rr<3nd<uЬtϸz'Wj$RV魒mReSzI+^\noψ[Z",J:LTzeC{⩔Pzm*r]9l]ۣYʻ~ѩ6[VS^dR6JKoQ3iN 0VQT+]R? 
ްq8[(vAGʠm/Q YcEz'3[U?vCM\Btybi6)&E;o:Egբ& z@ -BSsL&k:ioDg2yms|ӗ^}+jdī Z+£ے:j]Zz9.Ƌ)r,)-E[ʅU1 -T`kuJg*|fa2oAlr?M  -endstream endobj 302 0 obj <>stream -vmE#"\:dd62#n%2 -2t5)<=85= úRЯ&Wd2yY#>4ȱ, _!ߥ's1*}dȖ*m‚^_ ȤAf*Am!s˭_㭶}8rY Uf _wG;+@Vيls+ rڇx@NX -?P*Cgd<e[k(;݃lJ7(TVCl17|) 7F RH, Z#@`` lwj/5v@I@ߠr A}}{/`h|>@Gӭ#Pvр!Ȩʯx ʻZ6AV<_]G;?[ٱ6?( Y(u=F ]|$^u؁vUŸSO~Iz.]ܚVp W].IξcT.ӣLJ^~OvJ<Gp*x4sO1h]NݞU=ucZghptv.,m;қ(+|(ˊϊ9O)2}gj[P5T?4fb@[&Ș=s&6<;yE7W; ':Teisk3Ŧjl~]&=8IFd4~s]&{qMtrOZEfNOJ #51&Ӵmd4Y~{EdZ %8IR=3I:x5=b ws޾zV]rU' -({KRMzV -TԧtlK:}{t}Juwd{)r;h?wޯ깾|Xz}N`7L̵=8Mvg\1#*ő- yN ?ua3d_ d d+p6Bs-'doϫZ|&Hq̔jC,@ܓuO!px v[Eb=:a\d΃/zTPI>^-=VhKVfWWUZY c*TmRj<`UL30AzJN~_ߕ '<7{P^v&Ea^Vbc%Itt~gk'xw Ze%(Ua71E]Ru嫏FZYUO$'!Go< יca]c MV! 7&#÷[\7wڧ#r 9$z- x[]F͍(~rI2[[j>'70<{4yNinSj KiMz:itͦd׭ɪNs[7񄴖岨]YpT`p݅nʕ2N n,TΉ ~gטw9N?mә4V9؜еTZtfNzŨ˒M7\yS齩[]ZP™^J8z %@Me2J_mqmNBӝL?Ji|cW*ZJb9h -zb^IPj*S%j֨tF:-ib1]ίNdvQ+5T|ů+%C)NQ)9R<3.I{^V Ucn\Xk~b]܅jE_RD5WyVҢHvRݘh#UQY鏂ܕ_,vPJ-I1;:dd3\7gg8o]dcݖ8k#鍀egU1̾W.՘Xlfq_2˱_+Uό:nĨ'~X3f{\k[rXXBY.8IUTnC_ ֩6qjfy5/?7ѦZ_ -JAjb*3jTz]i1W\21r`jl>LߛkV Ld`G4cQC۬W}T?–I_9>5ഢFTJ+ך]+(ycߤ}A/S‚O0,u6ӶX1ácS;;͐V%F^X އ?aT fOcw^_&qU6stk:.~븠O~ReJc9Ҡb0~#CG>*JtI;7'c"yk|Сs<~Ax$g̟xpk~:d,W;7]3jONĽ7|IF6آZhL=tVF+p7>2;tYT`Z0o? {rKݞP%M{@N)J=fP -FD. 8(v҄bO0i5[^;A4c` U*DFWң2k PgB -@tF?&$a+P cp \!"Իj a,)`ci 1Aѯ`aԠ:N3y%Q6MWt\i4 ;~071(5̠Jor5x"Pl#UsX|]vMlDg}U:V|iTVu ڷ~vW?P@zzO lm$5 u>҇5x%ҏz)-`s3)*ؿJi\^tǽ']@Pg+o\TH@ -E @[@l kaPt(O~JfMe(vؠ>cMٺiLsGh0Oá9:@&Do -dMd>q:OTz@K9\,nl+<F1oͳV֑pD\Obo$Cu gsu UR>O&9oDf`N78< /I+5YU<&"btd+D ލӺ>mseJ) @K-@J?4U-vy4_]⏫dusf3iOxoFS^*\C^|/PwbӉ]:.'4jwחrUX/fy%y$co5ST`7u ԗ 0́4^qO7 -U2l^< ^J\tnDGm~^q5{&8'`נk$&HAl ۸p/Q}fA|Lg2+vz9^jPNLdsׇ~w\j_u%E-KaK)Ĕ6 3F)M'^o99*z7kZ&OA・h;[:\N5i_6g&Ǔm֩O,H7Ҭ՘Z̏˒f}c?H (RwTߘ2>tUṔ@]۽ѿWqpk}b£8oV-qXRM[9nάtp+XiKƛ1!kl?sS:{N?d܆Rr"V 1?L_? 
/>4W{: W&Y<'nw¬o\w~[4Ӗ/%'ھ Hcbpy ^aL ZL6n]n9R7d~ s8^0^/hiX {q8ݶXeqfU Kf% f;lQ:}j[ߕZBRd$'oxu_&o}Y)_m) -[ѢN/tNn!9>9v/VAKյO϶EZۇ[iXOEiCOgkSuL홐޷7X*GldV P}0vՌsК+|}67ҍq?_MHWcۡz-Dۻz6johl_\lcb5?@gdkSSohϗ*Mp8ս^+_TDGf^"-~vX?^(I ʑO/5CI?9 ڹnq}W3:uw-Z3絡3+/>Ё\* Cv[>k9jSiQC@ZlI)l^{.Iui52"R?a>IIbW~ DP-,ffiQ!ݔd~c m|`~Ѫlڍ_kQf} zVq 9"ta?*O{@g*=\d%KO4qQZZn_9.a~@r'C,oozyJGY-\!.ۼ~jI@Aj5Pwerr̟YsBi2ΨJi͕z심ԟ_T8rc=e,hsJS]Lb+uΎmyɇ}I])[]1"[]85]>9r^W&Z|"(qT2ʭ܊+;O$J^Dıh6;c%MZuŸ dFeܶw,oGjթnZa+84?yvBCrY${|K3X2AsW0O Y͓jd[-?GFwڧ{ON;\n -n]^uǢ,A/לoNlݪSlMgM'.am3%`.g^frYہXr@1k&_] V2N(;Bb%Q _\m4ʶ,(Mw+u#ʱ2O-vfFbz=mɟ}onY] ?cC:}eh6ZjiԭYmbK W!פT*RZ3xٞ3ڤs:fs_>)a2Q8ӱra^bM?,ɤ'B7/"Cd$zA T{/ƞzw]$1QY]QTӟ;Xũ=azl_Ӷz Zvb''M)"U)wG Z"f1TRn\#b9KZX(ԟFk5ʍu Dr 1HQӠ uP84x @baād1dm ^sHad;8b} f7XkuZ/`viILP@O9@ME2,@4xE_yKkj*r!fDb6X)ӗY9P˹hG`2`232[VpB(['1. -XX^tmاڃ}"*7d1@s=T(Y#79[)QY,j=R]\ioXCBNO?~5_7 n8j l1|ч/R(,ÇP߀ݦ-Z=87Ĕx YvNX5 -JQbQج.pvXE (u3Qx&zDh|S\/ -gXm )sg' $ FhԫR38> lc/0o`6PU|@! f ^d+_ӁWg`B*x -(84\XP]4cpJ2:w7fJ4Z!%k9KV4yv.ox-BR?@b <A -n"mbNCT:hq_r ՠkɐ㴲spa}D~c bD$|tր+: Q)9z5~ɧ|{JzX߻ݼWuRr /kJ-_ v.5{SJ {re>R jt -C@qta9/i !!={Q!%{w#{.oWj\㶽ܩ,mFӹݨBd7"P., -~3œ~&LM"@όɜqgd޿ -g(w!@2gQUN·sT2qڍ|>܇`\ͯ,ImXCs8_Ags~Ta Ȁt.|Uj*E.Ҿ~ݫŲd^l6^GCsyڦ +u-̍hum"JxN{dMXc{:3˯{(%ʀlc(.{f\q!ѾUqxd'G=O{2wynYlƖ^~~]ҏy̻n: -L[Jfc86%~M $9&zfu>tg~MrXę@sp0x/7o}\7&uIޥ既MφAe4.\󣳩V ~<ǝ$ɴѩz$@7(UaBfa H>w~Go<ў`MrŴ|0袾d27IJv wqpyųeY#2iɶ'x@4y~e\|62r51pݟoY$݅6l=62pGS=[#|9'8Twn9(I.2j1+ٝevi-&ȿN'G$MWLn9kX\_Ae!ֿ:/q~c|ʍCr.Ycɳ{huw$F{Vh_,L)&dqȳ~v.t%=?ʽB^kJ$֫N⢍a/71hq\A6soex0vbjlŕf*y ɤėٸ;mۭwן1^ܫ<Ӝ^ 0uLLt,.:O]lx[c;^)Zq߷8ީ5~f>U]_zFQ);jl޴wSek!RKX 6{ -QbK,7)Ɖ5Cz$s-J*}Q6+[L%|ƙa5v.A?2xv/Î !_:>vn^f!\7-USyuyq=PmL5D=U4SCnu ޺zM+kj3Wkz)Uų`^훲)W*Zˮ_`7z$s35z >ƕ -Írrl=HYe'lR2&]]HܓWUKZY=ͻۮądT$^IvWҍor\o;}iU۸ۚϨoTq 2?|J 0ҮVmT7팡d6 6r)9u"F ,kݖ5bY-f5-_  }<^j0ճo0pTʱu?$Oߛj~3;]/i~ki}̯ato-;}5|0{8:t" Zf;ƫ+o#i-4jnm5سW5=RxQzFz6\zVPRiyvՆ[|f8ܬ*Zs6Hk4lNϋztLA6,/oz3vCn-\&C*%֋k^3QCRLYH\XPK|~tČ);UOK0nx1`z 2?wM)44#wBZHmUeڐ>Uh͵@r@{&6w7a#gXcrn"aw28E/{njqU-=܌R _zn(U/g@Fi(W%RKv}Km'Ό?.ϼ/_w^1MJ~ʵ6qlJr#} 
^n$F-sn:skß[mJz^.K:Q/wLC1V~ -ZXo&s= fuOգ! QO=8wբP}Pkԅ4٩@"T&{W쎃J?KxJa)ln֙]mǚح$(O}bV2ŵVKϔjrlesߛ)aG}?mk)teB^iKQ)(&*)# ɺ=h@=.^;Rk6XJH+]ߣ둽̨KJ."L-Gt2½*=]**>h&"+e zue,7Wt Jz$7{OzbYjftխ9>kz=o(boHUw^ya#UPXTY@Jxu JS5% ohG Fu֨6@r HQ#AH-?G+H'HMF(=RfAj!f_\@jaPwUހ(w:Zz(UHA3 TO+ EZ <.HEXh'?m)~i[:`nyu m4:"S8r(Zr+h Lp8Bt}\zN.+릇74>*Gډ;:O"9o}ʯ?֐~/wV;.3|Z+ tU|ŎϨЧCMzy$arWgH%T C}w &ȀHAoX]tsz~u! -v/?U`cS~tco@@'8;}rͰZY -Oh,d&{ ŢluJoUmɯAӷzxX>WWNM`[\?v>e([ﵾ\ϟeqm:PB,VJevoAvCO8#g !&x[>^F~_sio[nW]H^G\֍=AptsjypKyoL.\}%ܱiሩ`2``&PNrpt~xsBY3A;dDƅv`i=5w$,7v=h[fS/ I|w6v֋;Z*lӛyv=/w6l H[ }-@x'^t/;|}W7c-jUr>aU.56Wz@5ypvLY`ཋe9Li^T;r*=8wx|>tHGw#ut -}!^vQSnf'd JfǥB~3٭fys;Ke5Sܙn,v ȯHAx|mнq\Hz:v1;LvWܦ(bèa,1jͳ$3+]./BϭS 2ow6;V8:(yo ~lF1('\wZϫ~wfr~RsUe[- 'd7j` ʗO{wNqzon_qk```[:yWN؎ēҸtWX!'Ĩ֡Jׄ>؃YFQ3k3ni;Qd0-u^xh$uMwuru<&u6ӕFwaej~i?&;̖McM OǹaygNE;Tkδ%[\MaAvs5cԗ~>(հW)3BcΞ7}t{߮=4r>ڢ XaM~GbЯ՟ Z٪z^U{ .@n)gT"Z|7Y;q7pvbHHsN~f{$A:+k 1>Me=Mge 2O!FVWu]U J{ePf*?ɫ#7jNSnԭ9֜ vӊJhؖ8{τ¹Tr?j̶jMgu=,Wp{pb2I/ XosR4=M9 S^ :֫ 5ױ0_6[|.#ܒeًIyއyVV0C&q(20#G{lM]t1ֺLI52n([2OVnj*@,Tu6-Yg6jQ-T0e,h2#jt| WʁÝA$!ԡ]c*,lMf6G4whSl?RݙJ&]Br Z5C -XKּKV$O#n1HZ' sus>dGo~G?6أijTV'n9zmr[= bhCz -4%{/Sf)E(_ЬvFzbb\ýPy;*It0Բ߸gB?lQX_$o}5^LEyt-M- ^M^>'~tF d6} ܉-.ds2LubnFDwGV=r4%p?Xmv$h`o/.zkk2SLO;Kùj/w7bS9kori`n*;*=y^.YzӲW0 s=^`G+])m8 -.۠Uu8wfua_p9 4gPLZ Q~̯5 Π@"Y.^m5p\@Q q`='tllT7^~N}Qm>4֓[ߥW.Y_+lO2,4wyI,L -|Il-pfgֺz:ICc^FtIR$J*TV^y~3.,uYVw+G?%yD)CUd)^=6][ ejW6ƶm%GKSv-wa*kd -S KQaɪ~a}nߋ>Mm;}1\K(Vk)Gkc'`5޻r%vF\+]ʛJ|4K,T cgvbH"9hTq,ff0fr27*n׾Јuc6j*MOm5-.K"ņ~'M9{b͝YrzE桐}Yd䥼-N)u%U 9=:FLLp*-8VBb+vGrwb2AqY$mW7}J,Ȝө7v#3>GbDjauJ$Гd5#cU -µDҡy4#  Ȕa΋T5R˙ٕ"kTWb ]ո)[ko x5MKXY!ѣl#t!i 2+#S!7ƛB!)TiTH}ȻH$E㻉bwbG\,ދy.2Q.lZxj@6bQܲo$28v>phX騌a9pzl1@tn%~$1i}Q)SXIOϩIp=*=&?<)uxJ[@s&w~Q!f G4vJ~.9ڗo=݊|btyQ.Ň ~yw]@Z盈Ǯ' ?c&Q -|yLG*K/J>0FFO;Ax]tVy4Dg}ֿof -ySJ^)|;W/Φ#?B)en_0" hUEگƐ$-lx c9gF7Gov&U{i+B4Ew.kb3g+Mةv{s{}dns1ʼni?b9φ~aN KMIZ(u|Ued!ہuJv\js~84o&g,]ش޺? 
8r6 zg ݼ}Ͷֲ).6=]9h%qCn9b Lޔ@:KO?Oe"):wk_/`Exї-w>ڟ|OgQOch4i}^v{" /]\z0k.yy1>Eezo@j/t+IMۖq4eL>K g;SX=&ȷp<0mYwi_zWYCVT]2k\ƹhlGJ( ?f@+$SҙUyΰat7k{-\,f?d -iyŒߕN*%훹bwa^2]26J=qꤴ'Cbh3 - ԇG5fJE@tWxgޏ99]^CfTn"ʨܫ5ŇZM~jH ?ZadJg>g'5!t+8{~2wŲZFfU΋=Hq 9;eu2UnR]iT>5FڔP7ޮE :f[݆h6獯mT㾡nZPҊ3ᶽ6ٛ*d31WJy'MR,Lͣ1=^cN?nWS`6{VNv9Ymy䓞3MuZX_ѥ.;`*IYbH-Ov&Xwmf}k^}~q_j~gd#`~G`˹n6'-j70Fm&AgTQj]f|d>ߒ&Ue(fgtp\ -:W ֨:|vj[/l}K]?G> O~le~T֍֤ʣמܽ ۀv/{ֹ_^ZEb;R.tiΈ?d M8Eb[D`m"?e.ك?{sRH9ͿF8#t3q^1{rz/kJCcn1å fʳ#5D G B5B;[piMl51_Rk2=E5S<<ٍpX2jezju7EʑR9rD_Z۱D+sqv]# &=SMԷ kvQk>kn^=֜D==tkl%qǹp`=dsWYJI/YW ۤ`kvU/L#QO-݁`IGLvognR.=[FH& -XeF50]p<٘]fyBڷ?ܼ -sslpsok@\+^ČYq}i$%KA'],.t(l:CpeR4:9>(ՋRφ}Ԥ;thOqnWs6m\h sU|P4b dbi.n%b嵛D\\P\y)E)itHV -ks\ Uk+"Wkֺ.v C/-4aaTLI-16mk6;Kq=׭&M}U']Rh\kWg|Tyo'݊77O4l6_F1Wm$T{VmdZ~uz686NvӘU*3[v*hMit|2~g>{)T>ިRY8Ul$V)uajԡTW*s}se>_f]sOXκ?Oݝ~{6ycĵOO"sU{rGV?IUAedTL:vOWrQ,V~O+ûP~uck7{z+s3`rQê9VdU"?+\edYiqʖSJ(oPr,RN/*| E}% c[O{\6ҚrfF߇ ?IRw#%3@Grzթ)aZ'D)̬~@]Q th 8\5K]^l9PE]r$,W3BewKL 3]!:)(S=|8(^-,K_ovq {qa4nH:3oZ(>[\7:)~+ji.>)o ~. oI9b|t1FWGm}D!@EG֯veZ Y=N>8mdR]t:rקz5zݓkZt*d)o -"4!jzyCRp5  ]#'cm!O` شeRc6!ϴt|J=H)WL?o@䑋\KN"9\u}}# HjNObƹK -VO0^]-twv}/ _3}"CCmȳ}o1DYF(e[ٚU •؊%Y; [ -ƹ Q,@/_G`'ArQ<+f -؊9*D3  YFQl6(.%!~ 'H?_k pC`nR*@9BYH;@,/ܨ0ϱ+|[A" ’޹!]׉ݎ^}% =ח#W0 X%Lɟm䨝z 0d:{ -@mHR -@KU5"CvcH:l.w*j?VlYSۓ`vHFƏO6ߚz##}A^t)7,Hn&sV+9\*oto]:HEejWWa`wχϩZJZ..hA+LY\ Q%0ϖ00WDn}* 3/O\ Ş?8Z 4=VmT|pXY["smǏ4s<],+ny \n?qg9~0}؂cO럯 \Fh5AyyS<`k֊jsɧg)Ou=^yut.2Ȕ{9rݥw%C3Yffk1;r(]FA'iIUh1-/ =ϵ!>I~ôGcG{o>=s?m}GNQķ5mY&n۵AS2?ů/I*Ā@p>H:R;IKs78osw)i - *kχLY:0Sލkmj;m;ol$ֲ8nr|%ljyZTvc>>89Rש H| -cr)uQ Ǔx$k~֪27ΑQ]$]QjaZ<9UѲELi Uk;QϷ5&99[P.+ڏ͗S t`ecWZ.:BLgY\ƜFlQXhoVpAզ3i黱SLu:x(ܡ24bt=g?-/y[ < -}Y.ծΰ\rr?{۬jtQ=&{ќdkXYԸ ѥltk= N$o?mj93vںVg9YWnLO2ɴ6|jQ Cf=Mk:va[VHقXR/pUfI1+]=Or2j= -BZ BYe~v[+_&VPR¹@|Q>w< -O~kgu3̲᪋g.إ<|hNvLuڮ75s!+X -1/^t;ǼPIf)9 h2on~%dg{m$R??syb1[zh7 hhj&Czh?9إX> l|҃]a)QWJBW$uNВhPU)}M>fs4C:ͫ&=ҢG}'AH2#3uQHzf:R]sd~HHHnF" e0'ȭ$|"՘+S@xMztSӺåVX4k-ݡB:^ 6G~_2U Kt:bw8pIx(T'X.[R;yxZaA;F.%|=!. 
-y+d+/ݓb|cCJ{Q*:A\OW"3X/]<:h^[ =ͷV`A Bl$;3!:2yO#bw װwb=1֕ W{ "_쉓^_Cd^PyN^u[myi@|Nߤ4;J -7NMY(d e|+elďcvO;L|묨wl-X+ddZ~i>z M(>!f5;/:; "X~9[9ShU$4*~Ө馁̀Z:md/~>-^{Fk*`}6)U[?ݤ5$m0HX͈dqvZi}Y2FڱUCf@Y6.0w&K -d @9Md/7W\ݼ{Vjp'#R?騁nTE2 ?g2eƑEV -uֽ*d~(X [ymlTs[U,^ -eq!>e#Dޙl??p.|˧Qf,kŘN.K+*[yI)cݵ޹#^Ulgynw-ᚬZܤFIK~[ܣG[n~~ZEbAL<ܒEFuPտ!QY#u%lqO2Ma,fx؃,b0GمSR}PcÞW{+txn :lj]iљ3W[qڷ9*GRV+*G\d\F#]ݬdMI튓uJJp[o_{|jPLӂ-{_c-bTzj\u6)UFlQu5)*`],diԠnh=3"Y0E:dVpp=K \Ԝ9]אxm;zgKE:F5725[.+b+rrlusa?1d]ww2m"b%2TS -&/D x5vz~CTFX\Gp\KH#hqϚ6 @z]tkt]m27~vJ+4iMt1< PUń YU ^s0Άj䳂NI^nRA~z!O^QY(>(^Q<৬C#g8o*z3B ^"N!m2@paCx!9zPY F%^!@RP(]ї"ҸA4\}D jsrE ʐf2@J#vF*WC-+`Ϙ.@4 {x#kG_-[7X@NSW"&\X[}Y -r}mTeSqxUjo@7 ѯOa7p7 -Q؟<x0G1}]Gq9EqA@䦋2d݈btQW )eG?"EǠCjϛOɔyZB9/FI 8:][b:H   Y$S]Տ8^7߇E~y,Kx }x~,߹~G=_7k7a+/`m| -/ڐ#I"n`'Ԯi }ۿuz"=bI>`[|xB4lL}|Ȣh7o6(|-5v[O+NAf~1A2r p'i""CSH"yFR}gV2xGLvkmyK~*nՋ<u}WAky.wcLJG,rXtK{7 sd~Xz4]|?mSog.7瓥P|⍯X\Q?)q#*-:f}Z9՜NG ^BBdmUK8Z7_LpޞMޝh>khXiun{/y2q^}"#Gx6܇8 ȯտ.P9>r.Mg^a8'=8l7g|]ZNMfqoIw:1d1v*Tg],NXr>bFZf0nMUS(t~H*P|?bwP䬕[f5'w돇5\5Vgr~! 
Q6sO{XՃ @?뎇vХs޵=Fv6Q]W{Ӝ|Q߇Fqi"4cUM֔vdޑ<{.efݻW f}T^C.NT;QƸuR՝/4;9Nd6,l@Ӎ.9?C^ᴧ)z2 "&W!pYn\9c nૉAYt_Ӊ]XӲ;}_q$-XP!6R/p55^uuSDn eW:W.ڤ#PnnOTj0hLк 7TtBvQ?\6H5{5tjd|mR'_( !Yt'!l%dIs<뭉榧,}N.y]AwWxeOj;+kTrj8[U7'snl@ eE.d`kX 0V?Ms{?s~@,`rj:QZf=q_VToI7ew9lదF+ U[RT12 4?4ho=}| ņŢeI lPMt+<~\qkg7c]{L5s&l}rΊ`YuNJn|j+Gҕ;njir2`5̅l4Σd+3igEM 7^Ʀ1֫YW+T)UyK3{áb6ΓJ+b|Ji6LFv0P"H7:ŴMlGF>|< 3gH}ճw W5"z_SsM:'UfW6}*&^0K`VM7(&R7X=4׎Wm5~’eN%ufW%nϳcVYRamjZjW+JoP,ŸYjOZ -}nTQo|ӢԶ˸\Kƹ-luj/gZ֜ TŸҿ\WDVOkeag2=Q 4Zs{딸)9oǦY8)0,L(:ݭ)dN\:fq>k)k9Ro@ZW3yRm3'nG=UCʡ%؋ -7 ->d!NLD_g+&ҧVrk \-߁H -ĝ!]sl/ReJddNCZ=$2Cru6z -yorQ(УϔʥT0Y]14uQe>h(ŸTqr?Apo&d$]H^0y ᚺyd՟ɞ{}g1cFsmַ(j?A FQCV:$DFyL7|Q$INĥ II=dup>WEgbsa%>dn/w/cJkލ(=:WQ4o CU?Qi"e!J26Ā%E0 -O?q,B,xeQ|3`:~}fѷCoQxEຆar&I[r5dCƕ jD!,H  Ǯx[|;a莿I.Fq:ZgW8wE-]}+>^Kf=G4󄌾7}3h!"r܏^.lá[>G~tXW~R㾥Τ@F|"BuȅTcP}Wֳ…r@<,Ut}$;yvz|Mr|9?H \pοy PKz@zt#.;[ HNgoc=XWrMuƄ+T;$\,5~'uTxBO 2:M`>*p!nPK}zϿԝ_Af?5#K"pϣ8?ϩ֪%yofYk^ @v7'=^{WݹTBǮ_`pߊ tf4prT .K6ڌe6f9.V^[?o.b*ԁ0KzJ]gBt3ޣ%7x%zd}f::Z$}'('$}AF\Md;!ZhQ.&Oi=K}9,u(\~v'@3/ sFSD)/3~UO:V/=&udzֈtetO\qzju ˧vz֊:7оg9qj7r -K%T\Mu-,5RJA'}" dJXy󮣑ȇQcu9:iWg%rzȷl};}Jf3vpw6EaG9u- jY*ypOΪ83݉ձ)OjWj6Uzc&zJp  [/#g5+!;K;=m3[iIc$Sy~^c]US]ID@sp]*m 欈 %H0A{1ָ -֤(Yw͚hpUxVr0ܤ0SRo3l2d.GV.3, )L1g֋z,A -5$,Pd|v^oHOlʤwT -(zoyV@թ Pe\rBP -1G㓰z~r0^`B_]ɰj̰0WǦw+=(Q&QB"~+{ٙt|ڹUɷma֣Q?aS@uν2[r4zRm -'N?lh%\ 1d8̰00w\lf4ZHO;H- {pnphNOO'[nxV{Uy˱< - R1ZvŊBrY -xhMOQl_tؾxؾd2,Xg3g䇬Wv6+mί,OÚ jw՞C@uĞʰUݒCCIC>P}ZZ!NLO[_ --4:Do׻=[jSCˬ;Hd>ӃjKe$9e>osuPp~6-d)9CxFsX5ez1:؅zXZ4Nw)WA0F}h]֫ (|:z-&3M-*OAZ -sj(kNiBRv[~Z1  -ÏۉvٶgѠI!UUuyLGWu"VZ6-SQ.n(lSPGK7)|j{xSt~)!5P+AZA%>ug kEKգ)е`w-^GK&iY&l\zb b=9PI zjkk0Fy~7 `OVGc -cNyDس %gMRR -S_[)TÉ8D|NtI5֠!9U WeZtsTIP^bc{AC9(0+ ")B[{;6K:ל$t] Bpoinۍ!Gޫl㿼 oty0 oĨa!u@#5j/;~{{h@'AW#v>V>tsJ:{Yߘɏ4S)8 -->j74?Y?5^΃T:o'G;2 ȴC -^]@)t;bviOұ(fЁίqkּ7j A .z(;3҆.uW!P&TO3-Gz!NO58d.V\u3t%bf˫bO?M+>My[fڴ~ /np>?d^$Eaw'W6ws! 
WiKcD߅wyxCѪ],lxۛ[sx^\f2#%کæowo-݉_-wF5X 靜R@~ NCS/s%oTrOT9غ]}}ƹ  s9ǧNOtu9&mkoo%l6^\&00]d9GBB9NV< E0KZj~|ʣx%g֏J?|ۣmm^%z_;u&a5y?-.+>oNɬlESWr$Շn둣$gMy<]+^JZ?p*sBkUD7 ul[Cӟ`>qjɴm;ћ~0<~Pt㠨!QA9I.X7eJXB-a_$: UR.6}kR1zwNA,A/E)V-+0:`_ެ_0Pl-kq/$ʠ\&A$3jntRzb×a]}g|*l= -Opt)p_ *1ކ*;n\ؙWשkѹ]A:nc>J;?Jk/kMVf?+[iڻ^zzejʪsӶ13⥈ (k%KϠfP~bY5vaVg#}W뤣 \»U)M]?gܳ?C卿5_]izBqWbzM"t^ -F˒2G ^V`I dBRSL * Ƨf#}Hn:>TxM#sUalaV] S|}9+Iŋa= 1[;xeh}oy 7 =l];jB[]b_~7t%*@~J]_6a -Q#o~}`pP3/qyWe=ꪝ1͇b|;lLql)^cɍ*Xn['Gַ-}Dnp^ΧMf:o/u_Cus[4XN -q\q64pW&7}. 3y&}x şeR/5z1DD ܸϗxם6bpcQ2镓2pjX۫V!BcPSFs^3:GЃTmGR2~G+qd_r=d:La8 Z^QŒ9r=m:n!H/LQ$Գxč>̳A^_#hq$zn \EV5$>GpyťW}>3`z$a㩨:yd Mݬmpi^1Ǩ}m'GSQaL,˔JPȔ>F)X-K.t 3j|1[C{>N+U%y>Q:oйaڃ^]/@JR/8!q' -~}F8}'~ꁽ^)!+myx6cIDٓj%'@5Um8Sbۑw(y}ȍ*^v%ụTQLOkam?v=) # &S?YN?FȐm`axQ1)y]S^栍v'Uv}v 4ƒ -- -Tqhp34-QJU8O  ]k6p\_̏jb~!Hk/s9:LC'z1qk.z^ߣ;Z>]Xhwg'@:qdtⷿ$jSޚVId͚KmcYyYfT46R#5'DQ2*:/jҗj;%ԽݲeI#..+>wTj-)nJ̤kLjt9_ߨ4;.%jWJlc|8.rT<39,ۿ=Mw\+[YF )@>^;vei٬_6sV؅]{?[)|U)9hM\}NsI$v6r9rMf8_eXa$+ׄmhCK8]sԭ/hsy PԢ99o~ }5+"@;@@Wl@/} @n˻aMVZCrp7BLl[{W*9[72o<>Y9]_/ޙn.qZ8o-jIȼ~&E6?IzO}$06dN^3-}& ,rkǓӷ2bs2/$չDi@_b2y${?LO_T S;AE~k-Bj#CCcJUS8{{3`&C>.RH5j.]+O?OrOTTD 9_497zV?Z})5Sfjb6sjeH4dO)I -"B6)ɱ$BL+~^kWiT"!+?fjoQMu&VvrOAO1R -_mA{;/yy\ۓۓfޛ[wqZ?ӡ'T89̆K1m߽?]ৠ)Yk#ހH]P˺q4nq .^&S vA&??c+VE-5"x(L{Ę 7.ޓc+֢ ^W<,u*Ht&qx3O6qH]WA+^ st{8y ]kPbvm6:geAwkXjjo}`jRS˕Qj5{ց>v1=á]< zfȡZzX6M5|*N=a{͵e?]n_g`%t9E‚/|\?%mғ%KM_XRj~_bl~OiVæߜNR^i˯}oP[}E Y jɺ~LӢJղI|[זzڡ Nnꖙq,G# 0PL{MGGԦBOB!V -7O!Y1hk,ZۅP׹ٱ*f֭N/ͨ=%<jL*|b(3V`r ;e[HṀvڎ`R(:sp -[DVWS/Fu0o5 ioړ٤Ih|1ᇊ^i5!5[Yi[o_K_QxqmO^˝~]pG^mpv?Go I.4\n(:Su$;x 6[?YV$9y,gMX'j6|qٞwrt}Trʃ[0+[7ѕ5N{cZ4r`P -<)ڳLD,@X/}[ d".p^l;\MNv -Nb$[ѵ[(.~\uZUQ}*IZ6LZ|$J٣D8SX<_}bF|޴bN8kB2! 
N?<:*!56K0跚ٱ {N!sk5fF#ִUoRPZc+kIv)ӉAو%ʖ+/mKP\ࡱYqp)wga - ;ZQh8y63]0Fo;[{k%fƖkoNkPG+5o+EeR$f0!jva|c.8C-~J5\_ЅyCǏz?N.3I -HU缍]Ѫ]UЍcX{9wZO볖 !MpW+~,>qXdR/qCo3෰3_L~ƕzjmWർ3f=d e -iF U2)m∟D'RrE>1HlðNe8.&=CtX gS zȔV^U\M^V|&% l5`=cM6L0QÜECqe#iH<0|=1h==`T!e.19FHǑB,>{T,YYɠnלRzf-q騯,'U:ؚĽL$NWFca# Ǧk:|=Eԑ|]@?- lNgylLhM 3Ur Ҵ53lf9W?%.?0*IGn?[m(ޚ`"f@G(}VT{i9P ZuUnsIdR2 Lo5 ]os|dt 4jZ X;n?vEqN+GhM87ҝ'!Z6chnfh"ޞyk&[պWTJUw*ŘxF9s*X z)ΪZ&Y)ee^nr\eb(l0k͞W݁ˆCQ0(O^GοpmgO`恥׏XE.m \XbWSH"vEN<T*,!HThyhW$L(wF%쒼:Й]P~ZgK"AR .a2Ն1Fx~oȴ4k-A'ܨo4c\Zr616gwޥ|jS0=!%$Ghps8HQog v= {/-MbVa؇d$ dlܪcЇ7' -зp43GZ`迆}j)JRp}FXb*xo&{u=mU[<4TK+߹woi -z}PP^X0Xl 6hc/hxauiqȆy\ ?Y5t -`<Ph^.WcDp`!jʗ3u=&^ (8@] 7@,D Ngb ZO_*IaapH%\^9:$4qg޶7ePf3k-{{oԒ]5w޿28F?h6l 1w"俒8XZho=NʮfSȊc>K11S4_-_?TVj~1$&Ͽʫ_?黙dLV6)~%<qgbK+ҁ6'*;:eg+vοJ\{*LϪ<;_[=l8Tj*=tkGAqPء/wſrY}ǚ*Pc G3w5v*<ҽކlWծSWxc,~GA_qd-O?p:|{#FF~軽{[wva/_øxsOp&i{~d%GՂoumwrd>tV"xɤMKi?S`Djt-+wHiq3>:j|q:ǒӄ]}cP;Pn\Sv7|ԫ5zxWDzS\~7r9nsg4#vmg~*AT[egTȒ?ˋ5޷8WYKvDLAo&LcOzxǽrXp@"ϼN? /ovP?"p14>q}mvpvDaLUt ЂhZFvd5E_EnsLC+e3s=vZ9c#1y@UC}\= ;υǢ| BO똛d|soQ(~eb"aBqZ -$A`>ͭ=EW/_Ze6w*5`X -ow̩un ?qF%76HW4yMzu|UKH5\ (7q}My-w\Ѿ<;g?[?VUV!sh-=f*ޔۚ -1Ϳк#?x/RmND2SN"_ -SvrOnMюl(̈G\m,0KuiAV*ʡ7$4;KT5=E1/E٫ܛ#Z~x^-B;%j*R}܍W>K+"ƻptŋ~uAf| Avf'iUu -/[s)=$%NLd - :J6A=Co'?S)3 _勜:8v4JȚ$9|^XJ4%_1`I7 z2;atBz:{s;Eys -Zlp5OPK9ql^Uw{ϥGͅz\-Ⱦj`U{ƽ8wǯ/}Ig"%pQ7yr19\)rIsI#lώlOv*lI} @j}֚yo -(7z&g&,wYNaJ˼e%l@bbM~.XhɼL٫^ .W(`ϚCGWD&t1.g(P3 eLFhNޙn6̖&y:b8CAqݗ ih/Fo;6߰ɩ>fٵ՚\?P&,'VqD6POMC/rZO-?(rx&^ {4S/9g1Tis*B%HlÞ -^1żDVU?(pl~KfASƷl\Li4m:rR~@Fb1/;;z᥆߇cXV/"j0;5# if'7#k0x"d/6k";;a!хkV;/Y@+ol4LyuTEF, mhU%%/.1ߊdI7΂?* )vxY#h=v =&z,utvV -'SH>C-c -ݏ -K,jZvS9dֶP $댞`[ z<P:.FEֵRP. 
?&TQΪ:;wY*֐\["| -B|Gʹ?X&@-ntU0AD*mnm:ڐfsfRK0*IuEnlԍ7A?'U :9ɠh+} DϜFfK.ƻ \x1\\ ~$eǿ FDF[Kxz"ŧSGav$B#<&xzZ[fn9(VԲM?xV<P3v6~Cut$k"й̷sc'Gsѽ6h+ġ âM$:&B UɢT{ę3wjGHI/]#7v G2y=MI+`z>x][}[(e$S~;#Bn[;,>˘3IXd]~Dr'r;2Knَt6qgiZ~ޢAstj`BlTWV}k͔]ұ%K1oau2>1Vmqi |aǾN&BҜ(h|zҥN7_Eۤ53X!$mQ[^}'fu՛ޣv\MZSGdI^VRq 燕~?T 鷂OQQi†VY Jպfc+G wD^|= -c`  -@KhrW;6<16-95 -.G~1uOȰmCwFVI5HCrbaXĀ^S@o޺8pP*KF\'7a[z`~,Ysy ؂ZtTOC3h.;!:^)W|A)j/ -@BP1G[O٩yT Or - Kكg/c__Ht皪­QE$)EsО͵ tӔF F8~cLFJq*3t>VK8,E p*z0xh_Yi}D1`,sls:Rp#/`ip-O/prD>(NE2T㉻s~ILznUZGۀmt];c -pp|R|ԓ ] 3k p{3ga4d0x@*/4KC)P[`Q႖2'/%8uKjYor|~rI6 D`]&4DzDqo_BP6'XNv!_o{i~\n#2Vw]/  -E7{/<gؖ'&ӝ-`l[Lȩ>7V9s 7 laecNRFzce3Q:2"Xj@4EJ%Uw++Wlp%8|N9C-287h}_۩kuPЊe/--n`~Wp5zH~,Y(Z -\ɒyVTjLܦ 384Q+ h|cF47LF2MG~ސuʤu:yn ˳ .U(~ -QC WZ5A gRH h|r1=S#ٝ!Z,烙 kz#r ;3(g_C -yٯ (V^׭3Xp~' rocsG/.eҢSkdDi^=Kqwv7MwKuA; SMuE5e :Fψ;wnYo`'x&Rbo8 0'cne|N6wC#|+F`5?[Ѹ2-O]h;nvDwS;K@k~-7x O/AeWydr6YV?I 1km4(R[~Ký~Z/uMv<;ZGJ gZN-3뤻k-录a!)WZh6n茹WOrzc++w<#݃[; ϲ3NVGJ]w^yJzCNm˵ҥ2Ao&nf8תfƩwX4Gh35V5^<2:6R)M-"`*݈dr_+S9u6F ւcj@kR['IKŔ$S -Y>)UhTy1GFL%M%B ]wR :7e7 o]=K jx/y](g9czgUoM8'~gnWxtUN[!oL΅cաr+dUYz*4C)3D-bnDŽ,"E &t>}p ,qSdن> ]oMQY۵.)e+ӥzSMmo{*_|. 
-k8HoGd闤!$rEM[2f]t9v()"KRa1#jADVE2doPU;}te{"R׌R[h:T^>ݛbBZ;׊.{ߴ?lܬzL7Z}+>JLxmPX;6HpmM$c{;J Zao*U]a{anxpU@?3LeOφG#w{:>:^w_#FN [+G &u\=hU9O/'UPq)|x)kyߏֲ@i-zp^:.&mob<,ϱޤ|DM螪 29B -j<(vR)EhP @h#;j\5/XҒCҊֻZYE>HL\˂P4;<.)=s}^qhO):)nF5*M2ZU -*W -T -P)]LC tRh&%~2 tEsc~.WeDFQڮf#7mu1<:#265t[5/&wxOFybnNvVt1֝ -'O%BCV$B['udTV T,UGmCl a 7~^ɔ*sԪi`7+;QҮ R,/b-}ƞMfsWY,>QL:R V/頡N ?r=d2^Y"FU:>eak9Vz.tid.K%|Zb 7EuZ?GCfG-u^4_57zu7z53ms7-6*5XFl8_h6=*w$TȢ8:ՂbYahۂ).4dicUCMkCsYN -3FxmwŰyn'5ꞷ{Lb{Vwʒ[҈%Za=稺ޮ{>lV\z9"ȍ -RIOyخsVqu0;҇,W_Za?b%XN][L!37>̼g;mRJZuh -7͹dUvÅJѦl8/C`]9~{83I"2Y\W,ZP} $TpNlJmgj,aQw VZC=.~oS ݥ!ԕVg笚;=z^h/?M-FDd|'| ZB$%} -B.WN4}L'huNq GĉH~{zXMXh@Lo߅5$ E+7m:bGlg^xT9d$\EGeh~J)Ƀ9*%x8}#/,d$rYE?.M@:/ *)4 hR3|f;|2!T-(n=ǭW EG8(F5#Pc0*HFC@%6S{iNL~W=-&lr(/lu*jk N̨Tt*j8,"Ǧ5+4MY)?/}~=,Ve0 -` H;v΢]g ؋ ӸYuxZ>q`jHdؔGY{ ogm*uO:[cGIIjpOU?k>h!oPHC%lT ekFdȽ{`Ӈ)TR'Q~o__~e@~z@:gUo~K,) Nu?3+~C &Ьvc?ݲ?BBgT,,K#@CqE~\_Ow}9R< ok@f~]߰ NoMwJ?Җbޕ7<6vN߮+AX|oFC->_o쏤*_zޯ-+Bڥ_uGAolc??&u m-7Wg.[f/\r>/L\+tNTToZmzdWA؍w,QمLNy<,㛵|#~%߽^{"t ooTA&`EDpCfEs_ %UFgʋ ùHӕ6VlkHtb"~bO9Μo{+gk/ q}EAe'Bf 5]Uwݩ=&lN{xnQ~9||TOsXҳ/4.%Kuc2,ܮVN/5>sj91DƹxU` ظA숽`Y5|P~VSO\+\ȹ V#ǹEws+F 3~r ๋~E|Ծ6*OYdA :'}`!auWx3+x٥ T/ .PtgױU;猑IY`ߞ?Pۮ)/DyZzzޝi=\BPyy޿NP߫A(Ƶzj;tҡi 2y /|GgU暎n{: mEL[ZyҙMin eskq2?eEc6["4X/؁e~]jvݳ1Pg[#vq;OP޾ryPj!/WcC5ۋ,QFE>ތ+wM.GƳX#h2Do!JsCgrԤ']f1k4?6 ln۬wD:U{ngͰR -[`.Y{6nt.b]ӲOy_ds;i"Cב>z9Cq`h97eY7lbɣubulEѻ*MݻnFJUdڳj7.u\ue܅Dɟ_/c#a}ɄY5-"M^IuvjVT ֔)D!ַv8L^bVhzإ>L=^;A5"[àh&8-rbUxޞ![TީA[CB:joKjxTKTMktXufzy …Hg -wKUMw)8{3S}f{>{ɶ]N3á(P q]Cg6P&i6-Xŗ{A4sm=B:-5=OU͒dv+ W N4z-o1PT>WlG=˝ags(ۮWGQ&eE=,9uLsė7K=㘚*Er(2Re<cnU -&; 6hsJ4ӏ9 ߗ7'uʽ'J)Ǯ<ĘhRzT{i^ɛ~ 8Pu%UdnEF+)ozK?վT -ޛɮy'0Z>lL~S8XEؖb, - N+I)@O~*giC+vQIR?VQIzrԄdk1,+eߩw*`Yusr/΁oُV,ֱ{קwdoA,G>}*m5_TdX{,)6bv <柩(պ4Fi)WTS@,(SV r_fƭPHuA~=f%xYDvड׉Ϗ .Gr*{ylY)4aov`Xg^īR {:=I{ X8Yrhծ ͭ*!u2WPD@w4/Ⱦ9d -g'< ,b1Rf|)$pˤEMR|`Li`/cI#D]KkzOG~ч2z:gS^t0(;Vϕ#)A Iƥ~ -E Dd3 Rˏ: c -+<@EP] g/AgQ`Qe_@yDMŠܫA\+NheCۇ4zNj~4vDjkjT}i|Jo.ȹ#2r3P~v|1H%Xe~B -R`mK0(@H q~~D_l&cIy<8 Sᔆ׷"٨lF4Q '@p:bzIJ-#J0@T lOV3 ̢ 
;kPk0?_4d*7 ¹&KH8C &vU؋PJHw]xgeC]کH'U>rޑyX6Uv<@qP Pm4`)5R%@('/,xɩIk9^OM{5(h -Z<8ƯX@]Sw(H~ `0@fQ,99#"`&BXʺ%2G::M LC~ T>ɀrБ+<*2 (|uhX&t֭a;5?Zv -W037-,2 xl^o4S6$'רOM4HMU;$˲dT(O 'v^-szLk7 /4|wb-DmbKݓ1!1'ID*ٯK5~]k<ʧ_W׀l6~yQfrCj^0| A@"N*Eh[]٥|lv.$O<`[d6hh_5/V/\+BwMޕ*ܐZl)>8=RιAXӫ/v9{mc>/VY9+<)lIm -b!AY2nX6qj07-Usu_H+A|»1o֒"$#pStm;jtk#}v{ ӣ'ra -;@ KwMշp;8Y?ozu"vnL3aK/8'_$\Ki}zÊT^TFWDn.٬#+÷Xô/u=8 Q9\ 1V{s~ܫn4)w^puK2hWbYRʮm0Q`2#9=W䎏 x1%]^՝ڈ_(:N%ҵv//frs;ݾ;#kIesdAڙ fdʱÊO]rF%w5ZʵEnW-Cy޼?s;y΃.hlu`G?UzPKɀl33g/.=w(7LwՌZ0L?A4ZMM'.@V6lJ!-w7K=:0(9YG~N~)b6T5T-: v\y0g7D}1@{Uաk&i̬IlZ%Q]ie*%fJyLYH5;SDf'CZ獵 y5' 4zaz`EkաMe1:Բ}@pWǫ<*brm;SWy(LWdv'BmSphˍݶ'Zz[8(5qoYWxn<{H$ h-Wc亱7z{檥8VgvjU:UYY]^^[7PSˏ-*R'*dmí^}xNmIբR1}Hgf̪o+SNwmW|z^=rL͖v9Hoܥ 'e/(pғoxތsor?:KJyzvL!XOiL^_3'9JB^-VovGWɐՖB_ -l~,L GMM.|J},^-l[r9>3̰Nofkj䰇`YGD:\{gZZY)MeRut_$YzZ4W@3"TKT0ZbV_vE &7Mf[qvbɵa+\Л!IOlu`D 1womdz^^=׭(qS^c(MKPɈ#yڍ<*>y7o0nE1#= {,1wgTg.5-%I*NI2ՠ$Jq( j$홵?Y3G*!9|}R[y|wixŘK."j/=k+3#W&zhr;15.[M2XBA,|P|&'T%#dg˸֗%Dz1&|-<bEgfdy\b5/ KD1q2^+biofJ, I3sW+%VۥA\c,\sٵ4IuLո~rgf[꽾,,=+jG[3/~gx9`jʮ/aBWNT1i*预t@4V(t((46)|߾6UֵMT.4+"=/og_;RݯWDGN7aa_zdKwK|_+әb[RHŔjhmwL>.D)3䋥|aאM5ǖiļl㉙/k+_fయ><O>sX\})RX_Q땷*p|^):thR@;X.oN䤉udYV!@0>ȵ/(GK>@&; `g[ff)dp}R06f:/G.v<7-[88~oJq:@|Ӈί$ EKo%vҦ sf߅qF :  h1Pu^3/ Hq+P~[zI3oN^#Ka(K3:FB6oS)ַh蟖ykE( 3tj+1 EKV9|8:ؐB4  `Rۙʃ*$m,P"#v))6Z5~kba?2Sbk/L~#e 8ʤ yq h> `Q@;+`GBO0/;snv6A"0k/\sk nv'c[%ZY"V*׽w1c>Tdo%]| ` ʗWT5B8$P$xBWx%z0v|DB\1#9Ð]U/( b#L;×Wz@d3 D +S_zS8)T-x{@6vxM.djb';.jR.8f,e}|(dR63u6)]WB#)P P TVfTc -RlT}Ĺ<Tng*cͥÈkŮ5Eg6Tɨv^I!GI+~NC)-P>G@*jTt }^4` - -0 j0Lui+a;3w 0^rXZ*O֤3YpbUؾ"=ߵLRsJYKl폸7l{dVq~~8\.[]]G6c Cr^CTo:/hCsNff_ Soa!<ψ~_urBq @uF@D7 ғo- 2D=3Q -D!?Oÿ!oLogʧ:g7k%Xgat sj!{X -r;lۜl; #n6ޯAv?⮎_ UG'[5 K\7,=&S+[˼xӎu"u"b=|wf'p5_A1%诸Xg~ ޷_´y3yW膴eK7]|PMo= p 67r/z. 
J lk,+9+bwk?!O[C&]Yѫy zܙ'@E#}gnI½L6NV\u!f= vz}NED-BuOWZ5&[(ʏ{4"~ҼԏAzy.hn.NjR5y<&jzԂ&d[lqBq/~*1ujG+W}Ay_.Y/k 6vAjߋ;n"g5RXW -ˏs>To/`VBmy ; ҵͥmap;Cwq/TZRe7ڠ Bm0E'@ -ܢ63ӏ;gvgPwSO`^;Ht<r# +;SCJs$=;7;k8~߳h NJ+l(_x@.ySBq4ڟf!fܓ6;fa(?H]a5QwQG #A - fՌhZj9opKZs61l،oayrF\rU/  -:e N]{vצoYsJХΣ\֟#]V,_iۋySx0kecvf*7d3bi=ӓ`&Gn8R:;fjm_>]Doc5B3I*Z4څrl:hM;u=̓5n -L%;3petK祧UyR򷞺lk亘J2V@i_CaໃY/Qmni؋:5̔yƨX C>=j mz[ғ^ڬ?SWF5liR0+U=[J=|G<З<t#zCukP3ը4G'vIA1Z19kh6|"JubIujj]EǦbw61uukN jYT{QgۤLBO7;/+bMCHG}R_Jʹ,'lyCOH Q_af)&Wܐ=Qe2J&$'s!fÜ0!Ƕ ~̏yc\L&pQ@BoK䲺y)T@95|^%3̡nRm8P٭UW?Ld2?T1r:TTk2m(ɒsbs97sZniJg0jQU6fydXAT/sIgrkQy&ӷ&`#C=//z|Xx: )w2W-NQ1j7X8.b| j5m)~ϦW5kø:ggl櫱m4gǒA9朅vćgM!H(eAg_i얢M,54Pv?ʱ"L7-aiA]yoyWH:gze<> BhwITQ|])b^8]gw+VZ28v!f}jN03fϕ>?d,Z@\QeSvi@W/]6}<$G}/_-G:Mb0"w9q5Q幗x٪Rs\v.$w&[b~?aIDad]S`0g7: PAzS 'zYۮ[uhDFO[ի9-4 T~BVYTkK_.ԫ'\ơҐle JӕWLU OsOO__._¯1~KӿZ1FS쵰-9ªܠ۳v -R3!T d=9 IFB[g%qN=*9|KŅ;04U#=lm\KqY;9>S k~{va&-lo6|yPWޕ#gTZI̽KOaͳ{Jj|=97",cN GVƯ0ӎ,~wWkҽ{M? be-gMc<+o8hqrjqWw\yx@߷-a5 r{Y}L1Ֆ> &^ȹu2ϴ_^~ڭ>݇a/Q>NNQҢ I&yse/ȘFnkiO2lR\kB֘R@;TEb*\01:ӻCkOD(h(}6EΣׅoCv;NC5v)<Qp g.q sv'Y-u,=8b:QR6kxx;a cҵVV!>[CMGU^E^,GFnGMS&U2oZ \Y83B$5 qeAN\?e';/1w<:3=bllD!w ~Q02_B»_{8i-*T`]yܽK~LX?;$> & TzH_-OK9$Hihj)*gO3PԔ 7)(X# -CxGrDBTgt@(s" Mi~nQB)؛tN~H_w 0Mİ{3K:%Hz' -h&}}b^ n"WG-[4n>˲ԵN$yê=~_ Ů“;q\aC9I1~`u[:lf%˙ c]t>dPIp̷Ke  ̓=Ts&_ٲ!NI[ڏ ^kt1h m} 7lK!pL 8 +Y%udf/wAs|\/kp@!D'Rqc8z(@$$H>$;a2Hnx[ ,E>)Fo8ZzO 7i; -: iL$ÿ4~&/p" -T,7P3PJ>jmJpmNwPz䭃;K0ZalĐ+@V yηXW*A.پ~[}N{So3 -i?7&Иhmu -@W"=a -2,H.л5.cR+xXwڬv$70tU9b :mN/]n_CZ`' ̶_TsO&tXF HYӗBRI?i=. 
%ȑ bho`o4O{g?=wE#MNQ_m*kA׊_q7HԌd~+K1V_kZ^qމYgSo/˜cD E8>ا_ç1#1liBj;Puܛ4O,⏿!w;3gv?pq=0bT@{4rBoaTccgu)\:>.vLzćTCdU ܨF&s=ҝvG[\=[ŧ߰c6Z sWƲC=[g[h>>9ԁ6Seǔ$Bx1ʣ:G~ -^[]t҂;!;bLLhJ-TY:m5/)?Kcu =+b>~?$;]hpwf*3|߼zPwQkGުPv|LpLA[4vhCC{nu{֭ F@֠/UOVͣ\YA8HZ~;PeJN֩=xxO\ў~vBHxv ڼ^tj#7֠Yj8]+U )W!vָqLREߢc{:M/@+PO^suZr{]7f7khR,A漀↵56`_ -4)ܫ *Ħ#͔vTb/C-:['~cV,[p!qA~Ahc>}R~lW 6*(df8L4xx`V{;7ɦFD*^WwUA7ū3-t'A NJ>_(7 9<3]ft7gUޕ:7lOR՛1f*rVGpVlhzA0#.ss6@sx=~r<}f~ C-ym?pG{󷛣e&~JEk8Sf- -r ޭ`veK~˨; re݋?Yf~4?F_<9v~9߼ ^@r"N>>Xc[XPx2^ #~pndLvb3Rq7T-$n~>|,:uZ:}ttYRƶnlXӏl0w7@%Vla:7NU^VyO=@m0ש6qZ -}^,+Rxkkk%m8?zR϶&Չ5f '̆_fTcY6=Vs%kfLjrlWZlᥴ&Z~`-wۮlo@6i;L7#CV(IwB#%(cʓy׎zyu\e ~m3Ccyu&hi+Ikؖ&3T)9[TQk+kGZJVr'~>'-Nr!u:j䋏~Z95lж-Y3ڤd>qz>C=jS#6K sBь7/?>&F+}RQOm ǕHKh.L~O@P?vX[~Xp:ܻz_ßBjXUJZwHiKE"Gor)=iDhɹeq-Kp - !6c~]UᖅqĄSЩmM 04֚٨WQ/)"U9-Kem&p+AEO1X0BP׷wuU?_喭O=W2D kL6\=C֜v^܉s·]j[ 2ɖ,HnO[|j$,Qs)߈]o0n WE}=5m2sm=Fy66πi kG W$/6y~;%VF(*g -lu\DEՌe$!vfLzڞS\kbۖpTU KJܦ6WkkC ]v߲%*t(3jtl|pp„a@ch!腍(L+VKf DG˕vʍ~ں=Uqy\b0`,ȕT4j`sf`[7 -*^ Ƌ*aPlDhrYp5E#H' iELmv~llT+BJȽ˭{GAWNZ9be,s 4& y{ -m L(4 @t%nG ȧ)yk@'rld_8'7DT].y=-PAF\}bvW4jX%Jq55D5E`+3N`$Tq(A4; :u@g%I4A}u/ ~\>& /ӉR0xt3݅:):j [ǚev v]2ʄUa); d C3tl+y`(@l,`ȲL;cw_X<[7*g19( -bMs٨[+żf = `MlM;\/ys ؋]}4Pۇ6Uޑ)Խ@M5Q% b*#d.p7\˚r<>/&:!aZj&,?;D z|xZov -m1P֧E5B>i_>OE:t*A/{. =) =%q&fl^ >H/t;ׅ }6/vH& -`z~ 0OK9ڍk8a6uof B]}чokoT˧]/]Q^?p9˳^xVʱOڇOtڣ˿ߌ8uΡAEP>|R{@yWAȽF5W18NB? ^-M%ӽེ=x%oR;E_xOKPo:l 'ѱJߟ|fgVyvzԁSC%nvfGZ @[ދxVhwiܹp6@iS/4 =7ɸB1 -.#a1XU=uIEBCs4a?ek -endstream endobj 303 0 obj <>stream -s|m;Ϳn 5=6#*{ȿVپt_1гY䈸Cq;_<> -?Q[e܍-ze1[4ov=iSv)])ꘝaL嬁v~_*{v+A"E{olԺqhU9>VX8W_K5h;7w\3m4j5xQFY QEr+ij%?S\O2MVoOEQ{g}]݇;4ZEm$u66zk[=zkQUsNͦjOgfVu%. 
-'WҮ1|4c1Fg)^HllؓQ4О&E쭵 ï+ؾё\k#{NUŁ_^J:|9TjݞtN` Z&' ҹ3S{C}]ɕ4q^,*+tnВ -Z)g=۳I'߬^&O,>&ܿ>]jC9hD:[^f m \d  d -Ⱥ'SY&&"g'hjVJ!۶7*W雀|냉sxQ`p[\ovsT.@l;AyfH@F:j4+@ -Hѱ)րJ0 ."%i &\i*Hj_UwU&9"%lV$]lU,~Xd*XF& ?S7.T*J4뀲9l`HL(7lvQP%d)@VEwc</;ן_g p L Re"S(MV$ " U@F~ {LXZIִFr-?x3##^Pؾ4+mQڎvwjiDM& -}^ұe W6&1|[I95 '6;@V0YC0D3x4* B$/*W?:t&x{Q#==}1 -D $ /$)^Shb 4sJ.Z:ZQ@+:+"[i,B)8gWfQǩIZ{S7tx]``t5):0^8BȖ){`JDRf TDK6, oSIAF -ۿ^$!7ל1"@EpcFuu}{gNó2{1TTCM gi{oxC}{褲t˖?S?V~h,2a@1Ȟ=iIt0b~*>BCm馂^z.U> EHs&O5 աWP'{_PNT^x+ -CÈ.{ltvDm{aLJ櫘Xh{Xjma_ihܟljt8֔&ԺDsjM3eSl7ߤc}Ҧ -B\6;cfgO*R6fS 'X] -ɏIgtx0|R{TZ4{n6ZJnVEtwBR/ojA=ޯK9j|sQD``?aL/V?*:;O7Ȍ?&:bƴRlS٪t>>z,\f~{7:?Yuqr.c^(HI։-o=7aY7GFtE07knLYf`<30== ,z/&w;Z:ԶsswV&KE8 \D Nj;vl}֛[~KΦ,0ᙀj5sO՗wN'ar]ݯZ-*M*Ul \lyR/m{~T>Z,;84&3fwjdN_aNOmKa@z5Y5OiMZU6WѴIS{7њNs7.W1q@n#E:ֆ9ٹs0oz/E7grE4(iz~7a\)uQG]똬#Vz%a$7ہAϘJ˼:Ǖk:88n*u2Q7yLjְ_hiLҋ=SLʽ -O^\U{\SVOG_CӃd|B ha4B>]RcBnUfy퇎5 _W W,[9LIjnܲK=IUʬ[CIgd/Iml"D 򗆎W z+_.mM9m;X<`;js)'YWᙎ(8{kve;kP¶6ϼ+3My sa,}78,^(ʼr?eYVfQ6 bљwP;x;<*n7ǰJ[@8DExEZEX Q$wsiq7˕tK#@"~Ť,1GTy$H7l232mh[vU3zW+WT\aZH*O 7%-c7hKr/5ĤI%s^%hL;j\}L\*ԋ (ҝN,61)Y,}.V%軨] EHka5l.Gp[@o@v@g -Xigea5x!S= {daܠQJ9ʋ;|TlΣȑcثKm:#VA4\T^޵: a)A3|T~?"_ ocp/^NV0 I:qOOU[ld-bS!&c!gu2hgbАlL@ \`ĈZb=b# @L @L- ft:Ne@= ݟWx2+n^[dGfÚ8eZ:x\l/Ɋ$0 z`#% [֋ v -g& NqLlW閬R l/4UUɮd޸o<=a|S/H襽N?`+erHh%@*H7re@v$T?"lYdOO l0M@-+ HgO=+:j̕KsihݬWYPS}*xӗJy@^DPD J2B(~r E chg7@I$8^Hzxۤ5@FZ -ȏNaKizj2:Ƞ⡭aۆǂPIU@&Y/|#+4Гf1ա` Gw806TMZ3DSmySؐ'ESW?+a=}OOVC- -~[5 6hƄ:3YCۇ`H,n7kZuL{PրCGy'?]繨m'819 &00k}Ӫt -]@ѺKD$_,X\@+ k{ h dGٮoI/;AIf,Hnt0{i!٠ZJV9ӗl}W@jE - -V -HHrJ $}I1$0:OY9 _G;cdVs'q9?xi<~!IF&o_k -P4Pq?*^yDPvPzS (rJ嗐+tޅKFq%2K{А$9ca7}Q,f3Exq 8ګo[0_Qy׉6;d9٥{VwkC ʧ -pgm6YYX,W-"?jw}j\oyif6*}޵¢9{oZJ+3L'f4~ 23mF]YCfoMl5oz򠌕Oʆkr*2ϗ~XU[>Ud}GA:±ZΝv&TTF7r9֒'plZk֤,[)LƶnΝ'o4'+oz}]9-&LYU'_"4>Z)}SMx o7rԦż{y78(]\DyUecmUu3*wR3yHV?oMa!=FZ-4uj T<|3eH4%ToRZ4$ԩ#lo{57T - &C;[̪رǟi.ߔllv#.dFTuR\+Zg4](G~S^κ T U,u۾iVI5HMW Bo@`98fǛpNzKBYa6E.N,RDWx_%`|S$.hvGUb*m}0i^mHOFUd۝.箜(n6-p]㮦[Wi?( \$)H9rCT -^[f/vjY -|ym^PuhþԬ0> -pI5q+w˦7OwN]cߩU~<5Hai8|| 
C!$WhA9; U*3hhbQ ٛZZ@A>{8zaJG~M*Y nvn1(I5RI}ٌ/4bx/nQ<]!΄L3\&!Q'.h:@ όN }8"Ƽoga#Mա!y?83xxxoHId2!Y[k+YR˙]䛻<>.B9 -i_o0(N9PN"H -H%@T'&D2!am@b H`y?6Y{.Sujk~+A.Աĩ/aluEPK%vB}0;Qa|1CCGb7IBIIO-ƫT+$[~RDѫXk} &тK"Nvqνgag1dJ)^7[YWI5 #)%EBGUL G(DRoD "9eP$@>! g14uHfIGr?NtmA>Hk%ȜceK>g@G5MVc(1ҀO@P $g6 hdR4u")2 h|Tǝꛅud_5/`؋#M'Z(9,\zI1SɲXԗ urQ (@; #-@`m5r)AH7!<~ -0Y%7g9$ݘSp1S?'msW79j.3Id+[V]$YI2`0Džz؀`S -`kKs\]_!;plw#9@| ݬO3ĀlW3_h.'uz\._jUFwԟro}1 -'.d$"<_~~H~:"/(hqK:f3&ݪIjh*áYO% .z?/l k-aW -HIf@n8)_4Uv5ߝ & iMS4^(?~訦w''~cm ր2瀲fHVK!P: '9~j@4W;[?p".pFl m]e{EL&pL&ѹG .^R@WyhO ڇڪ(I㍪Ɔ\^OmVJpo%"& e75}X{K gL":_\$*׸{U&t7`|5OmҒ]$ `-?2SzΙi|/oT vwp r"sX觉xIZC'v3Md߆i&`+]f vаEp6Ρ;-#oI$i=&O);㭟Yo %sr~ڎ MPplg֩P\Nh2O6sYfC9L/܎=:>JphI 7m7iGxf-?:' 5Ik#~*oc?ZfefN6!?Mn9Ѵ(pAc}Tdm\{nBo:uέ#=ӽ_AlmNMW26$F٤/N6fs. Co& R|`K}lrͲӭ3~\_Ʈ!ٵݳۜI 2ráƹ乿MdV#RxL/50gyKUI҆Hbd*8Hg+s74[|sMxH5a*|T=xZ.ZsWhRXM1Aϕĥ<*M٥wnzMdo¼UK&Y6JU8!m]6Ө*ڶBwR_}.&(;),\2 -.ژ''n].f)?UWEG6n{g^0W\N87{o9ٿ? $# IVCy&CWz]byYoEf4sV!/]~Z}}zWzd5 fsFҾn^Zm#XƷk2 -mJ[|1֜UQY:Tnf=3,f/Y~,Q RS;W\6ӻXae+L*I&e xWh -Y]*LUr3H6lgk۝%Td.>grGfe4h|ՈTjMXY3p͹WM7U RہI1_&^Qv^f+jKNQ; j»j|vu"j|4sBa]]8ܜhKfETd;1VJ悽CSأ&v]↫(|lֿ+I" 0j^d܌'`]ꫝRlk; hVYlIM#VT50PSeڇ%WK79MrzP6fHBϊDzH #- k{ynSqM7eUċ5џhP肠 ԸTϬܦ .Y+.m9Z&kPs\X@;j~@t+ фCSidGr"Yl%@RD(@5?Zy_U8҃E|~AZ5vp1L9==\CoBˑȆp~|WR.ݣO}rx\Q4 ( - ~ōՌv)՜%Rܫ"z-uwPkPņD;ݻŒHKď!bv Ffմ>Q1 /р/5Atŵ=;L=Zз -=C+ce*0tf5jم! +`'V|^@ p!veKReP!t&c"P 6l -d_ls'7 MRkmZXuI$>rHĠ;q)0 'E*bʡfNչ(@VNܝGeW$\;~(:$)"#>,9غJR -@ qhP*Ѱ!%Š#j3-djZ?8t7b"#aI>r -&&7W-hX{iBm~qPVFP%!?i sg%$b"o_koL$7IrHڵ%$wx`|0n%0fy Bta7-0 $oHoۍHz[Hv$u^+~9}X%#C)?5# /؅ݙ+#8M8:P|L{f8mmQm9Y̭twe ፑj yƑ\ }k|R9\'8lC1oYިN:s2sk+gWV.=''J:OjwԻѣ5 ;C$6),i0ĉ$~k◇WiHKup9EۛU r29qP9lF! 
-U j#~ҫ˟FG -.vG:_ `#0߮{6'\7aUmTd&=v$to B}l ;ZomCۆmohwr5y֘.˿jۆ՘J5P9 ҍClu:KA %SƛvGAD M7y$d]׶6]=4\brϧ.=Ƶ| n85]2*‡­0߉v-Ϊ:|$i`( %6vKpw yi_ۖ^Srߪ%XÜ-~%ݠ08v̆*8؍t.?I&&Hu,W2\g|hDJ?8d`KR~򟤁YV[G׵OۆZ~1V"Kj-UJ$V z`9J4Ζ lӏ6k`[(:T$-ښ4_ysuLG{L5B01&%9=l:dхL?f :m`kW;mӂcMjBZ͂϶aekb7whp&N>S,P ~syj^I9Kߐs"ye'N4&f \&SiSx Q"T=Cu{p^ S4/7xkr4*W -$U|pcˊ_%u9<sRZsuhSWS&͋w4an|O:Y,iT&j,Xsޓx&y'VJK6oS/;,V[5?'{T]Qa~4 )بU'aN p hz$ ;'pr -śԬhl׆iY' *RZ-0{dsK%5+3 -ItԆ8[ͱ``zA(B]DnՁh?=t T)F4@f<@|f~H5#1ILE'u]4+-x*bymjqeKx>!(o<Žr|`«6C[-􎈮-oy -F)1PQ gAqTʍ*#A$GtP<(2ryuHrKhȄB&C)Hێ<9QSGȕhk^ os 42{(}N`fn ':?]R$YHS;@8ѹf.*Dr~>k.ukM#R/]6j0`o (VD@xջΰn6Eho-`t$b ,IERV"K7#<fb¡M0 !WhAr#l;$"\o/dy= -' -%;bȭXbM@۹ zs^xܰ CFUn2]}/}I$<R8%:Lspx}g3*U=|"m纟?ʘ&5`dU;5C3I{&Yר;-rmo{}k p1<z|#셄C93 ҋF`:~64 ~xMs_O|r^)"X^uFUTUY8c_ -u3>B>i:Fg@ܔC7^7HJo&9v!G8"]yH>@oc@o{* j-իT>Nly6 %*M/ļ'@NZ߲hov|J :flz@芟$&j#l7C@Qbg o=zmYFӨf:O^S<p}S\3hB13XEUJT1[-?țry/=*3Q.5Ʊ7!q¿oL։Y/seX$Mt '\ z"p0>@"C)+,~fc /_֛Ԕ U"k8U%cj&&8W8J 4π0O ?2{d&3LEN@E{ZشqA7M%TO9 i~H6qjh1ZƁF\FwRCaWw\Ȗl:Tͯ 덭8/R{޿݊=P,h/`SR6 L6y=t @sWu^R61 -l֏f91LZ'|n $O''XLtn &*o'Vo/׮A.ܻs)slkihWبO~u5_e '8l_qmR`Ҁ+A֤Y w_'5Kj.q>=b|=?GI</3[{r^̘63g|,OXxtq~Qv  <t&껽mmxH ow C3Zț $οy HGmzɹNE2H5z40l`ڍs{:W'MB6Cqֽݸ m+OBMxSy4敠Tpcrpdl4w5E& uhoB){lrΣsN>ЎL##bުofsRl8R_:_ZEsպ=Tνγ DY M7 -3/5,C~7Y0$.x5rث1Gx\=4Y$6qg|շ J~A~M -S*UomUǕyO?pst$_FOcŒk6L$&!n8ʼnW0P-] -5߶r|Ens^鐫yظg=1NTHi5vVa6[+XY5ORy2L$1gs%Y IG!O:VhGؑN1>ijaǚԢu?L,XhX ;Dj; T%]vS,|EJRzã*5\C -މL(f-d!pfUf2vz `  oo'=dsє;:l!XΘ[3gkI?k #mz̐0*4\U~A8Z.]#1Sng@,t:CAn,;5s)M{~9+x@1mT(H~!s=I)"a$w X|q-)60MM]@EO7heZ0[&,H#_ ΘQӯO[PK S] -\'gdngItW - #)nx|}}ñ14Ѧt/kwCک߇Ou8onp -i=eJ>?)Гb1{LB!KӞ7@(U~ 4^賸04@ ]< -Lh\p(>ڀhYQ^Jazqz)񙊲,sqnfde4&=v%H12O0f~"z󈲓 ZHK.W :P^;>0Bѭ2&C!}D~9{s7NK ΐC//vCZvYm1'ZNgVNCNu>Uue; -G 0! 2^-GN؀yCr`d\:hKч")N}FfKdMűf ,dy?0W#qO\OE ^g8?:xBaKb<>sHTR8O'-UYx*q(H,o؈E`C[V8}4@PCn>' oh$ZHH;$X$ $Qk$H $,H( H,ӆ|&\XDX+'A‚,1DaDt/ ^!O_ߏ2}{Yfl ! 
@(pM z* fIчWYf{*a0o;:}=B<4v4@a3Q P}ZHp -좀rY@?TujW.05rM:DsRthѻuÐڵ~Cm<bs%7Kh_j AMN>`wV "loˀ9z7 `:`7st@x "o(Ʋ0A4*M}hKMPb#8,%_2k܆"{M.Cu@ -oui{v ҩH-Nb+$kحW+U8G>,u 9}I e¬,I\ eޒ;yCTA~ g|zܝ -o3c,dMiE"ڏ<6GxB(CwkI|N Q{;b 0J % -J\:J)w Jث k4p}>0-6x}?|A>=-&GxM̸[iwB5]Ƭ{v]ֹQLKMw.O/wcv-_ QsSx*]9OPCBx:,2ja=NU6=(U9-&׍+m}ZwDo 6RcU -3/wmSB7Ҷ->٣WuFH34_X<6/j"^me -032 6C4l|(V {-Jt uxMqfLiFۆ<Caٻa}po퍌XYF!C!b=yC}v/Z Rarg(_@93kRp7g\aQjJVaxjIFk-s# MU=;|pjpȹw n(Y8HBj(BWo%TS7כx6܏ _G'"w:>6jB/WU%jTpن@k BmQTs6xmʝ\+HAuiy|+, -RX< R1ŶU5SLiKo4:?h2>H$^mS)pS=@zZ3kKQt*iimRpTX}6Z|[bG_XCg1p|.SL}&7elr$y6%RLSupNALI2De#bJ[aPB/يMĪ7VjBt#&kWՄ3 'C#ϻ׆z&± 1d}'2&W&YRwt'*% 곆뤁, VIT; i'!,s*kn֨_:#n@ f@)Mztt,) ,i9e<+JK(׵e9jF6 vWb[3uxDu" ll{-^N;ELȘASL%'wE18Ԅ G EƄDwD ŔI)g G{6޲x)X&c .=愑Q"j_r}]_312ed$*/d -}@2}{Z/)?̓usnƓGQۥaI14iҍ㓫̏1~-{76C:2.$Q}؃Lƺf}K*XVc2z}Qb]k/}f{Bf/syKA2"RUD@q>cŒ^9)+=gWukX5"`o1cxgz6@F 0:z8ƈQv뤣BPwh="Cb4P&>k7Pw bQ% W 2W ks)~7|5&_f~H\WK.'E",xqG'c=be3QЫ QNl26CruXdop~:MCHe V r ;qqj% -3K᳜Pg,aMIMovIAX=ǒ/hA2h8[A4}T.}!RFg"F0(THr0I2@1@q u*}H&B43a)xW.9ÄVba4QFO6)QHqAcG eRS87 7R @-w (ī93@v+@V4@U1d:'XJO̓2mdֹ+~QcjcDI3t?xT|< -v}.'}x;< R1*N~(* P1[hhhxދ#բRaJ<aBڋx /܍}[lV -F:Ж6ãbG$# -׶5.>bEC@!\B;^D `O9/J#FD56S00<飛]8vq|OO1{cKED}Nt.(w]Ј*D)_uf:~ޭ QdP^- ʁ詻s -;!HnxIB4Bz]Y(Jĵv;_>=Ø= -*3d8F~z7xn嚄-3%%``0;AX!`V!ЖQ>vT X{0XX&#-z:3."}d r|P/љẠ9C*F^ =:ɌATDU9&`G8Xi8)#0O,U1́ZXBDeƞXJk.Je(%*$X,xQR*Z:lw%b4'q]Y]@|mxx!GSw؈(n .V U0ՔF}?Q3yUYU nayT̯h" |W(FdFL$RS C4@b@bL@[_@Rg%7|m^@Ӭbavbݨ;qQl,XhqEP|䁩>q_:W0k" wBarnDf2 =ܸ{\ -$31QY:'!8l0<^'`^?iӡ!qs5װB#6 %ZtAR+}PzP41uNjnEd1N$b.ӎ.C$:(dsu-+I L=Ҟ* вB u E̸&}ϚNUVyd MN\ ؊_*Zl_ך75\fV eydsߩǷ82rVrsF*9j]qo7_IS.~+݆|vj ݯ6W A7U2)cd6:kZ1޲oTE|3bѵLN.4{@VY+όӘz* #aȌAA)lTW=kZIm_`'cTZ36&vJrktqD#}^VиYQSt^̼:sҲw?T-zx)^z`ɺ1L*u7=J440OlJCCE5ts.eGXwx5 u2/{9%b:Ͷ]7kn[144d" -[ Crq<:wQVew, $Lq_INHĢdPczNOm;U,fWl!bpP`+N)YvGgV:^l f\j2;*8TkVx~e 4Qa`N;`UQ t>`G 3h*}zp? 
-Ⱥ0p[̽}Wxj 7֙n9ph]K~~6dL|Ŗېʯw2x\[~1O="=:UW>=>>[rU}\H.a՞w2xb8}?Ѹ̳Aܑez?`~7<ɯR_Sj)ƟYln}Iw]czHz, ( pBwF~7|,yRJ>$~L> -ӻLjNe矻}ÿiЛaQYI&}#o|OyOY+>{*lӨ*u;nn+OcƮf+Cl,Xt936ϩ's>jC,ܭ]oOB{pB\2w-z?3#ZCD;7.v!1O*/y3 -VWq ʽK֗mN[";]^pSdT# ]o7T~@UmÓs/kJ;׷w\i5[2}kש: { M~z}fwCڴvF˳[پZmmsNrhc89-C$%hx:'W /~(5Xٺ -\k0;Uꂔ͋ː{|w.ԧݽݔ\ (n~< |z?Jw 8=VyP'h2ʸN<)̛(Gqz^zЙ>/l P кi?^a1 s`TfID~Hdg{_7<31ONKa>7#Ѳb/q܅3j ^ qNDd('OKN[Enmdw B7(ԱٞV"n-KI愚Wn]OcnZܫ6;9.x{<5LF}JV/߃5"jJSJ~f/]w;e nv9T[tEk}rPIp=?9x``\aw,kw0ހ23cb!tZ/&qq {Cv?EmT$2TiP1kt!L %U<}]gQm|U{ٹnvfQ'wl U?]8+oR_?'+& OM){ۆ YXo~Ia3!pQ!& "?7 -YPvN%O1-}jjSΫ-G]ǯl替}|->Q7I}䇐bٓul){8I{j"_ -4SlA6?겻ÄOEG9y9u{ wֵТrQb Y̢T{TxL1cx=g -.^gc`Hɓܱ}*Tqz>n'wdE4@d9yg<;|M$/ѲifC,.Q;d?JͳzYB爵e ?kQ4Qx\I/OG5H5|d O2\KQ+ߍϑ){GX i d^Q<\fAD0\yR;8v=gGn=)n$]Hz(ld3rV?^[fj%z]~>+Z>S!U@&>uэw8c^XeLσ 2 q ŒOYh^t!POTG `"M=f)IZ:ZL\, yd4kk@%7IRw"厐t6FNOQhu ޒ;O3xY>{v}AXm䮒r~MFRm5 -eu4#tGؽ3tm>˧&S--d\8:}:DֹS-ehK,:(>|do0wD͍ nCi3wTO ^N3:;gEU:]]jͷ,L.cz$OL|OǺc:YtT/|}ԕ|w<ebZ6fOts2+nKTYeVfa )!xa-Ct===@:Sab4Zoqi!CQz hۧoG1Crݔe3mf?#L& - 6}Owo7n7qOmoZy77u7Y.{*E޼UNZrr7+oW\R ٲL1ҋMfp8D'ޏ6c5 iUYg)-զEZl*vUCJWdndv e°i7D~}y.vo͈;8CyXu~2۽KAq- c8YNӮ;}g -gx#E?3~ R{w{?D!0OC?6#y3~3?;~Ť?y?(N^[@u|z0 QY3$Z$:ӻa6?V}y_+.k[*m f)o7zeOGV>7Z[߄@ !|jT Z+Lo}̴X)t'A#j''1}3YN =̵NZ9q.r+4HU,@SӧDzϬ8NIԚ)ۛiHߘ2$ڃÒMf" -$taz<[gSE4L-MWkkhGWԌ}A~~8~of$g}rUuW|!,Y=m]Enҵ/ηbogZƛoG@R]˧UNJ{Qgee=pW *|xL-V[YC?Ų͹5iZu}h@^[ Qpq[^ sN_,>vls- dz)U c%Vd?b>i@G K+!Uzڃ7:FS `֋o]OŖqTiwlyS9͢Y},&*HU_ E鯟ʦ~63~}3>޶s69l}f!n 0T=*b@ϽQ1{ds#+Guk'qΤ g{gmgkUocM66荎R yJvߞrmT|`zwnarpOA(O<;T|1I{k"ή_oubJ%:ChV%vyACڳ|2'͒g]TMK-А>U U^KY6$jXvjv7_{Gίv.k)O kEnwOB4l#-lF_fѨ -W|}jtYypzxxH0kkg%, j)o٫Xmzg{H X\5lZpaB }".ـe$2q4BL=Jn)mLb#B Iw N$-it&h#1=/&{U_ѻ (9\_粘rwR`FeP4)j`On%Cu|2#>ڵdo51o=NFݎ| }O(m[+8wSܶ7[虨6뽣Ѐ>ƒ+_: ʻputm^ȭ&{ >=x5_!Mӳx[cDK5v9XuW m48ANⰃ47\o}hpmz׎j{Cdc3}< B&u+6b HދR ;3c>M>̀MTެE޿r׶p$rUgab_QT^z|c!ûiĒW8=O/S~?{L?s<=z??n~Ia3o~3O#'#|{)VĂa=Mǧ֧mħ. 
9хfӸ,ݖyBl1nwxv1hR=题6C⛿(dR |C6>wYkBӃ63SVSQseBؾFS҆~7ζwlWS^j#/K\Kr Hߩz06f'8F'4fk8vz t]^vc/}jg[n;«f,O벥յ8g%XCˇF.偼'~9y?OVeOqMzR0Q¬^I7#V=eUoL~`J9S佬3N8NjZF6_OTIH@^0:-~kk;=lvtnP2~їB#$gJj?:zI?|E^Srg{g^f>|u;Di%aL)*Yʭt^|5S:m}$Ozǘ.UEGɮN&g2gY+觢s{:{WڠT{5ZXϷ/q[H!ʹwyYVk=>_hZ/FSz2~J|PH_}|,׻{eu~Wyo7u>u}.Omi1fj>M`OS'mT b' U:3k)%2}3"bHڭg[o:⭲ A@<Ch~#d Gi I?2 y^sXF^L=f++x}[f4眨 -kQmfQa꒒e_lyjp/3@r칐׺<69VslRL߶"ӝݩB͂в\q`Hp Eԧd͏ ;P 0 -dFx{vV"MaTnFZJ'/OPeHuQ|6~Hǣ/::&oSD#S F03\F{z{ ZcA^gPg , -z#eXɺ9S#f|lw$=wsHn?j5ݗRn~ۃKL"-b BLhUbݹF%9ҙa^Pd ZVk4:t!YpLDʧ3^7o5>nw6bXSM.^؜XɉD]^btL8d=-jZn=cx]S'G~hhy[qB=gvyT<ץ/ƫ[p1I(6-~_m#٠NPd`POqJ 6-*R-kJU*j1?m*{f+zY;0B|t=e/AqaN]l37ZW]$RV<ڰ"7NJ%zƣUVG |H?}%RZbj )[̔6{6:dԦy_-{r"JYmr=.ZeĜKzoy- (aC+R0v)|%'1OvUR0d pJ``XX>38cn_7ҙ3Ϟœ8c*YlY7y"/R_IO -9HUBJRM+d1z_ -L^K"Og⺝h_ǻrLUs- 9pߒξfy,}!>uOv}uZ} \irbϏQ z;f!0b H=c1'~sO  SOȲ J( Xͧ[ !6:y"ΝԾb쵥Uw+3w!Ѡse=l[_]TWy -MJIV'@I#v .Ϋ=rN.M:xq(Kujn(j[Ɛ ua߫H#VUI&~DP&];A -]1s3ٖ AiFKyE,ӹ5B-.KsʾKkf܉/w1d\FTV2e#ajJ Ai~|b@m]ta_<S_K!ٹa GzxEkK뭝}G7j j>e.cE|ޢ: nt{"+^GkrG.ʹZ[ӡ6;E1%M%VyhgJY΀# ߇`grQ6[k b" "J+؀ 5&#ɺo~P..Ng>myFjuji~z,9}BsOm~%닕8:V0.caaoeYi}ٸoN}NjCPFD`$wIBn"Z&V(;T\5nGy[V?55{2riHr'T:nR:XAf@m&^)Jh357T,̎gF :]jsEg†|Wݗ碸XK1n.\f<\ܪ -~zU_ȁ;VGoim&v-xNL\gP1^,Qt1R#o}<Di-vĪIJ|0V_Թa&׬ߒ)Z7 j1m~j,{hA].xZJ%6H @x'+3iT"pH̰qLpZ٠6n7|ޮO7\ E:"|Ϛy!$^{Lh 5P:kjɣ)y !^e'-s#"q5R;ߤV)N#A1ju:tcKiMGK 9c`Fr0m6sxA%ij||a 5H΁]n4r3vv/JWZur2uYR+&]o)qp<{Qݼ(+OD1t /7'٪shdv@kP[ mct}⹜L6m,&'Wm;̎vOȉY[ۈH$ּamj&3[;}v5[˜0|mpvn D3fCݝ`jX.?yXt&3[(M, -)]O3X̯TOD~lߖidf->቟y9("Ig(o S,<2|(sDAv}O;q}koXơҾPaH>2@aj|Pk+Ȫ[,v5cY`XSzP:Ux.` U!IJr( +=%s\ -f=hky+1%v~}܎6,sgQ(]FJhV-Xa{$; ,&(sHNA\-ԉ= Q1-[_c;$sֺx]^]{cDn5$guzu Py <lʝE?/WȡxZTGK`}%*O==[y7.ys8Ŏ+<4HvSKR3R3iVtC5OO3Ou>ӮsKTӠ((x#k]"bPz\|XOWs[gi.՝h΁6Cُc?J#̻x^qZ+r'OJ OZYYy@UT*ژ|`;x>ջXSLv &x gy8&,zeHi:6 ItD:jǑ4#1V@e\ -.蠒=c$|4XK o7B Oߌ`kI5We. 
8Ut/V+(Ip'~y>nw`xjT {P)Q_I'%hZ+~Ims Fxvq8#ko3fE\7)jvߓ@YA@5@Ł1C?㿯"TzT8kEK;7j2p.FkR|6fV|,R#mJ{Gՙ8Tt#=K7o\uy:Hӆ|ʶ|_kۍ5:WȿcQ:y^ ' ɖAuX.{.5T.:OUKK5qqrOIV?_V=IFgŪVȚ$H,#.;}ƣ.REpU,Z땆vԞ b]\#GKU9k\ M+oMr+>IFkZU/;=]o:dzјA{bKm׸HOI͹cӈ+qz߾dv[L5;gzh(zfėFTs)@)ԣxTb mT/}5gJ`˾,Ү^2$Sj_>X%y_N>R>ӅE:`̥ʂ2Rs M.&]zPP)*Vv Ԏ< -kc'N%q137ySR}jqMy"?IGs -y)s Rg҅,S:]A9^}4Lܲ5P/ |Ό5[޼Dնu݅zs1ЯTZTpI %$~YX*:e/~f"YY~9\j;5c?6!][ɏn}\17mZm OY4Ocw޳ߥ_Pc*?~f3,q/h馴צ/dWh]|gs }ެ2nY7[ùtW)M8uiMClR@<|xb]"zWiY |H/'Zn`TLckhS H[.vEլ`i%Qi~UԧFMl2bKR"7/ H> 6R+j)x3 ֝{4w'/$OgzzLfW|Y]s)]1[(No:;zcW(4;t|D\.W.^Au[} _+:[Tv3vʛɥ4.J+-r>ͯ;X)}a %eRa:}3f$ Ү0oa/ #ֹ:Gzzm$7sqvF7판aՃ;8‚իTFrcD;L!L*R73n H*ez2-j$w£vK I*-cVt4{{h猜/~e5Mr6k9KrJ>ڟZ'5#*a\2 -iȺ4N><ʲH.L- guw͚֫LM36k۶t_!!zUϹ7Gh^  ,q*Q/j|d/ ~9wP j){!H6oYỴn}flZ -zn OBٻO9E٧hX|2IH1.5VܻdZNO3;;%<&5<&߉88ӯ7}YHvQR `b:a)~K^C=6)]ج9+!/ވ;5dE}aߟhÆ_1vTxã] x>meNTBMnE鲈ۊ[‘Kk`oLLBES^NF5ڵo<&mYaܠN3":Xb>J -f!'oN2rqƣ={]`aѩn5󝇾Do)Yw"e4Bk q.aϸg͹7ʛk߯Aoc2( {{\㜼^v[}X硝3۞YqV`zJkI/1:/!Y=abwPp~ }P/iRAiC)m_Ɍ!-${Վsyb5=hqT+hz.n.r?s)~R3濖q5Lu&'u}pܧ~0Pҷr, ~ -J J `3A#ߒaU2/qWHA˽-|m.o4i;m;ms2 y7_x&VԄ8=rȫ -P@XvjFe1x=!]>*tx\ŲKQ7ջbw% \ Uf xhS?=&jJ͌;aq5#|qe&W׀^k*wd{Yvk/,zDfMdzW!O4QDH])b:O]8*LGN/>h;yW|O=mzv3^Y<$-&WX+)J^V^ c1dgԀ&}?[P߉Y2l&j N:ђzyC$m{o]?ZgՏ5ͩ; `]f,ř0)^z$(c@ - ?@'ߥ~U/&ԏ3P&uvP^= ;ۣ-AS)WwrR=Xj@!/Z >ZJ.#ZNZ$ڏ\s30gznM8xf TF~{#^2n^z~Hq1\nB]=KKo |+\)>ti:f -fG+>\-IN3O"K-?@Sztⱔ_8F r?M">C˦\Naduj;=u]/؛v=X[.͞GrkOu2M (Q,5ϡ2᝛.ڱu5?a[U]Y\r}nt};TRzcef'~`2;fv'OJb?X@m-_hDї"ɖSu#l jtX鏥;[v#_ΊR7z̅%dh jUtTH@bs_/| N#Y~~N+-^ 3cp6Z*[,B~,ؒlV8ygF݌(nɐ{)S");!G~%M?GS}ӌPmo`} s|!tv%]}Ũ~XRHS۱RU3\Ho3ڃ5}ȟ}̈ĥGN~ -P -yRT;!9kxA{v~KCAwĢhY_ϛUviDܯcb7a42i<6݆EԢKv -] W/>/HiS@*KT -j) 6 Q #bpwuaĈ MBVs謍 =G?tzq'Oc*N?pa|X*x,0`~ -ܰ9J^i!q!zHYn=)h#uRK(|S\LY5G`RS2 5dxۧ᧕SL;yk;'6oc Ս-=7;>*@qT 1Mf/f>B< Cנ>JZ䱷gT4aG;$Iȿ)3]So[<7.r<3ul{b -m P/Sr]6PQ`WWA 5?h!9U]㑱>:ubĆ̥RD٠Suem niTb_2ljfis"E)_7Dcx9Bk{Ux.ԈhG``v';m-Gװ/zb(}wm0X9d-3(v 96xPsz'vy6Hh?t[K{&ۍGh 9y&uS&Sgn?i n !WpLxG/A)/xoZSR@% -U9z4LRni;vM\D\7@gRO/@gRWP[ -`Ή5P qDPKX;ș}}6 N h7@q"]Gf|V"pw֯T5ݞ:^dי\Db - 
-LR=xJMx*࠺č{bh<'Q24հB;{f'GWٮ~},uqk -Xp JVn 3?F|XzgXqk: Q8Ɠ}K gywgwάqi]N-O)^ZVbn,ռ} @j  !RXnX5|rǘ}5YЮe^bf>T2N lٳ|{:ĽuP}@ R#K<&@rid=ދ RxՔ -x)~8=.) ^F~ps7mwwc֮۽|&f_=4(IXלĭ*P4E/٬BFQ9CaČ z:V&lSZ-#V-Eb@n,&_+9j ʧI -~>(+rT}dih'鄈cK$(R&%iNiy1;EG @3}/Ӎ1Ǜl,9$?L ȘxO0J[)*~j5JZ-7rTͶQ˚t0xr/o 6zšAf+5UGA$sO=uO)Q(0 2.dt)6۹í+.z]E~pv͐l[>u,\Ϋ>,ǟK3#;J|rl%nPa+DB[Xmo [>O6nth;Rn;4YguR{ți,Ƌ*Hf`utOuJ꽁j[|jr`sWXx&'}_c[ IWZzxbh'yhF].3g< &F'(ݽJ=j= -0 -MLqj su]Ex]L'&׭Y b_y1ZhfFߠ8')pHVtBaq5W p0xXJR (}=§(>KwG -.|(Wͧ-!3ޜg_؟fRK(KS{!;5{$:&xOT N"&nY ;nϺnۭ 6r Ko͕[vپ*֑BGp4j}2n }^ĭ)RIwPL#PW߫"qi:l|1үdi jF=ܕ~o 5]U<(qUl_(>`64;$ߥ> TF_'?xY d),=sђ9UHƐd^j#Z btS j;K6'GKdʓp,q۴?xϤxI_EUQO޳tk7 3;ޣlk]Io{sfvXJw jdui–|-[h,иomK [VZ;?u,V@e@-/M/_<Wp˗MH'=4UZoT! ls~n [㺮\F>ᚧC|:3~˴j?"IOOONX*["U8aWV=F Yl `A4Y,cGXj+oN=^w㝕^n{e vov (3ϰsZ5pnI$m+Ֆwޟ2JYlNO;iJʈ6ә)a=M8vˋڭf8t֥2dOECuBFD^/p]gi~I*c:6,8Jt\IK=ě/WveuD~\MC>9[a\m-[{zߛn'02W6CG+.\."{\cܑP~nv'tk $YrKT17ót+uQ~oJO%`ך36Djfi-eSGy= ɱڇn;˷mZf+0q zMr=tcFv t#]IԪ+ Vxb0MJe|s;2P]HUVnEMi T^q?ePNP -J<<>IwE yo_g4Ho^࿔K'&(xX=K-6i p,5zS%R}8#␮cBz!(H,{2x+Nttt3NO܃"Mt h&e@xč@ѯ>AѠ3^ [8nb5 @dƠ`C|4>JXf@hd/;6NZ8b3@%Kdm0nn<b:ޏ V;ҹX5h5Dl9<,錓yvqaf–N -!/%(+PL)q?ar.=\%Vؗ^sjS;(X5&/ntjj3oڋUJ1E*>ڹw"IK.WxBA DP>(R -SA#=:Oxfx_MqM; m0nίpC )w"MzqkXb %Aw JJuMy(yG -%Q0/ya^x=aϵ`݊ir -U ښ?D\7heRM-X%M{q-F`Q]_X vMStڲ`Z>$ =Mts8-݂ãW=-K@0Qqğ9'bKϿ$Ė;!Qxm`Gz"^5\9o#i -{ ؜JS p}3KMnb0Jbdv@(x-MnrOsҜx/ {tњiAc^?1$T>MW6 /PmZOwhOfv|5S?"{M*T%)+qVr| :(nf'PTIs.ʽe۪m{wpθr:԰͜y{ɵև;ґzw貽u/x,Nq1_WorpZ{{S :uX;FIi~dҪ<;}k kṳVu֤4_Ϋrl*}ߔj|wz.SGQrl'zОyy=h;Nqz*yTݦ6Yï~ukGM&eF'y]Me?|(Bb># ?]o_GgPb8u˲PʮmW3l5O6<B{dO?gcIR W4&d@"%/HR`X9&+m[7iMA9m@hL@%wevtO)I9v " Rm+356EhU`}1e&?!DaʊV#8~!ȋa$;oRaDn~_gbAu9Pv.קϽ2×/Cرh=-eZEn-(A Oe iݽ"w= 1 Džjʿ@T}R *Z8mo߭{v;C';4O36Lr=;DZm|8zEj9x`W|oX7w5f/0/4SfSbkLέJv|$v v핺툰Dk r -TZF__sPC)Mg2 r*yi1ؗĢ {JTqքy sd?W? 
>?]ӝh `'{͙:oUL2SΪ7 BQj'˚TWlէ {R LƩ(gYlkt6V6D~<&=P=˳ u(noJ<c8؇5+lYHc^]&f;KqE3de3.VG K£QCM6R[JJ9X{rZkTn^7!KGB2ܒwkfFSjXVGE uYo5 q %H3m =/S![L+@{~T_Ww 2@)lEP/̟QMJ*j6ucHoǫuXٲ1sM%'^jH;%$ϊ8{'<1"{޻Czwӯۨ\A9Rq4㗴Ճ sP+kǼ>'yϊ^3L]}sztں(0ew[ Ws\馻[BJw?r),8 {?D̙0,d măbhoOzʾj;MHq~kyE$\J^0fNƖ -*2s7[4[Կ"#(;"톿`6Rwf}ZA -Ƈof>wRoFARJ!Ġ,}J@M{l04m\ ?Y3@kKi,7fw^>VFsIu~B&wkIW3L~hns. өC4-'譂c/+]NIl}}8?^Ȕ-a\Tis-eQGZ1LrC{݈twg؟>Ɋ+|ZtvG?!F)js7f!N2{f/ưCRͭ3F&͘hU+)j؟>U]c&Kh)dAu⹨[@?hWya†P5hFq]NFqP^ʱˣ[1οwcZ?r״jN)_±'!RqvFWmb%Pͮ99f- -U;ij1ϒbh6Pm-q_5T곡i_^ʫ@oْL{$[G}(HR(0?ZRVsfVx, H]H$v5Mg/4$֭f[wJȓoJC̋b!^i.6?:BtfƔ8u)Y@RFns3x*@;YZW^'KgS7 -ɊX?X9L#~cQ*@ Qn[h]Vc\^+ҢmEd}w7u\.JYWzDj4( C -suW޴ka?G+ñ#Fy(:KPosM, -EaR?4 - } V_ :\DtA \ypD[AŞS6;Ì.bh!ϣϪS0}ʼ}^L?eslU Bb^U@\ T *Q|.j0s` `%0P2J{؏yoxV#fy& U, P?`;WPNB2j2i?F!~1%@8u,)zxoex@b XzDQj}'lCI/v~*w$n1j\ H%t@}ؿo Y@օ* ±2cׅ)'{?\.Mi"*sQ';hn6v %9υVix*bꖕU4}!f)8@Sl# '].n -<+X7s0T3µ(mT!Oc=ί޳av]wH<2&EơSdǶ5ui-2}|fi Rau+МM- z@5㭥u,2 XW=FWqZN3Zb_~{wgo1Q|:T,n>PXoI[#sg@ Vy HJr0_32 -{ʋcsÜ3:zpkcOt+#׽skIYۚ6E3U۴w/зy{l2JC$0ry#ojhޑ0mV5aԏkvnҼMs$OWğF1{0]V\?}pR+r.e٦la5ԇ'0{znU5.V^|̨(TS\ ؖ: (Z-&X.h<-aDwi0qy_V0k-*h,X}0g1*v*͏ψv,Emx4fQ?7Pۀ*1dL"92/$jTN r?G'}#n-`.sk(-CšϠouVH vϧ?&סOg2y3 1&u[@! 
O7{~O\gT[*k93ZoӃQMrNor#rEPtF1'h7'?P9l-%J#ASWDuY\S7tż tUCrМTxwJ;=ӆn`}6rf,(#1诀\4bF84ȹ;h7Fۑ /??%^F{-rV[eOadT͚%WW0d8| dN4fr@j0N?|>A>{ ]_'wD䠼O[+4[QiZ:5xѩ+V1ZhG*0a\=]eiGB}1lݜ7_U-[5GM~66cRk -wV:8)oc7;zM.=w5O>$%+ǏwT9˳H'^.*gׄ/Ej5.&jNJ=k,}v -ͷU?^ܦ\jj -[j -GBtCPV h]7o\s^si2kt@sѱzöv&n@Y\ tkMhɪ,2倚i' -r_ԕڏ?ԲND9iCeQpDqxsǵeޯ^CY;n]2q]2i.^]FN=;mط ]%"5jLF,nlS"ޅ:}5l).U+:XR o}ϝ+RI: @ _Kʔ_2>78u_t~@J;V[?61ue``0(o=?O3-2@YlP{fOW"@ޛ@ ԅ}PWeZBR(u/k6 8ĺ0-l<8¼) uP:d `4r94OE}׈;#=1{V LW,C -sdL{+*qNGWP=޳}֍T`_UXH -nއyd# -=&@{ XrDWPV Վ!ZQ.wg1^ - Ū=`(:>|(z͒7j-Yzn_e?eAZ!1<+,sJ5U/PuQL%+ y/~> g-]02 7t=ϛMxzU^a}qu42o _Ѕ8$t­,-⒝C OX^;oeP^gg:&Ҟ.Oѱy4Qn5֭(WHCIxTC@ef˷^cW*cNӿ -Jg),*T."K^[O$xC;ŝU͇NW4C|V 9:wGSiw7@WGzk*b<0ڀp&aJ?X@ yt}MY%|ܣ \w ]]<\8*}TT% YߋZwyDeQ<:Qd->%~FŁݼfM֩!UY˩mnNz*}OXx{9wG1w}N9—>>8 -Ѝ6&~@_dC1 gPt;~6{kGWjrϜ<̶ϰ^ƅs+g<__wms߬xmo\Qjzod\^zXW,k*?]wAw 0Kz5qE4"]dvmpl VdyIpZGz.(]0C;hQSKlLEj3tؖ,VPyLTS|Ìdi@?c]3 ,mPym/97q 0.{֙n^a6.QǨY~/G˸PH1ghn<}5mBܼt# P_ @'j4`V>jxɻGwo\Q{:Ƥ[$v\L/v\X jD rDϴY78]fΐ`f"ۤgML%@4l -IrmvP'tz&I2cgw.[z^M:z5$GwHA,DiўJ vrhzƴDLc>S|#(+ G{ޕzTt ibht򶫬qڠyN1Z0qzޚЙkLJDjAGIyMc?! -af haL@J*ʿjS7l#,Si/}46w[_ eYLF9DLUF E\ܤRVG묥`9TZz[0D䰬A/Dw)u왰(: dqXѯl@M_]h۵[ny]bi^+P>_ >jyfF{FkG%nHuIj9̳Cdm =߫7>2AX&VnJolT-W8tyo`gJvzN2l:>DkQN&W"?Ra[Zـ>oghw ue/Rr:5֌NgLZzi)(8tsJ3Q,r6M -ui@Nw:'ӱo/d~7꼵|6d8Zlm]9pjl`N[3IQU~[R0E'cAU ׏:ݨinet[Uk+6LmyI*+I}t؉uNJf#wS6k9dnr9_[Xf۩<^O[R*X'ڊv,g곭T(JhݜIk~owP3Yq_{EvfU%R_fZ^YIb&S0 宻(Ϲ0s4 V6XMc}z}``{ 8‚ >wHi]ky:|tshXOZGInp]ϕ6CS,O;q>+5-|=Xų/2TCjnrG/z/;M4 -_qGfYZ۬^Vi/,+LnYh{_cGN'E ]["GR'mF%f|\N5PAsamH aJL) Z3Nn+qu51i9"`4Dw:ctGIP8| 'hlM6ͻN{({~ vt(lUG@-T[+! 
Է٩:w9rƎw:m+JOGGWV12&bBEARmIݮU?yI%=TaNh3w)ǣeb -'.F5S{P!u:|*TI벞o$Z0/7-g#E!:}_kc5n^+9^ekZ'rWڌ[I(Egb 4($xU_r)T5:Y06 ӷag+ |Zr"ur^ՕÖ NwN< T̥/uv+y1kAɝ6 ]]\p *X&?̏2Gy!/;$N}֨|jUPX HPeS^9ޕgFEg|?+O*77΁6-qzSdRȓ:l|:}'i ~mKL4[4'lٟv)HX{`Ȣ?S{RbM̔fqA2“ '{;Fz1$梾wV/tM#(9 Լ \H-=;@^ȼlB^A(@tdAˑJd6̶[Jd4IA%}djlcO_`q{qJMP#q/@@FSE_4D T8c&@OBbIYy{D٫VY΋"Q(oPhuHBo - f>2ӈW |x.Ҕp>Gbܳ{K9 kхf+?HFiPj*CEݻ0h@`Uq -J(M4anO9@n`EYoCƸ~j{|ntm4U\폻w>;,@>r`Ɩ+\8Qj%ʓ@+Uh6wya+0ltdz*ujߗݾ - \(}yIju ~PxvZb`\ƞtbQo0遲xs52 (*U*䳚oUׂIz{һe' @{+ Ph2?+}~׹_~Gܬ/z7af=Tᄐn/g] -wQ{y{an~@V`v&q?tCb;1 2 DT糜>^8w3vO5-nb< =1BBZe.EĦf-Kr?.)Q߻k+vՇG"7>ɶ@ -: ;=^H {Kb9[sx8Ư+|z5}k>lyJQJ}jCwj5P%纸z 0n`Ou&8 -4Ix_m! E2ZA=RmsfҚ=M;7rlZ~݋ p+X+WU碫NL&CS-jàQ& -.P7 (r]`+*[/,?>\747\7j5^v}6k@F^h< RyqudyE,`B0%c<翐g6lR"9J9_@w4]85±XLJrYo2m*bu]N1|Y Pbb3-ϙci0箧9ϛ%7W$BZp PDh!$vzBn΅x5uL~af}JrZ ߌ)㖝տ)gieUôi^^HO:RMc@VkkX73GJawwr Qܕsv B}_&@+Jlit4S09V3>RPOΩyZaWǣPϙLF;Z>_=9'v6Pjfn=T%Rɛc~G 4u%R~V4>yz"gjG}㵚8&9T7j41_yY<lYWUXA6,x|8 \cRO >ȝr~W9[K^c םsZ:`i9vq=E17(0j<‡hqhPx %ujGe,% V`wR:׸`r G1{8peVݸ  |[LeYʙTn-Ce8Ƚ/~@fScWyWc=DWN]$` -(5zm=<|ݶmyM~9uPw6D] rRu{<=%Zn9z d4yZ_<ӣ8?IuИ (`_^4jv/~.[  -o=TRO{=;v02H./WCG92k7NYL4lEOO1W`R %CH\C?l!lKQ ύH >X;6?(ڱ]mӚvjO+fIè՛^;T]QϢ./6[dz^wElMJc?A?aʩyoWu:vly)uڃ1 9԰ǯmi -0:bݟӊ䴂bjU=4υ*cK,.ϚKsL;ʵ7i7=vzϣG$ǟ^Ů(5HB/r4Y[mleXwo^+:;y$ -GAwVqb<,nJ9{'(4$S~L׶R;cܚ)=şxqe6q55KA)#s%鱣>`GM*c.*oq#QYj' ѭR4<-${% Á.Ժgv7/}c7 N𧭆xJu6UkǪfύ-W*OjJ̨Í::W a?[*:uBgWvI |41CƏ[{P]D3O]oa~w^idGi3?hX<Ô3/b ՠ(8h -w晤wIMZ@l]F=y& ([fYSYz=_ce =9Wui2, [ K,>/ A@liwd5d2 1 d(K$x$Hll>>@)(Ui;xm` { AVA@G?Ow> [RiSkA,d1!2l -b KFk'V Ծwa~Ȇ2aO5 Ⱦg < U`&mHE zw2IFv ;$b,5D-}ě\_s:E -u~xō&qwCidD V@ٿ̂l|a@P,^ܼ%d5_Nؙn܋Rt4^eQ1v_~䖕&nhw qJte*5y> @@Y)Dqi 8v9`_t&Ni$GmޣGޗH /s-KA<֩Bt`n` =&{{1̯Koq^ܮ.r4^ԨhI<-fuX3mvL 9X+hGS Y>pjW .̚:ޗ(oqTrCY9pʣpo5Q~KP - is`{NhXP1c4T\0F@%8pp63Tu!/ӨBȫkR36:y뼢$W yn-t9qJpy>K g%sh?M{*}<,Թ`~vtG*G -endstream endobj 304 0 obj <>stream -& -EcHV{]YoGͫvH\OھcD|7w^kCJI/O=M(sՔ׃hhX{`Yu% L*PV|57`z.~`.oCUc Ay{eΊm,V)i`"=$_(v&  >yxQ9dB;>)/=ꪭK95'^'ͪlR.vۥmkO!S4\"ӢۢsWX 
)Ʊo/cN}6:H{y=y's帚^sbZdzS-6vZE-?'aƲPGHs@qg7-Эxa氇}wD޴"5ˋlO6n\{Aj8/ uJ --C=$ܾc.#vآ)O-[J| ؖ2 oq=w2{ؙ$]G^2]l?珷UdisQ_'㴹 -3V1jLLnZk],\JAqʻnhMRo1ԾiTR0z vB N;Pj0*:>.VZCݏ15v5+l?0ڹ&B뭩;D@>I-ѻ=%[|à~XqwirݥY߱{9up5Z3U]g޳z<p=Zjyo:ٔ/˧9sLNȹ0JE y_nL/5SWz,%̺W^u6w2;)>:E1Y$关׍/wce { -]uxFݍf}3tK֕ h \SQr25甂>yΪJ눋4вRvCQ8-u6?dݳ_y{Qn;Yt viWyvJr  :Vg9XZAL -R85ش:[C r9جM]E+3;x7g%ǫ۪~+@vwXA0}g{E-nߐi`_3y | fA]ZPkpCƲn(=w -5YfY3{) co΅^ =6أ v b6(5jSYN{Oz)[ rVRl/&fRr`j4xK-~DF]M(pߴ4;r.l"}`0YxoAѡK^$UaԖZ e=U2ժ&6+i5ƳfhW`xp4SK:Fn Ԧ (/ 5,/=l5]Kv`Hо֧AH1\{jԪ۫W1Z}:Sʨ9UaCB6}.S:huBo98wgm2tN!&J=6 [֘,v([32.A+e\(6\1y[ -%t!)RFM-/lv5{iŇt,Q鵗$3F49c -]2jl\{ -eK6\K-*r1/$o(C˅%̱,or->۪2J[S _PQ.z) N$G+Q#g{|Qv[߱C95.& X|˧lMvHiTb>jf -o!GUQQ%ntV<S9w3%x)ĨUHeݝb".NvGreԀn[UeY?T>aVnFiڭ /%f7l0eΝ+O⸮Dkd>InbYDtKh5gDÚbp_ 3-A'?Hf\pO$8|K  <\: O9>?|Ҏ 9vREfur$;lr]OqޟGD'rΉ:ي+ rdQtB2@ tH0P sJ`OR*mNeH)x sR$-zuDy*ML'Kt*!@YXLqsC#2JR]䯫ԍ.E5L@V$5?^y]~tO$NVs\@GzT#^[M\'J]- !B*{ -Ӥ}QJ^~QK١۩ -}?nxhh_v>VIA0Ƕ#G`p38mt}[a|̂ .4>4ic2{-ѻPta9^~\b4mvp;wm o'܄z/$*}xHGǫt d<(@08 -.ǣ,{_*(p|/޳ỏ`=ƏOA퍝;-d}dEY_Dezrou ?^+5nCT(~8896ݒ݃K*!)*Y/]"xt{$B\A^F{r7]7WyHцSd儴㧃38T/֛D(l_fEqby1\{&RbI?2x<8Gv/x) ->*eM]>JGn m{[mc*ij«hrv0Ycd(bmm2mrlOo2EMEpyxkо>%^k|9V9p0Uxc7latWDMm&GboCo,v6F(!F[:A%?FU5#='_k-S^̧hVmԫn&ȞiaKRg?r#ѮA̛/Zwj պYfsZ*?XmW?H;|ohzmG8:Bxw>M3ڡ`{ 9zo9duj}x˭yOǞK Ddӟ-0A.Y_el9/$K4[I٤%>y<1[ ;L?eA˷oI=ukd=y*rzM.a7]`:'S.LKѬ K[f.fgQƛJ~b' 2E`P>QU6@p-<=^* -w׾,:uuʨzO_Zymlj.b=W(9QGr} 49մ(T$q?u<`te%jY:,t*8ϫ>k֝} V-8ϴ*7@FdhU9:mloswã#~oE&k5a/$u)dKB]./3kFݵΧfづt|cZn׶q{=h̓8bkgSbVVU#e ~""v߿gaDaTrc:6QRE\;ZO#S~H]ZڷQ91Wu*C%C%Ci1q[uxVr`lVԥ*`8YϾF-ND e0&,dq=&3H4,:䤑] zd -qaW{$KQUьK-YMVoQ⮭jZ}coq/r)Y>*tI3F(qOi2Q!Ge<ԲG%~Tҕm] u15_H>2LǗ72S2oEn~ϱu#Z.1ng/spLڰ -HIygʣlYjj7oo9߼]ϨtZ9b&ѵ|@Wi Կ'?HxW{} .QݠV1朲^!w]mn+Lܬ^سy3v^,\{8p n.o8.ޭ#<_HR=:oj8˟dJۺC+F~X"a1W7I;ąP`x7F~29wѱrʢ=43 Yp";i4r;^V%rS  _T4NgGkW^)+?2 4BۧtìڰK1 [;uz :{MTgLMun NʢVF:U<rE+Ǘ*kcȜ_jrHFj7/wm?7q[#s)5!1[dAi ~,zufHSjz$st٫<6V9.(Ru`;~yK r4hߵӴ} l7 ih?[HN_.]3ڼ<;܌ͳ^b;&j;U/zWjn?n-yo^r;w'f# ަdz2v6t:up cRYťѕ->j59\7J<++:*zNp{J*R[XY 
$*w_{'rcmڇkLre4V!U+QsԞngQή6[ekqygD7(%HORĩV헚#k.J\VFaH2;n xICDb:wEeKGJݕS)\6:+nN9mlmetNZ&MB'F 5Wbп<^4.=qrBf;lTMTfV/[)*;O/GSU]B''|oo[ 1_qqh\;X469@ ˣ€A3 FtqF;wMuyߖ+0nUQ3%OrW-_g!pfm첯;w/2bHuӰk8 H_6 UVV {/sv+@* -@}=tk8^a̹(] :Ns m|YJp\hZs @  P.I E - h!M柯,"9d: H+7HVXB>p)0O0 d`K0t}}^og:x l`\ JF{QFS _&'폃2F\"rt4 Vx JZIk x]&)Zxdpe;m]ۯ=ؽ*L{3(7ҥ' sC"u%R_rE?Tc2?H%%ǸOn-s[e\}"z(o«OC@7)^_`.Vt{{>m;g i'?H2H5y"ζQt 5 zC+{3vᵙY7u&@DLtvQǟ2 Mx!ϲ Zj7tٓqN -a:;ϥc3_кkdUvx7'k+/ey3Նb_J4Ѳgy!3)MGc,h!5{qꎉ ΙHوA$͏3eݔq8Unt4+CAp_+gRfǑ;2YW:ԲtL0^NVzDΰJE*%]w! ~ eNRhN.]n$=8SNc;`F^AhdKNR4U.KOyVgi=ؓfI0Ƕ㇂hߑTg´2g -]YWoR|ڃX gcL nC>>,-6 whslE01fKsI3<_jHb/MKUȝǃy~}9][P -=9ݷ @|A=p`ܼo|_F7sz^R]d_޽ -):b;E#aEPzq& -w\Ca>!\p7+կ|kHzHvsNnvN=|ʶ.˘m4v*7lY䙯/ -rpC2A3rL "| BN _#FozDɂkܺT/\1Y Yd3UN/<o&'7[{]zZ0.+^?4Zi ߩb+j٦7q; -t{x='koUj/d?e+:LL=27 uS;"/rgJvus>|ҠvX~=B?J!rnZʵdqE:GP^lKa;)}5'׏ѡ>Dh#vZ Ͱksp~F wbL=h/ >Zp}/oUȸdoX+\s"s7l6?um%1xտu!skf]R[Vڭk7rܬ]?<ӊzo%Тq];[AU{sS`ulVֽl1N)]q\;:-9Ӫ&Ȉ\B%2CZ#[ZuֿDjbg mT{M]79>Jh0?H]psڽ{JU'v'̤Ǧo2.(K%VMMxl~C7NR{tBM'3VTjW_{T(yir -e8猗"Y- Գa/nُ((3ͧg{auԟq} Iicʮ_.[ꀮmVx?P:'rXRJv-++0*f|A^Ҧ@yj;u(Z|j3A/osw%^sd|M:I4JlWѐmDPJ~(VX el7ȖțP*+zaҝPu_,M.D^Q6 Yn3^g1f1N$߉L.xS` >3)uUqބ/+>UV:QoSs1= -r~+ "9MfV7,o hrH6$@&CsZ-vhɏޮnʮśN{)ɓA ƅX,y}޿S:Z ?Uŋ\Bg `{˞KܸQi j%96Gvh _yCr΍{woVDu/ݎ-6WqyI.~T\vgOţAFh6c>k6I>чL}O6ע|:Я6`pzZG|qIr}+|̖UpN6M ٥Ӄ|YO,Tdqtj禙k%(Z/`Kk@[GT?}jᅟ9nkqVqn.Q_~p \^5\vtkBܽr;ߌi6ۺaVv;~r$7DC?! 
-X᫑]$uT\(Gm<w ]IX{Z3.vϙQp)ua cw<~tl|]3x-m;x81*F]xuErxm|cZtPbK/Lp hyֻFd!=Y9vD>,Xs}YBY]`TĵZ7,9xyUp39N31ҧx^Unzugԛ-~!Fd"5~._z<ݯ%.ro=T 5N ; +T}mjCvrM46&6.tr'%#>i`bRW vWJM^?K2^g} Qٺ=̻4mn7ߒNu}9*+͇LRq:}6:4(LV'"*mmAE89"\`EѨ6 G_H -h⚿ExH=u?d`sپ/{~=.xm:[My*7i#Xo`xQclueA\JM/{t_aS1^ǼTBRFȻ |켼V~tsFPL=~;xnٔ?Fh.+:fle*`9h}#h/pC8<!SF̀ND{0,Ȍ%?̏=5?ι)RG׿'`kcu.Z^Tյ쌜annK.TV+,rCάCy҄]-UDRR1'W.L*6V/^Oڧ@ɥ ssnY+[wǩAoM9X wt?~X$+\' ;;G7ߎR~T{ys̛״j-?qP f3TC+t]AGe8&UI|x:W ײYo͎-Jn"A7k3?w&:l~y'c2 UߖWݹ™~09LwEq򣉊 -JśhjK@5!*:fBn&^GJBwimJ%DCZYvUPD=V@0΋f#)_HMR/{?[M3My*ퟳ8l,nnx!1"Cx8׻Ҡ=)'9jG2-;C9d&6Bw~{7%LA™m4zvfspRa9xU{N D+ 'ߝPzdGKmy9cfFT縂¡|{%%sߩھL9~51(F9^I Sm61zer"j!ƍZ},4K1\sZԙRݹe Pa\P _֋y2dD /[5ݢ^3:-*<維^n:uo֥lMãvwOHF=rU&*ІPnUiwr%ʾ{-6nqOE2EGͤcςP`oY|[76Cw9^d\+<γbJxv]puiUm+>>(w]>Ʀdu -~QVb~ A -iʔ,o Tn{<ҬiGˑIGm8hho4b ! eTOаɊi9  -زR஧EjV| J.~Wxl\[n?If狻HbX.Va%NdoFR nRY*,t|kŸeMz=SbЫ_Ad%ͤȍrEAL ~>"U]ݖq -ڥcۭP`h5:`줞j՛dkj5D) '8PR7o;z 2tZBk|}I_z*3VU"#BfeH|("wbƠmHp&HWMUtpizmӨJ&79ciO#@ y~1M._!;iGؽ-'8$5?ժ 6TGNN4LĚ2 iЬpwC@f.&x6T: RtM㮪/bcD;˛뚵 -O%Qnf.nǻۭ$NY 9A"dƧF -,J@ w`;!.qo$@ -joaBvCIn-,Po5AWR7}4E4oO)=՞@ɬ + q0@K!-x)@&{.d~f6ē&@m𢡊h`ѽ;|i>_k.Lo1}c_vzR<ȸpX2%R#,J;L Al3[/Eluh -fopqo2wB/gUZVxKؚ!]a\;Q?#KQ*27-o39k~?$Z>sn?nf<~8~SUreL]]INA}OP3(SJRݱ?tb۰.sGvYzv3m\D -Z%:H$!ZYoÊ?D9y-|ؾVmddsmfIv[dϹ=A ÛwyREQi{#u:)>!U;QYMw_0-C8ӯid?udl|&W۩poFd|dfwwB&dz[hW'B9 S@SoBRlLא@GWGh޻Ohw(8qr"=X!ښQpW]Z$`DsYEX%IEY\R t_h8<\7>Td?K>/z"n괾Ps0zO`}Y۲mj߈JKP9Dv=b,wQ9hVh[o.]l&(^Wu6^@>s>O/w_N3܀poT̽p^6ԷYXڽVTk9rqWI,F5_];\jx=8 -\ao;Nzϝ:f+tGW_$%KPNG ]n n U+ix - -X6pv|LVgo`"gp;[mlmٺvY%ߛUGssC;ͯ[\EWk?٩lo\.R#ؖZs -pfka.^,[k5!qmM8W&0򗒯EdsE3ŶQz'ΘV(r]ڈk|1φQXyOb0a< K?UEqGW噁{y(Uu]aW.yI!x3Y1Z`̼4B;̳`PoܧE=`H';0bĭaN@'3 #CYw\MzI^oa_}Gؖ-pkQVIA GTױ2Ç.*#zx(H5` <|[RıjP^i!wel?v{ׅc m#f8ʵWْGG]եHY_鱘Y0KeOOӹΊm@GqH7ڏ*^mgFf EUs<Γ'HvٺZ1ǁkAz_Ad_ k}cpQZKk'Sl:1-dS{VHExej%X 5.08cۛC!s9kD*%qFtQ(jnl):+ߖHsV5my:NĦ|c4)m!y%y !~deYV#(mc`i8G̜TRv=h:At=߸`'gP*Kvsbp}3R&$=XSņΥMY-HKjyd -h}AW:^wxæ1!}wzѸd{Ì*7[UoK  &{U%ޭ. 
-"`.'LDSFkb'o3 " p/E - oQyFvq?,W=uݷ/ϻH;mq%vAP]]{?mv /[6"Wsil}-m<KI< $>aDe={/5gMcPձmMKjSajy}mm4=l_h᩟Fh]q' #jȌAjW&[ڮLn=:V7ecXc+E=ߛx._^퉔tjzkT2PT_6J_6|P?Y}=xpw(Dv0ޠԻfB'K?5unVfh(Ϋ~*YˎT,y^W.]4uY-V[8*_QKi֛9ދE}_YICj~ -մ[R!.\޻]tZT[|\_ azWVѕWGNM -9{bx^hiH2gȷ兩]3Qu_U#|{i3k腋bo˟w$v?,.HN@sڜ} Q:`Ê2;$-;M?Űd @ -Hs/]pIm\@^Ȏm||:V} -JSR藿-qHn40%FP{YЂrKRNT40 - I)j__׽jn?v -0Oq}Ԍ}<Vc8`V 6HRBYKytdTS&XUB ٤8yo^]J{e4H{Ɵյ]x#qqrR]#H]9шcC)+"% O<}8OlvMڻ}9Z @i73Ln>w2ܼ3*(rr]K7JA*xDRNTAb'.Jykg}Ӭ>|Py>ʣuO\&-'] YM{_=n3&_0=2r 1MmV)u585Ԃ1;q7w%.k^U ?Da=F& 5^KW=7(0q K"')=KIn&C`mO?rf\hw x~cF> yܹl~5-w^z%$m3,|A@c1r6{W/j|û}`zF%d^E0it"y&}A㦞䃠:#hS7܇/z~tN||l# NwH=~eE}N Džퟷo៻GikäLJag _5,H PIaeY'B5=;NOǃ.{ i轊=.$Tt'5<z"SgNOZ=nƖe$E Vkb :2" _Z'r0i@]י=q=u]UvxzS5Wv`GZ4na=> њuSus$M%b!{5~#ZϿL;4>V߱]ܾf~J'`#ݱ7_}ݼ%_MuZedǩK]c@qUjq=[oT ^B\w6h,gsOi=hL8ًWԳ}t:]1v.љg7ds7J =uBs?]GHξV6MOMܒ#kYԨ˲h/ҞN~{sz'۷8GHyPRvoou{|1Kg{L/*Z1m>FFg(q1&glZ{H̨q^X`.DFlIlq,9[x%+aK;X0M}Ӓ;7W.Ft35q{zUdNol4Iw&ɲމ)Lt\*9 5~:eĴ| flTf)rrAPAg)nA⬽С/fgx]w=fkCy=F?Bɺ'"*Wi{%ss芽1ʮ}a^oGܸt?LOɡ AI22u;Q|e -$81;*?w`_d )s .𪲥#,%3MbPk.t7|q^{;A3d|~RwL $6ʽӮ7lgKP2ڠj $UM &) w2e?_Unf+)Q?W6ٕlCd84ؗqYЮs{7o ̼\)}nO }cJc.+udGX 5^4P4+cmOu8lRIqEyfByt(a=I3pwt?۔ᐾv>KT{|WX"ҡN@Gw F mnzk{(?h{@j͚TŵYCp̭Z#uH[6ꕚHt"\[u5}ՄլWa -7g[F4.=>> vobR8Q]4X2*HGu^ҧچok_-2f#1ǰGf:[]Xanfݩ\I;suv3 MȰ(ѷ[kCgGnۑZ'c -wr -6tP ( -4^wzZ?&>fлie=1G s:z\ ˀJ1}).VyJsj>=j E7RزZfv7V _ o&$"|?b% D-0]|v7++=1A1Lw9t7"7WU$Zri2,:E2ѿtЃ-08W%0ڤygvdȲ1|&%Q ~,h͈+N78>Ͱppjnk%08kOR<_\'-1S]R -S^mdZ]p(ɶUX5?@x/{aK{-1]b^_\c[׫Q4P'X͑a1T%ʰ9Fgwė^Nj\[ 4A%o%vP ^*}E^k -a]^#XiE" {-#p\1cO!<LѨ94{{|8ͣ`,;X.I۠ Bysjpa)1!._Wʧ7\$HPR4YoC* ;fxxN8N*՞M?FTkaca?sP<ʧ{ԯMtGfRs6!6[Ŕ -{bN:nd  @7KMmgxCqXK7lx9Y=tͦK >,6O(!F7MJm?>\ﯴ- ^t*SBVҟA'7=6{ѱk}Q";<'NhË1J')(MZ}}n9)9ewOyqL5)X5E&ijmq)H*Rvה+BV~f.9Fq,ȔFz/^_v} -zQ]*}P7CNȉ?->O+IXƉ#q"8YVf?|qµ^)7E-8˒}[݋^eY3kiw`t7ߑ8N$y @*o5"3k#ӎV){51L?akԟob^O0PU0T:tE}6a^n8Oe8{_U'Ϩu\FREN0~ -ad΃vw|AnKapTa|nLJ j :jMox7w=KMܛkG^]=OKћǃ`Il$18Z`^zElb6[0!au*T~KHo>QL>L[eȜ`1<7Z6"Ȋ=JXH5C[ںkըeWㅾvNExb}潻 Js=Mmv=Mۖ}OY;ir,suYOY{Y/Y-I?vh_K×qL -­Jv Uo~g$~6ZBGI,bڞ0'lLw#^7[ 
.4SjJQ ?Ym]9sEsQZiV C'8`U ѹDzcaW>϶6hUStJӥ.Z8_Έb@sr6&?YW}wiY:lm-3|pї;OI{L#D*P$H|sAF8Etkn[Fxɶʆ4MhP H<@n;u|yz.yd5ƴț@]69 ƾY877 -'U$N@⎀폘ʭCa"5]یg]jɻ5H8Wwo>粱l~<6<̹UVٺ옖>P7"ZN7:[ #伍+0FX+'1Csh$d5P-PhoS:ܪJ'tGqmQ[3䲁<'Sp1I7㶴nK>nsKBN Ẃ>V؄"zuu zX,{-L1#de@ پYŞ `v\&жXИ_*g`RЄm )ETjz$t;&bv]{c%)MA9+Bs/ mV*{8Hp) 9l -G3 aRTm:nR%yOȸˈ8ŘVxFW"PSp+[݉.Zz4g,-x|?ceFmg 5:;VҖ!/?d)lBpƍVQ3.zoъlRN<i}01>_V>"w'M1<_M+kLujJ@^wb:ڮ!.D,h0# T쁓ɀ@cD.\~pT\L/7J&VcF-3|oy|IB1F 7Ggd$Gkv,xXPBfM9g9 =Րi=cJ f}gpYV.)_j;Jj϶cAi2̓:wO:z~$YY )< -X+(} +_FԨ"XVo^yWs8o߶|_??x[j+@,Ud#ŐǏyJY-Fhj<`kk҆>E&Ab$hz576hu Q_i< ]} χ.8^;́;b6?v]C3jv$)T/)&^oQ,bCsIq| O8C{ؠ+p67(.}W}Da'7dI4Aژ6qo>Ϭ;D|RR=]ir?oqz Uv-t1UV̥.xm: u-0x\6[4 =R8+1f/ZX_`o{>?| ?s!Ra,t)QBMT:R%jCiKh[=}kn &̲6,/PUʥ -2P^esw -Ͳ?o?WyVx_6'|Rk.by4sNa?} \ݷ6lgw.=){Ѯ;[rsu%>͗[Yi(mN?{$ϵ03|c*Xו$^ !_kLYj$Ǔvts~u.U}SŭUrY+'}Av9YrClT;7@"@ZRh>r}Nft^.cPI/7,[ -- fdKBD'a5gt wsam5=;/Vvn ,`<'^˳06`|H~Y\.Z/;̝8U`m`robzԄ{ceT:x4.w3n|Cy׎y$BieSߣ> Eԛ 2 Xw]ВhiR -kK3xh w' ǷBW%mq/mX030cұKO.2_}QgĤdį -yD(7U:euțg{hjn/[I169qÕgDH )ɪGA1+p}gtKY fNW0OBmEV^4hc -'tQCnuR{b|]SK@ -Rl7ew&ꋼ:$'nPUOY>6"&ROqf1o4Tt0Cq=Jȍu9_x-.y=**RH=.އ{ {8֌yii|k-])~G88A8=QyPUnZ=>xٽDua|ObZWYˆ4B#OB@(cnPpE܋HRsRNC r]8+zEGn ̤Wr^[/񲉕申lsQ~Kܢ𺹁Ⱥ -Csh{FI@b!t} # A-=m 뽧#TO駏dd'}fM"x^$ - 6{hb. 8 *q|TE~9Y=-<8DAݵDM;iQ{M,Nj#Q\|&2RR:$W$ӭ }${n !_gPtjӋ =qwP[}}y}B?(&$IrU^V-ͱX0i^#MM -.'9CQgo~MO澒R?yVbch他Y]ϫ_حv`O`k"mN!60&R -{{>TzzuuHwOz=$`8 h{3 jnw[GK^f]Oh`F=N˱;HFmhtpuP{) <AQ}W aeLHrq_>vk!/%Qۋټ!>mՁ} u -vT,^BU˦okyvVTGWw9/1\%&DOP-Z]xcsMٹ}b.~񬂘9Pݑ;*%=GuFrXp=\7pt 0\m0(f[Hob* FEt 4y7sD<a0[{?E72{/#\ /x/7r(‰Mj4))INv0G&pz8"ݴn6eRsMgvަePcJҥuB CI?%ZcgcErFJ9}2۞EP:/Ң9m3?!YQ~&֛HQsZ*@_2zY5[q|f5HE>ΈskYPq8oI+nQ7Np`>pUo%9VkxXk! 
9΀7C/N~%[S[gyh/~&F_2z1W?9>=$&-uJwi9":gcĝ줺'q(ȼ01z;6>r@Z%c @ZL)P`u-pδ; L߆_2Z쇏ԫOtLR{,' ]]pvZ`eՙL\st:Kr*h< }Fۇ# {w5xTU- +v8VM( : kڳ,د[]9L @gG5tŠ/ ~_@i'3Ne7"yHt9"#=j~T# -ΉA+SNcvn)<-_SOCf2kUjB!™aτ݇ćl%=1/e7/FKRսW{!98nVUe:E#rU9y|.4ʜYjaz|Ж ,c_Csi7ExqНo*бldi#OzȢdsdY$2 aCy8[?m"Xu17ҟ'oh+',؂fvf60 0M'@x(Ã5+cD@H+e .3%x P`ۯA9^b;M|Ev7\Aȸ`dq/I-j#@)G00~n3G9X{_y*L${ Ě w~6!u*UACrwmZנ!,7l.(h|,Tt &e>st?/l=[Cӡ /_-Ykg>[ m];#ri1E킋6 !˸N tcաMGe'rIz\y ׻f@S@϶t ^?8 b:4o(fVmX6~?Uqr Z'[J/ڎc_'X=XLvTSN`!]-5Es{???!I|O~FvDYX$](|گ& KDcW+,.4fiWV+"QH|oyaqlBsO/.n<:?+n?^&TI~)~__E# 054/~/X_mO")M} -ag7?'>Ox.KaWI^ ---iߌåsI[a]vWA/gc7'W_7hzBYŵҬiwP.΍XkWzo/nu<'IDqϯ^e]k.If$zye@~8M+Gv -UZXlAc_}~[gɶ91<6: ,]s F`N輶ylxoZخ!wwxbU:0= DE=0nxU9\']ziHt=i;rǾp(յvٍ#;m!- fvr E) -^EYj导8kTZ u +H_1nc^ZϪ`t8wG=vtF?n9ļm$Z/^* ^ڪ~waHIKm-i/0ߓd;]ɻuCt" {7z3'=K1S1lrC/{Tj\idNnKK{*iOoɘ^uLJ[hԿxg:gaL|9Y5blq>qvfj4c -ʀP&9S1^}Z#6@|vu]~p x/|A?vx_d*}=& J^3f.n[_\&v'aގT+uXڐ4+2Iu7,Y]Cx;@MmO G4~mβ:ya)Q*kFYZ[ٮ;_C)G]ID$}TY57fQoZqg ExE<,Ĺ5ORMܻ>϶Bn,5w -n+NѹR~NhB#L2)[kWբi(%er ݒژJNzȦtWcPF8{/ 峝1A㳖T`yn2FyA)oAIi#e֬޺觙=H^lx=uB.RK|F™>!0Y#|d!^BXwyO\`tk'ׂ,ATn2PqC=mrkl5}F{F]q{sŸ=U;\AM۶X%Ĉ["c{FKNH$/x^ov f˦QA{Ʉ`AlJlPTlP\U +))J)?7 {7/ ̱͒ Qv>[9U7:ۦ GbtV2"iajBWX-4N+4;3ݘ3duT|3WsYaLsՖ]WEaemֵ˘۞~M%j򹿨ɽ]^_~e|f_ܘp5F.ҬjϽike28țkmvb; C"MܞL?/Hz>I -dYb4mbO21%24 -)`6 ?lM/]:kƱ"a *YZNcC"OrPkܷyre_ߦ+@+E +r\x˳d(N5a6Sh3- aI[^\}ivS}"U#=%Ě>Da^;Y˫v,v2V?u^g? 
/ƐiCEֲ[SmW*h:;UhtB0lt[F.--^߄}otlE'G dHF98~m1\k"=jyj)VeqU tԪZ)q}t#DJu|FbNxExip\\2Ҙ{uS^[jѵlw@{ٳ9wT~mic(eQ=WZuk"ދi)[kux8:%̭dh^"dwg!NjqӳR6r1޻Ufki1, 塏+u\UYT;H1 }dW"6K07oV=NO/6ك6g(z*ѓEFvFL >KS3h!osWBeBD#Fsps9Xz+*ݥ嬦; Vi5 @0 o 6 -$صK:d&{ n](zAJ7_sLߏ.ş]Tgwjj:dT:7|/Wɀڀ t mdȹuHp{!nu@edP`TU1 >& -( lPl:Ӊ LvpQ\SuN=\4Aw֐3?t~tDb@ *&P04 ]D 0CC&8Z?\RƂags=;bzL%RBn\; h?1M)6sLLM0XvQ%{,pp8U\}skJwu*sM:J -xQf(fQJ9J=|̺tiGӡߴ;MNR8xZ+o~w76HN>[E!DȖg1_nq,2 L$cRꭉ[؎cn\=ݬFқ';5D+wo$gON3QJ%`M $2v!bs*;/Y+#v*D[LJk'>NM?H~ w?du;~I61Dwm>Bcn^eIk/ܠa(,Z% Kjpyhox[>7:oĶ'^ɸă,Aq~qw.篱w#~*k1iW0DűI Wz> ~VFJL%>*.(Y5-<w;=?o)܏+3T|@(}:{pS/(n%J$n;;+YP9#q.۽u_Cr)LNs3rtNr[9z8'ހgݽUv::(<ٸpa)3:;+4U5/Fbvyto7EbF^ -Ik0Y'-\Lw.{ro˻On[F,Gw]lCZu٭7藺uY27ъF V £Cք[5xI w} -ԆY* ]f䫞LruUl2h/@JTe}_{sc|9ZZN\ӥ۹|gyD&EՑ(7U.ٸ  -dsjז *wU~i I氇:pjk`bn:'N4v 0TD g --; ǧ42o־mMFʿxq. {iDP6:T~o#2Kd^:y @!C9ON][\setzGHg>FztmN"H;=26֤'誘3ڞ2rO2\P^rQVOIE$v17ūr8#X-s6~qso=78d/$rd,*MkhmM]3ß׆Nu坔wqM/ȎAm޴a -]Z=?UY#um -k؅+>I(yjGDt-߬|' 3O{ǹ0,"wM_4@}]W$ _}BýBzn].IJ:6z?x?y\L~5dUUijEj9ww<",߳\t0L4;,"X!`edN+,ycrэWm,ةޙw7׎P-eT_ov=RTQ)jSJ]6EF);&D,&';ypE^ecJ1}l}^b+=Ice{L wuUR:>#k,׆RߕL /;b5‹Bt|k/6L:3<)~1+mBX&?ɠoG>-u$mVs'&j[)(ktŒDdCHH* aX(2﵇:ٮݖTZP4ד|^Œn*M -]1Gә  5w`8޶֯#|I%+];līVv@ +ÇH0:n{%_~SYjnv\w[ʞ*u˞j;E/Zi:1oDmz`/0qZtauR{qjꦙm'El4tD& S %m -MTKFYo d>z ^Ns۷W=p}̿rd^lX"cNR4S%j"χۻ{䬧\Irb8L1s'vam ˢ,٪JCCm=qSP-'BLz\?JsuenI?YKSkbW0AzR 3|;|(];'l /h+^?ʎ8oi-G1T̍؃ -{s&/pM:;dsɩfSvBۧ^Hq$ȏYtU&LjË(mt;>/{Ls/!>zƐĐxTrDL{sg 牐Q=k}瓡ƓNG -e&mz!K~)UHG:cCZs/%J}  Y_SJe%WgzZH=,“ĖEU}fD.Z{+l0}iMsS24|F&*'3Q.rW(ů{WZ}أ{QDɋ5jЭ5,mL~X^6 s H}4ٮ~i6=i%gP4ȜtT\n -AJ B4!h`4/hhdb4_P2 JN4QٷCˍ$K45FUU,JIfsUre@a6&9N4Q&>OխINDq>l fdmN#7ω.{0M$}~.v^):B 3k ~II:V duz_cv=R O V3@v䥝n Zbm 3K Pg.{eZ>^njQoKȏąMPXGO5ZLh'\'}B@_:l7xzi ~vLʲu8OEMG9+I8nMx }k G\ -0-3xf~Y2,W݊/`Ap8e8pٚBM%~qRsrFCW:ch>㾑!캱MWJs㍩CpH^\x:z˱n,]W7Hjv>mb{~.HE~rwFT#bn*fuw-gHg^7όk]73:W /oEcw>寘&^nlZMG!5Q1cqͨKy*ֽɺN -a)/j۱ڌGC۷Q9ؖxYcؙqr4~6Slxg/^boWR2-\k:x.;e9ݓ+K>gƈa# +}˩-3vɽ-P| S7B/Ǡ7a^*F?hΤpr٪83YƑ<ijn{5:Њk16gQ1 ᒣ£Rڡ-ҴmEg6{M~%R}qz# Qxv'xlex\rq-F\?Ej4eO"ʻ+>v[ 98҅_:L2س;w_𒝳{Ža 
-]heBuuz^s/^j;(X=:ȕgۃPi#)da!5rh˟Hb[NLEpYp.vsΕ缌&GyMoiPH KGЌV9E6ɰh{ll"zX>{toY)j|HW؆FǭAV"O7_8M\e`(L[ ~J)Nx9/*nٟ I`OGcX35л7ǬTg5v9+%g}؟)ML~FxG Ѹ-M[%!Droה[W՛涫>}lrSߣ>Wwct__c;;:[vM?K ?H :wjj#1f{)L{' n|߭o)Ջn߻ɕEbk'ۿtklٚn4пv1_ ?91z8\ȲjV R}Fd>F8ίdaZjwVelmmITrYX2\(rg**֙!]2voJz*w'ǚ_lE[l,&Q+s܌m4:f5I SLM|&;-Շ͵7If1;:8`50P3w8j֮QaeQP~*1qcSz)Lj؂>`#@Nc=$2pDݸƖM^Ֆa-dKaM*NfKg{`rt6<%0!0 ]"C5yAlW]7kʴ&1V5yuMt$FЯL˷trf$;<\n]0}^KA Ũۈ|>Y"R`lx;p6Inltž-ca^+o:bzTʋhp ̨VM5;qEǕ -puzT9*wԄZ(NθόlD,ȝg_\E~ԈF귱4~Sa$U'HŪAmÒD wkݫ!Sw fΨH6uO]VDƛjN%SȖ~' 8;D^uu9 ѹ/-X?BXmrK 4o]@oZϛ746MOgFq/|JƯXȲ%E#W߬HV}Zʱb1I^p \RcwR`6*E4/ꗬև麎 z",cg6zԨ:tՋQջxw~/_ P37؏HsKpc H3'N9Pl"? -j8JB cCFION0w\{yǷ<A5ת+̘ҧ_r咘%.jҪ]N#ްV%2PNh,v:&}mSȡ<& ݨj>L,VLVY3"OVrwKt*ҫTn -Eg>w -fw ;ϖO1 PYpңY9&r [-9 ()Ի#]~: 멃8K]rwUW9ZPDM@lW*v!T)Lz(v.weY̱w9WϺr>kz];yմV\]ZRgK/k!$5vn}|bcWA:_R^h>P\̦Zn꽜ڹB&n)[8sؖ*Z]}kk~/@GiЃ:(s?bt(OIJo -վ5Qo?45_ -'xԠ /%Yv^ WX`2_O0e<%)`Õ 0Of:?] ``3yJ" -`(vNCl37Jݚ3Wm"*[W,V^l0A2A\H@&0#@'9Ex6 -$ykOw}@Igҿ#F\s8S" dJU~v  \gp%qdlE@ oLcsmxryRO^uyx n: \ z1(yrFi3R`;5$!J-d^|~rnL,[^Q`J'V|1hMf& $_mz@z! 1 (lAEg@hpp9TN7MbR8K 6nȾXC6uBʹ2}1~"tuW47З{!u}}:d̤>z@ -ٍ7ͮėh.paHho~њ0a_Z)w󪯤^8ҁ&8d3x\QL|'J9jڌ2 -)#T k]ۍ ]`=F5˿3H趖`6뼸Yt̞tZjm~h}~lz}L+w:+a^"ՔǬT\)TL5vĉ -?e*b9 4RϳVէ7*vT?bty:Snk[]'kψghOAK}_V$׹h*4u_Qj弲w(>4yS@vW멌Z_(r|?l% xH/f>o(Z漟1gWoT8e[9=XJs~=i-z#\Nqn)KV)Ls'oU猌-)LjY"!Bo,v,*BbS$^~s +Gj(҄1o$gZĕZO"xX<q%q\`[2pIw3yml*ۃTqA˾ԢJj t\ ~(-nyRS '$oj2d"&y!wS ;[UxGK,-p`1o``ņ"c{0TGϺm3GvcWeVPO+E5/s@dP[Ţ^+lVh>Ae*|´\5 -Gm dQ 9%/l헬\KsD55q|$.f9vu"f\/n]cpà;AAanҲY?_\kB^͊T8lB?r9X'E%?ȟDfi2 -pڐ3\\]Ѵdμ8M,74_E/4A /)[T-m. lGwȽGhjsn(x~ai -X>[ J孽,4`%n꺒kׅo|Rijϣ -x-~X / $7rQ"#4l4<2d*fм-A+fV)UA,`%; f.\d륺eVs~`Q1ص[X%}O΁(a^?zAE~g܎`lP^oLR45;OL΀T< Uw@J>JfNM)Jώ uhat㕯c5Ag~)ޝT&u <Y'?;ãW}َ{Ӱ Wa] 1HHiun׀t@e@< xdYۺ|<)sez/܃u'ŏ+1|×6.h52pS}7Tȧ]5ٴ+r'W_?y0n߭3 Et% -y9*6wǶtvZ)D|rzͣuPp(?33<7$/<Wso_^m_w{W|]Wro>RVh]!&X_oywycv7Clfq5ݦk >?!6>nmiti~D#:_=&E(zED&}k|Nzm\5fq ^m|unCayeWc)b!b9S.t&;NMK7{tiw5! W/E c~훹.6FoPK=Rtwmwwя5k~>LHmu", . 
dgqG^!g~hbkyE&\/ϦTkT]t6ks/ #Ց2F#vd"vr,\NgFi1]fGkV޽ElhzOaX5=lq%[n><|;a|:љ-W[x61n}-+W@y556ƠQoN;GZnRXjV3h߸~v^=һwkw|GL}tjgþWls7'9_+4oRon }N#%ڠjJiCrmNZ1͔{)4B< [k9Lrn",1Ҏ _nR_}:"&^P)悯ΐQ|m!YiíbUAm6dp6jn<x0o7fХlGe{p'YoݐK J'˹7uG|g;iqT -Սm2˪ꛜUMĘkxS:2ۯ۟3Y`|>n oX΍Ý -t;Go.kAj g֑F[LJ=ηҐSz[՝MdOwx3zҵ6\E(0,z+;M6l!)<rySTZVTôդ&Z*sXTlaj)k)6i2 ' '{m/oD7DVmw5%^0={ ,Z ٴu]TCx.OZjgT^tEFeCXQ,5.گ<z)qt{dUNޙ귖e!5QG. jfs 7g"e&%T#Xjhe=YuuA eO?J^yHļvF)'x}!ky?\ZggVAsPkoU PIJARH٥*MU)+/-t(2.կT -ˇKIĽɽ˱ʽ5g`W7oțCWTϋ]"\6Ai^kI7Q*^v,+-\ \&'*?>߇9/ZgnH2z)&;X}VOmV'L)W:|D|էq+D]^#ֶu)ԙuHKޛ<rFhwpL~^L&7l Lx]bv2l.0D0ת0zW 'Xu23H1v&7,G4w'ܽ<4xzqm2[ }VWYaxzg7B*pbrY2eN{ͩaEgM{ ߸']b2(:CsBSQ\?nffZ?ͽG}i+'+oߓcnD\&h)?y!L 8 KWAL;JmgհE%yd($&8F\%oe~@VSWI])\;Wff`ګltL<;ӒyadjG;#BZM)L5v"_9H)J&[I\NS 7 .95,: ,{wȫbhyOIY۵#~J0~Sѷ^yZCGEORfqZH\N;t8@̀%3a<[Nv3AwV/ɢ4CHdRu|}Z, ]+ӡ]2{]&vT$l_?F!;hf۬d"pvOϟ鬒46X90pؾI:UJnK*Y,!0,.VT,1Mas?\ZHs*y!" kbcwH+_PeMzRߘ߻۱<ݨbgE6Ҟ>MUhPAv?=rC,ҪeN-,e{2C=_ 7!X -,"Oɟ?)xoh,v}z¡G|{l%`LNE>gTgOlEd;(wT(w =A2Pͭ,ol4ۯsZF{6)/Z;sŀ)-*-9]E?\vYZ]gs6'dd)SkWL4P^A8J mv{B8'hܚܚShQp-=zS3(\>"h4flY;0@s1%E],37-}v`}`]l`+R`{#`'ޢ -sؖޖ%_爷|<ϩ{ BBN:g Xz^J>S5_B׸h %:b;ݾ].qT64Xv ^B?T4M5TO@ӛLdF*:Z5#Fإ>`oVۧYfgs;םx]=BO9O^ k'q M Ȧ?n>} -V{)^جVBЅs%=Fx6vyi"BZNW6}=rUt"R;RI()@,ݜӄr}&k7 1՟\gujeh5`/(<] ^DοΡ~O/*(.̱-tέ)LvuQ?+n:FiGYb.p]Z#]?CW}7g~x53Wh;Wop=òUvuzU?GFzW3ukp4K5Wd:kl[`.AdF~>?h5F:}Lѩ=aq4e5?1;ΟBG -8>F҆SZȻsgU2X{:j6 *<V7L3YLF31Seӝ\]♩B{_+6Y/Vo=o0tϟbY?p`D J&"~9ckyb-\l(9i5c׋V̿f%v--}MFr4jUW+=7feG僃b#Z1TO,oZ)]SChNCJ ͻmqS=lLZm"s_b -ǫθ_a%xby&vbYW2hZ9]|eV) X.( -[YنT \͋xc&h[EՓQ-'i۳ZRo}Uj.DtXKKw%ٙ8w.6YuN8[/d.p򷩧[fhPcq8YW Nᡚ 0 ʴ\bUWuN RQP(U"uTs]|C'|:"ky`u8)O8e-pJ$91oift#@6RMr>3l?3e:<3Vl96zm#_9(Zp<{d+EyEj?:[a>D,S.`Ro4JR=c`ϐVCN9\yd+f!ı3cL)ՑPΰKmr+H6 Jz!ɝ̑MM)}2{b'cb$nR}qjײ~?/~ 95n 1RcΘ/9^3]}^tqCԦzASv*0cM!Nɔ8ؙ`%_w.T'f_O2hS2I=CPTv+;U'H t l͢0UqELHIBt(AUMoH3\{#&/Yy 舋h1#aDGL[DQ쏷mkS1hFN#4-q*D* zhҶ%[E8!c9 -[6P.xOi8bwb - `TG557(M'֦d4rLĻE{d.ǗT(\k׫Racuڎkhݢf8&1%xbs%ĔQ0AZ1t9 PS -%SŅv,W-fɽȥsz鿑]⹴hFx!;K -_Đּsٸ;:V.sMV:ݠ_&+SUB Pՠdz٠8ej꺰Ʉ;]? 
>Ϡq] -|LzO٘dG5[lF.is@S=&fwTSh֣9Cj;Ov&c*2t&BGcL ;s/vsggώUVkc'4s1ޓE.+gyºP&dj $JrM6E0Z!/X/w;+=ꦶpľR0Z 9݃=_ ʽ fa?S=}H VvhשYJ?-=Pi3WZg'haS%w@֮E|Ult35]4P$ T5O N ^ MҪ' $4kE@f: Aj}z_0v^蕢ӠK6Ux7^^.쓄TiFkoY0<"y=c! 2 x[ 핌NdkW"Qu/9<tǓacD~ɷ7USt|ja ϯ~ןP?z!Z Q.l :w<8|aL]cv3/loykF0ouqeHԴgǾNI4FvBY?:?:޿cܜ™ߨ8HGe3qvmmvj>vvREDwNsU6X - . -qa&nV'Z9!vøMrvO%|{NWox!F_qsy""\RxLP(q !­ qŽţwÐ-OWW2LR7d^읰Zj۰{,t_Zå8ܮIkB7Z3N\p3XEK=#z'Rߊ1cHcj{Эdw= DҹGQ#eZdϨ]GHy {& >_o ORF`"c -{k55zMvg_|sw % jV3t --h՛f) y]exf}z{=PY.N0CԚ0KB\|vѕ|V:ӭ#kcݪdn3A^ycos6 Q'nmKEԹ +g"P&巧j~ߦ%T,SNqyuW&3ŠFN[Kf-To~ZU+lT=Go:q4,ҿ9Nd8$ QSO`Wˊe6k\kfu=d76 M46bECNGɤZV+!eYcyN.v=k`qO\ֹt:򋪂鋳'[X5 <w[7{\ ߘJgY+CNjQЄ?Xݯ63H6{Ayֺ+woi2g֟`\-kn>oԟE SR1רzԢ hTTmYɮEcF55st|c~V+%6}b1vIٙDtC"ks!9"=1._q>l<7K͉,X4vǮN^X4 0ڄUGjLyW1՞(g}'r!^$AE =:z->dC&8bhv֦BuDMWh\k:/]g]V֩$8{n(4q[#TQwV@B[1CFD.J뉥$gjwSK")N :-ގRw 5").t_]D|I{-'/;;#;hoă2EG<JUV@|{ ֚ng(u%mFGN_lrpK͏vu#rRdATfgƖZh/&|\mz[+ra -srb]SPWgA)AVH~,TeR[3i+r7H'hGAb&wy>жNAqT{x5a cܶ%u>[lWBwr9ndLlL:1+i{\M*;Y8nG$_Kj8 hJF CHMq6%_@:>Gd$>LDGh;`_[=A|sDUUK,MX_p -W U0o)B*CصڴAjqaZĨj_āU8g1ㆣOrU$oăhunx} 0%ϻL:t3hPU4VInqEb"qKQDbђbq~qԦc*yEú4^%ܲMxM`w;զ=~nkcXW~!)gۖ;)Z)""SHPjVrH{#hJ[X?fߪ'9:]^e~ӭ_#r߀d9l|56[ HZRX%X:$TUDzt' -4!p+?&DΫyZ %C`9`Ln -3 d#zOJ¡Y6m;~xjO.ꃋAUI~D-vb5Gg[Ϸg'O>|i -S8j+}K}\rae/$ȾI6j7nи#˪>tPH}To*ɟ j_|DV++0Е!yl|+ ;d5bX˟qN5N0qvɫz,:Uuk_$gI &Ŝszs{ym*FdrM)tv@ [ӀXK9@ S@L'(A5,w3X;js#@7@-PT'T&bDCK]6ޏ[LA; sx@W aJ J`t΢;&ɧHL;֋Q/b34Qn/1^ ɀ~j>^3#FwF7b6fhʡ&[^ $2 Qwh{5إcKK,b 51`g/s1Wx 0$##) x\~4쾉h eϵ $.ShTNFx H TnX"Vޠ|i0Yc#Q4ԽAn"j,P;ŸN$"&o -+uήk  E@qE'm9|%&_Z{UcD{G\ڡ[?Mfm_&D;P50X{kkh]!ڋ?#h9s tb:g1&i"&oO@ސd:;*?4W||{ qȯO9=/7<4wW;h^\V7K7n&˕ -Hd$71 'UShG~;߭9s]ej)e ۵AdbaX7Ngs`;F&8ҠV+}c EDUZ-c>~shj=dnT'|~wmcĮ^adtXֲF}'g'_I%?*U 7l~q3'ެ;f駩w_{¾j2]˙.)5dQU]lUV[ry4e #>C},݆cIM/Ydd`8G饊ȕP_0QZJ1ŝڙetfZלPnIy*>י)E>gٍg̟y$>EPJM{{6~i.,?= -.TW4cd61=mf4JdUAܼ.r魃0M%1uWK\@{0n`,n~מE[|HAiJYt~v=[a'13MoA~n?׹l}n90RH1cJb>=}m -o\C\}r@*_JZhڋ|1rߢ_Ymf}2Ev}_w>KsI4a7[F.(Tf+f9ӊUJ&S`q+PǒɸYJK4̟<^ rf -]mX)uo=A,;9m47RF ^mf́TæMZ甩TlEa [w]V|߬!9 1Nb,Ԣݎ*a|~R/и9,nLtw׳9pJ&R2U)[+~堰5{  
+Tn|(Vnsg;8o&uoÜMhOF[Y9L-=!=ʤOe'|TYĜ4\@HnA_7n'x6P;^m#~"rpkHȦ ,HȽzܼպT D5Y')|uHU/iBi$r( λWsz137|Њ,g6ݠC҄8 9^72$4Ģ r!qWF/3t{&^(w{qZ֐fZy[m\N }_G"anFںi:yNG<`]*$|j#SL!5Y z~oD핌s_¿w#'R!ӎ bWH=. -eKc];_ wc%ܶawZMçIݽ&gb.Kh;ϥ6%q:V ")}JbܜbQUpw@A@r)9`Zw3q`PN\hйF#Ji[m ͂9XjGs&%be.hY S 4Y]gi+٧xeg]h< 5:=[~:7 -!O.U}Dwkoxu^({a)#tj/7v>%Y`ͥښg ^-{֩"bY~S\m`N!ٜi:^9CH d7A~H'V$;Srl\?YRl+7E-k|xe615mFUioP\#&|+,_o0jX4K$ZO=TPhX c&?qc?US$r}7ip..9 *j*ӅЙlFA* mjsZ3 Q?I4oI#2;* -endstream endobj 305 0 obj <>stream -ܲCwKDCe7ZQOn<\1K5i^NhE}>?o;f<5I<5CI5nj(/ -z9n"c6q[U/+FT[T%[Ux-MvHo?"=M-l2uh*k6i֐ѩگƤsm2{>@9~#½0mZUYeg{5-:)R,=p( -9^pu3zl=U]V|B:WfM3w Oz ۠T=[w>Y KqqRMoQ|SXM"F$Vܙwu(3Fw̾vyQwV֡r\Yʸ\/\?ҭݕTpFzp=]w_=ÂaZaQw.T5ba@i>,R\ٜʐkNe F{ywqR]yF}ڞ3cb專ls#s3օR>^lF?|X#lFT|uZ3 F,z{Wn -6. e@+u7^@kRR!V]kYpRW/Dehd?z^\K&F\5;puЦN ʨĶS꣢0[S˨|||B qL?|%<=F[GVsdJDVTvgر6d6.49#y}\= -+Z2l0RKvgGZa,꘭ͅ{|iYl=R8RvFi'jyG|=2Y@|GVk5Kb#/o25o|wԹnu&2PN?ZڏF_ -3\[:+e&783ݕ:ڲ v(&+SϤ￀`9˹dJo~v*3OhMԡC=R7@:rD!h8w8f@(z님ZFw.*)hIuT|V3o;H܍ kn9):C -G lUߋl5wjiudZ[v"v ʱTw\%fJI)zԩN&W[=<qoN7c>3dR -f`) ϭtwwfíΌzn7V),mxАP3=>}QC՟uہn6rkjT3no~lƸQkZpKw'@\2- O0тgϠV˕SmȈ#&x46L-L򺑡m¡gB9}~k %_knGi -wf_mAvesa+}.v:~{jhn])v-78pL:KLfKMhnPGu|lNirDٟiλfI4*dCi1('u3{E8VґP$$f0Q=i ZV@U0o]51<,쳁VjUސcp}hsԨC[eJ^L:J&}k=jY\Ig9MNо=`m=Fe}(@ICV;r E{5uA2°>>&yZ./i"ptda!W>I @vz)VmXw'\ /xFUy+!|gc}~V֫#G+cGG2)n#&]JڀCwxtU -*d!?6.(>+Q9+&Պѝi\%#W3]c;, F5AUUؐx" -EDM >h@h(gTull6v1B+ػ[w d `C(o~UoW.NyZmfK4H̃@wc&:]ijSp/RiX`( 1FjZыBD +xՖ*)7~p#wQ 8 '?4 zP7C18d3GNlפne"eӀ_3Sd'"Hj D/ŘuADQ+@[<A@SŏXfYrd|_3a73kmY.i K4@ )Fr%͐ G1S@# u(1֡ H[xRj!FD~a.W=8xg(,gЫ5ƳL4.mXF;ެSl;>h1^JPzꥭbLo:HCF2r PPPcT3P0QY@T#ԄMM4 \#f.Xc_b{!*loxX#F6QŨbLc H`1>u(ͨ^O1DRWh&ݾ*d=zU$'Y/OQYCγ:n-:w~ ~<v1cpƘp&V"`/` )Ƙv.(ٴәvnzlRI/ ,H~\ 8:{~/$bBƨFh `m8x|=߁@* iL|W~L,<چB(7bgD!` 6_vOD'gMt$o8%OpHboX0eEb7 rp)떪1'rﯵ7 Hܯmj ->uPL 3z@3zܫ4Z6D&X{O$!ɾ-\P".}B;Ry97וțWs/[Xrx@gp:v4LjKGej&&BK[+PF"Kc@Bl6gꝡns\a{YQ|=tpwv<`yC ^ƺ -*2EćD"&IPÏ*]ȟR\ VTi4qRf>ăh{:6εR\o ] -fxmxsqB!yGFO7j3yMG&¨JBP~aRy?FYd)\yy/L.d?$f%!!:,6wDÓ6'`nԤɍh=3b]em}pAȎ-XVeS;4E;=#`ߨߪa_6IM"&\޳,PL'4{h[a 
a?Y'PUw]:vJu\$+7nDhmlb-9 iRօÆ1AAvAn9ʄm\](+ZWYS%/M!n urnz{UԭSJ*UC4D[[50 z*lL?lzT~W݄S)oC-Az;Σ¿)YZxygCnaH&d#b*}7hDr zZ965,rj%s_wwe9mPPl靻Ŏq6tqr @i8ۭ"rq^glWA۬uc6VCR62`!?z< M -u_vm}nͷ'P)Uђ(gEgZNjX>6~>EzmW_nF8nfm=GcLNEy JbL XnMs{@~;sD a>.N㼈l/.?K[)TU,mn9͟ǚx-xwM`9.!tz޺MBtj_LxPGٙGx˻6\v 8mrYԥY-J>N;yFb}SyaP>._=N4JCnjGCBC[v;mq٪3 UW_vYolө]jRsT'm㣆TRnc8AWEvF7z%?,kivFnjn:S|=Xg)[o߻ÃH:R"}o9FEuEݛ8 e[vѕ\l,EkJ^z?4 VXg4{Uw%Zi -;Tr˚/N]nHHDL/[uÙ~3)j teO{ɝ^|qAb ~~?W-6gy]A'c3mH Q-stHo5楬Օ2E-|μ3RMW3)k -c$ -Ɯ=_܀T -$WzuvSl|Xf;̾s*c:qz+Uo5m|&W&׫^w,EVeyo\TKmQG2 g\7F(< ?ӡ,BV"+eΣMv9 ؊N.YSzՙI3IthpԍT{S79ף3%1:,'k@#ެn#A#%]k~,j/?F^_C@WS2m ._Sn(c뾃lS MեànCD-4Ǝ! H@p:1a&un+ fEN0bɣkeۣ9#`6~>>ar:91J),Zhq[ PgG /ﬓixқRi'14>Kn[^*Έ #t=rrE#C@j}-DknLv4—{i!(X*gqH|E8ZC+GM/)}m̵>]1F<߅-9dO^ )wstx%^mΡaZ{V6 Em4zǁ9ofLKxUPVO cLc Gi*^ -~}C$ƟͭI&}#ݴ/nZf~uOfRLaH>ҁ+evx7p8; -N닍:a )uXHRDR.p X9^JPOB~=ߥLLN7d'ⷘǸ|r 1z!WqpەP_ް1}&6@t %%"n.=Ĵ"1zHƽh<}A/z=OdjxM)-`,XOk- blE -@˹@-&Ptb<;- -kE<믖7Cp<\OHLD -`d 4/ v]2I[Fe-CtqvJ6rJKП4[\ޥ{5'n:rO!ݾ|vL#'N14 (1&!Ïbk'G3bHظ۫2Qk&*Ws.Vc<X @%~7W̊q|]>u9w[ꕎ:oˏ9ΏVtk9 FVhqv4YmEUCɂ(3Sbi@\66s.d@V oz$DS" ^ 8ѡlG8;D?Q?ߺ{?Qd7a*kAdӠ(cosӶt9'LRnJj$m}?q!C(ʰ1}@UPR -щ_!5@џ%ҫn $1':NlLjeM^͔[ղ${0cA;UomƕFw [8M]z:e=3 -1>m@f/M -^1Ct6r?Kwx+heYqT r9();2+%PҶ]fHпv_7]k-Q}Sw#~f~iICfW@M-@ZPMjZm@PkuMV9C Ξ'!{,X5$Pm.l"럊z:MKx+^GeE~g]M䅝x$U~IDyY:B('x9sn\_)LecC@O{x`Kf{ -y5t1N=38XO?_?K6ƾ))詣sLn5).e~ [wX~+YR!lw pY8lE>خh}֪,_- ہ-TM/pAby.o܉[Q]h}y>2 +>͎C0Be8+EFo -3³c݁VOѦ=Q姤jNY-B< -Xf*etE0ۈ6zoB`4?'ي;1-9}&pi*("}]s>R8vthNaz -=1=lif@z?c^Nm&~˩2z~?;Mաӣr;ꙇ^e5o1lV[TݐA݂^JyxE5LPf3ly0rIT4^)MԇIGþ6 V 8-!@=)2(QK/Ieuug*{f{=3s~T q> Oju>z.J>BDCֶsBs[=,SZU)Us]oꍡ)ys{u qrSsJ0tH޴x5Kd$Fzd K  W1}L$uKVL>ˮkk;a:[*{VB -$GU-%=ddF -A@'rM-JSK%|"c]3QwDzg;^GzPJJxhQqm;`(MNڤj)c2CɄ|GY9nyd T} IV5] т},GN|xv xvߵyjFJv;X3)iעr~-Yh}[HSV3L=.r)|ِV2h6)A MT1L"~%i -C*Ys`­/܉I`\ӧ%0'N3-2c1Ɯzs:7꩐Ie+h,Ξ0S ZB%4|;Si, -i} K|~Jq܆$tN,&[5V:в ƽR.pOA&DŹEHҕҴ-'.gPAӊiR}m5ՅQQ] a2}tus+Q+[b9b(S2z%ۅV7gnݢQrAL<1޶RDj4Dw+óT߬\%2'J)]!cX*G焚Mcд\3\#))'•/,;Ve+Fk9QAu8ŔB޳$fkDzd9g~$W ssD$"άWT4\l]B )XZ=37$t 
-lNcrDwNHUOέ7v_R=XPB29$VN]w:i_ت`Np6G+onkYGhʱj>z^:Lw_04fD&cWߚݢzlSN<IXc퉎6wkҲaG |޿\>zx,_BmaΔ1!&e= }T1%!ڡU/ -^y6+ĹZ+])܋shDS\,y Ow!]q8RcLeÝ^V#|(Df;`=f7`s&<=vrw; 6E4bS+:ܴh8WswXzюwb5bޣM)%<즙j#Q2WI:q((D~i9^e>|  {0Fd*#^nxUOFy9TֶDKS8fe9\9&7‡m >w6U6žB ;4BbItɗ[̚%V=@"@+ȤRdL),`@74ً4T8;R;Fk˳}iĠ^xn5z -gZ䀂DnrQ{d=8U=eq@e PQPPej Fލ,r;dkthU3\-px&&J `LVV o9&`"V?4?- #Lom@/o7<d t):j{M˴Gf_j#„Mj}+KEXF~}Vr5!؂ 'I)'3T|`Y S{)Cq꒜]3JYIΉm&V䞫gd|x X8*˽livqE`?{ϙ:#[!Fn5Qy="6`Fw1f0Uwng>:kP?ZQ0?y_?A 5h`C !S~f H$L9laiW]V}?ܶГT/ZmjVV]ٮU|n3rn;ym)~d?n 3S 'o7JYZpkbUJ:3k*[B[ȔӭJU)zaTo٩{kWVn^{-U/b*Kt9yscx6'{O,YXWj I\VQu>O)"Uzv\ɄS~NTMSǦSfa^HXWn*珩R ejCɪ806F9I35]s2Uۨ5zyYR-÷5ֿ*3F{^#TsɬeQPȺ6Q'e15q:uyyM2!/. xnt5x5b ”/أ|>yn͈) |cX^ aOiH hP9Iq>IM Ws24"dį5)RɜW 'gM75) j/Jh"=' W;5భOh}~j: ER`Y xhmTss g?&s$|JOt|䜬N,ºńbGYdǡ#gՉVCX-CPlv!gNJIZ[;MiJI:dh%a2΂m:"jEƳ9 .;YYcbg4/'=DWX#,lE&{+Fo*Β._H&v,"?o'W0C-Q<^.k~Q,uug[6.wؽBL-ǑL5ẋh%ch_&I&ZQ=W -꧳L0(1(uR7i#УwʒlTDWjݧL ح'rO'Z "1>>II][$VHf\ǎCThr-Lʸ E%}֗Ӕvaғ']kG JE/ ϔDMKhi1Q*|.h!8&t X?$i >}r+L%xF29̘2Ё`2p7r'M@[߄MUzJ|1r[Yg{ޡzpG'T#hd7h2:n$AoFYXUAoa%Y-@NpoJ&@P6 ^Qi\:̀v╵`^/4NJFզ%JB š)l3P>?<ݠշiHPB]IJ7ha2{p"W6yBcD;t -Xv@.@{-r<8 U-zpw Ah!] Sw}=.SɊA)/iܓ2;/evߦ `ɫJ V @~UB$`-NL @'`_' -V=,ud^RrB,x$P}DO–&$>%xe~x HP{>t$;RFf -@2!Hz$Go F/Q{KW90TxX"ľb>ӷ/e7s -@9$C@9&@rWN8K㘆~mWP=f3Y6Hfɹ!u֙6;9$[=0 tuݐ3 }zBIu~uA%85>r\ʣ>7?R/JEÜW|זJN6`ɞ|g5p`/M-ϭXsVuFR]| zun;ȳzfVGn8L{El963\j_<vBjlng &Z}+fbvg:Hۦ::T%|_C霋dL,䐋 e |?䜫e졙gF!9wr.T+o8u[K:*RwVlrވ%#HzJ#냹L77 zkolt8Ѕr򼗭aZ{K;Vw^={MYHalb }IԾX5Fj㇡\k;52} ZlAn͡R!^){WΧ{)ԱɛjbU4ut#)=Ox/!z=v"ϵJFL1)J=b`S.l>zY,:nkդ9RZ *rq_Pw9Vg"KĪzю5؊¸3T2^t"6Cתj'53@Տ@sr9mɤV5.QAiVٖ0QI :uPgoR/s9nlBfr^ZI)FrFT3*Isᓦ3rbXHQKs-d. WVK4 -|ۖrT^$SiⰃdE+g8܀Ddh%Ü\+Iݭw9U+ lͺV YfٜpGm5 ymb mBa܃UlcJ#. 
-CNnԫ T qxfDː\aҍ -LzY"Ip\4DjULXvHXe'NӨuBw{RpG^-pQN^JQ$0_Z)<ф܀3SWwA1谽\S@EcJO"2L &Ag0ǩ]`by\uq[ Za2HNG}R\lGqiV#\tgT2,¬[pb5?`B}o-[H5~Ȇ:%R> ` -[\o,O2Ps}x l-G㕫#U!fqjN"g5m3 rXOdEfͯꚭ}8 Z${Z3j '},ͼlэGSDT} Q1\ܯtmenJ1t-C' ŹDG2ׄzR[);t mȪݔf-"m>X%\WkGȾZ"8sFT؂`] HOv\$LM0U(DI=w\1R.lcZWGY;zI%45q(^$wbG7Tof r1>rUA*p}``PC7~" 1e/XiY>ܦv#W`̃8k+q12fl|4J]k(όM.y^}f -O(lBo2ܨPnuP"{ LJxao|<<|zچ'sag~@h >#ܱ?6a)th-Ft2,LmOI1W= :'"3M1MvshCH$r {G;7`~HY=hs0Q@z@ zF} bH2\"]P'!*r5l@3qUE{Ass -KT/8樲 `qD!(&4r:OՉ @q⁃TxJ,/$*A -5R"JK7C(ZLh1?56VX:;dVG̎ɓ3QB[6w,!wD.+A0~ z =-RT@q̓e -X̓Wd;B:EzkGM{C,&j0mGam`!Hf}"! := `f4KU r[i]`s&USTT|u6W+cOvL:S͸em3jQTB5ϞKLi'TȁBy"و?A0t5,:`ȞCylà 0P3{Nzz\z]|\zXPYkJ\4TK%֒ŲE,rn]$R2#3SL, Sl:.NUC}[6C X0lƛ{l<=krăw\bb\*O65,%LP֜?]e}b-=]8-ﯕ|MRVzxaH^4 kYp\\/fevs]@9;7BB|p?|?JbX"[AXWi+l_1@1gY k([)|a --5C'Qrvnev^_$~ω%u+ga B!Z l`4B!!]ih;AYBZ +'{̯hr؛tt|3=*"<Ȗ_[]Wvcid>cV}`t'RI*hLZT/.s\QVi˹d_k+_]͆q\׈Y(YS7.lUbyT6ߞ-zwKw443)ջ>鮷Y <1>ycyվݿZq>ՊļVq>utrog?P,\+n^1%- "&1U|՘ff>cOlƋ+*8 %Cj'1&^Tv.\*c%қ(yx6roR|u24ḼJZg3sfn@f,+Iy:>,7D-n3k\NKMKpg<=rGy{[ko\>ICNf~ğWJ ⺛j'77PݩZA ?OI}sY_=J&|\_V3UTl{rv>ř&iZ;<4ԬT/uQ1祉*ݪkǵiumS|2*n|gz~ZhCu*?s.t[jQ?xr zZ@H\z&Un+w*~ۗPƮ{r@o76L!Tu\XUQ3!2ʗ\q -kwkV@.ՊļZH{"W_u?sno1[o1[o1[o1[o1-5slÜRq'+'cfw! [^/pxH~O ɀG:o:^mQ 1hZ*Oxh?B?s:o-Lar?~xձB)n#^=(nLCR'.8n :汗.cl[[`VD'*C1Y[+f~coߕ)xwУ]}Yl`f"lُVM\7vCH)S3cɁ[H(a_FoM_y MWPWù/IW/7v )E< gj@O<{ؚoB57A-ULs;7i ߖ“*Q{1Lȅ?.71IYu{p\"r?[YTT=y6=WQom}A9~j7xAj.' -׽xyd^bdL;@˚?D~/Q^_V4._\CAR{ӭv=2N/5ݹxc+Sn1El쟷Houw -\n1?8韒9fMQf!w K?p2Lį  ˴Sّ7Ѵr3Wv,x^3n2,|OHW_vNZtX/_?R+~^P?w}!+zt -ûSƳBAnլ˹&2WwW"7l9S M*g.y=- ?uF;qa,g,<بuHwtB]]0[>g"y^__u1A72Meqs=[Nr_B!WX>p>{DL5M6ϒbz9<53Aw(J5佖O~խaߥ:.%ߨjoP717VRDNb1_vd [͠bb:2mMNE!tb؍N̠%6w7wxniodjߵ&S$>ıDg0v2 Qb?Az`?p % -mZtoDUz+c>AhިR}uU}͔_mTvZFnzGѬ7'aSm"s92H4)Dhjo?'޵ԋDzl 9իZ FN  Īst 3!#û/.8'2 5RwSI~x7V]0 +~̷{2U)wݏKN~ɜ4# -.{jKWx 6v1ZϷNkѸᗽU ,3 OK?~7Ey_.pSH@=='ogEv[]m91? 
gL[Ąoo娖?V -mx1>rVaA PlvV"q5'߆ ̼(&Yk+"X_T˜c\N:L ͌@tJs1,ph-{ONzq]ҕg{ g4ɎW7&g1ڇ%ݠ=|~}95D_ ~[NpV/wC54,V*}瑢*BCIJ=3wlЊ~M@x=0jd(wwf\ɏ^ͭZ n7~h&#'RHx_zSkjjJ?>< qi WW_L ڒ*Rγ8X_nD)JQzaa!w_fB^7*Ɔ!߿֗W7ۭJmK!, %Rm1' Hg4KK ppG -Bbr}B.c7~^ }9J5+уQ#&(ɄD2Z0#iWEF_Vg\Ÿ?rzЏs~A-Zn^GFwSr 3lY -3{)&jU-/IFWQy4 j= J6ܵkYLX Mb|EHIQ4ti>uj_g42c-N0Xc?$*A룔@ {RKƼsQ.uJWt6doM6h↏%Ei:"U9z_Fb(_tVk[иL*}M0b$o;I,m_KkKVe,ԇ0k毭[6onтk _[?TdX?. 4[t[4*=!LWԂ"5$QapOiyCz@ocٍGe(^h{ʛ3mlp].6Num恽:{2Ԯv;kP>^%:W$qN/t_%?nlZ_%.y:>FxE{UIJԾh!=B{Si :II0w83,kUuT,z}C#L\_aBbLB` -W9WD}MBnЍ$ LcM%z{W5\ (w$o@9C]}O]-~UZQu/oY(q҇qe`"6߽v7ĥU#e%\BJxLKRBvY˱K"G] ˜٨̖!)xgpN%C^?2%TcW'_W4c=Z^&^1ENw~-8K#ڹӲ/fz~U>kvN>Ʋ^՚ewU{5dI%p0*e~OY/TT[ 5lho}kJM -A{ -&ڗ)2u-/t)C57%-~|֕\;7߃9⾡>r~q炜kFѣco4y)CY\?⩅^X ~HM\|F?VfՖC_rISr -]+aEALە/c$ϒ"z=ޯ&+-uU2:%- ^oo;t-$۵hݖ\% .;ʶjNIEU;T('uo4^4FGvY Zq33 BK_vsPJigCץ/ٕ"nFkP֚}SnƣUǽN[P|w0Dd捫FhBKb/XomQDKsH-(fM)j#xvx׻csZYCvabkD#ݡ4mғزG?6tL7wԧY֥K|~VJg@B\p+ږiOMC v^ոɵhĢIқq;m3qUFm g}ň(^-(P·ϭM=/tHkHbS?(zP$R aR8/mvt}ר]lMaS%u?5Co4uh?<7Ī( kjיQy~կɳS9buϵo#+Z7vc7 ЄݢǺױTڐH@rϢȵVͽs'$ Cgsxh+K+[j̍zqWqhF7OW[ٚ#.9gǻ㠯v!.qZ MN[`н?f]m?kuB1D[ٮVh˵4V2q-6Z/}'dDW<£Sޗ]mWXNZaԟF}mJ.VOo4h,u81X9N.r)OE%#>H!>?ti_]UQqJ3DJ#4dr+jwgYt3{i5?cnFpjQe"*:.9?X'$wf=)vz'9>`n{}o5:ο`,Z],K`.w]Y-%n;>cwΧl>z|<ƧOrק񏽱]Nwyt49Gt^ԏ3>D nC@>$8?cA-OpbOky~D@@i>`l.w_ JqM<8[xh8b ~o?4?X7*E$ Wq|X4-b6k|>.o~b⤸q}W0654*ߝNH6{ᤀkv6>:[A w ob?,'h=9h3.a$GslfiH_=?96j -x!ȘWN;b: 9]$+c?1_n/##\nӇ& 6@y Ey?\.=MB[廈U19fG^! Oy3َJX !"s xIRnr 2T`*7U*]O7(WYmm3 +> Xۦ-j,1Ĥ#[$@O7x=}l !)*n}ƀV3z>oXQPq6ɸ5]/;pn{'1s8?~"Kye\'dNYӑ0b=0,sʺ mOUfgi L+ z߫]|{\7f qw/jk~ۅ%$|霊 qyЌ^;ǵ?E`9/ۂNvt򵅾;|YΤt7..Y!3jyg? 
-zfxMwg"8W -@`/( X-z]913RVH-9dGͷkʑ*AXmGI5h#.:#§=2Eөc'ef-c'M4PP.rWRZb -O6 -Wa=IOɟ~ٵZb]8m5g2Զ?k} I.D[xg5rGGƜICzhP#E副>%=]G.9 `DߢN|&*nhc5fKu=ߏCe_{j {4 jZ)us5aOb70hnxv4pZz -WFf欀}M1iu=@4n`& 6Qg9LOV*OOXR# -!ۘ9NYd+Dj&cw]ЀVӅ>Vs'ͥ'd8]4VO {75qQ fp==i1V'b~G^uSQPb^V,4v\&K.j");6Ú@%I qs3lp%kyp4Yo &\_HEM.̡L8s4ݓ]4P?c|MMlrHA[0_2&$չꛓޘvW 4%燃C'ErұaG<Hdd35&+ E2y1*A(l]Wn ->YNzMnXn$:2ad3snth庹 ֯O {> gXmKڗ!IX3X61V`%nЌ>SA6/5].BY)1 @Vzoⶫ3@Ꝟwj[#/ ѺGWJ~8OtEL?੄*Io4 s\ +nj5KY dx[k4VD2S&d>ˈ|Tz1_0P=6'vO9SA#Щ)¨$t€6#Ő0mKTS2D_ݵQOCuC@łV&İO&A(a{K>X@#t?̼@M`wʨOp4P )5f-H:-h !`ŰA5>AK $Rj {Gr0D!2hѰ3_œ! F0K^,p4D*>EBh\WAf;'4,xBu}bEaeҜ& -x6.0bEȹh$ƊVЅ"!v԰qI% 0d Fʐχw' -^]Mme^#&dLˌX h*%7LYҒhpќD 2P/n/n,O0c?ZbXug~/z3%8h! X,{h+̩f;smV-X -B724(he3y}z`{'-1JC^Hf>4]󤬖3:hy5bSv25/>GȺgl+%edV׆GB?V L՘3WM+ -5Wci~m‚;Tq-l򮅼_Lky<<\T5&u7ABݓ$]%- -G9XLXl޿kY#:YYpk> -24 pA8e5F( Gx >m$pOTJ 򐃾ICx/,h=gZ+(MgAΝX$;Y'eYOZ +87ON4U ]~WDH>`YcP|@wٸt -E5m@}pV1G 'wVbM@D*4 !ÙC[PEg4Ӿ -` `ԏD T#\ku`q.q`13XY- uxښ-g/˘ M2v+#1]rn.cNO2 Mtu s7]T -pq0F$svI[uf?~VΪ6AG ZeD/$H. rAO70Tkzpt;47[ٙ$[&l{ݤkMbLݫX=9kƋe_Ѥq/ݍд'YUkPcwN'>c6/\N{Z;[jP&X4"_<2=6nyw -_HZXP9-;{Q>LLM=,5r͟i–$MRfG/VT o~iJcJ$F.Βe>(k$:91-}!H[5 -$|>hl8R)|a 2-Pu;Dqޕ̎Wh]6Pڒ+)h9;d; o'dۀ/##^\`PO3lE[x4!??4d\{'3W:EI[GkwIhj3tidRŦYŜx#e8NPBzaGKMX֎4Z!NuQ>7u>.ܒE8 /"9?0i|*}Q-OV'bVr7H֑x5ڳ }&5c*"Y?Ӹ|?[|ǝiIJO |&PnW|p hf,OV 4-Gp TJX nGŵ}VADqVЈvijXoZxU7fGg3ƱI"m0KNg^*Ld 09ۤǝ8pCqQ ĩ-rJ fzAS˪.sp{UĮ-{ Yb -e{`Y\F̖i1р@Ns0{].Cq6+;]6$}ʟBpm,/0#G?0Y878w>Ǽ !C/;nGƶ:@N@m/@|IIux_ 91!Ub8A -,ن| T-ɜjq@5"4^ƐH]k\fh |Ӓ?Qzlb˲L)Чg[8>% _8P=r>Q=t/ ;0e/;7+ -qȒlWm\$w2a&AdάqqQOtbިupА b}O40cg<pqll((C, q6[Ǔ>u~DGy2̳RS.]سN6ts/w)5nZW:18XzՔ4MbZ|*a˰Qg1Ip;v?%Trj*v?KfNØAA3x$EfLFu2a4KJ"8LJr[P"'',Bs5wzb~"<0Ѓ#R?Ł ^e4O'<%̡[e\*_hT Wf89Z%ULVG(ܗ?B ire]3Ġb,ތ?G?'5so1 i$}굓i[QM1pBwBnTPfXfuhH4pXDF#tĽ/P'.PBmS ! x$$]2-{&f -j jwu_w݇Se4-78~VGzqA47 fi*K]pSBdвõ|\#RY*\dASYhacQ'UVH(OY 84Yhw {3u᳋vd(½vS̳y ,W&Jvى*S-&'NK~>ckؗU}}ЇIa[MMfLI^HZ8c1fכ~o;oaOJ,C?a=B9չֶRX&54r -nY -kFػXQŰJH'z9SgPۤ8X6Fb"z4p̭TbX1JJ`uk˵XL +x5݆(ikTbX?c7 8g+Гj;>XSk9Cń`uX )A]`VrQX߁"[jىc GGwz8w! 
^9McuvzEǪ&7wGNbnĪ+i)s,]tX/jha+{zG}z蠱vVV>W$k7>RkΚjկ8Űbb.[L &ҺTǚw6 Vtx$μ:ņsbl(|=(&vZ -Rhh[ -kkaqiP}DDMt%9VHa]b]Kh #;QMM+Qa'$֕I``A)dV4{9IdTX*_b$T` -%6i+IwV`2a -ٿ; b˕\Kb`cM}1)bwL;?s;,jZ.sg ٭- -k[Xu=Wd#(XVE$NSkNMkN%2_lysmr_v6>uLVɧph{(pYw|Kgڕ}Pfz+a_ևk0MU/N}zM4t^H^k|2OSqa$d!.Z.ݹ paͯęC-mY+iyNOEuүWӁ{m5KT~8,ٴl~v줟~9uPuΜp]§bxuy:9^ME` ^ASeUz{ [Z -q^X4zr'\+jɈVZU3.G'}l304zДƾ M`") #UvPPJd#qZuXk/zz+P@&[ŰB<<Ŋ\! n X;,V:;B?H+.Xk+r*#wΚK䲋`to`u𰺾oi\Đ}ijrlĊ|1FĆ <ֺB߀k9  ֪ ?M1Ljd(SȮ#TSldD+7`I`nKĆp¾t;A#X! K-) OjJ0>=6Uy hT?$ 0jeU%t@Yǂd3{nUrU@b9;'75-~Ơ_ / z ˗$ad 1X04$?N'ĂyniǍ+q1` џq;ɺb#th /QV0p>eFVy#K/sMKZE/9hUKsZwxL_%MW y͝_$l=2@"J ->&J 3~I)D3ұx4d:͗BMGkKA;_ z | RDϋ qDW=2Z"Yiq1:DD}3i}pH\N!z䱻JNa..)P~WDMrX6 y8sڗE&8䍱zR-PF4y%Т԰_ul0Jcu[dd%}:S,fiA9n&9WޓB4ss{Ag*H[^&.\-=LziֻS,^jie)C$V҅ -ߴX6wCa @@f hKFhgIkj6fcn2L?N=c9ScJ= qvHA[|y~ezyhtή(NԡR&|p (0Зh n$;2/Pa;#=:oƒ:c)́buVżq"K4!y@栾:݃A*ep1FLH-Wn=- -hYĽ5 ;#tDRو2Zs߶@vVH$  z9_C/ОW,v&Z⛹PpR~SWdh nCJ2!4 -CB 1!/p@w6DRD`P۫ -]tP` hƻ*?w NM~) APXE5x;o/H~tQ -my N)&/;J.&*/qwq!KUE y0%EӚP -:oJkRn"YȑiXP_&Lik4rr9$  *3elݒW'"`|x($gAa@GIO?[Ec)G~d%n$h^Fc\j+Sf /NmMF0Qsm%}!KeeAъۆ+vjugƞO2f (:יPSMn@M В*a/J&Gƙ$5,+S{{?‹)8Į6l|A;`c V\tZ,7';.,z OK6kQ)^H|-@r>Z7hr>Z>/)瓯{*]|O r+Z>)|O:rkZt9|- -r>Z7^e|'Z>};̲|8|t^h/dK#usqA'屢kOZq0@,DP N --Ǧ TOeSJGP}eEiRR,/#Dn?lwt҅lnL ӛFKT{o1gb'-ѹJTQ`~Sر 7_VwcpJKިUɲ R`^PvwsۇQv'(ۭ@;IŎA—\u ^kbLJwJhRX>3 -^N_nmԳ1@/RLIW 1jKo[F9Ph d7} \Z[ʧ;}˼WM svVM2R!4Y X`hRMh =" ^| - -kw큨M:Wxc8N!,7'POLt;N 蚗qoJܐh -UQ@Y/(zeQh -e(ʻ?PQEyp4<G8ů i2dEBw>Ls EG!P"ybAHNL-M=.y0с  WWB`W2JOy@WTmeO1@eRQYGU-$ ^;2tīC;w}*)85:;4< Uo4'Uvו+QI ׭T -L",^ew9+!h_#W.H!խV7@2[~G4ִeԔ -o&wc`A/plUXUѾ sߥ =Dw᱀DylGRMohe ->c1PG3 -A,}[^qb]S2Ee=)Rx(*B[|C1\'֧7\4lT˴r߬'~ lz7GxٿR޾]A9簢>In_O8Ǎ#VOO<@Ta}1 ĪD{Aa;/*su¾Wb>'.Pү(E_Swa&ݩ-컞1,~uak -nd =R'f1JUE]닞9K>gu mlU_V'BP,tq_['>i}>1rP[/-#O̼[}D>"}ڍKmU(5}7=Fi1}zy?1.常Ҥ?H*a O܋{[a $$enݼWiUpTWJJu[~f: ]&Xu+[I(o{E8'O]'6;ބej>\$ZGĻOnO:ɽv>ʍu/{SV?tF0ZoD]pD -ҟbƢ{k7g?zM+QK]lk)ʽYHg6G`"ƍj4G\j%`$%yYT.'i72b ãL -RnzЖH7n1My2վk]خxCU>Î($9«$lem6 dvs]/*Ozw^x\ -N%%Ǖ[nJc/|@7ɔP(F^q 
=c\7JIof^$[&i8x&5LP^$wLZwe {e/nR^$Wb\<n[)O&v/u{K -nؾYvm\)me -ip }qU3g_LzEU,J[ HfSD{Mmʲ#+ddh-LM "vG-޽h/Jjd~ &q0x - ? ṋWV'.WYw#wR!S,`Xo+Md:k*.ͬT,h׌40>nu|%lt|>]r8]o!+]V $cowӱHWl+ܦ^V5H>a -U`pR/8bcٿqJ~)]3VIsi*K$>{5򺵛^ &(&(>|a3V%˓&2#lCYygx)!]Ə3f'C)Oz^j Y; v>!}x{*TEOIڠT/DJ;wՖRӸ}qi|g8Bh-p[ ]A_|~'nU1LGvJ6?IAb6O_D7JKPw$*G*J#es桒Dou,SRx7Rr$Qi= q(G|9]AIzDI?^tSt=/27 -! -b\VȆrȴW^VHs1 +=e> P=Q.< -cdo&\*MPqj @=}e_q̅jąY퐟ąUtR[RIw_x(2`m{/En;pC0E.pmr+vj'/<>}mv,(+y.X7.<WI^x(+˴䪋K2VɬLDiٓQX8ukLiFm®%[UxUiZ -\ӭ"FcPo=Nޏ*ӮVQZXp57z,w`/~?-*V{XםbE V ]Xmc kXb}N"$/XdkcìuLwlp݇N=Q/lL~`h(֫;1٭ۃ~T{je}L]>3LY=3 òo/-U %ڧ2Mc~Qz!rQPAch$kLu,zҚ]pf)WCv+SMUHR?sinV ¡=^1(mO͡mt,-*uu9'-vR. #7`YoF8Sԋ+|50'-gҐfhȡゖ -4Vʵ ->ɮd7a+1Q@[W 5aQMƼi7 ѧ#˱aLE鼑U4 -|`>(+Dy6̙g,><_  ̞pSЍ zPD,k&@O3ӟ3xPWG_Q)InhGEqQT:V%;<ς22krh}s؋^7Ú>5 f ݅DKAkoaMvh &X`}p }X57MFz2;n8q=Ԥ_h5v2t4'=}(ق ;r6O -Y#)o ֲq4s"LhkNaO&X+f.M1Nfq#{|`\$d)j(TԐ?TqOmӣ)<|O3mG$MpӴzCܡ=X.mv4˂oJj8KS8JSGӳQY8^LOZc@?c -/[ah8Ye'"ݠb'c*_leGU}4PZ`־llTbi6-E9|h<{=FfVR̜,Pbm4$WzK-0=Lb͸=7vZΠG LW A)UAm*lnrPkh0 ?9@vҦ爥I%\cwuszVCmCaMDfq,p{q)hct<=Ѽ͘}9<=~#툙Ti?C7N;ۭQlԦ|bx@&y×C.2 -C.TA,p8Do'!>+0_',aC Fͻ^r\ -;t.qCAcꔑ#LЗ2f0`UxyO81rd@BzcJ%2UxW[3]WJ(Ԃ\bdrH鸁v&^#EcF)G;h `xT#g4re<P9ySǍ)~ c2eJ#c}D`qa 2 @rL:\J$C\\FfURY|rybo*|?dSp} ^R+}#TkRA ]>#L;Q4:bntv@Z^< Քt6 SqӍe2L\`.qd9(A\5(~3( ^cXhw+x 7}<  ˆ؛! =J6)'dPsaRH`.lRPl'hQ -hor<^ANi%Sf4@ٟFMV&8 nc lBiL+եӏ4 ?;WdL&Q4pJ1huv)H0 -2-,i 6qRclg-`X@^ {"98=gO޼5$:ETl({ѮތhGQ7N9=q+cvϨ^JaD?$HLU>'Gϳ[eCS:yx$ -!@KΣŻ߿C&ǽ.USxw8^q -PhY)GR"!""g_Zn`1DJ/Voc2# <c;Lpy8Uoہu,ʉx.ܒ ʣE;..F̨6KDD -?:ekH7/cP7C5&& `gq佪7a.C+ Oki!ތjmP8N.m0"=<@ -E] ӾԐ C}=KKs*E1C oCh?2f1jL$|h3wxO6+h3![,j0T]>!j]UIvnڪ=Fs{8;0騸eK̙=m<׶XU5ǞJH;| ރхN;TEƞ ơùWb"ъ@a) jqG#MaHЁܑ^qc!BoS4f1bO˞ҊqƹDR@euي08C@Hup4@+\ZpnD`PEψ]a7f;#!M jpaHĿ^`XJXVe sΈ -h`ئr +4tyNHqړkģF,:MJxK&<{*Y+ⴓ?\D5(f dRYO3] -.O3{i@Æ +of~TPgn28Nqs|]k4&Nvjpi&( ;]vUFG -A`S:mГ$1=7 T摀` ->'jF ehRѝ ' '?N^8W~ #G]Tږ'(މc{:K9"CJD 5jT_lF+[@mJ= -L4yn %¨QBJ4ZOP R0 T .8Y=n -SDMWjets0͎R-*aԧiӯuH3kPcF-)cTm:J΁}VY' X?*Kwx6Þ`[Z8. 
K.x?,)6DyTI:tZS{u1O]`~88ҙdPC,:uH_/O,˯%n0&"C0z2%dn9glԶy\ 7ag͒ǰe_vPWn5=IQ$<) ?)*&e F8zQ-$%utᒊ-5_Npw ˺쏰ʻWH,h@(:t;tJx{㘲A+pn.H'SnB:T*7d{SJP~ j" -b Wfs]zʡ<ɯS,$m@9.jk٬6Ț2<3NQDs+ ni̵az9wV8y>ƑMCn!}F2䂎WB }x>lTűjp9Z 6TEҍ!eEu 1j#?^ī,yla.N ƧNod -,M`0|Bآr Yə i<tS?Ki3w -m}hÙ)fv`y~o0byh-G4$kFvYM̍[(oY*(rxo2Ep|Ԟt@ '~A6/lĻCg,y`l}ǭ,u)!Wcp߹OC'sxƆGl_Nv<|&-M#h_Q`1a90X&LAIh/^<(őʃ= ^jLs@"f@f(o:VSQ1]^O5#~ZBm~vTD]U^@hvd` -.g \@%pnJp\^n%^HvtჀ` I󓀢>5؍4SPSn4Pib3_3"8-X疛32qpdE7;#Jv5+=7.`h֭>d)2g*U]rwF4naJu,U30assNT%⠀Yf8A}RԳ}Br@M3pCwNVGHQ"L U/,Ƈ롥@$' -֍Tn/FJV;µ@?`IjduB/AR2\ d%R -}hBg7 NbԪ,{v%k;& N J@DdL4azٟ_>lIG{֝{=J;֮jg!W!rX[H/MDc#$[JFx*V{*\PK:r1/R!COTNl=Qh])~nzRntE@/3@ +W[4&ǽ[+xJP?ʌkPH1G:GRgrD%~J Z\D?OKv8-웜.Orh1[:> vS+u=}} - ^U+ jUӸq\Tv|+\洓J Z( -jh`a>m<ػ@-l!b7 ~UyתO -X##x3Ģyz[L/zBE5el/&A&..s~X#q&i>ZHR7,o9sBᅓXN֞f>=?;F6QN̷m+r**TMq$d#z/i6Bѫ:P:1JgUd]$|3h*}CMi\N=I%ޘWճN1|U~=U-9ß"w7 b't_l"%}Ay4y"+xs"}sEPʌ%/&TH>H%! jソfu -"ǿvӮ6N:ɋ׻zONle歞[mFdVoW~OGjjmDC/YpS9(|[α,\eaOE_%n@Z%%N@~1 -.v@vEjoTIS<N43*c*+a]XRB4Å??)ъ73qsx4>͑t?F" 'cq3b.>xnpDBF!mgFMI)>LXLWZNZ\$"NB*Պ[ZL=;sQe]Vnsuo`l؇^Y"Cz?}B \5gO䐝=098[MuO6@- F]Z3PV'FfNҰŸ́ʉx,j&2MzG2ssN[#yent}ĽWOqЦNa2ѠU|Myۇ?NqmDU~c tL⽽$vg&`_=lWZsO[v HQAJ|ptjH -L;j/ƛz*- :ZQSj[f*U41JgF/L8hWD-Oe@AJ?/(I!yi-Ly*b&xng}=)!ʝY=Z~;oCv,u*춌$jQdp u*ڄU_&my"aɉv:ORom7hIҜC.ywr*_Oz״bM)ͼz#3iRϩ{Zw1H/{{(Op0\/ED_ vCإzYߜ ^#z0_.O^r}.v#Rĵoӳʗ6(w5Ҧ(6?-k4Axw3mrIq]Ӳa~=iFCb ǃ-w1,O-^P<ͧo7͊ r{4>wTO_ҽ-y: q))e]ㆨQ@/K HMd@fRj^a4it\١q;^{7k;OM^ 0Ddf}%)a-穸`:޷nxCIiPV0P7y/㓧 /<#;POWDVT Oμ5t]~ pK%z5eeinZȳ5P5Vuf#౵naM=XԢ!\73ov%n5h'U֌sQh僾B!4l"7mppuJlZ| {Tbg1LfH\_E&os*jDߪP7y#ǚ>mY;inREn}YT+aԼXd9{t {1r^ MzvQS)~oۿ)xi1?o_F`nѻ< /E]8Ϗfpt=?.Q*#0L4?ya?RLʦ4N 8G2ǁP"G`wj$3z>OCn~#p9я@beMa5!ro3Uan?Y{ry,rJ)6^ -)}`M%oѠ ًvjy;Đˢf79]Eo'I!g eI;: Ul,ScE28{@t!dz$(eVKՔܡn{0Sa(?(P Gz|>FHH4c ~O^=RE~y݇Aw^S])?@{T PًԨ#BB,Skr_F s2r%¹7Qk8wM{v!v)sk!fk&bh -lGwjJ} ; ->:;?Vﯬȓgb4ުnԷsY]m`>]Y'EkD)JMGֹ0u]hOZ]]CX͉NӽD^'4*EDi֛Ĥ;-Gbm:c}&GXsE/&t5zISoHY=(qGAAH-w!F^hD-DDK~?T^9" RX֞D 2(9W,P%#Wݕ)i`]TT_ \o E}|Z]$G W9Hv|_G2IlY*|W nSEMO, -9jze[A6w:6\-LUEh2mM XXSGl< -G{݇eiKƜ )y 
-a+tPN s d"+gzBRg2'xեJu?w|n}A!@ !~,55^>iqh{Q RPiJd~TRA,4(%hONۡZj,MW_D5!WodRd\UQ;oVjqs@3X_ּK- -baߋ`NeNlT$\:b%.&Vl|QTqH,rp?*(ň`|2AUUWBAc?eHGFBfR_h>/6NgՂ -]UV=)Ï/ RID1~ƌJV@vDqD6Qj3ke^؈BьgE-'SލBR;i2߇>~rW+-jf vEˏJW&&9.%+ ^q@D`DO6b11imQ3;Q8O3ɽgoQtS}ἾtHb#qWٵ_hn}& /nrJމd3/@ߥ)l~tJd} SJbx]1SNx(ZO.ZZi(O6>%qrЍX! "ؽ:@wPB9Q-swv"Y(AjEd-Ag^F +Q2̀5c0M1;x.l}9g\mxd+}./?|c;D -Db_*j.Zhp}NO.^%oю)F:kZ,*AH|hA*Sg-eY\Pv] 4I>|bwn}%PB"/lA)J1]>pb5{Cډ[R)B.wc"zn^VEe ʟKrDƀ8t]UK͞!B IF,P ؜Q|p;5r$EhD5($'tM" 0d# []/llDHEXd?5<6k-ZҲ`"˫W9mF\DԳQM;i0R[ 8N%wݠLR8v47Pq#=lH(Uspһv8h\ y -/S"{ uvePHj&M ^B}uҘfㅌ,դ(#P>*@壼t*H 9'UB&&(utPJO8(SoTFҢ6W`P"58Y -#nq7W jŠmӓ9)Pi ʴk^As4ZNjNky-뿶vZm9oGeZi+>Lͺ%+G -d7o+h_ICyc磿cA=080(,QKQl|`qd˽E8(EBta8MpmAntT1)6JͳjB.N~sAjH z)=}뾍Ȣ8^Y QۘѩC/uO~_ _8-}qCmV]`8nu"2]c/' ]緯@ƻP\}K *%vh%V2倞d*6A(^G+TNB= o0y**@fWTɉ~kY#=0 -/4G:E? |`= ل&sS3j"(H3wq&=rPƣ\._p,xi0sga{%uS4. 'd -o7Y$-ʩ!)ceLbO),DCyAs:O$ޒD ݉nr#fϞ.>DI$z~vz;c\yCgaFkqׂstO\M}yY_v8[jՔUe)loLΛdy;sj.9ɐ{Ig\Ws]襽[$8) OZףTUu5R6?U(%~rwhP ޝ1@|x$C/8erHfs#48`,yhcNCreGFK qIr βjUK/DYДT]^g3w,r\Pj[2/ -Clt6S3bvOC^'6e-KVbK %gp%y xgm\ jUfPFyu -=T/%ONKQk5̌Za?hh?g0 VL߶Yj=`~Dni(=S'C2 HM3VK- *gfmHznrC-wu -7q\4|:Ѱ\LCC!b;ubݾy--Lz.+b/s'bYΝ-*okܠb]Ds'b Ν=n5 MMwfn} =~=pS" J -bnr% Q]mnߦq]iXrnn7l\FzO\1Fl̀ *ufF{5,Ql̀L>}PqHd~š^Z|MQ&T.RiKk ϳE^kUOI[{ \G2v:$$y2D{W$ChL -p*{Y@ {;QSTSiEJ^فzbk'ަ]q*7Ή\ܾ:u(qNUϻy*2G'VzbW29V9HArޢС24ތs M׉\Á. yElG=(oGw,WPx?};kiA*{ 2bU|%{~.I s2(8ڀ]ϊv -"tww4J;~j"gJ݄XHjLA\]/f$lx>=l>&|[w+i=l N<=;;'Գȑ蜋a4&[3۷diQɆXMXe"(|Ys"j~XBR'=3J*צONv8CBҭEKzi@]eϷf%3%!T5)=) ~6.vW;Z_ǿvӮ97n4hoL BJ3Џ y;d|Tll"BrW)~_B5ˊ*^2+EJf%f\43($9xqu%%$ݶ],욚 U^8K8\!y`~j^cl5Ͻ:@5Hj&K8 5l@mDj~J]</zu<;M^A*:kO'4*N("}㔭61Gov \ˏUE4*rKdS YdU2w8_Y3PIQ#u4S`dFom@O -x|1[=[ : +\ E×K&hr"L8kCbrr Ly) >X(? b)v4bNFfTo;g>:;$#]g%/.(g-u@Iܛz:lyL(xyqʢD7"[޸[;vsoF}Eћ[ [㢈R]5R_`GI~2{v{C3dP"Gnc4oGzw1PUJ5h)]`j[&EА,gk> i'ZxT.f,&1=a ^݄ϐIJLizB1]k RgѯCF5JҮ Ji{%7i^z -=W=}@ZE‘ϝQQj#MX sD?SIF‘}3\}qr[Ou $cQ#HQhхrsHrr5z]2د/ĻmmPyyaD\k~m>_> k_c6//. 
-^exc[~+wviJٯ&&XeN8/}@ _'_ -> 4NGեE%EݣVRm`s"W.UK_E^J>*Dai:X-F?rEB(_DK841Hy-g E ,T!LQH"Uaϓ* -REH0=eu7cS%"<6oǑ?jFk;HT3 "4Voltqeg+9;_/~R/0(@:ETm)I:"`jf򏯘.@:)e *vEhW;3zTrX-KHueSō -GJ-iB)1T]!,LbkZkg8xP'`pFeѠ˰k +E"M}5W.kr,ZKQ.~2JpT k~%sJY咽_=F~`Ӌs'7y9;6=š-$7:Mff=X#͈ -s3fDK]G9ع!8#!pCЮC=,'$D>zxꄇ@M):+w-#~ӞP -_c%Ṿ !GIpxxp{=acp?&1@i1H9 Fr𢿈}]Ơ(l &97ͧ8uF6> ڞ56z/{1q"8#ytGn_Y<\ގ]1j|._#=11m#=GziF0c7ݲȑe?YKf_ҷ> ~?m9Fdģ6E%^~c O|5:Yf2:.;>zg/&g}o'_:|rzE{URد_b-@د/_~}}z%sW˓BcE%){TFCZ7؊oc6R%sF4'p\(س-j8kFJC&KoGJ~a\ܦ/rXCW%WEGD_ܛ%מ; Eu\ն GQbT˱tE-,MTٶc:2 MwJnhf(/dB4ux|y9o9Wu\JK d9n;;TWps횦nںi ȴ㚮6IjlP Gn]Td:\Նb+%2\˱USl!ȡKwّϘ *=:ţvDSK|RJ)qhWN=;A%wUUveC}*L^>\8ȉMo^>y`=dc3xxaiSZh>]~uS\ՋqPyb>$|pqwk2?dP\]+OX k*6(媮+);VJ 4يa.cnk*Kxq|g1ei>,bx Q͒ ؓ̒I-L0!zr ]w?%h 2-}(IsSF wLE% 8`ZHnfJ)&P5^ NVT]5l 5͔:8NUagHWͭ{hk|5uZ+ijI{s,_7/3Sl>FI=kޗYS_Ys92uP5\?xyi fubpCvSGLfH=:2 PjL@>Knu ꢪ $$[>IO@Z uʫ$]5,HɺjCR6lؖGu+Ii^̆K"jjR]1MOZ ޲ [WL`Z45˅>M%A<8@3N-egzdu04MwTMV%Kiz%?.(ћ;QykHb[xg>IW{u@x\h שA'?CUV`])i]Űlf[QrMuDž Y5]u@2s4 $i&uM@d]]IPd 6 k IC_-WeJxt=q@ǜZNtvӴ#5e :nqwCS۳()d| ՑAS(ٌG٪F@Su - ׅ@` -5!3dZaAA 꺦Y}ty2TCq`f_+b;ؑf:rV qPmB -aP |88xdY}%tr!u8}It7he7?p  X-Ǡs >zx*o6ʜE>"Э*w:Ɓ^@.qMH45{^y\ !)LZɄQ݀HIDutߊ@` mA04- D-᯶XoJA24Ҭ+M_gȡx~)ؾC1%K\jcx&!7*a\1N%rޚ3I#upjWrqm*ީfh\\ދ.YZ`&NWysJ  -̴?ԝ@n"oY%6VG# h2,|a1 >%)0&54ͪ#ԡXPIT5zɇf  lJ8Y$O "3rҁhjp< q6]In6y>stream -%AI12_CompressedDataxms$7&]fyL7 on2IV[2IsckeT%qEֲXݣ< ^H2YU)DfF p}ݫ/ngOwwǛ/߽G_| ێw/{{u{덵[}jOw|+~%xgo/woس|򧋛/n/~5u 9Gۙm-7x3w7n~z6όMp muֹ[Cp<ޏ!GkߺЅ7llPlח7_ݾ|7?_l~!_l?/y~{s{_l{jɗW/ןǟ}{{pn7$ϔ/_]_r__oL/wWׯ~ X!XF(Ë/_o/A7?bܜb+ݾ.tϾ~wݟȿ~q t hй`FOM7%ѡmpM #'Cpq4s8~2уz8xuNt=UV/[`_}]{+[kO[ o)懿|{^vf?[<3-(7cƱێ>`F7g!_/ru_o~{scwwm,]7ͻ˻?\}9&k zn\f7ݏG-^|I14Ë=ﺹG_\/&_2gLyoƒf#?gww7X֏W/L|z%e& co^[-?$Ѝ #?IqOa1i-EݷztV|&޽~Hz -?yu㏗w6חqwo/n^|GJiαO|j=wzZH_}ޟ\޼xk= ˫Kr4ziz-`Hm=e/|9s~hW遯|wWo>5ie@Ha-}("bEzȅL20Jw]tܤަoKn[^]x}n՟w3?e2~.w⻷ 'As~ כHOg'>]~˧Pc$W'[N$Ԩ#飓_3kԼ|rH ND=vZZghtZª_׫\/UW:?v1+=D.:좷_ߋp.7_pg_$/_WW/DAC7?՛_=o)oӗ g_]^̪1~?O?a λ]4 x@/׷o 
i닛ieRRM?&,GoX|uԫ.LN?s4cZ<؆~۟6^O7޴NGϯˮ޾^ko=nU|uG"PqzI۾mz&|hi;_M,2{odry~rޛp7sʝMzh,ֳgK4m7[~sG5`"h|d_F ^4->`6x#m/ovՖrf˯l2ހrM2~ٿ5/_t???Nͩ=Oݩ?Ni<OwgϺ3sf3wφpƳywnygܟϟ:ukkkq\sqY\W9;f=v>a'AaAƀ=9`gzOwcZX}gvǮco>Yh-? -yGiyY$>B6؍ݮN3s4og` 0;7niJcrgAUcAlÂ9Xl l>SKR˗װBuC<τL;!0|\NX#E!\$E$sdk䒡r r|E|k?]mxOM7:8zG%XÍKp3лtŸ [6ye{YaFߏ? %7ٸ ֖>|WK[z6pb6 -9//~vI7Moö vxFY~1[ߛo;xc\æ7߄qyÏ0?t77/_m~m צ)-1)A./'W/S@re^!@;H[ vAr0ltdKO$TBGtb-6yWhqNY:o]hPWf2=x&26I*" P8ϤIV \ -$ɤA+)7-߰`Gݞ8p;S[튿u{n;rk[j}˖=N8tQbVo`ѵGWK++4qE\eWAOaP]z,vq]q8 -WPW )nuioXlv2Rr,IGJ3ʳ$ќAV˒\( - ((㒔K -t˜K2o/"r/>J$LT!a"q$E2R6&x*@}Lr2JJK"1<1fDqR}D&Yz&k/e5:KDCB]IBƂwy,k}7e_tYg*.T:N4h*ьrx!jb^l%{Dl1b9[HD16cI|DO,}uv3/' H/Xlx&hp;bLG00`0`Eab^c20h<W.c|̈́|tN~c -5N';U ;ɌU\v\q2 J6!&[!9#Cil0 b4Mט;14Rϲ1U A2ʫ<9gΘ^9cـYLK3CfmDrZ'?!j+%\*>sl?GM?c3 sVMdiU|ӛ)/hB܆>)Y9c!hݎKYL[1zc&h\I!o!_Gt$?Gښe+݈H^ z4gOEWq]vM-+.]UjKi+#ԒIX6=1-n:qSxqQ{]LjvaZb`) -Γ88`ӯ.|e -^_A]y -w]M⼮#1MPyT9(ڦŅAA{G󏬖[am x0 T,M* tr헡\vL0%|z -݊,~b8v7OS#U1;X8y;(rz_Jc~b@1Z|޲/ɐ C8S\t'3:}e-7sr9' '"E:9O# W\xS' +|^<҃(qat+ cc1:ycbPOQ8TuWqbKIiO#;]kOt}9j\}+i|Tc*A֢B-/=?H[ɝU5on P~3 Ccm{?S븙–) S2%ֱB3SxftIl5K0nkSx|=&Nј V;ebaWbѮO-6euPt|Qs >u.ND$R BCI&`EG|TkcV?f>V8x7dX7N@ ږpmj W,&ηTPX M9O1qt|e|n&8?˵d9 -$3.mWC玦/sKI\uu'>BO#8>BO"< -2Rp!Oɍ}_h[Mdn o ןNmC=N6cmO.O.O.O.O.O.s|?\\J\J\JG훿)G{/-?nq%v'^+7Xqΰ!V\b[l7,αI;G|*&8ç|23;͊3y^;bnrg+"͖(kf.~:W(әqa٥d"++i>{6Mw O]X{Vd_R"/dW? 
!N}Yh{mtOyz_IN|))BI$]pg}prjfl Yk I3<-B/bncIE'<ϒ)ivncSSzvf!y%1_ +j 1_,+#7w~˜OgvFzڧ9HC- tnv[炜Q= }Sl&&+0Y:=zJ#E9ؾ|rc'мBžCQ]]گPq8 \+#l2KR2uɡ~q2yMgFQ(n2{5 ^5%QPxB4NV |t0OPn9:Î|Q.ν'ɑ1 *͍Hrs0@rQ -0%1srmVm)n$7%M$JvHx3+Z9"*9Re;]\K!Z&Y)Z\- ҵ%R{e 6 8:c?t)u54I#Ccr4>_"]Ĕ,bW&.u֜&Li"k/R Mi"*M2QDI"Qt" 레竤U∸H1 7S o/l/jҼӹTI[2Z&h4ȮT"P̵$KH)dO6FFe2deؘM*Ԓ|ň49Ul8EMGfL&QrPphR #hi>Z&Vp IAKR -3hpv^0, -LbId% SrZ/2kvh9u\k9]a]B0Q?tM->-kaD-u^sX{8%l;./`-swuC!ɹ:8`E/Lb^&p])kuPM :>w(~<.PȪ:m`~=9cU m-P¸j-: Vvصg 1'59E)Qaj:H-l{Ug1'iK2,prliYߖuhbi栱)콂 *I#`?Gi@琩 ha;RDu=,m6JD,VXygzQf%Hz&NwsYdeQNAc{d9r#??~ qNxB x揻I޶IޮR -@(K:4u a惊L5j@Bx=),5 0)_JRD~4"L.s20!9rN8)OK81j~ޢH{ }rx4>)O ݺ\JJ$7ЭOzaJUbN f>vR?]uFѧSDN}:EQu}:E7Pq[t)cO)O>"t)O?9Empfx <8v*ys`Q}(v6#Nh,  8(nBֵ'6i9a`3j3LL3m%\2U].eV jBf%d02gv'ڒQ5E, x -N)m_w SU\t _DDEI5hgb>QJYf -SfOY_{v+:_IE+*h~TH6cʠ6kO5΋ g:Fp/^G̜f}W,i4 EbPWɒ*~360~*Cȁb͒h::؉=aM{0A[H@z/3bC0niRX莄t$~z =CN~T;?4lZTl4=,M$U-Q-lM|[37u!?,fy6FUh6uZSTxZ !/_EceLC%KhqA*jѐD w[H@YKk٤/E嚒^>Қ@Y~gjz/X@Ohqi1{PoCiA!3}ąjGBG(a0J} WYR`*mZװISBUىa:x/t_`H> @N,AN5Ѧ$S92Mhx5룄Fѹ~F/%?#C?̇«vHpV\-םO-~joʅT2hv.gfWX:v: -̎6^U~s8f['Z͇&HM΋tnF<|]9&'@y/yxgʍ"g 1)y.%<c>C.<-F2Ký5lgйK}R38w3)wh7bK朡9e gUIKҖLyBs?Z=!dxT: 0iRxx'/~{͏Ϟ-I~|קᄒnx~{}u%7BucܰeqƏ֌@}gq ΁q?5yK[w~5o{c6o+m]~ 9ݟ]y$,Nכ/v_qk⻫\SUNRTتYg8yqcbbq xmq`t:; wn>w~pdhm9M 0ؐ|&w ]> >7cа;h#24Z~ҁ/Ei( Fvb0 ?v-  F y[߃ -7ܿc-`1I6cX`ln-gڄmGNe em؂;%<:Ls p[hmmX:p!b?fK3HR/ /zWat7 y^Bי@;n39-dv,h15!PqL}$SGqKWà-Š,v)1]4:3TV1܁9DD1*/b"ؼz/MFH4DQΠah#` E zɥ` -F.楼 -PTHAC2C`vZoʉ 違^\0X KF%3Qa;Z@=tn7s3kP(I&Pׁa0=B0<0E;f`0v`V#&vA3h.;@R1ĉt yuxw8GGGdLɴx@8tcwX8;lKQ(4 1La|p[, ˍ |68&1)L ـ] c&,$ b\u@NkX"& w  "A~q|C7ZZGy,E>Ȓ1)^- y,\FcJCCfL;fo$cu -vZg@e{ t -&E6@4x,> E#l?%lM zA gel(8fu`GP[#@<"{ e-XxF0.:!D(&I3lӐ@1"@N@I$X~XY<QMLсi@kt9:Lҥc$qtBO" ug:<H~H0Pd@ŷw@R<7׿޽teQul W_}9@g0|fW3ۏ@Dej-5.,}(0gS ,(BZ! 
6 @X?l}E4`=FRБ̺ʷt1qm{f`!|,x`2<>bA#3 -`k7HIT^_Ls{}Ϸa77C1+HCl(H@@`d;_%أc/Ďa *PhXNkF+ؙ.ʑ݆r -a PC8U7֗sWb]2+ LV)F߀׏ԈH{2Kh*0w6:ؼ\Q9‚u  G)/ % D ̖_HR6Z5THNNnaI4y(Ρ- <= #j3KgٲO0$Kf*w#{0' '3d>"WATБ -`a|A:9gK7.Xp 7p^6:n6ohɲQq[%48Jw{h.4?N,Mf)wx:!-뎉..Oc$/gK d'<%%0}@~ip}1]ZH# -e8@r%]s;HMG -y9FG1tǹ4@[issF/=32<`!JGԢAߦcbDUj-ЏxG_Hfq?!_v@Hä{ZXA8Vܤ){PO3 ր@=~"-[UAr13/_ELtw;!Ú5l ,z&=Χwxȼ3# Ck%粳j+. 4Ct2@aU-aC&ecr0m/)=hܯ8=6<Zr&@af ɋDkKAH@xf-SC?I?0>J9M*XX=(h/+T-`^э _!0A,=g gF\ %d/-Ks}gfsg;fI B: z2(HUEFOzz-V'nFldq8Ic'&9?7r~H[ɋI'' R2HW, wMJ0 -T ѐfn,9P:p3/::nގ?ФE2+.Ɍ@ψL)!-{O iW -`P%`{ٺA q=-9 +g퇵hFŅ (JpbIBѯ ;YJB,At&9 ,H#k -NtU -cV5R[nhyQ2NJ5B,dq(V:eQVhs`N,]¥w/am{nÀG GqL}\J4; +HT";bm@B$WqD JyBhy/J lx?Ɵ6 N4d< -`a׃`bC˫Xb !M;]-AlN /芤bLELQpH`1\2gq< ˉ] 0>Jg;jrrë~2U:}u-!{$hc -I^W?K7lOFou}jR&{dPKBw}T \/+Q7YA`GMh=;峥QiKS':44hw*n/M#Ʊ##6jrvgG~8o'O -MtzV@sC8=Wxbp<@ B\*NF?#@=ځ<0CGkT^Ca'y5:!4q g$8+Q"*F,9ˬ)&thG4DoRC5!pXz* 8X|]!3Ea39JQ(OP 08Z& -9ZQ'Of -rhU&}:*QR>Fp8-A[c6n0tQՍ Qhae1Ri -mB9IY짵ZFPF A&;MUF$32paNhd Nmba'0̌VF/dBb6lÞLrot@J[(ZG?ELх2 Q"KOg4+N⦇dĤD޷l040x-o4`"S>2b"Js"]z&)!R,=W'vL24taP(u(]-}/ej9cIcG8F2FyAV0CCA5Q)2`nȔjĈ2Zkjw!x覡T."@1N *v$o'.aT2!ћbD'.F b `x 0CDw:Alq<7X7m!sD嚊jՏb嬆P_g))^䊯kh( -C -hE IJ_uǻP`iy0wGr#7  -MB[i, -4C`Rٱc}G=^A= ֵ!YBO,|:d; e% EL(n\LUCjx8^?&* crjۜ։P,e4\ȓ$L/25(buG5iu}Lcvib %4{HH@NbAE vHG{7 ө;غTKizѿK$3$Cc'5zZ<;%x7q!W"gS#a%n02Րkʶ6>`X̶_ďPEYRCiMm4y(}lM(^8 {6Wy 0ID%۔" -!@I:@]| Y9ǦgpMM1ޥxt;2^}{$ + -qXP(IfPa̢ X_\qqdAeRyNv'.yFgPF (ؼB< ɠK+Dۃɹ(#胑crB[RgSRvq xrR`G'%`.9C0w=я}b&. d\#S/*tCMaNy/X#J]C0QFǎ9LYf#TV2̭)<-8o {!hr5$s°g rżi7K#e6y4N# ֦X m@N2NFd}H4a#fcBn _K]';9hpdN[+UOABDUc|QΝfMy_:nS (SF2zN gW维C74`Df<,[IU+ <0a=Ϣ@nI46cV @ m9[rؠC*614!<@jUTİ<{ASugbI.LAzi?n<ŭH~3+ H;L'\,cRkdX'Tl)fk%jzԻjf <`jspn"T:b -0!v3DF^i{"k<$bh4'WK6Ini -e yospp$' :7:6? 
4l :^H (i+Jns/oē2IvH7^T fg` Y#"F6䤌)YoFE]._DdQ.~P + ,!0B?<1ud(g\8OP2"bWQ5|ZJF -bh0>э+7 bt\)Їdh9[\}'r0/@8+0:z;d(j"(YNT־2:!/W' s“ F891zi9IG\>Wu91NUGpDȫ0(Ys"s&#=s7oetS,XsB69NOS UpPS`{rx@yN"99ҷ|$lM?6$ -96Y=Jr\c0e ' Yf[D걒H3 n4SFS2N_'Be{Ic`j=A<,DEa4nQw`)"i,i42w9f>4SZڧ iu ub[6 KN[&Cs!RMޑRUa0 r^< /B<<$fufR`AGOHAe1uxxN$P]$,&%DsN9lQ9r>A>ȢnL=5Jf#Hg%kWDneMP M#҂<YCiwgK^kRBvNͮ0U(Csvm_FC9Qb[RZgVmR#&. eU O^Bd♒gJ*y$GM .ܤSgv Z/r]wRC7x4L<\o;"LE:*e)E)RWE,H|HÄϥwR9L;[e\k:kW56fOqÇJ@eJ{sUD#3^ɴ)+ ;JqfDrU :"&%a #a5fs!fezm)E W]sMRi0sxVM9u 1jW88Cq:N[<4Y1اu.l̇`\tGF)L/X+v (XڍsAQ4q'*gL\ zXNkDg:BU4SS7zߩ"8^.L(ZZN$Ƶ%!$WMAӁ'J%1ϵҰ vI? :1{tNSrح݌L!}H'g"= \rCIlJA2ÌA%!C[)p`)oAvkkhW;A!2<1Jcãf`Y@y'{INg^U<*Χ:*1{jL -L*|D ʀNe_*'~,ʾN_r*2uj3`!E *fP[.ەSURP6RAZۥVՀ&ຎYBVYYu\\enPfqՎ2;cRɩzkG¡JW M#)IMEQ}ioۣ`'һ3jb"[K+v}N5?NPk2`T[y/[*TYdihSij-)Cʟ͓_07!W+\(y(J7Uo2 -%(PE +q qJ*nB:BAhD*Cw+u:2QǪh$Gh=|փʷUhM9Ց>Z7cjEnҺru@鮃tCu\),uH6^!i uH6p"SGխ :9OفTО%X J*V[l_:Fi;S1 NGlTHf1 NeRc@:T4U쩲զ)UEl UZYx\eVʞBhJ* -Urn%\ZUuЯ@Gz>2QP <%[j5sQ7^,nS4J[0g9(aQ)g$X:-vG6vԾ}陝|{I0f S{eplMPP^;L5SUue蠗< g6N:Kɐitw/݇SG5J==͒jT/PP+t*X]\|-R;?!o 8E,Nx;ߨZF\yVēӈS0 hӪ! 
GX[ 9@.TԪJPu ԼEr!)\]ccpX6]Z -= DƋ"`o"dQq ݰ:x<&eL cULSJd J.xcU фبA8C 6](z7[NJ=[ cYB}[P((u+r<n?òxa.5ѠTBeM깘^t`fbU) Qa8SA0Fz?HedvZIèS 69RQ1YS(l)9~Q'JTvDY<ֵJ8&JX1 -*IƐ+X:H:?,to#i@П.460x5?631*!j -Rb]yBqo#C5(aI{3:C;K8 C% 1;&҄Wf\L C5-xemc{M^ -kbaƩd*l!}ʭu{ }0EJn:.v+7p=6/`Ah7xd9[#43/~~a^)_NگqUz+,d[DPD]TPcUAmRAm˺"O"ŔE-](7=U3=pf ra=JQIrmQRHnj(Ԡvn{*XAT&a5-r0}m-4n701s< iP/`-ItUSVvCčdLdt#z|F6PKn#*F\\:Pf30Bv%3yJ v+6XEH^unj3Lo#yԡ$0n<}O^CCs{ }]י ;6> 7GzimvX6uD儡6V12i'}F@q=99 Z^f3cD/1USUd:B3::^fRjUrkMu~lMWDۚ>ݚz4Ӈ۩wK * -5)T{} -S"i۴X"Zk?$,f; i.<\HRVh (zpTKVjPxYR)`F{>ei^]I1p Յ& Ln3 cCoX^TM SN~apUɓ`R=,˫<3kBM#XP0Á ܧWBMКFNyNU@x8F&&gc.ozCYf^P$;-婎"_/XӁMm doPÏMGų>4(+'B?q~{on/xsfGf?DV\R{k"M i`eTF -XC - (ᾑAu;hm,@_O-c 6r -Yi.1@M}ṙNAK+Z"fMJI}:(i\==a=#h-VR,$ʨa-i~&YD'%&H< 6m/Ť%n6Lb|1вޞ # ب^QD yn2pAIS *g,Ds [`hIFcG+Fal$àȘ^:G łEb Ϯ3$J2w -EF3 ɢ-:.} Ƿ}8'xDl$#,CyFrߞhSDŽ/F,'¸jb#l1UqC6¹T~~:D/<Žz*QYPaH"x M❜lX#g4صg 1rp0R3DֆAe[P -))P]̩19 m() @yc֐f1G͡cf2l@% Q,0O7K& gXVouze:<5W3)VB1-wd30$`#k!ƥ1,kxA(blQn  X vA0{: -Sds}/g!oJ1YDSL繅)G Xgg>xB ^( \v3LL Un\C[w0DR]q5m<TF. k5hz}B/r1 O=3` -!' - ARU-2:úzױyk!q, d ۇ}҄Q&ВzA)djy$V(:Ib|`2IIz})ėP_ -|5fyWYAZ%u9Wr:+dM曽ыE!LV}ӧ~JJt/DF..eMѷ#eE۱oe[.KL&A}}ힰ*zrv7P}Qw4og5B_OzY(Y5&1ߴv5'+X [FnҘ>yc>LF=kD f{ސ7u^d\AKӘYm -@gڻpL-jA'QjH7y<bL0T0䙨LidAS/5h#rc5I2H{$1F=0X-QdȤH9P֢Nz#}Y+z<6CWSF.Ê$ǶF;6b )00ܠ`+-*hśVZe+9{(g2w0&m -ʤjC` L{.e/"ٜ+Sg8v&+&γ47̤l M " d1ɶ"}KW]dkTOO?h 3O:H'6z&jIR?يlB -xuh7TVdћ̆!web[!h"GedfK$R 0Bb#E@/C4HmG VjϳʇAhztfҕ3@>Eۃ`T~'!,`>$r^98ĵ3*wӎO$-dt),d -ބa&C.JF'LY-*c6s`?BhGzb'Pa#t2U0\LH YvO:#52!)O}i19 -gfcYsw:&@5;0_^%TWIk[@QNcϔ3S0&u -qm.zg& ;yʄ5б-,tC)%>dvr* m%SD5HEѤ0lM.F|W;GfsYH\RUVc-8Kc*AVg$ph*Zv,PPpʭ8a#rwbR{N#o31x!uo4jX> X}xV%$RCeplI#XJ\Bd"r>b8iII$R#8XLeQ^U#NqÂv]4Dd5E8*0tc}GccHB\9a~3dVX;ISO$.Mu -[T yJzm!oRjk -5߬\e`Ya1_ណU1\FڸxR`X;mrfE&wAi$* xqh]@Aemf۔h)I7 'N:(۱ "PXd AC]/{kKr](㚙~˲[ l0 -a]v( -ߘ,ɴ,u+1oca2s2f#kڽ]y:AM#+Lyt3 -'z-)!_iqEcO۫Q́ YPЫ^\S4V̽C.=T5Y~}_DT]8\bѥ{ͥ H -%bn=B٨&vssI)[҅fWȧ2nZ;KaAĚZmtb(sks6`0^Pޫ|cM -eBs wp2VH=%o_a usݪSSnhSk\k=Z{Fw- t. 
W4n,\&݆LPSE;(Týˇۙk Ϡ$Q2a= "7.֫ 7r aI$ɫH {D}&cU@^ꄝs|o < ? [p -' -h `F+X![E >AnEŭݓ ~΅ .R408h^S\{ +<ր Kf38[`W`8"_C@0! Xuts!P#_69D32z>C _0b/Mq|\_g>fчFD#3` ] !cZƊ9z3B,4yo[$$BIH֕eV1dh g 7G6#1E~(O_tӾz_9wAv|+YF6oQWB(%Ex3sa;<\ ~'s=۹d<#͵38Y00f8C" SY$蜚g"bG L'[lGpИ fNJ۔XN?Deoxl;VV0x%"^1 g1 \dI[!7w~p1Pգ'×33E'_³GfdM&1,mhS<4*;j̖lelaI7bǸl}Wx_Z~Y|{Ӧ|56@H}>zOIg3KnWPyFzi-~?͵ǥ?/7۴>7]-oa!o X j߀QlX20i‹ 7?9RM…Jx&:aJnD7T._~+Gi-Qvl쏕yMƇ].̛8AzSکDM?lt'HQ YYDtYp%_=Ȟ6?K U,Z\MgŋvJJ1@WF@ޫy|ې%~$s \2r'v)RW{(ВG=#lztbҞ**#A6P,^뀘-#9E`D,!n[moMěI:HJDIݞy7'1!ΒEO3N]ZٓmRѿ -K6c}7GKn7͛@>jzIjoQn7+|>0G̘SڜjB.jxћgAV, t&-bϫP&FQ(K)ةثݦ!^ٙNj?X9 m%\Ftܾ~`]M|bOmb7RwTƊcGࢳ -6׷l76F n6XFo -dthUiƅ~ -͌e 8EUM_N%Ȫ7C Ukdc H{6%VZg( :t<H WKE2<>&DO0R1σ\J#1'h,&$‚ -rqR7K1A9-}i5 ~ 貋OZeS{俞_ -OrieWhzUXzk<vIyg&xyMT){VsWS2Y gz7垦l -)l}]#wXE > #yӉ/t޽_&l 4L/&[I0 iVe!WxE6Kl( {2cHvDԺ7$y |a!4ti~: *㜽%ۘ`F%1 PhZ b3pv6 M}pX%ؕâwl9މE6dY_zbY4wEԸ, -O-y "!{!%\hX.+P@ ƄyAؘCKё#ѰX4_s - -jk=,oHG;i;n+|>3/5E0j{4P~ -3|^>2vG]hhzB?4hf)x?0b%O [F%V0' ֜<3lw-3J2e$r7Nv,L^ԛw&6>%'x>^/lfAVک6(b1iuBW&MOh6 m[]5۪;+Ɖʨ򚽳7B4^s/ϓFca9'R ujD)0j*ngV h]_2 -kcV@Z.mh!k3u1x /gσ-m?˃>uX1 FF`8Hh #^Fv"Yv Qcsf&m^;J/YB=T~)욏 ]51h뒒l(=[:Sim|J6Bm3qŌ@Iή]CiVOsa;%*d:M["mnFBZS1D]6'_}ySɥ7oFI]ְ*W.x57lw꯷̮^fuPpd,1}4,4jA[; *snC"vd@rvl%y¥#9.>ˎ{"q1ȳ -1dP UKCd;"iEK؏z[VӔYS:Uj/,"Пk_ݐF?; sDp3(r$ 5a}7SHki=82߳KG}VsP#T}yf€gK\.lDbj W a<)}>|{f=sRZ*v/M7ٶi3 -/R!Qy=5\lG\>H`sppw8wr&+zR,?*[/*%jKZ8>ҷ [_-zk9 h$L&N +|Z'D7rR©mSW"'N}7CU2/zx֪:wSGEFyF|Cb&Aq|*a롭 ]yQ@BeO6{0w\ګ׌lƖ}3ˮw\lꍒ̀ZE'ývɻgʊ]3(bٻ4K޽t(-{Չ);y8b0p[{T`:ܵa4hVi =\тٞ»gb -Twa$tfpC,|uZp#V:D^sZBHoe]f ug`SGGsYkrZkyZbY 7|)nvu>}jͨsAEXnNz0 Z-rMȹ;|Sd_1\ov -d/lJ  0sYՁ.<=xW/< Gաf \T6mlzN"D3ony<gd2lՑ_P4.9ׅg{_ї)b˜,ȭ=˺Wgu=" ey.?  
/ȩ'D mcݿH۫yTO(j\fIAc[7$u2y$f27sV=ѤSW6ȩ'؊jl_{Lu&=!P JK=fkL :x.5wN1p-m4heeA)Q .A2t nQG;SH}M+r逑$;Kzst':@6=-µ$)g Pܒ$G]']ϨN doL|*&PBT<ņA+>"xzɆh 2`萨-P`X<.`6afnIh)fl\J<ڔrJܗB'ڽt"f!o`{pGU}=Gm.EkU+Ս'8X -IЉwm?˙_ 5E6>}[6,ӕLIً{Ζ˯yۜv6B.C{IG/3%Է ?Oײ QU3*+᩾,E3\1זM@6:7)#S*W1=B.h xG^`T6#T1ˌk}I:":@5%ޢowf*myݶr:&p`XKgm|&tI8%bZu0l$/ҟKmz|8b HP2ݸy $dE&K"m0I !o(t*,mma=28tékNG|QFX#vФZ厪[ =)5m= --l"lRں`ZZf,M$GEAd\ >yOm >)oBa_&q{pP{ dx;2z䞻mPA;?Qwv|qD.iG0a9D"ǕZ wڡ66,7,.h f`y%>Bs@@%} en~$ϟJ~}ޥC{zJk~+49m+^Q*/>cUAx\خH/ H Ķ_Q C\yV&epvmL"g{É1?wApY{5f6+OWC?w6rdRaSзnPSBE@ EP!D.w]g,yժoyg բ$m(\ԛfU'K'_uII s?8AE./\_~<@쵆0cW&_%S 9*_MGcjZ:@(Է3Pr eQap)6 -mEImh^('ۋ]/g);UE}yŮWTp-N%peGwLG\C%y}qgw޷)[BADA(T | #'e&%15wV_7 Eu_Er*Ռ(.Ă(Ӝ`jQB6>0\8 pX`jd'#ۦm3F׈؏?ftz:щi.ౕZ{cN@ctĦbF]Ǫ;dWaGmF fҒKJ$!˅JslqS|#U39>, dP.+64AY< °+4+!!=zJ":2r;gWZ|ɈU؝N"=@Ϣu ov%)6RI8:Vv_ TvAm^>>XU2|ūݪ~JS$&Q/9/;>$4A$U n{*pTv{1ō -97)Eg[YOǗ96yMVunvՉ-oWC-ŋbBo/eC**`p[7Ԝb,e9wL$(47^IT`pk*1 ѝU^sA! `A72FI-/DbC̆i8&WWY"ӎti -4r˺@ҨaR 6jOOȠk*Y3NiRf(0J%gBA-Pq.f/AmAo@UjRoCޖ[hn zJM։q60&AN4*D7~@mV֧gN?+gӈPͦ؊S3~ExNJ ]b>ٲ$Ҝw81>B{ɵL/"uhL7@ -2x秙U?e tcSw~TO%GbL_g?oj-Na4/@):7!zYiI0'-J{h,ؓ鰼i!<^n%c"K{rmOa:iZkvn+hɈ)+pc]#ʼn8EDV#}a NjHW,;:bG;Eu"ډ!1& -ia:;̩?I":dW;'yM!NfsRM1UԩDש ߓ)_"p&T nU8̔7b(*y,;ePA^Fk\|.-r%z1zR$_,(Es|g.­D5?ݟvaqۂM ZmxP8F9"bne{g_w 7;+/q k*wQ/& goFDĹ;C+^,W b@rX ;Iocn]R$pyj9s7{nQP*A'DGl,#d.OJgBN;t8?_Q8E("hxD> QiKilU!?_]>6f:$0G $pM5yd G̗Twt_LX5 >3UDV1N`pi%;7HMe~34Nڇ(.yNd\qX/,$%~9˚=)<&S=D`'o}<Bh)fMjO9>> ]f*#Kh&,(LPl4}]=YdJIU"Z+}≺os -(5(`Tt+]k -ltmk -WkۜYN5B!;#ZSlq[tt~`ә|d4%zs4# -zV`h6{ap؃8 G[~GϪRq`'QYDImՍRj7aMo}3V;o.Cy3<*ܦ[[|~𓿜Gt<&8`βÜnC">_.lH=-VY뎵< 4y/$wӅk4wHilnJW.zAjܱc2ݲ'3[嬹k!ਠ y|WXf8h.]|f:B}{ p4JzG.Dwa& ]Ddz|]iMݽ5\Bs71Ix۶-GyĸԬ˖ŲKC9V&E63]` [=T6{ riV<3Im2ʼ(ʼOz``0-']^7fYdd;Y,ddg;@fY^{UbjmUkWWEy7T6o7fi1Tù&o u ۾s%ygyiQdAWG-GyK5*g5*g4*v1hTxiTs84*F0T#D*/#)F,Rl`\ Ra0T.maTmaTla\(R9(R9[VQrQrQri ~l l ?^?9vwI5J YgEB]"Z,f᝹;KARPX!G2/e,q,~J}b{?٭a ц=L! 
U8Wh UYjw}}ܪƽlA- >iن$Ksmn< b{.Uˠ&mW/ ߀09GpEYAbpʢG92+ 7֙;N($I"s!`0n5K=,B -BV$b-&5:n%*>]SIʍ&0 )7qj=HnH%Jn.KcM70M\ se"m(fh96 ҁf온248a*$xT}5ƱvyC!-ߙ# GECT9@zmYtci¢q: mȤ@B S% Jhؠ.$i6 KTz? s䝢e~1q1~ITdN߸ ӋLNz'_as@C' ’1ŷ$KYa׌!(<_+s6Зu,&( -{sT|/6?Q59Wy`97_3{ͭ&<7>+T*3&m~hzԼECU&鵸! R/S3k)Ra[щZ ؼwsms@ D0qj}S{SMD˽~iv&†fع֟%lm4̑c6ffȒ\UWpͶ$F $_%;zDt D'ФjWjdd5g1%u|_ 9g0 2yԢ9CߧC͂05pV͖nX%SSU[Y}>+;LYO4Mگ&L8h)ԩQx:$B^ۉTu6@Hq%T7r%p*7r/=FRېro!B 59ڑv~ mF͵$6A,#Llr_I/eK0>~ǃe -2x;d`3oK#?8Nӷ?o2x7_\ͦ%!kY \J4Q hj%C2vR2KeSmi[zĠgfB)DW*E4^J$jUԀ0{!̺&yJr͞Gg祥*0Jw: G2ntvM㧀"|Ͳc( -]Ӹ-סT䐉rvϏnaF7e*Vip)GEO3^K&1eU-HANk6[$rB[^Jє#Ep{H+ ;{вe˝<\*BaV5 -5QPp -ؙ @@z5Rt(߇:;T]uI$@MhkHi]&N234NξQ&"ƑJBT8Vob3O0 ܂sC,>F\*HtlxRIQ[,-#xC[9w&2yD@΄LD'O;߂A[` :H7¶y74ThOUW*t6YDdh<3J>d+i+9I zQ:.a)˫RTj2Oxu&5H}U b1cG@b#O.G -#˭с$Yҵv5]A>ըm݀h>͡zUZpr|HveZPu8 {^S; 4v:7\>Cf@3n5idp- -hr֪Hoԭ{P=7>Z>2ܣv_qIx 6 ZV-Ok N -`h^ I8apSK]Wgq3=9fm.P]EXP4jqyz@D鞔Gu:Bs{qI}4G2l{{/u4n3ZD5$ئmqo4A^kuu4%Ւ'tA'>vS<}MZ&%q6(d7Ij'EGsy~Xa!&}k `w RDAqk3ch;-ݦ{'v|Z3 -Y"wTIxaOC t/A.+>6nN%и2M L+L fZ?^m004%,ķn/"HGCK,4'w:Fv7@)A d0h Ā4D狠-:Il\g1Um,jzxF[nԓWalA!8R4C]癜Xf-vgU:!:N[H0`g=GG:|ODWvFEUx"3q@"𦢀icK؃t*n9dU!ޖG.FIa /63@+^hqUCC!˥a+# J2L[a7JQZ)6XmoC{s.<_ݙH@)770 x@+Ft06g+@!)s#FvONУJ AAygqWJ2\ addr7"+yg!I@,਻RCDZPٕP*F6PUJ0ve $D\WEr9ˡOhd`'C/vԪPjЇߙ88Qh@9HAte2ߥd[ -sz#Rz]6='+ob+Uv WX̌i*Viܾ6hU>9լA?1 S>Wŕ -O]+&߮+-+D ooan@% I0\0&ڷ:9%[и`U=mw*Ti.٬ -\L UOrmRA-b+AJ?)T%T!@szjT' ZfˆSaezʅNu{bekw :L$/V\ōnǕ;_0w7FRj}DC@/“q DMbmlc{p#k|N1 З04 8@{'0E˚Ik'-`pR; f~DnEu7Z KvyͶv,.Zc"!~!x\u4D[31Fl3E7*c 93`:xƘzgk<ь]ffHoLX̰/'3P9a9drf:#4 sB)cNjשorh{H u1C2\y˹`윛F4t1 džfϽ0B8q3ȡ!$$C+ɕ(Dwhe r졫f''BкډB "$Mŋڴ}b07vj"?dFfrq&Vś,t3f~ϵDYT0b5V7Aޤ9I^KVrJ! 
s O_c/+Wv*q.ܲpx~4KEK=%տs}~sI6~?&\K0T|~*^ax5?n:ԓ,$v7`Gޮ% ;B܄p%-˴ \SBٯt͓zET3w$ jh#ms `=o-^"9w֥-n|1fDcAI߇_>S&k6gw,6R?5#|ߜkET^#~qp`Wy,rEk|R#vpml.^4HCKqʡ8x}^AXz=y Hq&tGRIIP퉫ovj=~>Xݼ_?>r+^,fcS߯b" 9>ɾFz/~qq߯B8lW_hb<H|b.b_D5aEӄn}g=/l/D@htVh%Lb$Ç: oҹ8QtQ2O ΄r - )SI^t$BD(Lү*g'm0FHJezB͹9#gv'xnkX"XVEiLnۄwNfIzDlH_*m!Ir*Y[ )B`X/m{e`Fzi9352Ax4&ybo( Os &f 7>Y+ M*UMX y@[멡5|]B(%'RbqSA/&fӘϓ;s jq)ƵYHZH[V5-kY7Rt# {fijEBDj۵ #n8')4h6pt~șHmgoKX20WDL Nڝ~u#I%RQ#zzh!A+TS @km`V6z^@涌mOZTHK<֥ -{_<Ѽ{ 6~k/q6/F@W F,̋` +X0Mee# -DX!K<6a=z^iOɌPjǛkC(?}۽5rxZj28`"GÃhA<4~B3e ɀe6+C )a쑔YC|B:NPL{FD]WdFk˶\5> @WE8pJlWJpCD=3HE=$8Ẅ́j+JOڻ!4,|5s8fvm{9G$ڄ71[l.\{/Lz+*U$T|rgzUixiM_7Ҽu lTEݫ>"KK X`;ա]F?$鯚i,9+'|U6lge*|NC#9&G맅# "-"L 'qTۡ}KS}ԢAxsT!@dCgC+m22@.DO3WI2{%ڑqT7p -<'M'F$lr@tLo^eG. ܣ(Sj7~qؐtۓ&sSQwOG)pSӖѴuO\%`ϟymZQ'mv(؏&\DĝW-lzeTD$UMZT6@N6%X|7`We7_b+e2sByW(%3/}^#ۜGKċ{/NʿaS*ݶsxRhtwb -o^#[l Z -]\24E2f (_t1V>ij9qPj{9LRoF/|6wU+<&-z6{~#>ԮnǖT#ГT7[iV *lLxgkq&5C?Gs:O17e^nxogQSԴbIѝb4D4wګ%“+ tION$XPxf%qxCINe([|PmkraTc0.,uPY]e:n(M^uY} }A ?2RSc@HK]mᕡ]R7ΛD+X?)&DGD®EN|N'7o[:Ex[q!;6{^^i(Kvp#7}ojK\A#T'j@buxtϓ_۾[%U~/8ur>xyxOW^^gÔjj:LѸC^&۟ο7۟۟aGgNYК/-~ï?/~oofqշo~ǿcI>H ~|=y?~~ow7÷~s/~1u_ٯ7G~?' yW͉z#3~SOR雿ky?_g<?b~_g?ïW!8)2od^5S йm>"ߟ_q!asyv?o_͝{O/n_8l}_[? 
YnD؛^Fa{<=nvhᾸpzKpW-QNu3tuJVk4 -O07F ʜVPdrp!%D #dޱ",LɁGBu?&`šN2nQoдOtVw@I; ~$RHՑ1CA'rdQi]JPnrEO1tB&Ze kT+F(R]KgRc~H0 PIn݉A8$fW}hMm+}j.5W:s@!ǵ5,^]ikgݔf͏*j_O۪Q2/Ȉ+LW[\-GT@"Vێ^`J?K^*MX^s -*i];ZyD0 CZ۞$*GޯeR0Rݚt۠`&Pz-0UL -]ED!Gf߅8Z!OnOCA9@GǁҰ$LLv|CT E…&0alMr`!yW1̻f} Y)h SS?nw1lѼsr|ʓ9@[50gĮREHU]Fx{ 9]swP aZ06 &X 50hDEС6ѕSGp`Y4J̦R1I,skx6ӮkҁD9v+8yԈ|už`N4*vVgM|WPuKS $5΀\f&Zo߂vRl9W/+A2D9{=ձ >՞0 -eV.@`屛/ ν ~*bxͽ%ItXjUֺ'ggޓ L8v(wpqMmƾ"z*D_ /66ڊ!T%iϙx~dGYڸ 8 ^mc׆`j# idQiw#&1XFH -7s$t GF_ZC?SRJL(8a+aN3`]8D,6%$QhWس>ImaR'E7D"j4fٺk 4YM` afM(wej 0=x=sցR 5u)uJD!.lu[ /wO>Y,jL>9b!:4'cHi{7 j+d8R.΃CxxÁ|A X@1>|Q''|3f/y!kLp+kblj:eC$f.osXReߩB) Yѭ%Lhv)tl~!ߟ,8̜vZ"88 !8NZ!},80Η~ _"V9CD}58o(w -옣{}3zU]@ lRbmt:[g ŧD|(GD -orzp4hhH^)%lD7z88t0,ʪj)t~beAzPz{)cB&2'"H1=-\PRDLOD]0}/|2Q31ur$T^O -!Mideee'X=xHzсr-y ҹΥb2 -!;V0I嚏Va(f G62g+#) nU<扙`IaaAQ|r&)y$`ہuY\dJ[ CM<(c`$>h̹>9`;|M.ġrmSYH]2D4ү(<.=}j2 f -A0kv](G-`?%}%M4cvtLd`,M(H Aâ:2Ϗ"|wdZRӥlI=O򫢜J\0z8U1hsPW̃J9Q-q/IsO goUůt(gXӸS~'$`8`sqrУn<=^0͘RD-%,y$+٫Z"l 癀=Tz^G~^"E@OLsEլ`P}Z +p0H3Hm/'(풄gP@~PVNwQ@wLtUNA8uon8 -ө ^nOidTR`=e#|dy!inNd0_W692A_k<ĐY%ls#p]h@)v#^5[Oh}"]Q FTW=}#~4TCViqˎx_Z0VÃwag#q3QnKzɘi~ng(Ԃj ʅ8,@_{_` -,|`#q9r6҄wKKxK+0|84cOVÉYg`aLZ^nd<ثC(Ћ"8u/yӎE3"3G<Y x"Ҩouꑡ ޡloOw[ڦa~3>;_Escއ -+FS+J7{ %W~W&WA7t"F@Q"Y^"TmIWD'!WTaq(VPQŶc`F17~aT\L$ahV;BAGkfI6 rŝ:€1'ӤCL]5*e:.I)q oxa> @mBXQ` 0t 8S+&ś:bUHA ?M/<N6 |LPaĨWmg@:D&-IJ{q9uzCa !i,egјO9AEG= ZOF*ænqTX.s)at# ) +ca!ނo¤D]r#hS *WR&@݇R`ylة!!݇5ksu3p,G {KQQE4*,egHcw-?7xoEar8\MKOYAC) ⰿnH}'nN@hq ڄȶ%LlvAx޻ .4 D|`ff}TWUU$IGv҅Dh˱mlsoB#f=yX ۺXEk0d^3(F؊ -nTk kfӡLT(+[,H/G GL*^\$yC<݋Յڴ ~+ly{vȩU@(UB 7Sс)ΒH)y$'&:Ǥ4*ܾyJpW?^9 V5RBEB+АF4Bqe7!(uK_BFxEx9j<~@2Y2ik< -6Jx quH~ݏK6(uW&|Bx{B02 6 w~ƒڰPhN(Bc1ۍ%0=[ ĉUͣ_lyY&F;MLgر /)mCǖl3+DPRoel(ň@ (,R]7210 GAlTa`RŅmڠ|>)l4,x^uv6 XeZEL -"n'nMÄbSJ$!e Rt\|q0Ĝ+Do\1%pIZXfA'P!,GHP\wNUqS"*~XѮJ?JWX&.Ʀڿ4@@?sbh -a[Et:YN" #P'$:0\q;: q҃Lxav^7 ^Œ!Zf`:0B}jC#l 2cGh --vS0ȹ1?ۮ;r*R3Lh0ac|a!dCuX#oo~_0֮Z=2wV$f; JgXQxހe 8U6+Ǚtcf]25 J!dAdz~dݪ$ZPU`a̔U -KU6X -*okd`gF^6}4 _r?$_ <9LqpemYUp)q* Md8ls!Ɣ- -Y;4/ 
q2RE\~A*PZ ]ĐtQ011-8ZX wQ4S(/fgE8_8݅$p -"7䙱D\,xr ЁSR~VUi9"_p]j.CNP>vVA -%[XEe&&E 7"GrLq.5$5o"C32G7_Qbj-OkЎJ%FHåkk6H-uLoXJJJ Kmqi㎽/$"{i.?_ϯ˿O7t~W8ec*/hK#& -0O`??~$S{ 4;L*b#4@ /Z; 7Y*ĥ9EBcraWu౺dvV@Mj!٠y E\<Ǎ - fkJ԰DxTԉ႖Y®lpp" w=d\|,c4hC4|iަ -'ϩQ(OrxC:5eUݑ{9S7`5%@ty}Dۙ/t`y)K>lwƲ%$/G(7 ,R^^XdGu;UOr)^4'sŁң~冶Qo'ĐiF!Or?R2? -,A JIVåDcxEF'E)~!t.Vsd -Lp1 ^HD7krPI [2޻TF !FZc k -=2zͷ{4٭3#x\Ґu_WZ5sofo nR+D9>YR)r(Xx۬r\ZjMf 2<TɈ@ފ!l.1AvLzu/j,2i@y5.36 nGnWe$}_L};5!J-F4d5w+^g͍&^z$K5nÂd:Fy dQYwɡ^&ǔ} - y"I!2jɡsuucg{szW]#4:l,/^PK軥R$נ̰B6AdpeC(EBZs(1%,/Q(V1,/.E(Tl:RZ 5?;0\R` ae.'d bSnHrR#}),B8M(A xA֐VrO+22ip˶{)+3{j+*D(LqozY1j7^.4\5} Rޒ|K8 -nY,1;Dp%tRsbG77ȡl6GIPTw$W1MZ%Ar2Fے `cvB#'30Q$:*@eP+>H7":ḠmɯIMm0Ƨj -ְ Z,~J̒(>ؾݜPt3#Ӹ5o #t(߆rW0KfBЅ7AMvBqLC BݞI$m&PK,'lpOfQ}k-A$[BEHqaA@zn! W .f)9hV`y=QpL,)!_c.T=DR)큛تu!ЦNB4yh YNbzG{[Z%Ah(^1psLAP젦Nf]8"Q0o`z_Wk;ua]'0Y]Q-ȹk/7 -q M X;;=W)ZԐncb) -E϶%Pebq76R<ayH1áك-QfoƒdK 0K^^ :8ZdɃ.FG8ô{OiBr3'IDq|ͽ8|O w.2f]vIAzTC -s%v}įMnaQez3CKw B;iEڷ34JF7t7cPeC{T qf0b|FX@n[zہsC+L=2w0=l/Ke,v=J[NH誘6^T"D-) -n qhQDH/v 6#V~XdlFP)h–I_ f:n͑oK;OlHaBz"9!;wbRk; "*ިT3HP7}p<V:po%qXf82XwQ3d%X(*#UiHz 2wzC~z-HGoCaO~sPnz׫ҪXRԬoDn-F>Ŧc@Ҟ!-o2s--Dk)b@& -&GG0TiQS|֝Zn+0Vf ǒ; ;Y -~8i.& U}SS Zna>ذI& +=j;l%SAoo*9b;(d{ 5{b(aAK2c =P)B5ƹ0 c ץ>?!bJy+rֽ ONR6\pOyL-7|I#J)- -Kg\սrE!&&3uii\L\yuW'9rgB7(kHkVg*8eI5ajh=ͣH@z+p~aʼѣ5(7tzH߮造d&v3fQ.{9L"TD(W 8sz6x fE2*M9Pu+,>k=an0=鑂+}E̟O_ :рyPIth=ja#qD0#9ƓcP(`C7Yub; +<3 Ѓ @;4yہϞؖC}lr~6k-J8^7ˠYHKx|ʮ"xW< ɳ1K6t@UFd'x qQlS٤@̈́Gw-&ԀR؂ dΟ+0*VgdP]\z,gdX!%E?S~HoQ%Haj6]}y+grVKDVki40$^FbX$4:\ ]8q7PpȪh7΢ܣǹ$#`z,y_Cg^$]:1- - = ~%1f^ *Ʉ#l 9"Ho|)Y*ҝėEN|\cȃOqu@{ЂDWK5d@gw,}%q!d2Mm}P) rG%I;oI -5}G=j &>$#OY,D%ܗ_2Ы\[,{ȔhXfJ8Lu?ǛF- -CyJ1(PT즹0ك=XLb >b6#njS ێ#XWzp=ʗXB1Jk*JQ趗.3@_yCi'<҅JF |(|Lk߽^.5><}eYuհs>$~W&B?BY Ԑ ɚaR -S -y<[w5sy]G~< h~K7Dy3@foC,j1:b!F-!eīauIH {LգZPZBُx^ G`:Ku| $0ӢY61ϩ%L'C]Ɛ۩D@գ$L -[6 -3L.%JM0ɼKQ/{\)bȜ⪨Oe@]G~(S^=3~B.i+ RXޠ"%.`C&Q^ Ado/⑋ALWW"?3B ('.Xp6U(fHʽ!vCƔF74F -a]P|]?YR(/KX!$= -ڪ雱IFq*d_}XʂċP3ʿ]C ]CَB,C?WS2LIٖA*'Xa¾ ->-$@|-1BϿE J=ٯ4ƨRj80,loXup=_̆WX͠cHO,K`Aw'vP 
RF}=I G -t7OMGTϋӌK"97QV ?rJg h-p.툂*|7Ԍu^$z?ns??W[N*R -endstream endobj 307 0 obj <>stream -: -(X y]y *R[@Qzu?.gȈ V5 걞 V3۷AP+0fyPaR.ɐ#*zsa\fR~Q LcS-Ȣc:*]N,=Rj -ik@T A #r騔#]Doן)HWF " e/ 4arB (l-IhlI,%:r 3AtW2'a@rmlM>='yi2=NJM8+L$ -_=IC 2C DpJK !A&mNjdMIz,(M>]nI.迸gU 1 AtXDN\CJAmJ@ 02b%abȣ*c5cr:X:_gBf(T!}J~ .a4#x"frb >stream -sOMwdY^QUs`mKr$z1ᡫ۝94Ejk?i7Pz",*x3h}5<ߨ~U#lzwםJD2tA^Qq<vR;ٱ /r+Bovgr8DʣV^Gwm<ь0n/?pec{Dt"jw o^aWկxy -Bg4c( L†zhp%JG 7i0~ [j\r.52ڗ(y+ &H - |;.$ĦccOC1z}A_F: -#:qZ~4eD ^…P!WP%sq00:KJo"#qc^N#Tk3"4ӫOA~¹lxh5-yLɎߨ.i瘌S8ܣ.Aj_-HA4O^hDM) \>>OQ?{ke3< 7ܘ ~)/=s4<`Dׇ=Vz K Ԙ!VʹxNv¬蜤7UѶwKhKZXyRҗ}\'-^ADV+6Pڡ:<'QI>?ɔ=\<^<'o3+}ŷ - EЙ E0̄`K*Vtabt~N&Oo"rsifPM% 30VMjJэ*x ˝xGFn㦕ѕO*UoZ57} -HSa%q#0x3o'b -Wd 1߄`1k N)m\Atv֙$k,P~d>=ʣJ$[#HwÆz& -_ܨjoAڋ876sTR8b -'-1QV>YcCк9A'Zfl`AkʘeѰ)y"n60qЋz=57T|v5x-]BfRK8KcdJ[y1@5s\ Ti82G7?횷iu -&S/V̗ G7 MaRg$!^ub䦌[* qh]A,Gw^CT}DP5,HJ.Z%6sZ\FHm>к75ePG$t^CEr%B$Vg.px63希O>xr*)j *4tUɍ7ꌁ|90 ij[]t8'ȊW\ŊCkl_AS9A=B;gI=~qW(+,K@H49R`r@ϿCm.3VF HKy,Ǻ nǨ<4vKnKؠ>f̏&i ---PDC^Kىdn} -53#?PУգhS5m:^q/}ܔl -feRvZA&)9Sn:*/i޵{Օ#k !!.8D6k؉{E%=kpÈaDf34߈!PY)0ݠG7gH=xp‘)їQQ>=!ɗl{M7*n\jQMZ]\7'k<@Ser0O{]³91#$Z `XN>?z;N= nMfWu5nv@4(j{:7@ӵ((SO+=GL^0*'n'zΟwáiЯm4E1)pTyN[51-/8svhӅQP9: 77Q8=} %٫p Y qqALUPLF},~蕎z<'uo~FpJ:Ud`ci _TNbC?^y EِۤIo'pHC`.{/3FKXve РY~о춇2:%tcc揩'2Bu- rDT2aA QW-}, -}8 L׏JQQJ|=tUr^LXP5ĴY $RؽPFj|xV$Ly[+FZ.@zˏ=E `Am -|a dJEUECnā` y[ DHc",@S:1z(=!֌M+d1јQg5zEaiR_oJ"@8P X@QyױhPzjV^j>N55E"UL+0n/ {B=t(Ý+|!V?ɀ6,`eBUIF^)z@d_l~\юE`KP\Bׄ&+1Ӫ[ +>ؓB<+IfAABp.ŧlAxݪi9Ss8/3*WCG_ɬ=}f{rM-97'w&z,SQc}(ݔS!0 e8}߳Hk$ٞnSjg`cvdIUbߙ'ۼyrh"[QWg!bRGv/G yUjex灨*-p9}vy|(S5&As7CyR^C_$[)׻qj*Az53p@nʱ?E,i/TLBt35%LgnOQ>zPro#Gj2nr ]>gԼfK5 {UИojט8fϰnj w{J0zc<:S/yIا =덠RHRd=8 :IZgsY D%t$ݛ&RXKH'q4i<)fI"O`?E2̻(9:TENa;1\[x&Fפ4m};04_39}6?t9ePţa#>5,5$,d [#IcӷLՂ_]d/oeՔ3H~3>$ -ߤ2O`(Lӭi (i,XkkaH>Bˎ!{ uMj==6dn:Vr^0RbdnY!ZDa"F`W F{X5>vC=LBёA*_;PbQ9YSMp{mBR8(jkM%yGl[`DKRh9D {i]&6(hz5x>waNj@&΀'>CW`wꈚo>L9U쁅JOu]0%nw1%X\ꕮDncelS4WhzUe<>kM !I$i*@sUNÊȴ0E@$P_L%[ה`o\wÉBZ^LR~g;Q~:}81 ]_ QPgJFQլ{ ([##RhjR sܺ`"-h֎!HP 
[k-J `AE\yiUkDp pW?W -r$~>e6p^ Z)QX=$d<hSiv` -{DvR a9 oznl" h]!IoD~f+@ 4O9^U_<_K+JHG$hJ<51h5ݭi%W.i$n9)*"ǿ5C9}`|,o&YJYafZՐ O4{"G~IC٬0Klɪ L>C kG_vy ʐ2zʁ43[ Vx_ڱ(%NZ+A.Auܓ, eJW?ql( %E ji{7ċ~tw+Ho5_)po&RQzCѺwGi˘ ?DnzCe*B+Y ý%]Q?#{GXC&6ow_GO_?_7/_woSO?~B[hqcgŏ׹ׄ}p(U`Ҟ&zw+ *XEe;^ƅ-DBM->슻)#5)m_ю.B\f*v&q H}^aހ|٣]؁w#ch$EG 3cȌ[ u*GzLZyGhcq[hTΠp˂#;LY7b[B0bKM/:!0()|QLrCv"]~TAzCC%7}&r\'.͎ O 3ҵd @Qt2Bؐ^hG/|"OAüD ~(GA5jW:S%(Jfus.΁m6nǏn0WB>>~6ۍT7,+-I=4OC~ޟ{lS'zDtrw',V>GҼVYT ;] C{Js ;+Vgіw= )vWX b~[Oq3yt hMa& -I͘s)z 5@Z<)qRU0Q00aQ,>y"UttST]؋ܔP[[tC >{,w cq޻McAfEuZ%z""BG#q caF_\E*q4hI _-:DmE&ԯj%eOcEU<Ŵƍ8rUW>/z^SQUx }Z#Fl]ICbjwVcW:u5"Y^e:tR"ߤ>5vT,nЫXܐquP1:z}y[HGL9,s:ɉV{ J "{-Bg#:.|os6 ^ֻpcUʜ"{3p4f]UEx9*%*B>5XadR ѱ^)?)_A6\6>wIռֱ7$!5ZT{=:i>{Pv=g4C>c+'"?Ĭоg6V^-ACo,M 3-9e{80wN.=Ts*rpBxX zT_wbցJR =SLvD5v4z|5vWvfy^X.zG#!rprVddws-*)^YIg߼0__ZT -Ӵ=HǞ vW҇bo%rsTH&{{C4ݸ33Ѐ L^wF< Wy6rQ@$|ԕU."ȧBM5fA -9t8ogS[}0C[Ӧ;X)Li8QWkt* ceϓ;s߶5!{qp -AW>(aPo!5^FC:NDW+ /)NӀ ULw{/J-gHZ5 BQ^mp$6ФJQl!pF[`е 챢rF]Ϟ=d UV~2x&hPh}Jx?E,MًĎ(Tk̦<bx!mS|?nIZB!nZNΞ{1l0Fu! A}*/ ۗMmmA&ԔW:BH5{UH|אm(`(\paL>[k!Iɞ:u7]^Ux+ǠDFL}SJsms{ {0Yu#w/C)hL:B"6(4`o ׫ KWyJ>ZJߞ` a>k,;ؾ>C؋G`'%N/"j -8 cH#6P#`xHMW/ÁF3g"|Ю "$X72%{J" KS Cn^^zgɲ ,YLcP~=NŇ'i ASavlAp6[!O@bQ7j08uzS ۫wSVo'laIU2.'X T8H gv d}lgx~4 |_8@3U17y*m \I4q`t4(0bMH) Z\xqJ6ݺD3/,pR){rAEKż9%D@W=qՄ/ Nx=C YZYf KD2nGiu"q<;̜qL[>÷chttSd+@}gK=A~# CE{e}m-*/;0+_l;$MkӍ%⌽J׼/:S(A:'l޿8џ}ڴƓ{N.PۖU#,:l55ruǤ'vg>QaQx $蠇YĵR`7C¹ML.EkDXˠ=%Gx'auڷcڡ8Xu^6QDOXR I.%"k,랭X$ٶl_/[|1<{7jB$r/@?|EodSUeCV%,Ҥ|Y5A_6T}]eL-yZ0'^"gC#?Q!͑l,8ͩ\BVS*S-S!C*̠8KbtSDTR8VSs ֝cXJyI,ҷSaD8R?=[Y@#z- ۅc~B̖=ᵪ|B09%w -hz a{IO! t>բ^!w!u\:wdb5/?h|X"nT!$#=F%{ʑ!8Ja&';pT=^sx_JUvXzh7+050p#Qoq75! R;V+R)0 šϩBa.{evW𝴟=DMp\3@K$n ]'H{b<f'!B3 &=!ZkO8cuk=<C6 XW*,zʉ7UV2Qj%$G} DΤh^<Sʮ\ vTNjC7vTMĐ'Їz:u{!ie*{Q}$5I."_V9ygaFz?QNc'vc#%ň NH䂟L룐(ɦGOJK2~DB[c%﫬Y 2C 5aAw8=i Jd3o(!GLNS%Mf RjdiGЌ?~˦!G [zHUp,0@cД2"k,)Vyve ud<2q*hfy]~{u%eo,7Џ(tShLWssN\}f:c?><#OMDWf:׹)~`!605{HĘC. -PXCϱM+M[DjU]}Lztc8Uq*S)OJۨP)߯ji!;TWߚf%Lx-9~iNL;`YD(+ /#C2&LANG9LY({* AA(x&:~.=߃Wd50V! 
-\h^Jwd}?VNţT$þ (`g  cR1Hxs4P -g,pM9`! aPu)nmzgJ$DuY1~K$r $6dD D裈M/9dI kq)!0 -YhtǁJ= yF_|}]@ԍN${ֹ |ferV&9?nS;brCj@:LT v n=NgPqW7)/MsVOȨ]),I)'QCub^ۃ-#3Uhp Xj^q^5f Ê#,@@VlmHށd_O|>W;9JI=t;fC.AR9_xlZW|m -1N ІFm`0A}ן!d!+3A  b!&|ljԢL8W^[E?plA0vTUe@1p{osӓtGzQgPQ#}Laȉs|[p^!B5=5o}H!{eh$ɽ =`r=|v\nX D6H}c B =EI1Z{TYˬPe[UxswZBeacLv <+t4|%!9MR -\ pa 3 x/: !\j`?ءn6=B(YGE)Fy*W'=RpD`]ny1 %=/{gRNݢPu&CbNj!Wn+rҢǥ?(b`/J%Ydz u5u-*g"~HX րX -S=5:0ePÐE(p*; bBt19Zb"zgQC("{q'T]i05F8 Xuh)*I\EY(XIŪA{0,Q!HۯuɪݺV b/b+wJ%iBh:~TXJs5rmKX (ё;ן9+OH C Cp*O`% -3Z^QԜVHԞ$pyի!gRk2'8`(DW.pSUTثs\PdQ(>@2Q6)R0#KǴa5 -Dk{(5 -&ap JUxgtUk`/}s#0Q"TޣDtݍD6/; t>9Qk8r>=0!>3` WhإD4wY/hyKeZm--RS!_=]`v5<(RgR[0\_ڷAlgE(M)]AH._r=Ct-] 8RP졢_§f@7VD`#%Fjޗy/Οpu9; 1`>*ИܛH؋d1 N# -8H@[!\e-4 9(y*5ھ)PҊ>M `1eD\B8 #a{Wr^ -!ݘg\ 'P=4IA90 -pX(I(P-z:pӻi/;5ExHKbCfj+f(0Bh ]-lI]e"^5zZU ƐYe31*Ǹ0I:W#U3=),i:?/;sTh`;]Fiqs93"[IN(1յp=mBEaoF?dK҄:rve4WXT!KB 9^ZZfth7 nXE y|]\ |y̴8A 䕢P>ىM+&C i8EޛIɊ|Dd= Qj - SS%gWBl5@HI5Į ط$!@f -@y O=Dv^k"ݰWeC5݊詭$aiPpxx"l 0X8y)^Kv/ -dnYO>Pr(PJA9="0*SFFǰ --{[2͔BZ~`;BMD@_hvEm#:l.-RD$oٵUӶ IS{W ,`&K`;M~ TZK7;cX:x-ji} wQAXTj\.&%fذ29¡eYa$:e -.1Zܑ"rq?vngC4:uzy};67..t[zPta0Dx;C5 nx#._gĞS?˝KOnwEd?tM) -D:] -K4K0"n䭘 -Bl)n $ |=p

2f pkajK{*,ʂdS'6M7 CVqXs{W xK3l'0N -GHtQ᷽‹~bRi2J%1/Q"5P/K.CƜG4Kwl"G(1b,d+RpL BR#r&*'DT9ZJ8Ƭ_Nju^Gj/ड़q<༴kZL?uj|YU$񤴈u^ecv㑻_1Q s >hj2Ԣ{ګԎQCP~SX-`b*a?9; 3NDZYۛqnC^(^`uԿ! %]w@ LtC!>yݮ/O=02yn+$LT#*D57!&8ȚB|H!MxE@'XWX)8cڦ}ImŒׂ3린q>:y-xT{P1UxEj1}SXv a@eiVK|b龗j1RXA>ĎdjD Mki0$eY` Bzq'xRhPH)"o}dd<^jJ_Vwai^Լ]5X^ܻWq)4ʒFGsEFg:#$+\z^ _g ThF)ꮳ@ҁޙq^RIxK]/n&#O=gWRXTKdlXR.mA]]:@zG!XB~` WTަ0rGN-el~]=1' &Q8=ߊC`laK2 Rgʕ=)p0֬dvhh~_آCE:7- -lH9OlIw*X. `5+=/L@ e$J5DYWz0+J{RKÝRҞ02zd? - |AA/LU=A$!Rk-i1PxVpl^|F7Aj\5P4 -Ti;X~0A7@*;EMdƶ aAIo&{0Ö -ՀƟtLY>WFJn0TuG{:(zBV)i~<7yaBW n>WWфy@ {vTX!N/̊{,lG)8b nyב5bj 6m Y(a_7 K=I=Wϩ%h=!Tgȑ&Q7%z[VWZbkt n9%K?Je -bjgW --Z~x-'1=2ܻg` Y8J)(w؏?@YA+ob:[ h,U0@?ծ\X`zsmT{LȲvCBC&)э1M74*w" (0v!plnڑN*JbcJ/zu -&~Ȍ  ~>\Uo)XR_® y|i8MQͥrʡAkG+}||NАǡ: TMY~ &nZ]VNR,"qM$܉K^&$tSM*hQu b<jD $YٿzRt -"T'0gC%~ ze#M6x母ē lWTpeʁ<):g7j%?[0@_oi}gEp`S>W-Ga]G|)Goy~tuR.-1o Ima+@8~eD'_k?ϗ;r6z-f#Ǜ@Ea|ġlM$ClMU[СEEkJ1SqEߘo -$8L6k͖0u(8݀U דGmǴ% -Fdr@(;Rk,!gh+v8,gFXE*`n-25F6-V,[IM4Gt-+(fը2jY{A?WZ[4t`lt``b:礷?օ4=MTWwb[+hR'-gH@KTܣpx!>>#"29V^!Er T^%C+K:`R11v 2}lSY*TWLRlC(zTp5lK^Ϧiس /^`{'5 B{k.YCK{۱ -p"#;DSZnkH[xm|YTf ^i|p#鴏3F᷃㽵a[+,)ω cfTnM+y 'FU*;5U%hɦ-輊Ӷ5y *Z1%B}Fh KGԞUfE4Ztɠ$N=({0%p6A>?460Y-(6} -@/$eZ,gFX#EO7?RtUn=C4 T$O&vkTbsS(S, .CuꃤjVtqJ,Z@$m .  d 8%̽t02j(/ ˤ轄WP U8o? Ƭg<A[-qH*BE)<h9%( ȄkDo;vF .* -Jf餇wD+ akbd ׸lMtnpSJt]8E)]e&ɱ?O%W1$L׼y<alEOM"} Z>i墦|OHڭriWT|dzy ڦ*|]0Ln +`*Oܬ݀ JqFO9_Նua -01|~Ʌ*AS"I,MݍK䜽l˩$v8@Rԃ>ň Ξa_ݧP@onU͜oH^96ݲbJ'E2k|y*̖_J=T e-,1"4(z@A!j-c1_6<=rĖyBé!ہ;tܽnI=Y2 ->;Kk2ad"]hG7$ңe'e$T,ln{)5'ЗG~ -] CeiB`\Kz)udB@յ(5s/* .[8^G7P:Rv?vQA3;(f(NHJИϙf&A ct3rrxc$7 `m)IRk8Cę ,{"02{g#FXP*,gH7+xُD -}{PbOc߼zZ-+^?aK_ x`u Wvsy lMuC# - SǤC~3_BtE$/ !~ϳZ#&[Zu=:t҅ψ`'PQȕ4G84@DŽ5SMܓ^ -=${3( iJpu5,(IR}+])0DI>Hl>ihf»'/Ⱥ! 
$tO@/{}o 1jXG;N_=.Tmh Z[e( -Wt9>x38}\TUۓ]5tKh2ľHާ)J0"ӑҟ#;@m%w(%*uxx `$ -'ݢ@RU8ȩh #(Qn+ЎQX^4A'ccNu9Pm 3c~ǐE1GxV̮y ܌*PUWKkUHJ-Ikb _ -:r>!g0$Gc`V(7źH lG D6bzj,o?d5ڤp9aF=XV &ɇBHVTT9gSAW[9W4J'DL{̶̃"WG!]L}v2{bؕ׈Bs/Z7;'i=Lσ洛6)d$* jqAl/ -Wǧ`ӎB -('t C=b9P"9gh#5U)a*WQ8m"YG{>|zUfd3cGM5Qu<%zW $8tѵfeU>kDxRZ&FVtS 9lsS5PY{FMh>fq1"P'؏&wd@ R5 %*:SU}Oݨ -\E8PvKrt0CDPuU5tEBQJPb>j{J2XO -"'44&Le;hofw4!OB}v+r{("&mę“dhOԂ.( -cL$"x.8hاBrzLM^sDܪ'{8S?h$۟裗[\)FPSL<(JɵE7l - +\_Rc=fyZuA=ou&dK=n)%,Z3A orNQ%Ne5*⹔\lC!H P<hL96h.@֤43 L!GnwX@Z48IY; ~zMM#iP3 ӽ7B;r&ɩ'ڼyp{BSAhe;,Uy,&Wx{ XZoZ7yͬ)'rA>zd~tۋHtTSD9\BXPk>)iK:ΞL/ϐx)˦)TY䋤.Cm+IS㑸d<'fw^ə`aݕpP吙C)2@Ѩ=Y̏g^e^e4],غJ΀NSҘ`}Tסe#"+r?)l}WO p΁GW223M'3 B/n;K(Dff"n/G0 ; 9D_:s)#l -J\~=ŚBMsPN!X$ݛ-]E';222u`OFOD2x"-T{nFzaR SZ% ۭj)@2q=ÊR;CjUD\Z8;Elec({>r9eQ;'."@&~ _Wt Qs$uUl|D.5jH"c4ƟjD* ou2y<yJ*g`:{5lV$DhBZp@`EByߏ/q:}_y\Se"q'߷NPj\3UG!ѝ]]w _!΍oc<(BYĎc @u:8;X3h `CR( s P@Iġ,iڮXT2{o8=>>Df3y=@xF(\\XKb-0|=;pCB7PJA*ЇH&GӅ`$ ~#{yO 袩?#6{J D[ HhP7 )92z!Q}'?|Ư9zSS! `HW"z΃ _~Ȅ3f-5~Ϳ?ǟ[;) in3'ND"W`isGV/vD|9zEqk̽ޯе~ -lNExЮhPor Y3NvlB9l -烺H AKϦܠJvЭëLHøA{\V(VA -x٦z8ͨ[=$pXc#B{wduX,&,1zu alyyļ 1C:LZq"̡1Vg+p ׿6 y|Yy4=I% :#DߴgA/uP r\6~hkCL!A*D򹇎EbI 䭁Y$|1<&9Dj_C0P!sCӍ!7)16 Pw c=tx}"feҞi$:@SѫT)aMQ3?[0M]ҡ軱;M =S:U|{qlPnar}ew0PE+&SuPI[Y:bW_'aҴ -QB_޲%LOu@* -B[ڼRgnCXOHsn3NK>C%7,K7kGvh:Vm!WrLh0'@5Y_q @&B?"I_SQ]W9; xC|:(R']Uϻ/, :g|98lj&_ҸwA3,yhpo9Μ a]kL+ @:vEr "7-)8E-r ,Z`_T72.r=xwŵ on)n^GWL`>UAV ߷:f!}P~{."nfI>ÁК 8PI% 9D: -$]aC +*P5:h 7Zq 7>ڬłp>-l1w0;^_vN= wy_M5U>~qpew,4 0ڽfJFWrBu{2@$ 0PEY~eԕ"/4r@KS_5Ei'vOC,/ի A[Wp3u+lL -EIi@sʗjt(v EPdNcbD((o%ȄQ14qSBB:ʡ "@ZWYqx"q>P.ve7JNI? -yS!ZPP}e&fCHĈ^_oXWQRMxi CƇ[^tR/qwpLpNC=,J/u`}{px.Z݃Z_:⏬rUdCN}cjPΡ;ymwʫBRț^V z -r\~q8t\UyJ5w /{f@Y8P4S{*%0Bhf`Ov71|{cxҰcT"4&l^he1ӊ祠[eY) Uv4-9atwaSՂ}9@&3߷+Y25[! '{Eͣz,p2. (Ωܓչ@#K bh#=ޑ2O;櫕{|zc6TYh=5iw&3\Q"q= WP!_K@= 箽E!=+Dol3%&}:3FO lZU1coTp -3zi80Wܭ:2BQ04j`z%"U*;P*#4a ŨJ^Y'4DNcuDY2!5 Thp7ƴOլ3Q冧r+ĹVu Ż]+:ȼ>R'Wzv0VqRD{&,'0L. 
=hRvdx:v #aÔ'K;d%/KVD)veݐTnsA@#anT`knl0[ak ;,Ekӂ!b7 ᰧ,ٰĘݰ5LF4ȁY@b8DN@V2q䵐'>~k2cPbT?Suvex |F|}ݥs@kX#WCᗓ{+;UY;Vk'Q4G] -u!YOJ^# ?g3G*&BYgrVecߟG>&"l'N/%}6E o(>#*>B!ڎ3 w;7pk8jgؽ ^/cAėF>EJ=Zf9,c\dW[^{*dL`=^IO+ -M{m8epty/[ q!83:q!`%(pA;t.ZU}q;G dSUҹu@Yp9gEVWI4uU6=L  lf\m%DA5}iݪj{f8T88,SoΛl8^%Q+R)XJw&jlU,|QHA#د@h Ѭ[q?ʕ@9d. '靫> qY<2<_/w7 wѮeQg]y@V]UW'rU]nܽ7`$?{gJŋEoJCh0"3@e㣇zno=Sɉ&$rG?"͵/^1!GQ=հ7EҜJ1,z(9f2ws>GVd_ruݤ{E0 4!VD}V®C&Kϙܬ!e-Olc- YfG!IySx[aO&X(HƉ| xywA8-̑ qa)b -Z"'ZܴN8~sW9TqP/-r{1-(>"V8@EyIyH#s>z!O9DZu<2Rz4u!!aMxJl -:l,@>bRѪIАrZ@L`o<ځQ`{=@-UOZQіNq.ߘylyGzO-Q-ʉ#aW9)GíF=ȝn-=R|_ӪnN\DdQG{XɽvWFoS:1A!3rDZ!&= uj0u;7_cx9^c&(hb)%K6]"InDݺjd얔D}hNj9< - v-`ɤ yX Md޻! -$P#w{/_DZ [VnQQWD -T5h`=$G~GﯚQ`bP]eRg-Iw/GI EsPBvX}[jZ ^s܇[T )5h}t8[=dv % =ͩt4>{Pyk!W8|ԨqA_Zh/WEmNrJv!g؍p1_K Qa|C|1JHU|cK۩8@-a"?[#QCrc> (cbM=R)M S:E)TPO*K3#ÿ́NWbK`L'9OQW%VIv2vρl(+GZJ;Vi?R&f •t -T,+޵$+uT!/J -$-Юbiv-*[։=m; b;4'$r4h*Py(lx -Z~7H Pڪ!|70dQ/T6iY9Y(Α!0K=(iM?3A%SȦDep -fؒ_ $ RYPZzAa,ƨbvA\D4 $,pV=@WļpWșzd1i'E{;Ds -[aܑoW^iBi& U"Rx)֬j6܂WIv6~o(=%*R J01>ܞ[2VtwPYʞj0@vPE}=4]b hB]SW1>\p޶_0t@*hC5EX G?n$;'M/<:P{= ɯq2_gZ/dr ԐWtZ\LKIUBztXz;+!gb떢3,<-eI -铠x|;.i AD1ԑ"WUI*QXQ$yu\{AxuZw` ],>TɫC Du0IyI_2|ز&o߂־(Uaa=G,APd7 `O8Lvjq}'#ىt:Vޕ@l/J5e_˿}7VBΜK5FbcXkVzLd#tמzǕq=8Ӥ>Z Uk~5䀌Pk»L"ɮͩܨd?!Ȑ[(C -Ƌ^>E[Ƚ{ }Q jf^z㝠72ddo nibȿ\?RM[#fA,'τetiY"ņ#5Cp Ǒ1GH -C=Ӯ)K"Z: S,pp̠~pN yc: -k*{[7n[g )YK?{\Tr8Iٻx"sF衑qt z i@f62DH"e v(Vx5n^GǰJ!X*>`˙_cl!;Cv04{xSm0 ސj >mZlأhjvKftn -!vGLD|ւJIHr31b%s!=ح"iStr{6"$?Szм7yxLx{vlϐq~dBC7P:D,#$PML1 U;}L8ek(NP.i֝Fp"Cn8P(`k^:C,vOxNp։`q+ t ՕY9+y:f%ry֑ -zp9FҜ$ MY+ԏ Έ^/ -;)jT)vIiXDA` -trT3W  ٣tQW(`DVcd!T)CeCWe* gmxƞ902S3j>K |_͛@Vxw" &`Ag.24EJbn45 B]qWim,ז(kNqPKd -8vxCQQ5"M<3+iU - Pb zJ<\Y ];K"3xIwUӈ G,D}3X^!C:Pf{"K>cٵ;EیPBaΕqku9e 0"t{N+aXZ$ [M&(:9 lm=)T) ˞ CAn䊱eL"ZADXHTI@PO&P6~!ĕydc|^f>/֖ ǼfzuGwht'ߤ1„W1nN!!TuL7SPr!Ak(]d6#Ih)Ȭ0!Ҿ.-&K6|p#[EBAMTC2`)(EZN}!Y@}MYkJ6-T'MF/I/tzeҨF_MiU0%+D] I*0ϊH7jtsK#D~Fts Fp8N =K -$@қ.^<$DJݣp#d08׆ zGU6`Bd$~uW؏ vk$Xs=ݣ&28QǸ|MP0K눤O 0 m!ֱAPI ¼BM~^KL@FF#ZW -:\'TT4Z 6#AOގ ewg0 ?a/<2=^ 
wAޗsl`FXP!4Hi12(gߜjz)fN{I0K*9 |e;~q -γ{tښ=R1?K`5̦ m?L>0%?P󑈡oUC`ZMsPQUu!CjIkeT땷h)DMGCX?CQ}QV]A(-r -K#ϬQ+j$,.#xøhdH v{"_~N[F%uS@ -n{7<%Sr7KĖíV9ɡ3o"BSy$#_^JmhV |BnEW꩜y2uԊX)Yc/!futדS]~!bA4AHB^gF.2g.jk{AH.3-WVC@@)B:-m]mC0QɠY4"Sp}8& 'ddL|Tyi([5"8\<\\ zΜ'fqy TZ0:t{)5HzrOCFEv`ƫl&2eI4@ey\e>Zs,U?NIE ;V8̼C{"bKr0g7V3y -G_ *揌1w#n%)@J -h0 S!/$nJLV/ b2?O_V?Zq`.2G8Qe.s59kYËkjISjo$~>~9[;YTb( -o*Ӟ3 @ZVU\!\/$0 |@a0 lfPs+lɯg$=ly.b~k0euC [(P[j 4%x0@( -mlݧiEk)>ڟTIQ^2oB2Lw0e .&u>0JZ"5Qp Wqb6$AJ-P'dSrYwnKV4js3D@ـ+_kޒx*AVIOxI|YإX!Ԋ lmxl%~RCDw߀O ʨn{$p10E )HAtCIQY9킟+dyU|@!v\n9rT| 7T4Cң2ZnRj{z+PqÄ׆N: 'LnZ=X%O $R0{T14BvD(kDβ-4t8$!RN ae"/8t:_sIk- $DtLS$Bfi4#(~=k'/M -Gٚlje)@MV誅0BC -P:Ɲ0!}ӖFvZvCOvkª!{4ڃT8+O΂9.BT1^f?@@TYlQXG_6S\.|5@]ML#,x2 $=fhBq_XDyũI"mA>J{' *ikOG{yD~{1Drr31S8ww&ezNJE]Yn,Swd Z݊3vd8&ժd -V bAe<L)c>gH+GeVnHam}>w -gZvELm#ѣrQOۮm\Gq_ L:[ n< -ˣ:z ʶlÙ:¤>CՌ@'W0,Z(Qk)hC}to޿Ddu`2󸤊 ::mh" |>M*vt1@J?ѵcU\DuM͏QBn$,j1Aw(NcS^!vgfdlC-Ψ]'fѢЩXiSՃ0h !^Vqy.cn ",`WrԺ aJhG4+ -M0d{]#A~XAk hrl 0 [Y {u}ӣvY97JV)U}(&p?9֥Hn -r B^aܲ||ĨPXT'j~LTm6m͎ڑUwY A,yZ*g͚pݡHQ5֡/w_vd\#hlVT5m27ECA S'BX 3oa.Vx %輡wu#wQ5hG2"t'|4<#SH/ndfR\o {\ u٩֭ zuܵ<-hQ q[~k i,-b+#0A(ah72BF莙b0aqBD: QuךW<ϒJC|Yaoa}K)lK8؃?г{/ޏGkG.Ox⏧9r2n{۷,Cq:)̮\S*#EnpWi"'`.4c fsIX@S ccE=yrxǻtwsqN>,hC51/ I -H7CnU Z&%xw5_E~,KajS necF88Ov<ۺ9z`$=`$0NB ~ȱ5I `/s D0SQxEN#Q&X=?P'͢Kf9Wc2y9sKʇY_ݵq׺d GN[rSXNC{mV*MADM9 -knFqpFJHW@E/~9k/C-bVP%BOkY7BApף(,W{Wט8"Еnjc^s{ Jz~^՘4 14MNѥ!*sYҡ觰=77 ruo&<)%gH"nwT2{Y#t#GMnX֙v "D@:ek3zDbdh@A63^Af'GR~8@ps5Z8:6-pG A~W!rO҃aQk-;Z$M4]ع _γլ:xi' &P1JqN Z#>[Ûi{ZS5$6_`ie"'zlZN1F>gO >Sm 7佛AmmgW3[slÔT!LRh5I5'pƙ 6 I̳BC~[ŗAIs`d?{p|k]WXIDCkz3.}ǹu'>H!cYC3y*R1sa-.l6YKjHͼ<T 4ր&h6' X R|"id`ٴX c Zia$Qq?h̎hqk(UuJΆ1r`^uŞ|4 {VtHNܟZS!͹H7,PYߡd- -#>.g7T(GsfOK}rS3gVO0]kV&ɇ¢_No}~~T~z+QJ2ȝC<[:Bt<^2 $)I6h%"BR8LYVu{( -Cԗø")$,$Fo!vtH\گ1$Bc#J'*>+x -2X$[x-nL)|>G1"u6gF*H[IGp{,:RB J 9z(o č[nM/≩w1 ̰JCINLh{ h qX=| -ah$s.zkφvZC8L$$#l:Y~S -7㉮-K4RaE.Zs]m 8OTCp('4O`m$@"$@|~vb}4P"i&,7䎍(ʑV+ 4=ҊBw+ _ -0y(_"_>cm@QlJ]^4e-LJY qV?NC̀5S -?З[<-tEЦWT P>41q]%XpE<{&0a溘j|PDB_6pȓg(!Re<ɏ 
#J3wr (jZ-P1UeW;P=6wH?߅X7.3M[%}Vjt!50Z#Ztljs)7JJ#ј+2HRA^Iz`z/+Al K [ӳ?O4??w/W?_ }=?[>WcEM$~D3At ͏m"FIk +գGWMc{'=)@\2+[{m"}]ȶw&Y_Oz^Qo:e*$L>=p!у C֠GdϚd&h=U<pNjLALs%=dLnȾ;q -;܇ (5pm]1<p:@k A%= hlր_0"G v%SdItptcσj+_lݪ2%>}ccxD҆zTVi;пG[ Z>5# '?Q!)lOX< .W/X.N)OγC,.$qcL7qY:Z -?0!=P}=@tDzJ+TBqɍR6t9ڑ5m3yAn W{ܚ8u}2dTdaX՛Gm7=zXO]In1 ПTP<.|(\UechI gbR>8 -ù?yԃfB|x)S$,ks F)ajmѫE2%Bkݍ/^z!gY8_ԞU@ a ]- c{f`˻i;K"jr(mp:dğ {cW{}2"q:rcLDȹ  -H;;,ҭ{Cq-9ro 6>{)Yfc0\ʊ}vD$@kJ.Aۓ13n/'9ہXyE$[x^Ұ NE/&ϩ>]Fmx -wG*hՑGͬɎPFZ|8JSjJPn&'c}oX|t iZ(wnCȄbv_]YvvMAyT(pm Ҋ#w~  {NP(uHRH6-˟!иb#Zo -Bo-*Pne+GyD $Gf +Nw7?|PpTZc\n2b']* ^>.C{!.?{<.l`w%5$=ea^q_N1b碔d &]'S;sC:إ'|@Bw0="28>]%e zՎr.٭ -},aɤJfpIu2jpKp}dĹdtw4-L kj Y.v[fm8> -|HO -Dvv%ź j3Q-ү$Gʀڑ1e8c, -v,wk_!n,li}^a.TdYvr@=Ǎr}o h>Ыޓkj *$Bbs&IdG7j**V8L&"*j#u}x`eo0!I2Hc ;D:Ȱz!thvkY0ȼ5'}ofd(Sz0SYBr;Q`Maᗲ{hNCUDlULY|~h{=@\Z̓tJ:2$Er>ϐw)pNĆ~m"6ZDwPDZoñ4B*;eBi:b'^U[{[ WNX3,#.oz̨DAcV> -S -^2K.\?J;;{\M{b"ѻ'L7!"͵o>f۵]>nHRL`ù!c-ҵBz w-U -̉87KJ^%8P%֙u8Z?7^2V!ՆV8@\ҏxMl𰖹HAMעsY6Nѱ0ю -8² {<>]L<E~{%GOQFZr⦦D$cYՖe$z}{U٭wR{jcCU۷nUզ% `v ˟;|.RӍ8c13P$GSaAA*yׁc(l\HؕIƱS+fdPj{qކF3L2sKLn=1X=>g` flix1 :תj0$\o((( ba䁩y-xjhrCL Ϊ&y Xmh)nURu|SD:!yj{ כ32*nd }ýJ1U낮] A[~dKAи_FI$ - tm -ِvȀ -TŬ:?ҵ[[g:b0Db)Dg-iH:Y'k:SqT8l"G 4 ,`דceVeimU:,ܢ5zI\=Z0ak[TcVe-ftMgtY=س=4iU'-m]j0G - -FCx܆y08 AVR Wz؎rx\{OJ,r)Xu&ڔP"JkUZ9>>'R&?:槲=0Ƭ͠b~N`F15馆 8+Fl=48Q+s"X5}i$}FYh5D/1օ+ mL|BI -*G˗XyJjʢ (H - D - -\=pH -(ň:IAƖQPWMSE"}+ )io -[K+8N_*,4›qZ=,Fn>݄BȬ(i:s -J+olSukJsE gOP68C2 j{OwOa'0-@N@,XlVôǥ) wnY 9kpE|cpP;=y{dj^БB~?鵣f{1 c|ř0[Lk#Q9IYz Ɛiv$T_0G׽{tMe -҉DE[(7~2qiք - - 2?_س[n3IŅC"?ӟ! 
,?ғlTyre#}(j0Wl`QTZr,s2F~mp/]qFK Wè[8#4&L~~ЍU^vPE"v1ޡmn>ya봳p4dj\ԔG)mҔ(݃ ]µu*s}Wq jCaD6?b;esȭ&85jYlg3Ct!6@ - -υ=-A~n+YsD+wTg^2Jk;$pogf"%@e@ NPEah2"ތ7Eu#JAFu)_G4DrTzoJof^7%}p֦ᢜ~gmP홰%; !H+0k!RVGYUԦ#_rX@",5lY|)c,Oag1Yط> KER۞Հpgi4,-R(r ViQZw/W%BG;7w4{=_~sb=Q Je<7=vqCiHPP`^p9BIAfYh^s ̙-a`]k\&i=m.BO2ԅﱛ?:᥃l }=|xG.CQ-=F?g @ŕ@L;`W  ytL-bF&B+-"]8CI4 ׊ ^7=R?e\g[HŔHW6),E|a{f oyY(JHвcdvd:xIݛj܅494 ?>5oQ %d2sX|瞩: <5uyt` \c$kiGjNe^:j c̮, )~gp󲃬G[S^\ZU~K0dH'= G fVI<"Kܒ -;D"Ѓd3vUu؀ ΁ȢJR_@BC<väF:\SJR=j ,J5?l M75GkJ@le)cܮЦWo4q%B![Y%"OpP>ŵ?~0u*nw_m),hb3ME޴ZcB1(Woz@8E×/!%x4)'.yǻ=+LT;oz<[8؁Z)su{UZEj5|x_O !Kf6*W #`PIRh$;8feRhW"p pN95G)(#+ձc[M0" N܀ xl0R1jz[*9 NLjàa:3~p(/i$}c??+}|l몉@(_bY>@t@\T=6K -)VK]Q:҂zztqOPkvȝH+ -1gȫKْI~gNVk sq( *S`1rV.MɅ6/I>lxHOkxp$P Jݜ6s*FJz d9jN_NU/C[nA|<SAՂd i \!MS>/\v@Ё 0 -70`Vv'K}"I'4xP{(G"qOH?RmG -k^eL:0%VWǩgƧBE"YGm8ܞ LHJy1ecNW@XeO&{ȡ`dqiؿFIKmZ:I00U -$n1" K?=3s'i⯶ㅘA>!0@ -V_ ~ç C2[U⒅C2KǶ<.K6ӑ3RMBpӘ_ZX &ѻ o4j XcF@*)n O<.0ugt ;LW XgA2rG0L.؄;75ĮF -LC.GdEי.bV51'm{@m"!ߴc1b?~ ݓ -W~x[ueG5>Cm ł:^3l/6-[w0Spd8sUrz*b5~JV!!>Y@3e/(xӼN[uIh -YR5F@r3WrBgnaYg{K\GQ"hs"Ƿ M*Z^$Evw 8=Nѣ:b`dKq&z8KD.5t BPCp+a*aяNApP3Q0+EV 5O?!kS%@2 '" nRh{Y䚠vB".L*uDN #=BJ4k$=N:\שvnd,v!z\)ez'oفu[@0}/D`suD28.vi%@SdΰRn" -DOYivB(@n;+i`OvtyS5;bPɄj3v`KR0BPaXOlDDϤ>T6IqJ^aC݁8 -8x*r KtfՔz)n I=W`݉|+G?*2V0/ YxT"$#V$djI$\I"EMҤ5X6V:󝍲t{4qt NISLl( - _;ǿ5x=|(; -,#,SaTp7Ra|Iz nL!h<:fɆ d:hoTWT0*NnL}ϴ?-KܠO'?Г4x -1@mWL4*9 -~ S}s ̮s4мqS[X*iT>\L 0k Slõ8|SXY]S@ұbHQ;:\랯 4 b=g ^ʯ[?2U -9:Ųᄾ!͜$_eWSOiZun<Vm&$-!9J]=vOPK=)F7IYta:/Bf% -ei u;S¤,Δj׳G,_>c)?3 -WAb(̹QSu[wUz]bWLaUJ}':Wи#wGXgu>eN$X28w -X aAWJ5sy!,r ?]+J)WkاB?"%]a|"C 1)D[ .#2^{ |dLmP9r ;YP-2 T^GG4C:Z]藭`#horin.7"d -agO= Q")^Y꟝EHVͿCfU";0"<k0vr|qB[:IASV!s kBuBs/rv|~L1#$ٷ t o,BIŵV@2i]_/jA\Y6v -YR<,xyWbV{{uyWB3Trr9 -Vϊ{lԯc}h;ssNz)lcDG 5s~:\ofn努6|v -TʈgQ`!"wVc#5O#>)v1La};wV!t|δU/𰔰xvH*X`VQ"~y3OIBn;Gq?H<[W +fr#, -+j*[Í?@˧ۢza$r?\ nu=ӹ;WEGvJ>Puϸnea_b͡t;V(ll -h[d}-l)E/Q -MO6FET,;%4OqUl@zt-87;0agŊNtY@4^:^!F[Nk&y\3 -k L:Ks -M:Z)#rqpȽSo?jx6:ќgD x*RX4ŰIOFR[İmPeByc߮ Et[5R{ЙUX?ژm~-L@a ݔuP 
r[9+hN/9o;?aHwYsZo~a@Cĉ2tj13'`>3wKh5kzҪ5"MuW$E(W|JΞ'/o>oI_+JkjHd}~jr+vEH5OU³"`ACDL!рş@ r7C و+@hNv*,BꭱF!Tk9 IqjSs^ҺGxp d3e% ؼ-++ڷ=J-…C@=mm15< ~RvFHp3JZ cwqfX[& -aSg] - 5S!`O{ y{eH6 Ci yIM# RjL"޹aU&yfϡ%(Ztů߅ֆJbR}ZِlCA Pyp޻x}Cb52{,=<˅S3 |H`ѱu(_~!L>q6ĀMz\O*;=*j15Fh&47G3v!dJo$wYDwLSۆa -sMs* O^/v Aa8 -`ZF>ۓS"S0ԃ=#z:A6l.4"X2i;FM7b{I47{kמ -ƣU-ݹG$xo)KUd!/5ToxFV;nM0Ns\D(X7ڑ聐=BܧJSLƬU@Ȝ%?_FKD0Fʣ?hۼRA_&\&<Ѷg0`ոBv/V:U?A) \T4Mէ੮Rb+=lxC HO`Eqi^h7O N{꤭E?H0S< )E!sկ:71;CJ@Q-n:Z$ #b]wgaTN]}n ZzXgs4!-\m^ɋ 8X&SΥܖDT,B"iF|I-X"AƬ -gwZM -B#@\"hZ=L@M;e b ^b[ٳt }kNK*؍! h׮Kwm #jLȨ:W5~t>FmGئ!XG -t)'co:^󷈿< t\Oxѓb˘q >8TX΢3|0tc-~;8.C2 ;M?ֆmZdxOգXv;Ed`u$եJi#\HX"#2!@rbQ榼c@q;=# @^47[;@}ڮ˜T \l{zk`]S;鏈ͫ]9I= j$8{tWQ)|M{{\є%,Y:|"k _ -a3c!0.4^92C}t|P6uE [DW,?=Im/IMCkl`IBOqPJH^qEj^֝]1lQuqc>Tܪ5"_KEe)(ߣp37#{\WusZǔ@٤S;W#vjU;gݔx`ǟHj -U7XN; Vl "]Xj*XN1CӭF ^SRo +#jy(R9GR ($_L$mc\3YT\=y"g8(8_2$[ўJ=|ָ*!qNYoWHm2?,mR`(3Ah RpuNR "E@C/C%;9=/kv:I0X(){޳0:s2qHc:WXބ&OvwoM,=&`_ہN+iǑBnuL2{%MY6w0hR"M¶P>̜&suz`kgB_*IT׳#Qjw\",9H=9CT b0-#܌{ð`h+G3嶻g"դ]4}J$chɚv$*k"F  -gfQha@kT%~5;@qaG]edUf4b1b]ɪдdX׹TeIz1{8>aQ5)Tgľ-=p##um(a*h\vUXUGD XΫ{(dYlQdLrU)"oe3b_6ny#wfG}8':_PbrM H5Bs\)-9-KdT.J=}Q^0k@I }h?p* j-{ʌ-K&͖)u=yW'k+㇈}J@Qe@|;ݟ<؞akO{zb1aU-6?|P!T:\bj?5yE\\y lQ1s k!#Xfj-{[QA̖ -t:%иx?`HNhnY2>`ET}!n;_KS_H{:&ˢ湲hRQq>úF|Z, ,F?S"KfS}cN~vӖ?VuxDaݎ^BaQL{WWR%+5wel=ŴN*t'!i-i{ ʉoAU9Y: ~豰~DoT[}:ɮ+!2nF ;e$%) }SW:RPpLhP ,#K Z[nC~mBڴ7n/+yR{S4Ԋl -ݥ<fхq" 99RbpM&F{ BtBS }𒨺lew g!_tb ]m T/AH(k25/ jr"1Y3`@}Dvr!4l S!5B/{(JwFHCyj&"l'Ofdۼ#(sGDJۭ# e A>ޖe!op˕ZuKV:,k:ҹjywt_RJF*Fv)~`w"-t#Q`aE1 m$啽"xuI;`T LW>bϐ~*}<>=G%TE - ұ#S?#pF*[ T;sc/W Vd̋7t{C+g+0r(r3 R u&KTwsc^>^4w?3p``P`-B% -OxqљDs{)5ۦ Ddk%Ǐ"0)j̀V|MpqzX3 cp^l1TSᅛ΍$<9׽ 2!a#aJ Sy|X*T.'Bn¦nωJhN*ܪ>\Mg Z]U|9=O4R? 
"BQܹwq (j!5f9g6{0C:THkvU䝈|C-ESw~H9'_}>8A}SV.y !\V~W:WkE-h*b"*E=z:z>#wz:^s>* !hS|$@FgOMO 6Z@1VDGH__-~]ϿL,Nm-A][k\{09B}FG7sfߥD_En8cE?a/gCabw -M Wn&"dqxr&NqcC#b\oYl6P]&#1#!A9uu8sՐKGLnzmѕ'_$(WfG/9D$?trl| Gh{ͽT$0b>sLDet#p Aj ;2OGA #tQ_)Rt[)҉rP,&Z3խ0ػJ9azo+R\:wV> !.Ns(46#֐rq#l ]G@d٘D䊯+nsf>)PɁK4ꇺE!# -|S%IQZr(K9Shř׋Uoq\2Fl>d)G`` xG֋tv H鳯y=#d]9ΑĢ#wm ړ3bAyEA@UbARW9 vh1TDq|!քR3_0X֧q"*4Q3d7h\z2OWœ 2gG7LPXv%3BWoW/ƞRDZ-DKX/ "Eg3aGԨqi捇^O햌K&3=䞓xݪ^e9[~ 2L8AVZOG[쟆`E -I+G)I0C -҄d $! ТAp"uL9"3hٞiS?"=>|qV`GH)綳u?' g>U0*O)iUVm1fD QI!YEC;`ٲZJ(+SZb&G÷jn |O~}PaM!hpA'gOZ~??O?ǿwbwݿ߿E \?\ʏQ50Դz-m5"lY翅mBݺ"@wp](fxOQz{" -!bwubgqk7809I0uWxc' -◃̉6bV-1c~NZM\T=5X[u;$&t)E(ڍUcdg=E ;䵔f!N@v}+=ր^髆Mko$# -:[;Ϋ>eo@#)#\p6wb2rDOqm\t%zɉ -b00CU<ʌ0 È"a\E>5b=лי? ݃3e4(iΩjÎp9"H״siA?)F )iҟIaƋl|ٞžAGÊ CCz} >zz I7N$,x, "b6@-3P;3{&>JO( ],wl)?|mm8 u:,jfՑߡ<#hBUdS5ܤhz{zgG= *B=bW1%vqÁ m/9 z;8 mn\›47o^a`A8"Pz0 JP)Z5;6ǿ ŧ-%aad[>E ` \%|a} +]ZA4(2 vPAwgZFޑ9R*7ƮL hn3?\-S} j Ǻ BxU3bԲsW$>z_M$#[}{oLJojϕN0*35h@ 7lDwг -9hDX[!H UF~{Oco#wW/ -r]#:!DWN(] ON̈,|[W;1s6ԕ(zB\iCc"dcgM>4I.Q=ˡ߁=_} ?" -B8n@EÁC[E|X -tg<1@a#(]x ^9e첿?'nqZ˳]@H,QsxZ&CkzF֜ 08J"P5 :J#1U&ޜL)3CGlE{o+Ӂ -kH=RxH 4`'B q]T=Xv|H@}g[U0v>5pѫh #b] JYp:>}y ߂Y? =5BX+XqfK{5cjV'e+Zw}/-T/L;$.ـaDhO`!\vXڡ=)ZA: -V P?̤;Rv}\ -|lMLͮE9+L/ Q(zضމp3?CSqpʹn~n ,ÑM -4 -Wn 4ͨW#T?=%D2^8 z[ RD%EFOgNn=N,/ WwlN9m{xUߵ !3ړÕ/yg:1"~ ح5Jȓ>+b%1Za@m!bU߶k( е~!ml^G o Z|K$ z>̛eO+ė'."rC:?Ee -ka ̫a3"? QKM:Z@/Of`]ȭMw@c -^4ѺD  IPVȪ;"E=jG1+]>BG`cg]& - gw\1L'-t]ݱִ#ꇢR)Rv)v~ -aJD~@ -W坛SFÚIHωZˠ"y32J/&sa:g)g̝6_ќs;sctT6SVFh{ Ɗ$"tuXjMwLU1pkò{&E۰+aP!+AɄy"yaJ[JB"+OU$0ڙ#0e>X*[~i[Q1] Hϒ=fݑNqĖ.>ߣm$;cP'C;Y?c%W\CS>rgrx]zK1bf*IQ0Ee>}on+wuY$ȠψMS:~8:R2LU%aGa -bϯpHYi!T/7#Pұ[ytfl}iciX -endstream endobj 309 0 obj <>stream -m57ߨ-O{am"~*jJVa!7eu*)6,IL`Jbc}}* Y&vg}'HJ!ǘq_VUOn'GO1 G+&S"$~P4Ii0v!VD{Uy\k_Á4> 0?~ Pu~^l"Xs'. _,<Krh[c -XidC-u`7%ZZ6* 9/g~N4k<x"̬/ :w:]4V^S~,n'.Fl|Fcm>J=gJ4f $/lB- #s`7p?sFi - |1VzMWZؐJy {EJ0qSUAhߘ7? 
T 'Jn[NDPٌqV5ۆfpFQ GďG-E%YV:<~(q Չ$eCh.៶e.1YFn{l`T -Srh:#b-li - 8-V4G&πSR׾>& sY֙z d$qnd_ڟVC q{V"=gGqox'DPRE?.<*v@Q46m Qg$Bʾ3C4,-XZD-8 \K;gwQ -˿QJxڮSAk<~qrpRx VWyuƣsJ^ 2pjצ-0|&uW+VRHuH+ܤ;o>G16O=O{trFaIY A#cKc; ~=W"ӯtY̞@ eflH!/LEmRN@GqJ~HatY0 Hy4:3&Ϲ,dpXVQ>.=#ܥ9 ]2`nIu2A?[w-~b/Z*MĊ ,*= L=12uq.&Z9;C' % bƻ&kw<=уY{l24H+@Ȏt m|ɯTu= `Cj$cXw]uf?E۶ذ,TJEaXTJ˥eX52ϝ0`t@`0ZuyW<ů3mS]TnhM"<0R\y[5l"ec^/|*l+zf;Բw Vʆ6G3!^!yuu>pVЕrd6&+=>.j#$Q7˔ÁV tFT*a tL˟/RO -Lry}WW7<x3AF.; w!NYۗr>&Li7&,VD%B2P]R>Twa6{{x;1¯<ޭDK6ӧ ` 1TI r3>`~V+M/v6k_HBfGbt86[ts #z>#v-HY'.h&"Ì#ZPo9YпUwo9`?˔IzҤN3^5ܜ /8Z2W\ߒVklq GS͍Y?]]u)913Usa5n͉Nxm.YXĈ+y(_x?"Sg\qx)[[]SA}"SfS׉tY jE{Xs(cɕf>cu XKtA]H)քU//.{8".HNo 1,T!(yY5n(J÷*)޲0晉lj >(A0i!ALa -J}`BZ2d=30D ޘ۵Ŕ9l ?"0XjM|D)d& zQ+bC {MZw.;3~ گU-gL^'J?`$x"ض_Nו<``mX j3tŒK`Յ!ʓ }naRM[NE}ED -Hj#9+,]_g#8OdU?J jJMz((Cia^Ȝ ^<8ʁ %(.BQY`n@x\yW_ ot9,mW `=mjL%yW~{T8NE2k5m*>{'_Gp`/y 6tF7 ʁ@3 K|`8\Te_@$7 }3! -EvflG!$qސ>GݽVӫ{lic>ԓiRݼb>3&wWs* +^O߾Ÿ]@O Gn57ٟF*Gr7N =dG(R~޻AL)4IL& I"SQÔ-Ѓ8 K &c全-<g6>Up@уTC3t<nntR`҂J*!Qݐe.[:z",|8Luf >K.j k(Sv>fHE(C"E_`S|뢤u ;AL5.6o# Tb{y F6})MA7Ld -y qSvT1;{JTWPKvTԣA1u{e#"%vu6+@#=i2ǖ*-[/n۝VK&?M݂6`ekGzCJ@h$ |ׯZ0~J.I՝\!"1P:c<X=x]U#ȟ'm  #N0 !<("9z(eSᝑ?'fRewEPa ‡`Q!̯Xh2=бeO[! vnAK~Liz"ߎ^PFV!QXo֧Wi=uv0}l@vaE*_ѷ E|x T&N T'ODϠ;",8T6Wdzu"ZùÆBǵ#mtl" _ؙ*=Jz8יeD4^۪Cm7Z_^ FxAT)M2#)VZM cI~#@H!:Ob{)7*<"q+Zk*,{^UPAŎH|_}}Oy᱐d&lh8Y[o,]q>Do^` )*%<&*zjA["U$Q\c!I: -3V\KūzVw7#;zH!i - (4L!u/R4GYD8@Ɏ0G)&ga[-fs)΂g IAjJW_+Fzx:clv[Ohr3*+=hjvF`3os% -eV6tnRx] "$}}s[طZ1FFv%YWtN8p{JlV}X keok׃|{:NZԞaQFcO 8m)ꊰxWּl94k-J?W|XH/ `<(~J% Yo#1^4=ehT lV]ʉxX_aqA ?] 
k!fr])[Bt:)XǕJN% MO )n--JG-Moםok``D]( 9ьSaU%<7tcFg8`.ovGkCNC [%2W,t>MahGkxl$,)-xu+==儰>sjfQS~uc:s -0Jċq8P`, ~[> r2TaB7n#eۖ!/hz {#nu㐖c[ -z-m|"U#.t!=~#iqܿePx S(ynp;vP --RV6p|[63맙4r Z\݊Y9;dT={άl#unyQ#~cro=CP[V%cX -,|BM/|"^ 7ޚT!)Vk#Dr%ИJ-)dEBvVb7J@ɦJ~|MZTTB稫r_sjj-lOH 7+ESĔy+BTL2M6a;E)ѓ>-_W|+ƶ|ǧEekJcWueXqk-8;| (vUA ]{:Wk=\mccK׫4$p(c>jkJF S+NBsl遢'8;" -`2Z|evY݈ -A!C#nAkPlDwU ʙM"<|} S[yWtF&>uqqDu~`YӘ gA:՚C (MVͅ;0c!-lA0ZIz.VJz?|"0=A5ͮE|#B<\yioI%G^d*/el{?`EpbS{։IYbxoIO_چ!ф"8de| 4=[0ƗF>D$q>.J\L̎#J mKT1= `yJ]ِgfg'_?)v2~|>h5ST|KU1% -:%/RhY>jq*~ P 9~L#沴U^;'֬ wwIT g 2lm{i<4M]ai잪bHf-@>0Aj!Q(~s0AJG c}!!Xq{-L794g _+ٕL{.jI_jщ)gG:vGsae_rRB[ZY uϰD| 8Ђ| GH0޷I~@% -Na5{Š3r؛{ܝ#pOjf{s^ -S_oÁXܤbp-= -gNy7c{1ţȧ C3Ag*I+OJ'Qah10;Q%NN@뗙52\"!{MfXί Be1/XOly#3vP.2XH2Bx-z)IhE3U2 w/jm] dψ%9<"v)f-YQ$a>TAH}Ds@RbS|| `:Uwl`@.$<?6\m*d5KNwE=mB?D9: ZdA7l6kp'rCpyfAr}<ԎҦ#.*5LP,8;<4xosû48PzeWJ.o?|\0il?Hg]XM p;ԫ\u"ڎx7jaFku}+3:ɭ?#~~b?*[VT^U˼3kB߱|[:M{?&QJ׬U<zѯA)=cl1sqҮ7dF]SW> Ws&Qd 9̧ظ˹1,f&B, D?=tfҭYZH 䵞ܠr"{ndE@SG;\`tu.PV݆jfQ* - 9U*(?ljgˉb(3(qk:7$yOQBv~Z!&xI:Xĩ:hK: w%NWuF$7us -(u oLQV߳oI-&Bw^=8&ܰ#nqۦZ-m=LEZikSESQD ꡁvL"3)(2DnjoNrGi{14э˯6B% #>pr)wdvJ1tX^QkƬ%PxhW/K\)ͮr{wy%m/fՊ6v8}E>CcmC?gՍZL`2Y>Pbj}۰R֠ߘ/wVڋ"v+88UF+:գM>eÞZ`O *ϮxDa8ȩ@E - .SGvh8?=Đs+Y -?_ot(KiyVDh=oypm!#b7ꞺCqRimrI$(61= d .hM'`QϲX\6-Op4k-c"x(_;H,GG{lrlZ0{ajE s,S ;2 8!Ez<[) Zg̲ʆ@pr}m6qF!h -r,(}jyGئҹ)yBA%gD~F(Ѯ6PːS"냳nH@=6=g:p#8eӜIUi7OtCiFNy':fiDusCUIڷψ\ vpB\ aty}$lTw ʫ4schh|XО) -.S=\Wowoc P珈͑nN= F!u=n=|Jv/\`,z߽J:]/i_ꆟaTRĎfBK*=fneGʡ>_658DPos,W@1x$I(:ߊr9bt:@skb嵽72О3 i/C*8&dVeFԺ^`.+˧%[g;\f8L 4EVbȚ[7="Z_L UsVvM3V5|4HVF3Cz"@ѭ5/X?ɑE+O!\`9*</ Æw rvnqv]DZ)7Wel{"q'/|2ۥjsH o3:7WfN%n[" z8A3y <Bɝؾu7,>P~qe\?guP𸬐kߑ9BWG_A+Z%sMb p۝;I tyD̀} -1b|aT+X*p*r S -8`&*v3|3,lÏo\TPQ ec~o84ww{ڔhXixOP& ؑlˏ˄mpַ6 RW2pQ/ְfl':ǁg8]n:SΎ+aeZ?X^_$ qŰ(N;Ϙ7T)L{G0o'BrrVO8» 6g>?/(C΀^{)ێ8wɽƷOEe˵Qwh6%Hؕ cG]%}' -z%L<'p #Lbmqʌqʹo#MF[ -fD4G5ZWpƸ\P#L unr -k]}nljw=*>?ow%iaZ5wNž*_z5ܤ O՛WU`^hlI$6 3FnT]Й*xIwQϯ~xp٧V=۠<M ćDڡ޷U5 -nÁA*(;l OZ%.?W-4fpMpqz\tRŠWYc"A@aR;ǁRձ1_5*1E)h_Lp,$ 
%H7A8!hH'TS2r|mTH:/W謬E|D@cKxa=yit3}%O ǹO d/E˒= &20V6̒!ߣ;Twc4:?L)xgsd(L#ytJCk~ &}1䍩eKO#D?M0h@z<zO.4b8BiĿopݩC;am_ -kZFO {GʱMKA(bߦdxY#m*ڒIO+oKgR8[x_tmYɃCIjJ;Nb'*v{GS68 }52< : {`[+†sӫh"3.B6d@}ӊ --4a +؅@1팑bQ-]Y~Pl0j,m5>6YAfSTǃI-$1.:#sOQYT> -p.Q> vOO0Fqv~M|X^_#[6S/jI4d/#0x -cN?cw !->™1i۳~m.Ma"]!AnJPa3K\o%+̆6t` ۞v9L;ym@~sA9r -`DDy$LѢ,*#_ڬL"YSDO7jE[aj_3w{._KNPL8XT^ώSt 8{&.NJN5%9MrNEZ]͍eas֜*0_u.nZV<\޲Vc3&-߯Vw -p}̓?#}/$t}sX`*Gh-Ɍ\u@V)=b+'3+lIΩ[ʲE0Q {igc IxzF`ϔǣ_>jԔ GZuJL^rbGJ/RߔT'Ս*t5WUZTOhGuy얏PLM #뀟qT6||zn;A¹j\4ҤYZ9Icw -'==Z3dB~oս&czﯺ)5mOn{VJ^ȳo;1q]@7ˋݳVc"cknM;Z$oϯ3=qŘ N)a3`]lNA) -dAh7 x$ozن%hi0{k."/ْb*v.9n42G#贞j\Ԁ/!|~Eoh17t 4;pHdgVέIZFԊh:)_+-CH!*%`c!0*X&G|&R/lT0F$3]k\Q=g@jS* -lHe"d'RLu+8IQVw@ vcVY|+Pvg֡1F cG1A`i<Y^ڣafUUY= x ҥܪJ/ꯣJ/A'[#5T'={|qX? I }|:Q=HJ@^@ad .Pb'p~`ʏfGw!DQh}GW&KCB{6%SEӯ8o|pJ+f ̵j-D^ ta3`CBڡRϸdtF9*t ZyK#DN8P Aj ˑwrLz8G({/'*9@lTRPXIR ;aշ@_/ia 5zVkrSn{$=!(`jHE & ]Kԃo/DeCtҢ=AL@SQ^ND\v7ٲ::/AIQV~G]4Ptڡʒ{ TS{^ĬL?=u8%Sܰ`C&lS?# -C87S/ڿR o|ſ7/_??/~wϿ/o~ů5*#m]qe & ~XbgqBQ:GU{ -W 'jP2sDW]oP̟xS_hb M$:fJ>2a*4+PO 9y w VDIDtC7T>R(U)rBnѣh%RXLw>D1-$0~c+з00-7\\v2!,l-K&*9Iїvy `Xƈ}e +K=̺ԘA1Ve -LZ+!nHd.2z=^hpL✭Sɦad 毜ԗ>㧣[M}@_vm9J?ړHP bQI tlغhמW0K@pEwq0 -t0pQx;V(* -@{})HHLTR(pӉ+-ƀ9oL2#ȳDU!΂Xm|l@g ױ~tWW>sH{^<' -;U/&ڌ:L^}>aM= À+NT] -&s@[F`ۡpcWiCZq;>"bw<-!~^cJt>aM3To24YK5"(wQ{7)bKQs)x<>;1"* 05qvJ3sإӶW[7Lynpz9BOR6(fWQL#hlOph^$#~DVʍ(և4@^8=1>1.V|v)EqUTK~+5*>Di:@%4@&.w㾒r]Qo<UOZ])CYCwSByIDqLK,Cw0ȁgVI+7`T;{]&b]e庢{O^P3OM{QدJKѓRn2e!Zfʼna`%EY ]'CǸsXd*@و%X*W](Z]?!E3V -Gv -]H9g7ǒûHr6b!;G9wg=ӏqD 5HQ  p2GA SeR0!"URSj~?9ߏb;n5 !<]=:E8IВߓ:.ՄbJ/}DW6l$z>a)V,gSiGjJ ʷ~p,sUUw Ώ=R3l?X%m۳s@-5f8s -%f{ӇC2Դ3Z8Ilu=FUA:w47|_G!AZ?ʥHn~]d9*D (mF݈5/̅#C3bsw`<>|Gn -oVQگu$$#[x SGfE3[$.1r*%\7soJād.?AlgTKꐍ3E0jW -\qhJVO6L-ťhy1`݈&5 HV-"6n.a_xa&j"hѳM.}͐[+[kZPi]s0+u__ٲ>q{wXN:UIy?#G}KQi_GNFWwXb -2kdԨׁf>8QyX Vˈ%4rLwDtB^lל `KK$.>ǥ7b>` FQ7@{Glp_j?%t6dHjv_i5&V/Y:J$ְ-u>Rؔ~l_m$oz0BjXĮ':+ևBuz8f4~(t}~b-#Y_4M`ϵN‰| -[^coQ&$ЪҐ@; !zLmQ ~nemǠL:5 -gw*%\?Kz> UXL{&y/m4lͲ0A&{ zK6&qKJ<=aKc0W'e `M6:38~וoTeb0ZY,>lrE 
}|Lug{ppP.׸9/k"Q,]ꉧy:\p"QG*v~=GB+lv 'm9*ףYQ&BеI3 U+u/z$)X}k lҨ"S<(:&Te0 1 s$=VTd`Q"p+U!B )ׁ֛8iX7y9:)U'~,hD9*6zK -tUA}=)CI& C!QLZ{ڐdg<3~{!&a!7Dk%- O4+iK_$mWҎ@uN -6N,qG1g[%}P),~{4 ݂7ex ! -sZG駰AKHo #.92 j"/04mx* h7o"_/}XՉZctTJdWs;LDLOcڪ@g0~"s|OIucWWng{.%>Gϰ?+#\@ބĎ}uUQq &nY+a|'odYZ[))^VH>g6,\" KO'r1pg'Nb!yC}G[w\"}Qd-upai+ -ʢsh=]- ;M"1U o āǹ(9oa;7ǥdRq* ?4"!aE1:|t0KOaL]^HGj,6OU^,i]y8\D`$]X:a" -a-}s3n:RQ0O7 -=6U~w#s`R~4,`i@PzT{\Cf.ܻ0EH-Le=◷[R@2-(ȓ+ Þ) ~Tx_}+xbڰ,eMXW! 6Ex -IA@FcEKłK -kW }yRwGCRl^J'bɅitJ׆|?}ftP.&򠏎n!E*ϗz eBr"U)d'6g(ξ -6.T.kG-?}J }yrR K|𲼹_5q#-5{4o@YbX=>6rF,hy~-c&L@hڈ U2~ T81st8l?ϛ0fyW -|B9`? uԕ600euj-)og rʓc0NǺ7D-=03A&dȫ(- -u[u|kĸM5ߏ.{+|Ѧ*i}ރ9vvz>wc̱It@0u.CfzJZ#pү5,:Bs,n}7QD ;[ ]6}+zOÉ - --$(:[|0Lkž`J=B.:%""ōzzmj)06XRQc-Ku6/TV(B=rYaFV@)> `F0M \rɴw'|ύ혣tԐ3iPUvۏhD!FbIQǸ~M+6?uPM".kDS8T, &8d5F:0Mp: 8Jl5Ds)ICus3,$7\DNl0 Hf@Ck)5Յ_@MyѪ\%ℨr'ɉ6Hyr?8Z:i ?<M -\֕0du*GNX˦mH 1v#$Fn"&8#hPW6%U{F/(ME.sa_< ͐[o:Ub[d+.ڶ-*(9 jPc*7/EKkҡQLǣ5 s8R1,nBuAa]Ms EIR&C s|ϭpV|-a@ƆڐMLI tET cj䥗e0W Ӎ jj,K <#pE#"lU',d,џ"wdCf6Fɚ֟Ӻf2!8-@lah*:ޙ7hMϗ'Ȱ']$ -LDX1]o`H -k~d8{=)EF9;1\j`\BvMʩpxI7-PotGR+Cܣy@ǰ -q%aJDf8GZ;aл,܀8ץuyt=&+M]xQ::zdBX`BݲZ&CMC,Õ!LȖ%~+8~EM~T3yk6/SySdsp6ؖ17T"L -瞝Ljf U*-o_lt/JnїSjFW/yF$StRbC'-;ߗu_c@[ RuiI/>\.[)=%hV^qQ,=*BՎ|mJ]:1#(a:CQr77)\@t\ t WhVzB>hwwIFژ"m WrxQjh]AsT=y'-8y[_+ -cGDyH.r~yԍ%BhB$g5;k 'UAY4ձ2ˢBO`QSl/93DH3]f=!y&wcgsiXoljM>:{t-)ZP᪰SBK%6xzZo椧1L,hρ -l -2~rs $2-ddŸ/hXS ;:2N ̀YqUP@=ؓ.#i>]G:p8#kRCz"Syv<}P9"r]yו=-`2wCK"R4,\K\ї -hCN~FmyҪ+Ӯ(=B{<#($[#dI;]R,Z88 %Ԉ(ʹQ 4=DV|ɗz!KLZsqB3U9] 9@[DP22ec}_?Ӓi;"j|b|bg3ZRBKMBk[$,ڎf|ݲ{IwI+xfp&!x"(>Z lV0hO &dNF@ܻWt0-S;ZhfٺvaTbB=}#bl R߸"R`S`oA&%;n}LE!Ͳ- %ǞIugODY2ŲPH0JT@}/#T ނ>uXk:whtRD_.&;zrjC9,+Š$B+g<# $is(<|UN9>.*^+{\EEJ{qA 5cpxhAR-0|)4=r!|FipwٍK@liTr)7<U@8ԃu@ER3A,=őK9ȳ8.@[^'P̴QBmz ;;_q _hw(rXǵ*{R^Ul 5o%)7gJxRNbOZ9o-#W6Y-EcZ8lzHJL+(v;/(,p]UQ7A-gLt=[n6v+}52SZA,FLM;z FY 54lU~{V!SHETuV=R,ל +veɀܻʁeі ~~.C?źJ"n{^L5ʿ |'D`en -3Mpsu'c 4lhgcaD"0ӵ9+KQ30*חN/Z?" 
:Z0C]Qp8KIp-jiGEqMa#SKcfOZNR-W' djRj?wexMvR˽&:r]:9(^1+VARs0HR]VKP>-Uӳp]73c-^7Tbf%?fgj?HB5h%I>2w{4S:dd~B>WX"W-uї^49f\{עZSbƲF+#nk)ӟJ>:I .SEp=Hk -e:ϐ԰tL?k= -O_ -MPI" G_=kRh}cOVδ؉&"P-.51!x,[g$T0\t}YExSF&4\oSF5Vdk@fU4hSx7WU.u 8U 4XS8HAu\yplw[I@K9 ΔPQX8Wq4!#5^D 8Rem ˣ=Ry!!ڣ[pĻww[Aj.JaƉhU]5銹E1g2R=r$;[§قʲh' iYKTc]OH:=5\2-kR5oEffQ [ɶJv6UMrV#JJ٩XՌ7ץ~gX S=0ٕPFbjJey( -=}QrXHu\D *=S}^*9x F,I%uIgK迺O%c xܜ-lBbas~k\YJEZMd#]z_Zwʸ8s2lRd[ TFRg4( mAmcifkf4x1ӴKwso)LiiADf89-/wC{Q˨TlIף_<oFocf{%4)Ԩ4Lf8]Z,.VdrQ&SI>ͻ@4T TI]xFTk$S6U=вe;z)p[B?Iv.{NhZ{mYW+GA7 mƺVhPہd O?k4ʕ\*=c%D\^hƥd): -ŧ򒊢g>߾OP|vآOI ‫?O4JAa54OIR#1t2qa`í3ky-|͙5 -h4%M2fG>l}%|/NDx ;nk" zP[t_F%jB"Qv:y"~-ǜXz,tVY<=Zb'ֽή#z?SLG<;gL>*uIt(L6^W}W2a_f@V HTZK,-,aO-2v ܼk cUנ\g`8Z9 qv+4vd6w9>kwfXCfK+zcPBGp/b`sBe`bS횮 -;(;/y!$~>[ ?ŧ  A鴏GA~KqoUJ=d;1~,J;XF+PCPH d" }rP0=j<,SSw>,PQW`}ё?݅E%Hմz"nP>0pY |Ya=| [uQIM,R(M9sIwوZ[xP0|`H:`ߦG~ -,6 S TdwJBWw#zk[d !mBWBa6K"֦E s^ +o;x|nCa,kaDю^3 8ڌKB4tJ$"T)vSxF$**j?q0HD(x$nDto>XRpCK-XL¯K.gNǤD~x3}%fYL%F4ȵH0{Xz$"< #x - ge8Nn1e>ypAV:/Ay%N%"~w7Je}SA(gQ0^9)dQ?н{(/h)rAH&34i -I @UFQ4W{p@Fǒܝ(ڰt˝ |P -cT^*x}ߑ8]dr^*ɦ5u3qh'`ؒ} -oocp͗*WC[}яHQ%e)0EξGG -Is)={.8>@<vuܖbiB4tD{ ٳcʾy ;vXT|33󽫎BZT QZ iE={@[|d^ - wHODhK_V+#9$ D\l#` 4N2 L+GK@vr̆$υХ[w 8O]~Q1A?pɼ?kuL%5 {樒J=dT)LkNz̄U5ݘ'p#]GX'T%̨7X=]^/a3Wy]a)3>LaeS¸<K(*nwYwO 1'@B,L9;%h(hM?_ 󺷤*GBQĽXsoj!`X2C|j>Uk 8qsC# -`^)Q <c"ӡT4dD۴m 1W֌[ $}]|W|4y wm>Kg!6-(Q~H%("sIb}ʊzb1܏[+qEDho!A9hC(;\WE>t¹T~+X%FҹȀY@I Ts tJkl,3o㥹O# NMfYF iU-Úr[kf T#uĂtp)մ][\A-}Z(#h+uСJ9I@v[ʤgv;KYz z?)h)spu}bCm3,$$MKZыjχo]MwÖ·^R*~]CUI2^dU.oX}QM5bDgv1^$ ]N@fxQ"w]؇ocYhcR3P+[Cv HĎjngJӕg\~64;8)AЧ -rd+{47AYI~A7ft=5ah%hγWȐYgB-L7Y@Al p_ -0 @Qٔ|0=d;8@EBKY3D"*25gn"@gV;W((Z +ɇҔU6B*܌n 3(RY.&+%k&YnpMB!9 ׳(}1zEX?ٷ<9_>1}EGڦy p9,nh,.a ׆ߦGVMK -X~qQ&I$aj?QyosTUObi=W737C ؐ*BB&cE\~&>%a{LIhĀy!Wgˀ8$`\t8M5j'p"$ذ98:` Ppۮٻn[ Zڐ{!f@FX;TiHMv[ 5Q -->+qW1#}P"KP>؉wrGWa;a2x\F @ĕ UB% ⊭3F1b])aZf̱7Ȩx5I,fRoq%j'j@P;4Fuu6L_R/y%fXӗd -TØyPi̓P%b\3Ԉ\귓Wr}h c~ƤįYq p2PRAM5! 
͸eNT.Efl,c tD3g&G؛Lfgڬg,q&$"r;u̿J(UƉК=yNxEQV2bdìh./W7*fzaxJ& 8.!ӘP^ @.%VwB{[Y{$[2"zMpy-fq?JL" *{Hwlf| - -4{vBŊ {"bm*o E8 fovq1v?\AqSdH"?HA#qLd?PD+8<6  EJ5vqx}coϻ3&צ}ψUƄ!:vb u/y"irt`%DVh[slax {$/"@2$"wJ(?9Sdv|!(aY |U؏Evj^="&};lǒqxf~o׮t;My}D0lS%Y-YAvșKE CQ7']\ (`!]fRB4n@PZ!4|عQ7QY[LTͫ"1dWd- 6*; PyLmN`e$R^Y#!U#rH*lI1¯ &twJXf:q  YeQaK8&ݨekԜ3'ќ7OHtH /8S6!DTh_dn"iT z'B@~Ojb 2rnQ杘3a¬DHSݟ;e,tK,T{Xao;4i/K}Qlč6D"vTbydѾ&?< X[e"eDDW@(]RE~|]_CW4Dx?`YSxPO\WSN;$iCiyt"`G|\aez=<հGFN-s8'g "QtI -5i/ujB%iַRbމ,yXfx"^ ]J=CWA{~{CxW8PҢdAѺ>3qWJ!_^뽝Sc?YC&~ Nsq?0PHTqH(RqQ 9 χ$k QǽDkkG`YT {t3'-0:v~'UtXS/#lz"k$ez]呜F=OCWDC\\ѬzTdSK"K',T]! JV`92.w(F\.;2F~Z7Uq.Ey6 rn}8F g~k])Tf $F֑Խ!|.4/Gĥw E~86O@Frs]9 Ssoa- ԋMKJ;.SQ,<=zkUE8{FJ=+vY -Sc$(հ=.d.Xٷ/x4D_JKU:l"]Jt\(WY*V]z#̆klP"+BD\FboR^un!a 7iZb0:$x^M`l[j| 7 -zPGML<|%3 p2],jGk(!āO&XVz -͎P[`۷aٖ3Bq=Qb(o> Yl^_T3~GUjhp-<;ks̞{%gQU߿@H@9_1%COWTo? -H񂲟z y'L{Noyk UT5Ĭ" c:ތKL\l=j({ZlGtйwÉ0q?DƵ򫰪nr&(44'u5 ?ɨVO~?Q .?;Ӯ{6wtBy ;;hV5=ސ%n`b*Աٯ5?+U~=u \-Q2D7db] -{?Bti Y} }GB;#A4siF+D3'wbI~orgg"A>v"W" Bx.bl̡h5G ҍ<0UeZ?OUP?U?D6Ll[1`2~j+$X^MbeG KvBUǯI.Gs|DۂT^]{/ =q^"=60bZ|9"{s3\DhGRCV"`r8?lo -{` heڱq!RvGI2Kz *25$r -ww2U 5+kbyZ6h!-ai}?Q/zÔy$Gr@ia '{#^ ۉP8D;JJ^牷x782e o%wP%miW~#\ɤBNzM+,~zyT);e"'| @MzG.q\^/@shbOwkbe\MǼ0#\ -={0hcE4LGX]$m`1 [|-曽”^Տ,`l -dl:^g_ _4|ve7ӓto0`JdpȲhM̋8nYbZmU ^pe2T{Z5g3{T@Ž<`\{)u8>}Kay/.0%XB|EMcDbۣ,Mx+|CO+pȝE)vn2Q,疸-gq{!KO ["M օ>xd/@'k~9ø>F̟GCS -;MxYN]q;~8EyxN4#Q>Oq9BۇjˡvSxa0W ArgfB5w׌Vޞ GN{- [6R$L?{b[U2:,~xvsRpu(f c*T:Po+I|#cc.NI,΍gK,R{6QBs4`px4E"Cj&o YGZD.47Xb!AyGL 4r-*~Pd ,JE'; Z'!~Ĵ(h ٓTѣ{Z{hFCF°hCw]wbŽe%Ѵ~c~{A0k {T;tyLsqS-ʄWG`/Db |$g(&p<\JnBB5K}i-L19QU{ y6"xݚr%܅U{j2y 5$~ -"a{"AKʘc'c,ſ9Z>Hь3ʉ5:ֹB΀*jqB8<B8v?^R.a]D6ar} q"lLjVlE财9կvX%& ojޓ~Wn!R<90(4RVi|#p ?'8ɔM=id;us[J ;gRMR=n`bϺ1stdcUDn> -]061M{1z<{J\K"<Fuy@ '3p*Dm'vWuzBD$T`“|ml<~K ;;5Q7" -)XR0˳ɧ/{(_l:]Rq ,m@GU?2:Jy>9# HIRcvo\*! 
-\Hd-Og'II?jςq[yg{bq6`F[%B:1#|albg @Ws)F@.£Gm>]L|o"M~r|C~.тB6㭬:| RC"LY3=@.j|Gi0KQW5EE+ "1D9+@_H9KzQx<T@E ~bYŹbXW %l!YD Eq 7vb?PBXFr!PIXj{bŌl([S~ cJ0;,Ap= l cϘSSX_)Ѕ5n +aƕ%,\yOw q|G-ީEentZlDf AS-JLXd}u=Qo6C%lDpjSњEEfɗB*/pIrJa+jtc 0)/(7 -mNp۱Dg=bD{R->680!(SQ"9xwQ-W RкR 6w((uݬQE3|rǯRbf{ JMj71ķ UNX_" ֊[W;v.J kqRv֭fGy2y[<*MoGUOhשx'Ig^mF\g[`7f5@{G!A Q B:]*نRʸeѶ0 H^; 2Ph ;|uO^~fQL@HUNYqG{~.@Gu[/8?!;O/<˾B*.d"e߁򔫤փHr[A -y* A2O!'}j)z׽npt:~phfy -vaF¼oV<.h@}"f VR>3έ$O08Ȍ<ߢ`SRG&r dqfGH7׽i( 6ᑾxU<;ϙ4(/Z0m-/`ƒeFo/FDXeEʩ:[; Q䭶kٳ38iK9‚#MB'uʝT@ `dA! Ћ>#j΢fmYG)?ΠUNuLQuڐ52g{7 rp*Չ}-:$rg͉PA\ -16G *R'~@pxH:ӵfaVJ ^vE] zLc*D~8Q Q6fc _ Phn68Wlz4Ԡ+b&a!^+s[qf/eݦ܍+W9F7V<*P yxe) w-Gts|Q2N CR}mPBnbPfǖO)TZ#wmx:;%&S"3 Fn CTDo3..pwңr++0ufP83-z{)n'tg#9"6e=EQj|O֚[H~ZUm4J9ʠV+@ٝɦ\j:*)dPjn}ߠWђ+dF?34tJ?Iww$ e jmsW+RQZ#4nCkPn>se0f=ʤNy+{R1)SND0w0!ڬckև,d-$d/ƋC>-BMqQ P(ުz*WK|<rgcC׸!}m^}Oj+e -/|k&zԼE"Z4^~m;%XKt()8F8ur0 "CTqnEݸUTR -RhZT$:ݝ"nA /^Ug\ya!y{0|)Z4M!IOu` W͟T%t]ThD Kƞ*`}|G -xafqÈP:dƟU!%;,l`p[0Rq]^.׭r[o=g޵W2g8AzB2`epg :J<:#;4#µ%[P2af'h9$3S0ꭘi0#ʙgɺ|D _W"hR(kDPt/ۭМ-p,yqVbPp8 $3kӢ2x^*, g!.琇جa4SEcRd|NnO'wfRKFe!6Lɨӡ8B+:<[X PeY7YT5cTʓgU禱+D'C $Ԏg̼f_eO޽TYUhYfvfXPb{9e跐[Oמ>wב: q8>; -=Po$3̜ZP 2ƪƮnѶ\)Ո +ͨ9#'9RC/T9 ӑ-N*G;&66Ө" X'ז,cE%lPQF-)xEZX.H|`'ހ!z#sfV/|]-.n(0S4vNq̬cWuk390~1E5\,PZ9N#5tț'k UkvoI5tBcåk'^ndg 17t +Gjat;h5j(jo8aE"|.!!GyD05PT pE0V(~+-2w8G7TR)V]Dq4GTwY\{2v/)THx' qiH9}i8sb -uri0j+ŪNYSLFXh+̄ec7 -`ަ^ P{ѵ -XGMU2%B aXbڈvLjAi/ ^D SOJea!PM+.vz.FgQ%ݥ)r_pҷA( -a"(!fPH"Fȩʅyp$0]i9Z-TZ9Д3{QݴY3uO/o%+l/A >SgtnDô nm)]dmڷ S&"iӕkB1"9Sue3BM2NB yWL; -E5^Nt"v0hwVyR:5!-A8^!8 -#A9WwIi盒Gp;265`!1s SKɈ#RwGS!VbG?=a7 ]%Arl8|kGl"!Pt:TݵUFDqi6CEz \&[7*n -΁ɉG袮}ߝVIU#3MtXڸ( 8DsYYp>3:' ) -v6Bs}1ޥ-p~*̨;Ԋ`C*v,DxY%&: 83MM86I5Fv{nvpK7>gIVAz Gcݰ&h#jݗ"vug&; SpK~V@L`D(!SvM2/60t;ovO{4#-r.ca0^FD`F~I=X"H6F:qPI9wkS^9SPE*-,%K8ž#bAꓑ;Ko#%c,׀}2e;~um,Zvk@p2- FO;\'G&4ɧ=l&(3#RSTфrm]L{؀g_YLdyV]ǁ6pt]\LFH~0όۛtc=hg8YTy:F['oW^H "A[ Gƴ`譈w2*? 
BD=l@\g~*ctfwUbI{zF:_7=TnBJ4FPw'\z7[/r3։{f^v ?ŽN:OP~n3~e統 *}rQ%}90 {aʱRO"Ư -VgxW:˪33ss;o՘m IJJxE|o+:#.ITҿ?Ӥ wP+01~{P?7f9/sNukmY}ytzt#0@,;h -MΒ.4Do5w"%#-4! fE`z0(=RG3?Lg_Xu`^/t:36mé=𾐐MZnԪI1՟jQݛ0jg_(:gk7Ũe QۖƖ-LTwZbt}v<.Z>_؍Xpi"P#ӓ5{%JʈV^1:Ւ,۽zIOi:L^ |M" -~0-ykgj&) [W%2oX{ -]}!U51yJe_>~hGt-}?rb.2eg\AFةЎT0 NUzfl{x8nQ_\ai7}]z(h{H} -)d3EWw` -Nfm3ӑ֠>tuynrs= ㇈e)ͦaNڑY(?gAq/owiU{=&{Cj\HM5g,X]vSZ= w}iJQi 9Nh84VqHi/=L+!6Tx'b$B^u\OnݸÝ6E]FlFq&p왥qq5$VTNS;C燏dص?1JO=YCorrfT<{<=}"Q[b.Oq0f`4X-{`6I"w sE()̼ôTP[W.L;Z7Ow0Ģw^G0uS=z("%Bז\U@GF>\?KƢC@Pc 1yfq`rM$XC < T\ E{A>FD,5GF+B?EPf=w3{z5VpOO-2<0m-:ී";GÁS<ۓ#iJì -O w[gʪ;$CV.n??h"[` -X9`32Fni ƽ]gK ]OͫF{ uGOq %:S/&=}_=L -3΂hnq?#yS}Ys 4X@#~I"3X2jyMYdmחi -u;1B<@XH'% xnaF2u腡ӽmSoLyrZŢH7xti*}k*ql)8/u :5PaMRsCD)xx=+O.CQcNgoF(fl$KZSw3w`}VKJHtDSfςl\PPF/O;fMtsqgE3/XP3ސ@?)uI@?wQh@}[Oy?J\!Ҋ=}}q6Afxp> 3>ST Źk {̼.l$SmA0 -v_Xcb<ƀ2SX_clQH#=GM$)ӠPzMCi {'L3u &| `d"9p_a^m0̿SA+bڽm@Pi&x.D 0uF䇟)G)<|z%T5iz/|t'Iݓ,fT+2vC\a{mk{ZH)$C\@2b%_ᇱ] .WO+3Y'8oUY.RX1sh";uВ3PsLKSħ3- LOR䛯~0>YPFi6|ӰB v͐}ǝ:Ec3-F[|YavwTXkٌ8LI9܋Ss'ގ.R#jQ> Ec[y#\ϯ vYv&Z_ svĂl15&N_볝 - -YhB3Ÿ|Q4QY3Ҟ+$C KAbg:M" Bigl?}ge֕ 6r`-6tGDnQ7xv #vtÛ`V" `SogxNiJ|zڶ+=^6ÁF )"hw$ܝ| -ԻlzT^I׊y*&r=:OS! bg5]/e_kբ;υ6&C:s1@yjμSW _\ڃ@ͱ7 *ֱP/a̍-r pEiv%U/@oAtA  ?;BLwvQ"?@pNj~A,^Acf{#`ha|zG"k[Rx`=9m2TD|iU;X#NB:($ -3ĜH!Ͳu$O5Á"&+)o¹@m --,?|{0.Remc1G:/z=6fD!hZRAj:;D*39*|ʬWS<ΘfN;R(Π}(ǥxk" !(RHWb}C|7tQf[zd\Fت -YxGD 6M -ʾSQŗ]`퇈[|~0CQame-m%CtjQ3dQ Y@_Fp3q:\⬢H70HdMu"(3یMÐTZvsG=BZQ!*kh":s[ V6%>#@p)ƺ{a8>|" Dߎ@0~FSŻt(;б)}f*0n˹;axVXaakpvfMsB':".xgPc~ L7~m/!!ұs*AsR\]eWn-y/+TD^'|B'u-4w73Pf[ Lsmak]JŔ+W]$zfLol[)aw YsњQ~ &=ZF P ۠m ,b~.:~7-fgԋzućaGȑoP ds*q쭃},,l[҅-EIM{ y3Zh/ߵ^~J~a0Mw5r,e%N2y6UfpO/ڤM oKބf܏e[_hM˿##/h t_5~Wo/O?ݿ}ʟ?~BkDWL/7]? 3>Y'L,$ rϰX:_v6V^{0"E2 -o9gm9T+ aC0C+9 -2zhnEO#mD+Ot! 
-u{r?'Ҵ Vu.[kT)EήDX#4se_y E-ySMVȺ(ܟ\nڋ_Ѽo,@ߓ0y_Z¹ @VU J"F][ 'u.sh-ty-mJ^v/Z*HթNu~zG q;x^]}hWG,=$Dn9е 4_V$3eNB`Tr҄RlX[ dԕK`[R90[=6lzۺsUۉ)v:Ͽ{f>͢G@ tL_(r# 7~>e~X$# rBy#<zWpBM(󃜁^A#<% pBsG -75S\'PQs~fT-b /z,^B` ;hl$˱@~TA۷fZ`,=%T6{ғuT]h-Bt33D:]PG - -KH0?#]nw"B6t_nf}u'y5n6GTHb#~ pVm| k"~|?@{2cy&Aقxvb0ļxҦhvBޓrP[UC$mGr$?Fl*x)%~~iDL`0[x kx|ҿ1j &BM}.42961yS<=aeOC_5&SXhA /F6{Ю -ʭzYRϘ|hT+2F(7DH"ScOzhPII1Uh? [j8t pj$,{ksY:iM&HbҵY6P;LړZ>u Z¼V\ՍPM&ƱAW| "gDa(h5`z7rز3⾨Ww92HG;\Ӌt筍r -8 @XC -De0tE&-MΔyvʐQ.%M9ێy) 24ҰF-u<9`ca^wo91W~@*餓ЌNq98כ=m3䡚 "0U -A 3[,#] ܊SJ@\\l%ݏԃmUTE"rDYKy*4'te nui> -Ω:.)ϮRWJK׽Y$qx^\ZU:GPno+e_izUc{\kڭ=itnD ?2pɈR W,t)\ɩ!tEoŗ]0e0S/\ 0[@pUnj@1փ+mFTHo{1eθT(d4E Hf -C?ق<#cۺdڅԆ.>/hSrE#|n!<.!]X ~o+0ZfNۍVީV7Bx9a,\[iQ -̵u ?' 3c[_m:.ߝd&q֚W+n7qۄ(H{]Y֩0=pwj〓 q8Cybô5_@~|svT8G~?v.bSMu^qHq ۿ'=t<{F -arVAStoXgZiT[4Z/rr 'ڠZW'iڭjbQ(ixи2D$tb$a*8-9e7m4:L8|8{Uk?s: (*+O5Zk"3[d5Q[٦@5pKA?b^HOcMF{?ebv=,} 25ܝ/D##1Ӡs æ*x06;=і4IU7t2F߲FT뎮"3?KDc055jaɕd:QS#DP=J.rm HٸvBoқ -@TATPt?b%_h0M 7e~=C%Ac]5p-EǷo9Ud'u@T93Pϡ%ޒ2-;1X느>X|w":cA^X xVUfԧ@Z~ |P\A u3(!C&wLHf:d$s#ݞᾠ[σu ZlhJΫ8`*|Tk90q\l ?*ܚ+$~FOݰB{f|x/A - HX$%%p3Z4,KT"EXDx8TѼPɪǂ=[:+{&'bLX'.G,yH0[p=wJFuF@jd-˩{(.':/gSlؿT?}Cq&C663-'N89c^'MAzTZ*ugZߊtgoC57 ~ô9շ05َv-S1$$Rwi,"ku`x ?!|U_#6c+;\AG{-I ƾGv(VWjvwv'e699N7nPS=ikFή|,Y4p6w!ģuA{LVgacDz|ZcUr} -UpnwG֗J 9rr:1T īQψYMD}EuO[hi)R Gr?!J\3XH:ZA_WLn%](`ElgD^VM *~jjoqiuDry{zV-9c~y~"Ҭ/9 V.PW4="qֱ7l>UGO@g#lzbnuAY v#UÈ׳;xG&1JzȘ4Q1šijc}fWBJrMMAçܮc6,P>£Tv6_Bw*FQ=nX/1`V=,)Ba@q*m 9R&J=detL #**-u,mؚm.:PӥOqEI?G-kIxc:QytQ>)NaGsO5+9[e gAS;a`ѥflf~z?*AS d: {"vĽ(LJ0lW9!mo4qv;y5j0wl*-O7^{*SZ<8Щu]z({gv^H;XJ3_Rq5{A:e5VY9#͝D-mØz $Q by -VGɸÝVLarƣD;Tv; - [D-;7wvnLqopbMengȈg_E/{/|SВ -|P#@XkZo `ZvEi'$$<(*H Z/x 4h_\ /;0.P[_n~tUYݔJ*O*bmFƧ+(ex@ZMdL!+MT!B ߪLgD9]'ҙrPW_SGWOcZQD AQ_1DJ;!7p2~ED0c[K˩9qVw2L-c輁EE=z -'(DXv.R-wM@E2o=Ff̎y8ac89퇈KD1Pa!FlkԌ&#ʌ.ˉ: -yr(5ҫJ@)PLa)\wqJsM`؛!&06zO'*#3вzs~Z#~hOXX#Yx kAGn QXj8?"hS-'ʲOeslDp]* bfl -|nAe^P̀eg@p]^Y+dV0ՀY`GuK y[E#LFn[ڒEd01" z)80= f3H#^!y+jl@UpwO‚[R1Gi&̀z&ًR"G1_U [ՔE9יVxn%mVmrT;ƷVDpR(n 
-޹ȕ3L9Gȵ8d`]1 ^o? -j܌G^[U|?d ޮ\c ~[S]ܷH )=HF| w?VBN1Z%ׂ#hj 5^A4yMEbL(x=BԔ)pSc1opE>>mjq(@ZyIcս#r3ba&qPeZ 9z7`BP[QWv;4nLvrڭ!=o+rFlL(N@2tAcHian"XN5^bG9-IZz7m1:Ax"Y<8]_Nfdϻ=cakQ b-΅06?t0c2d7LwB3JP/T#@ˀ#D ~+>ÎE번G+ 32(cD8#F8.:0b샭[(٩o --B!FHG W GDrkPߢsS|~;9PT>駹nۄn݆cDez剟aF]c|[W6l̤pc&Es"bMNlsNq[\\ɋP j+麾E`($CwJZD褪@"LYx1fM hD^&Qc\"PR?p9`T/`(knkЪ'4?AhVtUfνU ~r7d؃3J3j3́CO 47~%Mg̦601ʪ .HmK -2ǩ .W&/wO/Z)*lv :(9i$ :$0?FWy3;Înut\JeJ#L;Uw>G X͍ڎ X][3eEhU&_Gg ԈMeÇr[s!Szl;*LbZW!d;1,XySk*S֣~6)(\&U3vr9Gz]-!Z?;*reD]sh75!4G0N}?ҰäZ J#gAnunK?Sa0M\aC -@K?%cEt/~:X+\_uGd3;ޭa,]:;2#D5f:Q/D4Z. xW5yf*֩~:sk}{M֕Py&<%qx{`&@/ԻQ07]aZXW#m`yYP\]C@6IoXSJDX01v J!KixqۇP1B*&{"ɯ1_rsKNXϺo,3`UQō}dkvm_A("@9ސ%ʡz\n`z{TC a ks%gd:L/(yW-Dmu:ݫ"iiurߞ^{i,,jU^Xa㋌U\fnG:J;wuE_|Z?ebFn9ANζL|J+<-l}#9&_(n_Δmkw0cLr- T~-&'"m=P*gyYÑ7U[ eR&˭^:RC[2 n6֫YӅΩeTE&YT 9 m$ϫa]ۈRcBc.}LFxb1F.&/FN. ࿛v[,W3KD+8/U(kd$ۥUj㬫D6=(#qxt_rҼ|7xU; -Żi =.;j|C-*/m&9zFr]6-}f}hȃּ eDr҅3aFկ1{o -gZq[6ZbGNFj\9B']bxnO`nuk@S.6m|B0]R+O!FiB4-]ƮxBa4v"0m 00njan=NPFlˉ(=A3s+Bgu-\*/g'w -:84$6Ȋڵ5S3+0Nu۝m7O_~i[k`a.  k=IIˏj[fhL~§ ߣw<ͽP:^]GU?(Aѷ2ݵ^|ONəC)P1ԫenۄKrw+%X;PV Ҟm [oMժMP\} M!UEW[ z1*Q8_Ah$箭 zϑ{*7|_dzl+;i8m_a-J ,./)I@VKbWrI+Ȱá{O,+s`R[{1h(d;9DBcX-Γ)(@Tl*Ƒ]g}l9;e;`@}oß#cID*hJ:01;a<03n*N=^{,|ֶEjGz-[=iN&BDZgX|YL>`/ -"iյo\K@<=hKe&CWj&A[`EQGL7)"X+8vݹ!Q) -endstream endobj 310 0 obj <>stream -vzBSraty*lБ{|lZ>Xg tPj2I <8gL/$jVpy[l90V8un<ܛd-HG#"Li/ -.-],m ->Yɤ!t#NJv+oreRBAjphw97ITleH&a ~1R-KjiH61\BGܨ(.jPy͚S%mr1J7Z d[RDU]G1iJAk+-=vhq}^Jyf2e5#GL}4啚Og8jzetxGnU\䞔@c+n=8axQo|hjt a^&1n"(șDhDBLjTϕ+|Ӗ5.gP `$ G -#XIa"G3]*}z#C3o'3=nznWgso}TrP5~З hؐ\44LWzzO@d`bhbi L(|k+j)fO6޴/RRV}[ޟW;V*{뤱͐:7-+6 -s U0{MįIu޳}m? ,;K ne)m" 'B"Y i@ӬҰ⃼ʛ|:qvAx5C]=. IK 84:%RdrV tZyb,AgdAKyA.G8 -_ա>mA:+kLZї"1I1=PӿxjBĝ0Fԝ{BɆ?|j74)nBWtzhiR7 4~[YzCUt$!d6{ [9ވa(pT4sY8f[9C`P:Y/E1 & U#&N -Fk펃1g| xlGWqDܮ*tO:|[y3 )=4g79. 
@_M̎=ENV/4hC'Ns@>'>2dUvK@X}r""Q"l۹O9=.ϩ~GqcbDm -._ JpLW@ۄ9T^V ~.F+@ƺRi cd˙s- '7^PVoԝƈ$SKSٵzYd9 Tn-=ݐQ&=iwLükO&!5 띾*/- B]H, #: cEmT@ ՠԯ^m[(^#6"^OFYh.<|an??BYDt\3:QOY@l"oПh -78*poc0Ai-m|"&= ׎/r*1VC/ rYw)gs-ҺD\-fPoFWNrS -6BUL&p,=YN5]>yt g(` [C<1bAnQ7vl0ib E51@ h[ub -QoT|_sY`c]*멊D j'rO"̤`qo~ jݲ(΃9~ ->AsBH7,`P)+¥*jʿ= -34ؕW:m-懮w(4I@wbLHzғ$ ct_[ih&ȧ -98qt:>yw.?Э ]k:>0(!3t´J(hEUQ#7m:|%O 3[|b?~?Cc?pՓ*0UU-H<*Iz[ۜfqh[mj4e(aJЉArS\u]BSïF@VTG<*_ƒ#z[E+mlo2&5dC ݛOU> Ⱦ(uэvsD,\η_ |޾n?0#I&:2 xh'{0MS+y0+F4 Y$UԜCѢ!Txi*]ɼwyqCPgM&ׂ$p{T(A \].s0\VL#I+jwxŜkP(}E1](X&1*󬍐^NddkTT< kZh@Ca?3*fjR:!@\0PD7PfKPJd'Hؿ7Z2-4렎wtWYNT^Yh™ݯFb.&cpn湔egGA;AVA׈ Qg -Q_'悌|ɇnglC/6:Zȁ] N -X7@60QbWjx98 |CAuEQ!@[#c -? UT_p"PT"T`b_Nђ٪<I9aCCJbx{gW3[t&@' w/݁,NA̒ltK  W1Hy֨t2l`$FtA9 M:,=`hf d|X -gVwoQ)kTJ _j4ո"sR؅?fP)9>im됫lK@5/8'ۛMh) -FSVK7A#R@sH+N;@7Jfrp+y'L/iٱrG%z,H:dv& p߯fA ̽рq"X2 v+~]mfFvKe_u*q ;Ft'VgCj , oȺ;H| ~ m+'6"@v .x}0\Boe;ЛɊFe` Kpu~ž#BƒKɥhnd-fqlѼ#@ދϩؚbr}#2J\c@.y%zIԓ_#Wee?zP2u$EM8tKc1QKؖ EZ0W~dtX4M̯SFTuI˯z^43GUadKZ?9AbCirjt(@ X򹼇Z/~n l&NDzޥ"}7oh{cD'k;" 裓(5n%MhI?ȩFlZVe$0"ܼon z0hGJp{%{:=HуS, -5eWqmzD3F.h!!-Ǯ̼^|It[\@80S6VR?r&41>KjSURIZ5%/&)`t}?bE'w}el0PG`rOgjvNͦ -LjSv "weELJwi1Ir4F-vU@A}%vg[֊Qbk\jiT>OU 1Ul9Wݐ|q]G+g(vVT3PU L[:6_h 3ܿ.(uL$Va -*6Uha Z{4zUBK5agWTWjH1e m5zcZe zws#Cz -۰@V]ێEF w>p,ŧ G**jVݱmcT䃪<ө:P[ V"/;.m[}X$l3دyiKe>3^w^tFչ].HrԢ?KL77翝/=33r6wAݭ;' A-c7R4qZB B^ZzZqSqHKt9WQU^&+3wF$=heFŎ2.7M3oNSiUB7xW gɩ4;@*e8[maa6h++>nr^M# 9[||74v$-]W +:G7]V VHkbRqMܷ]%\ -11rֲ\TmjLE^'i5n[Y Cޏ;J<VD#AtfFϰZ5¤?\e^j ȹyA @|oۢuI@9no vF^JqB7?{m~^T]o}")ȩWU3$XFXF4DЧwSyI"3J׳-ם}(f#$p| k_ajMgO b\d}67lX_2>"v+o8wy){fwS=xE G|FŞF`4 -Sf]6-O $XC/HkеW#oDiI9v9P1ThV$ֻmQk8ķ˸-ȔGEThx-^m%64btAV6\Z3b95C{{N36C,T8Ӈ]u -%ZI)|gP|Fs ǁ6"͛k@\Z 2b*ka/Ʃq/~<UJkS92&:ϤD/(Ԧ<.{G{Mu$'pVUɖjDnnDBR1i -ԭp7nXUNepE4}y܄aEu^eQ8_M,݇T+?W*jOp%=b3e/Я=gرGkY*w$ iH='??E⠿9 ^"y/*H_K܏0(zf_3w+܊H[Gq-qt7څI_HDͿ? 
r;$dUpt:)G79b@WiSrø,q2* pu)"@LA|BNx&B/؃ d7$q>lG $7UzK:"=V_mo#+}QUH7}* ع3WR~IZ)ipitE{c(S~AJբGzknE8W 0w4, -:$HVqЍb*ۮ" ߏ؇DVcc܈ju,:Vd{EX g9G&?D#QOG09vLH3 At@켪^%9!‰}ḿXhOߏd -Mybַ 2o~ԽZʎ^3b_>(neGNij&!ndZyB^ZlMKItfO%ylg{"hHH޾2w";4 >*ae_a{#V -@m4RPy@~+ ڢP9CJ>wI%@ۉ$q|C|1!%:qC+>2/%}8͑O kÚSE`GA*_Β0؝un8N4fԬ-7eFq?rbO';dKK[إ˾GNk9=3k/Cn(0;6 HDbmK8E=uq@A3bNr;AzTN^$UjiWq(`D'aZ/! K\j3ZDP$W'0-#FvWĪjf"d QG?̝=&}]Uԁ%1"BS(P^& =cݚ`aJ9?D$Gts`} T{zؘNĖcTUU׻ޟ983@Cg$)bcQ)"`mt^ WXzeF!OȬPx_l86FR0;Άx1Z+X)fNqpmZvdЭwtIٷ6Y|5Zw^gľ}-(<|2 \Z߉X;aU Yz,kzPf>Ñކv@l'/@u`SR#+Lxkrw8\5w`9D9SlZt1Z#ƴKuQVK[5zއcͮ1_81Q?TH z`Jn=ܸ݆g^X\mF*(DSF,3^嶕xƌb1EԬU`)ҍo@ӉH#Λc 0t?mbކOlݧJb{wUanjD)v mF{h9H@c^7 oNƴqkBqMfvg: omv]ʶ8lzҞ'O# -O16U(%w׿R4ck"~|lI}>@p)>$ʠ)gI.U\-(,G=i:k{g_޹p<0FWl%zwFөyc H`X%m> dm -M- nZI(w$94?%K~>\J%,wK3 I, -V7lIп^3/3Hqp77{  4'ucDr-Y̏ -hcҳ-SbO= J"Xkj<jT0J˲z9=zTk 6x&ӳob-I8I%;EbE^?\8*Xԥ^{/?Qγah0GB_Gi@hEf :UUFH44a`mAT?fV<=Pr-=֒h1ƬHJ t!%R_=yRh6f3l=t*{˄4|")#`|7*kE*BF/ K/MG7@ִ$7V [N6h98P,PLkfT ^`}$t%s2-ͷ,$.5 n.8.voD8ǢQ5NhNiWJJ4?vM좣"=8,E -)#@@%ykJ3ׯh2 /B#:EAP*d/P A !CtȯU M2=JZuK=VAe0~Xa02 mvR١t#ᄻ@2Q]X1 [jx&Ea T^azɟP -WEWlbQxbC>&6{~*<[ܧwB@Ӂ&b+7LaEQ K1eRPZE$*:=rJ8h>"kz |b))Tjl6s*6L2ܳYGtiq&Xw55'] :tWG*%D.YuM5SӋf`">6M-2S+@  MZ@sxPe|1 -eACy$iIaƢ4Kq -5l NnE(f6- B-,&tPўJo;hfPswy7 -*,xb8 vj6DY"]C< %.bBSnzMl{HdPb?<$)BI[xe!czu/д7TSp<8)T%_ Dj\nyjX+~(+?:A*X}1(e&*z &OZ>Rix390)07dkT%qPܞK֟Ge &@ DU@T/UП!d& j>$3":d#(=lN[DJĒX3Kڠ؊QAcXoFnQ\zoDJ"TUrP+<}pH - ŢU*vUʦHRGax>i0> BA+Q_w1~9-ib!!p]')[sA@ʒ00.9e@ Ȩ6e&0[GtGg5ś0#GZ48|h -2S8z0`np֥GnVHO֦lŒ#3Βl=_"ش^;)䑭Ċ H}" ?,Po`Yjhdǵ&!0_ ^Kvb13+FS#:lB D 6Xz +do61Ճ1nPo4* " eȒ6NTk2n~ ȉOٞOrKJ=S<\G`0bӂ <6nW|ws`lxԺ;M, 'mNhς[H5`BʘvT#u>vi'#HY) 頻!d N :BY3lY,{GWSAiE[ -|aUx}g͐~5b"xD,1L5MU[ßY€Q) T;P%4^y%׬68'+E:0%>0tybEQpɗa>7 -Y_L^7R3SYu1n0SWs“jF#uGRQA~S1^ݼlc2L5{:HK)7(i :?1I xzOhTMJf$eP^9ӳMcaF{h+- G=UAWYkP6]&Ik-1gJcӑ7izߧO_oqdUTdߙSkn |l&:%3G_53ןuy8`#jNVmHu˲6(: -*A;m,(qOqLhU빑d/tDzmO/$ ì-`@B&𽦵b}&5iGP|S-3H+"g2\I\4ZC2:p U:`_{AA$񉴲NPI2 -F͔izɊΪzΑMmT+دdYסOV#D(kQdn-X%qoփՈS59q& QJMJ) zl,F8@m !C%٩R jYKkT3 :# 
ǡag[]El~Csp/kkA((kUb7!v)fKrT0%MDr{|*ZǾ iK5d[ -Upey1Q;ЙC2PFy%6HE>zP&}RK+g?%`Q/ - b"Q<2!^>X@**h14-Qs׳x{9R׉9˻<90!#oh ^9Czi3vi  -4 *[=8l{?!l&'O@Eh>^T=Yz')@joSp6[BZ4; -l.#dsPp0W,Sn<`-n !'Po1{)K]QƐz;$0Jx=7uPECE0LZ.eW`6zP05koMGmI}Sz-{|fgCʀ@ -\}p޺Ɨ޺x1ΐ?ƨ2Z8*f$]aWCL#sj݂VX(j}pfnC6-bFyM*3L|Q%יHiЫ\.8]A]Zӏo'7HdU4? s>V{JEȸqWSQև`B}?wH&Z#@"_u#9#ljCDF(sRĄ3\lA y"4I[@6{]KL/K>.hALSYToAΘ ʞI,T!D]T^ui$%0ؾ~.R!غ)2du3JnlK5˝&0<[EnX]8$U$HzԆLnqpH3E-5jr*Rbr2u>m"=6t1uQѰ$sK[ؾ$3&,0/m5m1Ċ9 -{G I}<ԈarEd֚YW~ -w"Q|OC\gyOHHijN-t -: FL=WqCLѐ_L r45-A8n͍7RC5"ȻfPѧ-90)KW7}[ :o Pp[=4W%gf~ Ez#Y=.9*K5W\ycG2h)BȓBIؿ~%A `mOaXRITjR(ݴKܪaҐSvSW=8CF"+Qe~W0ʽPS[|$ K|6,VU& -giGv]cm0SߞS*ۥ&_-)ȄC`F' {ۛ͠H`Zd# %m@F Gg $(sʣلNFyNg: -k,-EȶAscZ(X46ہ>{ _vdJޝI\9zݵ\q:Y}HCh1ߺA`H}=cp;<})Ac8)9-Aǝ: -yDIWL߀W+Ч~ 3Jkfo:}Rv( -yV٦UH b*,",b٢Je!"a@$w&kJO%]!@2R} -EEub*=jNJOc!u&4T8:"ݔ+&@C֊JǠbhrm&[+q.=1?QXL$6C/3 *7,ed?|Fꈌ]MNA佦RZ xA}.׫!)תkaPш{L+NY;h]1"{&c1k({_OAU9VSa -_hݬt`_ (yQNH!'QMO%+NT(i#eAEav&5P&yF9 U p=M;dñRpb4CfhM?ځ DI⢌cMrh/[2ܭW^ʋp[s7l5Ll@Q梨|QJP&a wePXeu*T <z4%ǮWJ9ջI7!" GlMDA]v!צ:с 45SP؄W63)CZ_7>m]PI|4XPI2<)`xO!zr3AaӋz ԍ@5O|X)F$#,Z Pú"tQvU?B fV0M_0Mb0!;+rPFJG} a,a>w@Ljyk0F݄ 0yv"@pAEy(ќ>ZfXW|d!w -[% f#T [=TvVoLb -YW/Zcӥմb!J0!:P$ŚA8ހB"Y((r(F1Idu7Ҫ|>|.'S)|_17Rȳftd= 2 oݫ }8[5rQ 0̠"Jլ-%-.$65oa[x܆鵞z!U70B$9QǾգ+U(T@Jқ1%+| - ()( dm Fj}|'v@"q?cZ*@ᚡ)ljsT1-s7 jb=أ\7`:\5h(<ۋD_Oq|H mo/(

-Ol tR R p)c&)'|N׶,Bq uEEjdpa(Ъ 8ʯh+mLYhz2IW|?kO0DSF`Vpz jfO& J4ZZt3oT Z/4)&9kHUl:HD<Œ4@{ 6BHTKy>OoH)!2F0,tά84a;s%of>u70{YP9Lu^+ňM{x CP QJerQO=`>v:ZmE2EK6EAӾ5NXռ 7L3Y*>C~bl*}Jz4S.֋8{XWdRj`O#iP3N/xT%Fx$i^ _Mm%SO۸e4 -8ܢyTLn1<i/zR0S`bF%CgMڽJup) 24Vu%߲iOm J^x,fܗ\0ch/f>d4y^Fhɥ.˞b}|w7H\@-swUjrh $ VQ>ꑅC 4!z@6sh)HTPҀbb a`)gl0jMR%S\=sv(AQ骅isJCK,R}Ɨ8i^Y]T$-'"tfD^Dt+$pZۥ)&iS7ҽuha> /L^q*ͬI@0Lj2OCʤbcFUՍQqG$4kMXH8fofEh$qQ:eX;= -A -ʑRNV8Bvb {P.wPAeOcd)tlU8O6?uz4a*#C3,6M"<tK -ufOš"X }_:𸒅[=HAvA3fZh B`ŚryMۊ1m2{7!1mvG9RGqM !x[ :@Q l΀:x., -dt] bG&NY!0f ;6:մMѥ_Dl(vU&Q0AC -;rev;|25>aZaVjU*V&yȚ[a"[|-bdBdIEI2Ug#t%C^]à֑@m`>\0~[6P6IƸ":xp0n- R44ws\ bX$EF6LW)XFKD-( p9nv5Oˡ59=<:@,,Τ'?/ -XN#JA@@!+6[xyCLd ;'+4fT̊ wjCʊ)@/Kг,RbETH]rP.뺰^6 }F-R>Zsũj}=@"*!=FІa4hoB˜xhs%AL'^މC|ׯx}a<-\1%3U9[x>`I!@&GlEKsp3>*!njEaזsZxSie5>kdPvtk\+F6+7u*ŨHv@z,+ZiFk z}>z< F~PªrhQ&)3*|LDYVQCﱦSzx*T5t4HMnkS(jLt6 !VIg:Y..-%SڈA?GP̶=/~@1MZ0s2aw,CD=.CT4KL:Y9G` -Y>/R13_zlvI g;RX_qMsByF(bH-+BJ*q6F%[zV -D< 0Aa{. kYbM>1ͅ^L`rjm(g"P)TȋV!2%=+ڠxVّ^~5t&Cha]N&$RRe=ܟOSMUՄ!SLs;1M @OuHi)_\H8(.bP (Od3AAҬ>kmtapѳa2O{G`Q03x[i@ֺN!lm9M:>[xxE;}S_W`؝ޟZ:χRQ!\ђ!Rسn3%ESX[VI$8;׫CT@n8brXflN4ﶀ]rk>R.h9>w%;<$4gAKgj&ГE4mLfp7tyK~lG bvE 5b'Y݆ͤF GP&->8 '-dzaP-Z| -!(F41еG'rOpFLdyev@)S+$ɷD4e ՠCwg}"QF;Pv5XI5d@lA/ WM99e dfpJN.̳K*ɴBhe#L6I*%+%]OuS#D(=SfBQH3ohe!Lk)g~V'jdfڻ4Oxv] T5IWF1Nh "ٖ:(4!~P׌l7o`z$?'5gK `"҈PU -:$~;;S c#N@ 2)`!~ w6 n>I HD{OܝR76)x[$A @.m=өDK=bNԐrX/eoQM6+J #z|=2讎2d1%oʲג%)U/yBmmLXUf%SP)a&1rHp0~r$OѬnfa!$pLr!iAaY#`Q3\ dc Z}"A %ݏͰ떃L(]6]gG)e!>cg&mvYzڞ蠘tV3ckb ڡ6gvI)$Lk|*!@\:*,;YܲPe p/T +$W (٩$=,ʞ$DG4!h?{-x6V֣Lb( / l593RjGΟQYg۞"45$QʔoTM,U Pdo!YLSdN)ݵ0[Tpٖ/nxvqVWN䴟$䇹0 찁=m&t - `l*<wr9.I6`VEݔɂ$v 4 ݾkz`$NQTŕ5q[v$WQVy*l!RVt*irgBTO%^ E!K*(Ր/x))KD{pH̍&"؈p $nNƌYP˦r4({P2I౒t EJ8#1"r "Wz٫%NN}PTAVU* W Fqؗ0A4 ,`발,.K}DCm\̗@"A_j&~`cʀ; Vr(|#IY"/%bn+~ $O~gcsa"]a! 
-S0u߰vp'76?iǤ%ԲԽT0ua~!ĸp,*)0Qԡ"̲'NvNR4)2!IY&_L*$5|RȘʄ8*t'NT"%K+2#tdlzړ=Z=27JWz(?=hgKRQ}qa0&[_K%( ⏽:rz:hڳ瓣JE4R+ B H5ks^!ӔIJW~`25CxiI:GV7!r~gM MشòP9xq-$ɰ[(IɏNu++_ -@?6QͶU[aDdD J4*C^S=,5+4 ~z -4fćX(U h֨lR BG<ڝ@#6`HZV܁b~Dr z 2 hQKJ)DuUU[țIۭ!kxúMB,u i~RQ@`ȫ }~zqL dBTZl-0V|F~b> 5AL2_2M_(I"vwyagcۋnIyShk=&ß/z4G{[ՊN!YZn%GT \ig] EyݟEӓXRq%¢fE(s*:ZMQ~@CUXl顝^= ,MJm&A&YM-hF)+*@-AWg ,^) -&`_ΟeOVf%͟ -\!"?nmJgkXqZE;enJK=8-`tR;=?^>u82H}RV%|65()I=Z%4aa"Ar䓠i,p -e$N1.iM W(`֨( >$*\en3%{VVEHT022DfxP#* {zq5'i=uc?TR=qdܻx& Վ8e֓?F}{4VBfd8g1MŵR=L1lJ%GycguD+06saY@0#VNY=RR_4eǖ5*jVBo,!jE)AJ=LWZ&Q-*upRg%_. -&XG2$T^ lG$'NEE$'XEZ&>QJzvJ]M/IAiQmhG &sQhb*446~'aSU-Co,,H TN3(#G7ȬXpБV[8\L7:i 9&9LbeԇT'UnWԭ y}4cGf7=8 潢_ ksB?nXdiټm}GNvrǥ[pS?J\[q44;LByjBɪJ>H]L>@fQfv' -Heb꫽aJbTgrjZel򆌮S 4^Xx@{?P{񖐲Y1H!w`K&1 + -Z2%ZoXdAGkExw`Az)1^I L5wQ#&q]$c3Bbn^:~> JZ=<-]z`-$C P0aEW3EJ`**ЅR7T5Vldo70[-YSHN.&ͦ%H-#9P5n厦 O*[kdƯ24wC+UxIPlx,}izQ)v"v4 %*nS339g\0 ylx0蕯*(t<+`^ 0~V06G0qu2I2}T @t*ZXJ0ju5YP)Gi(>xj AaZ3"Mfeu  Gm4 "bȷ?< c%3IߝVu_S0JXS*KNsQb*;-)!c:;s(e*]|*C#Jq".Æ@(=^I8X I FV2*8J9dy@ys@t]%!7:m,GLQH@dzAAa:ex80㥳1(e@̖P݊Q -_Ɋ0FzK"EѢ[gоp?v6$VmgޜHRGUFG'V7X$bvap;1RCs> W*bH؛xlدr=BX'&oӋ7YSw%$DGIcD~:0 C*`ƶ9G& TM W3nK"M!}o)dCvCM%Xh -xu1N%=8/qR0#IIϚ?'6 wٵiթi`FH%8dT; -HݖQ~ޖ`m Mkcfgl: ª &Gj4*yQJU? 
ӈvN}DNןQF4!ŧ[Vu|O -q+&$3KqBc_)iفdޮW[|:J"Wa$V =eׯx#{N^GQaEuB*)~X#A d(A>N5ZYvjCVpy$|Ft`BF0 gWcl[6lE͐Z6lf8TC搫-yfv9#U3o~aՍ݈ԩn$cjrqFUȄ=DY brTk?F4A"8;=@F%`;&,rwMTgѶ#'WC0TY6-Bhzd)~HUk0> aZ|7,My}GY ꍤ&`t&}IY,5yb7YDmv{'0 w2N\46$JdTw ˰~h|vnCRWC JOBN <6R0PW@/ pϽ"(P-~Q-7u-`ݐ#9G8*9nΠ&Dy ҃}1=.#z0q^$dXY!6ҰGH=I] )tƘ9[| -|u`±!3.=oo z rBԓ8WE.UأHj0-xU\*8_,{{ &rb9Ir6B}YeWHT͑52oxH#  |]M{BƟ(ĐCeK*Jո<ɖ6U>7Ɣ׃p)IMCNhd`uXO<K8g/ -0 Spyc@  BhCbNxnfSYqov/̼U!P`a4IE((f'@*W=Hba H=:h=)/ѵdn \ "sM(qӳ6erYv#[FN#W=bz9c71u$K ђ.7/Y>İ; -NOiJC|[XuY$9GO@3 F=G:; d- ﶂvkYE)IfHbP5EĒڑ"W}>!WQ*C /FdҚ,\&H]1T({U@hTap=`e{ZTmЧn(!)bDMlɠfӃҵ]仺 .)E{Ko|f5$)ILRmRإy9Ai -.3'8Ü2a28uJ*DAkݖrR׷~=i_n_~Oۏ/;7}?ǿ?rRo~o}e 7݋w?\?/?;O?ܗ>?W~wӮw//rUo?}e/]o_*qPi~iԿ^ȟ ;?[??[0&n_s?pv?ZPĝDtۍ664Ͽs"~=(k{fbA6 c -^D:Wg| aaؾ=?"k3Ҿ4$/AckRniŕ}(} -RS!ZHڂw5 -~_ B»skvg 惓񼽼뎉sNfl֡HI<Ʊˊ)QFjLn^ƶx؟Su__wd`?moc>b  }ei?E I*j"W%?G{F]uU訏nϼjsFή'蚏_Zc41gՓ&IL +=.˹WkWSsNcJ=\esFnf/C.vF6s˫2Tix@v%t~y &(2>Ɵ j( 4TҰ}5IRIQ^\{kݞnGf|vآhx|[嫉uפcMPRR_+Ηv'=]d'x{cكCK?~h6_մQx5pfzW0gjdI3/.hÙ(ɵWa3dqެH471]x~=4fa H6czF_=W\oF;7n%gXkLyzT~y(:o! #toO csgΞ'X4Qj6~6'9e{cn/[l݋v"Ik\۞Fa@hw7(\ϻYtXX\?uÞIP쿦Z/ {@aG̨^]oF?sau5Uwּ"[8,HC8,mϽ]VJK~ۼ& wF},˓3e)Hq}BDy_wזmO!/}:j.z{y eiI#!xc7!ews׾uX~= n%"Y8x-(X;^0y~Admm$_5tKYC -en m^G5+}r| 讯Uޣ_c^j{_qی7[įn<>\^YŶ(K={S{yӸLTݕ%&@/zzM?w(ws|bAޙr@ڳgp7d5cO1G -;ۙ8~Eqw AR] AMi;?](v0Wmi+췔ⲯBrރ'_D|[c9m'OOI{Q۴~j{0}c/hݡ|R z> 2k#[ק'uUKBB6O2ޘ礘yV']YI}N2{1YB۾U,ak;4v}^[WM3%=m ͞q -o񺴔a7yMJ[NߝR'e/dV%Ĭamʻha9rfI攫ڛv{nۍZ)E^;R+FtF<1Y[vXltaX Nw+; }/rW} ٠Gvw}=kx 4z| ͫwtlgs\ 1Tdq73XK;ߓH)wy4 8m 7}>_헦ϕϧ3۪7e-!̋axdK8W;@{^}$liDCRg)pRͪ/J#%{V9 -Vﻫ83^׃^ ?vO F`T3@Y!=eM=nM[RHpFA?[w~{zֽ!<ƹ;w}úv1^YyܸHӑ X:)A.Js][ГlyB{;5βg'P̺˫4ˁSe4tMI{mύ2h W~:p5~ysbQ۳EMJaoiLc7ƽס )b=oD^%\#vUnnFn={=pFpjmdß/LVyqSh~7btLίtn3{|FHb~D|0n]qPSH6O52X^⩧H|шyuhn^pA.aZ^5SƔso,'CsX ?$-7\[8(˞\Ѫm?c(x/n<:D׾zT?_Gjv؍&՜ܗy!%X\i@xm'{WY2aA־ tUok%rsQ JF/JI>ͻNҜlV46,}h E\Z)"?VKka_"u 9݈?7:Y4AkK,BoE5VN$~ΨF? 
`yRۍٺq6ֈ(,n_a~f[t{5kW!ܴXg/٦büF^ΫN9WDޣߕȐ8ss~Gv56*Y}!Pٷ}z@1ϕj{z(j(Pʞ~;Y- -xƞZ#C0Ew 7 -j6;tGu02x!WA5 ,x gT(Hܼ^#d뷝SD) \udWg?ʾQ\͡KpQ: w;֎$>$+'qAkrJVRSqm~!W[w7kEwK> \oa"olZw{;uxHV8hd$YܒTԓͻ渟}ƴcM{<|kw)GE -|䷵s3۩ {/bŲXھ9#(K({`Ut?әo/z򰑾ٍ#tΏSG#ŽwB5g3@9bJk]B{$7}6a4~hx7滕y3-Q;#d1>&|O͟P3|:M2{qjM.ׂepŦk܀/`#F@Խ,q/sԞM ~|xhZJ6uIM~<ڮ`Bg,s_A:S 1tXI+M[M%֖|&z6BXFmuaww;4,^'zgyЍHc?nEѹ$YDk8s9yR|zmSGV k(o=Ԫ N ky_=mcڙ -F/U¦8miq)U#I@+:KB7g!'79bz`?" xVˉ5a+atYA&*{ÐLȰ'SP|DeCxMFoi!b om%YGj>ɪ ,"_ý{P $rصAIȚNQ*7i7Ka Ijiк{& HϯZ:U4(+r5B8K,'CF=BuLN ߳+sSMP7a.G-eC8߫|W<ʎؕ޷\wq\2 :f߲/h*$ÞېОFRd]!xߍ 8-친}X_J?NvGS)>^(х&0zc8x)\q;W7iu@73LF79Řx3Ecػ@꾬Ў@_G&fvH1FI6YE`7`_< &Goba_=J8`35H|wn+xL2>*?{熽y0-kߥOt#i(8S k}/c~887/[ﺧK:d)scgܬ"ȓP)Sw׷݆8Z\ݧJ7Dv)]a |W( 3ppdK0ɦލ`ܜR7>a>q6 wFY{{O ;g7jv{i3=Paw݈ɩ/ -*yc!Y^㌰1TJ҇MśE/-,} h:ak84y b~#4-{A{Fcӷ /F!Kk,&|P:_~D# K^ jo@C.qElT3E?Tf's_îwW[Nîgm c1 -}FHq/J8e$~ڴM\!+-Z@rF-SB=-߀W$A)-\oߩp;ioa/,R?Ot?A/O]aZz-s#, ¾w+],QY/5毓-qR$?-2ML϶9{3v|">;6V}E8[MJc6 gC3Mώor)<49&Vmw,ٙDatp_$>OިZrr`,]%eK4y#kM& -w3w୳-;C4Q+/:pڗ<1B;{v(;aUn8M+\ 3b+;ŋ3X1+*"{[s2l/ ݅f(GkwPɭKh>Jt\jGYͽ -md< X5jwIK9ђq.ѣh3@!hkla\ ; W|+O|I2#-V,!G^"^Iܴpx0N(Ďh/N$|`'=P .T_K=λd]VFru(?;a'ۣA$L :};{xׇF{bۺtYӵ^7uVWʮ ((9,˶dʢAH0)3"^\\\1\^vgZjquy'}O%{W8i ǑRa f[Q7ѝPen(;c"yrÜB%2u[Ƥr8E0a<At u`B -*lʄA.Tz!@SQ<UԦ -`1X)4u`&m>*jA^ -&8vEaPQh;0MFSe#DK%Aj6[T{Ea^WtK;w"R er"@%/`rwneL6TxW ]UJ%:S/,+7ILKQbyEvŮ$w Z`{M BETvP@˨\B*mڕ5G%P U,cQu4_#LUjs4cw4SKNOw>XZ$wqhFiBv%D^e} d2]LdUrT}e NaJOإ򸀎{c @؜]ddeA*UBk 6Xb>[!. 
ZďS 1Tȫ9ݟOB!4(48R.?+B0u# 8]ʋ.T$kaK'bk)e8#9G?rT+Kr]aёGJY֮sBľX YtMɋ\J݅Njޕ˩ r%Ü\7>pb(.}ڊVHN6A?LSjwqPs.-0}.PNU+@{n9|ʃK)c¬xn9U(PrRg~Yky!zn[1;Sŭ(z%eezG (#C䜲],x6(t.,Q{Wd E`l]C0V/j VFUUwW\ F-gVo,ZBUjh "Ƞ9˩K%}Ժ=\jl{.hSYJ(@8Tfuh]FgE7@hW!TQϗqRTIAXRA@qI}49\1KUOҺ(g12iaå -0v+ -*JN1 -Ixx9J ~#>x&7GwtLy'0ܲR*s%hȤ\`kM ( !yK[$gQ% Hn)Bg lU|wTa |M0YEa%tL}JM wHȤ+-./Sనemg1B6^ſ!d  /R.e0(B}BHN)2"!el䦜.ɄRLK*(lzÒ#V(Y2* -2 -]r9TZŠ$,qb, тAF}n 6r/WQ2.}iMaP!T̲ⰡwjHaXcH02JibUB˧ ('#)K <ˡT+NZd08ffA+UQ2gt"*T-0{oC\A" 9D(L .9)2b4{?ZBWTS`ba%:J}$ 2U5Y4E`o $0 c, -`btKcb LN1 Wc.TAE3"!CſT.SBy 2 -@fQ8QT%6r)khXO*_.X -D-P][r't,U9:JTjEE;&"}!ZI2{,2J-d,5^JT*`$IN5ZQFKA/E#qzɲMh{9dU!*q[O9H?jTRcFE"šFIrtX^%&/.+9}cй d?_!D2*.HjI֖"HI^Y6CSDt8T4U}CNF On'>NubI(_L`:Y -,xǪ(9Pݙ8FΡ&g育2* |K[Ȝ*JbQGCKeWXŃTe]'=er kX -:`9d@eBvRa׃EE5qY+<6gOsA-PGXt|x0;]RN} -J?\c吸qn/I{X [()&zpr٥.~,J !^$\&M=(//c>} TEfHR(U0yV.Em1*9l*Ċˠ+yrKOJ4*p]L:AˠP9F4TN5IUeR/spA+b"E}e8*Vነ^09Y>gdP:%Ojet.{M#R)qńå,bLO] YR)cОP`J'.]*"CJJEP;Qwi]^J5t?Kv8DNr&a.^⾭9ˑ2Rfe65)Fh')BlQ*XcS^U(m.y^*S ->p`ІLݥO2*:P̃I̲4tDBSFUꤲx&IK3 `d J܂2Ji rz̨:|" .?*s,L@w -[(mQITQ@^QZ Fe9eP(*f0T#.kWm R?A({ %*Pq6>gP蒵+a vY4I? 
tXîxOծĀbYlɬ+3t7pAFOifY*@[8(t -J -.rB8WHΥJJ(䵜΄)YYN9% A0]ǟK:ĆdFTvpKJ*.8f%BTTŸஊ:t QF FB.R- -u\ -):|b]uh2:HZWUN -*|O;T%Q3U u`ʜRA`:ዪU”lJZ̰$+RT#}nPr:];8ۦ{M*肜)+8TNy~VQ.r:ʤ2RJz€ԈQhsvP~ݨ+/'Pr#I'F%6:T)G}?j>&}nDg0iIxaRQ -R4=Bckb?qZی]dsԝL][_v*TAJHh9}- Fx=rJQߐPPTt|= c]tA,+ -+U>f3PmeNɰPϼq=奮,D$/etVVY4Sz.ZYHNPrصWVRJdx( -z-rw*4PjTNW)-J?T)C|_ُb*A0k0w~LQԞֲ== gl.*aBq(OBJBnI^#9ʅBtm6Gf KҴbyCsQc0WAANjwG٨-[o:!~)O\\E%\NdR S$V%M㷈~:%ChcK@ݣ?C9[X&Pg}(!ՃBen>\Y͖?n9R쇃=D4  -߶{̸u2wu`hW_iivW]hqQ- -O.gV2~lIӝ-5[OGG:W$w '+ -*VzlzEAD7&I9u_620@* -[(QF06VC"YLi㏴%/h%˞YF:k-QKoxKMgo=XxSZokmR%-P a-vyᴟ1yVd Y@ -h,b1XJL\EVӜ*'CXzi~!ʶ`U yJ%/D6!J@ ?Bt6Y a?F -7;j\&qbԷ5ۘP_5&\F"(ÜcS L£lyԮhzcRt|sBVv.sY]gbNscNոCox_M%&1{ti/p9ɖ߸1k],=g.n|g_r\zҷg\fҷ/kNUTǯtT$OL$^u3SČ*6#>n77֌GӛZSN44uг{mc(I:b&=}6=w {_moegqqﷳoֽV˻/nT<:7űiYM|FY9uM2nMw.;UguӲS9[Rr3nљG׷4j~9ycቔˬƼƬp (ԈAE5M޸S۴ky!h ixPKL@՝p%gGҮSxz' e_ݍmI-;%g'呞lbJ{40/Ό_+H{پӼ#I(CzśxonbVۖS/\;7R>y FF&פ}ھlX|ڔO֔+;a -b.]_:0t%4*F}n2*i'8pOFgWӗT?=ZETwz?X,>X-f,I$vC|~;s6(첳/>xPܧ}քLzֈ۬H՝4ƬeT3Џy6gaMW&f;ǝӎCIfsVzvˮnKzm]׹[^NtMO+P6߷{?^N]{9Շg~93u6 -1QyL4 di/T4'%Se&m~dIjXC]մ5M;5'=<[j~3e&ar&|]?oxR3}ǣv#anįIu'3)7; _oϾw mA>Isdj؎FNꅰdyP !?MMne5d#=V5d\&E%:`-xD@/ ߬SbˮϙǢ&}z^'K sRAyUd#ْ]]-~JLWٖkR *y>tt| 5O'HI8il6$%u nrNӛ]"m:o9Uk3S.o{a]Cf^#E?Ʉ.~G>t„GXw bUG62p-҈a yD6mfoʞ>(a8t&|6kkT0Ăm4WtozՓw^7):w|ƽ=oOf֟ܬϛފg1jUA>2qCc#[M[d?#{>:n(Hm֘['x5&17弲ƴt}n&bnŘWᄎ-}KLIOf&_=誜t柟}uoW2723=' sj1;I'!C3~+6KS.uK-> } -HR>AuҩLm蜾{㉾3sGe{_M9mz}_pݾi;=lCfvĠK{u)7xФɣ2o&=ִKݞv;; v/K+ ֬D\P'݉] gCzyʣH;?ް7Vlº`>-(ۈO~v΋uO˚r _ 7:h;)=tfމ5{߉YUI,}KݖKiПQO?łf#ؼGҔj.ѩWO?kkUϾfm?zY6뗷E72~[kQFq®jL۵mr_L \:1e}8kNuNG{NICg1d&Mܭly 8þҰn6(N'YIu)K̉j0 5wy{C7~⻾}˷D^'l>;PbVv67Dkc#98vܘ[}G|Jσn@gx4 el^Yu$ݽ{sCI: =PoM5cؗc]mJlZY^{{~︴?䌢pϬy1):um.`>֧:?|]_<8ɮ6ENE#؉CՔUDlȇVj<ޔ[ш{4]9/cNBҾ6ƫk']lxh2p*[R820Ixe|:|2b4P$<"zɶd0d ᯲a-f'~d;U#y~A#%B]T;o4G/#\= 5fkNVk~K6`g:Qңa`~Ekҧ^]. 좴=9|s咜[~(#lh΂ɴSfC&#z M׏^?}Du؆k}gspevvys5:{NR E:n[Ѽ>w~svز0RvymrD޽ʳ1|\p8|8֤GǏ8Gs[z~m磕oimN`` Uwŝª-HtN|V Gu0G{rܓ6ɞ^~z&O{ 1)g3f*cS&ݪW3׏xwGvl0o S=DOL~~[#sEpέ>ncܪjszÞ}sfȀݚYܴK@iuHê<;Q 2AUo6:m70cýtP\fI/(eoB,oMnflMd'2(!Ӂ 8`Ә[|:ꖜIDD+! 
-;m00ȈYhY6l/%6=^kGHѐ]qSOٞi/=\t΁^zGrnw1}.Ѝyp{ԟ]TX֪E.N _:`2M̅p:H|::P_ ztu+.y}|w :+8p O%}Ҧ<4yfw Y>>ds U5r Ք #sܥj%|s?kzٸ74ڔ]6>:pO˷=O^{"n?t[XOoNh:0^|:wuMۻ -O>9az"9 dߑd፱nnW=pj2(:+:v#[3=VǀOvĿ.՛{;\fG'S}WC4,sLtՃ?:x=źEj7AW@D'Жlڣ݊*\|WC§ۚM @W{^)"heWJ?0Gr>+;\rkc\6 -ɺ2y[/mFxN&\}'ѹlDޑ=IGob)pBI>+<Wo^tB{vM6 +;K&k>WeVEN#_aW GwVLDHwǜ\hn:?# `$ ঵0'7WեRXȶYŁ]69- ~}5}.ECٍp踣gwO'yIve)m̵^mCҮiHNGիG}WcD7i}LccAk(Y=aդI3QO 53t##9~7/oVl{KшA?_?h;z]oG߰>.>95]ـF@Uq'V]aq=|$ >=:+NO>ۗrJf Ф -)僶2v?fT!.0C۝q9L ҨCTs^ eۋu)mbp`uneǝSy/Vaauqu&q" i5+NltdM$%Yכg7sA9@;`cNəGV8sQ󟢠KU_.Wc>I6a%IQ`~e{~Y.jdy:嗷'2Ub!: 6uOOSI}ItT; @fhC98p ٗB_n`Ul/"d- YbJd(K9Yč>U׺$pkOȗ'x@'96fD'S^-Jؕ-Y+k3W=-WO&-Nj^J_4;GO[ٗ:MOӝ~BLcmCl5%ϣ“/ƺ8G3SlJY}$8Dtr(>#g/Vx_`hf01c2m`:&ӭx "q^ݿ5nju&=2`oA਀}'3&ܣ#@!o43b3b\"9\|Fю(p :)9'>z;tbec=?bL~m_M7 F:CT!ooißa^5ok -[+$z|d)̛ j$ Wބ"ρ/X$o jqn\>| 9föDIQ3Si~un^+Sx2eӣy5v *tW񐼕gC^,^ x8A&lNoL8g.Ug{ot&!Io6^ \o6d-4z3:\h_vAѓAvrdA6.51`u0,ty63JS^mkc5pZ^?|v_{v}_ ]JL oۄKӅ B"l&Upt&Z4WլZzqwe8q[8 G-eUlLOn.JM9ն!R|g߳O'جʗwZ^ryYWj~|?GtV0[3m#SħE8vbC|K7|^> 5[NyC.cQތTW5񰍕WcsCќ,6.< 02w}i z -P!?r)3wK AC<4x￘NpkUЏ(Mp\D'òV<$m-; :RUЧ6.L.,Xa47vm3a iE{u<8|A 2{LǪO=е|"=yU]  ZY28o5'}LGco&ÃEn^'AX-l}ůޘhfU6p oEu9R~ /4p#17oԥ7&1@:hb0';׶h4aԭs`nYC0"?Nvး]۶>)QNj\s\:?yt.}bkcqU֯<k@ e/X+wގNļM?J^͌^܆o{-$M9TϪ-x/Oz'ڮgwx'0π;nYڴd7r=:u|wKqFu8pKӝ3W'&dBa&47ti5XPt~ 浙ǜ[tHE6:͒2R N2e70Uح\sޤb|mI?NِQhWٲ吜DԂZ&,0Swm0p%d{ބGRIӬؘu^1y^_2%ob]xKV&F~p`=1+R^,Rwn!U'}քOݑB$1cS<ȇF,e:%]FQ©ڜK8tݯ oޗ,  FI|VrjV[[S=Gcf%ߟjzbNu{̩jZ<^jg=;e4{{mZY6g$5/d:֋s3 O:_ŭ>ȵΣ; AmvpSNAU'o ݬ{+瑷yja%I1mu׏{]:GxׯR&1 _;z!س 3KM ^> _sڐ];g?p}JT؜w挢t`o`4lWˏN+Ʀ=QmNt{vO-#O鐨.ܳ-:<$kG.|G_ ""[#(Vc 5k نn,#`Ϣ[a߄O/}:&Z%(Bg.8p=?„G+#ll4aO6\`K.jéޘ$}Z!Q#'+ڧЇ['8)c3$DD\BOpȫicy#M>!"2ܒe917!5=0|4 }N̏BͲB[i,}˫z/~a?n͹᛹[V'=شD+o%keaqIox4+˖Vڳ5kI8M೘GtOdK1YsZ䤾svbN=cݱ7ڎiiU̡S5&ڎsV}yS^ė_u]ѩ KyܠycBպtrq%>%_mLe~ve-KxmIZxcTct}Ăkm@iR1lBgkn8/|Й3s6ub֦kukyk̬lMҥ}EaLpe8Ǟ5a~>0Ib.*, Xp#;+kjR/^KyԽV2B+#BFwj_K\ -\^,^o>ýجLjNׅ LH֚ p3<o΄ܼ^ zBX[t6l ޕYX(Fl6le|}o͉[_NIFB7\ n+Ng3~u/B}XR 藙XPŃ!ͲB=fvd& ʸ[әfgńb蜩/2Wg%5K[PqrV눗pZ5I3 јߚլޚJxTĦ q~kJq&>nޜR׭폎+~4_k&R> 
KtFݶ18|,؇O+Nlawwp_f^3= XgTw[3 ; O2LoJoJ9F$oGTb-uuܡx|?GۇmC1AXlokwpPҧ^0JΉN~ 7CIQf7&g7@=Pɹ?^:t C,0ioN/t)eļ^J‚^'oWtacN; (DF+^P=5)b>-, |.6^MC^,} -xefXp$I>$ς'J"'(jlUA >JE9hJt=ǬNzXoRy'{nH(i{=M@_Ú{gS7U|m); \))!Eo6 a `Nju\ݰ:%;^ޯMԌe'lO%590]۝8z4x"=:lNR9U]L2Y]o7DsA tKw`m}]ai39r=l[XI- c|bԶ>Q-4%֤תC G1&9 ;pl}$kʥnOإgpA$$IGgӡޡwF8 80^E[bNVzKxp''ۋ&vX#ڴr;"iٙ}-Ti! RCg:`._P6a*hzfI Dw"AUg&>8tXS>U7>CXzWӂ#ؼu4ULf8`QbajnaUDV,^28`wn"AUúU.r& m4TH FvX0ZZUjwL{rC_ jgi.`}Z51o2fQ_"!s -HN!f{ -|h| = -^Ovr+P_첺۽Q{05\nN㳻Ԭ> -Vv~~,v龣ŝj":?bmxE}Ќ&N}kcͪzq{i%Љ7=s(F/hP?8ƃڊ.Ӊ0XStwdcFꮸ:8v9qĜI&ӥKYѶ z ؉v4LXw;5iԵ ])iMy06Iph4ڥ5^}kkm<;Xxe^rK7Vgkѧ\>ܯaIc: mNm;z΢y %Y@W}ِO{~a-qWv/Թo /4o7K*aٱo};-Ls]x/̅F?-؜ekN׽6_ܟ ve2xV< uFmZ!`"i԰Npj1F[0,Ģ7eEqL\:rݕO,_?ȣy4ѫV)C G#y:Y: nlD\Ft٣6gEUI P -=,|K,,xDŠTHPKe-6lam.5=,fh]Z`o lȬoՋT]o`^,_4ZwVlW31]̯'# ,P3Ky'A XS:7)`?Up5;ѱϢ36ulJ߾X~61.>9aM/XM| w`-$]j=3NsqG߾?0ai)g Z|V^{`lB~ bAuE-'SQ;`h.o.12-&ѢSQ/kf{Y)̭L X+IЕJ뱀k$yh4)7} }k vd` 9|p_ vfhk>Ӷ=Vwf 6 ӡ a/gBc)N_[PaṸ_x:HEΤQ|إ'g÷srn >5X$p8|eBJ^}`٠+H_jNJ޸ס5wO⦽6t|CL:,4xXX&Nd@'-VXAm57n/@v`|4D lXӇ3 d?->uI -nC'͏.Y(~)핵cnI}.pcRxl}J| -`kZ[ ښêY1vP٠11s`c[gw[ِA {YyЉȧ߬MA?.i]Pt@۟$Ff}ڞd9/rûWI>zө'|ZKްUwzU-d50G  WGN跠u0|cʩFXx l}ҷ|6k;+y~I-}ΦZt * p3(gl$4l8ĵ db|=K/H>HFn Y )6o2g6YXL*4x7A *7f4}s꺸g|OGnW?̫o3 Gzƒdx+oݭeByIvXֹ6%8/3GAx}? /A -ĉmQ[Gq`".Xs9m{ҭJtP/n֛*6Ek;cs -ZZ!6qi̼ؓA_6YW,#) 8tklt=w @=`vG٫[pYuhHl_ri_*;6<kjN~gڿ]#s퉬)A1{tgA/(zT%Nx-+7ft=QbN3 ]ZG%V6s&"s%YE"8t=7oU\(FpO/Z_I lAF 3sc . -[=c)͢+o"F <  z.Ê<(k?_ Yp'Ma"G՛O$Gc3$`^vIĦmM1ɵ}m<5a#x >TÚY4h( bns.p노GӍۄvcvYmҭ\}X~i&:+ٚ[ߜ-;~g Oty.^1W8GӬϙ~/KKotW(nI9ìI;gw}I9aj/٠3aNI䌺9m&x 0Up`l%:CDgq&Qu[DSI}_8˸}ý&鷦/i6l.JĵA+V p]Җ\l@՝t^~7qy5&>HxX/fɘ0"X]!eIEg>i]tvfIY1ٶW|]^8aEgR؀) X;daEOگ:U-gd,4rYC+&'mհ>sS 记F ɚ7'?U~/=n)Yu|Jt,9.ݮ[~uo 47] ĜTrNz:R4ug|JU5n2vm{|Zqnc}H3DqI$G_=MGbqXqڄӿ }U׏&aҩEB̡ly6:=ڭYiyUe.vp)[cpv'~#MʩܚVۀ3ny6o~W8 -zྤ}>b`ɹdl+ pU"D˃keY%G=19'<9!< '$ 6 8~IݦĜTƥlF{'5_O(jN)/# iY w+K+Q.*KL<:h=`wXԀ /\`Gj~n^՗pmMlmѭ{۶ET"[ {I{%H'Cm}9L? 
qfZZ@G![U9T_2`Cy<Ų=P XЮY藿:\%Z&\"| ?qg}_Zٌ9*G:&top1'XW\(U/?s>dU?AO>&D>I9O{cFyύFs7+{}>Փ2e_FK}mJT2kM<|y(\؃ qH9&DI:bw\כߟ(Q9i>a{w%u}e(|E54 :вe^g$!lPF'fw0}j(3JK}O3=6bjbH1wV144!z}=,r@Ƨ|ב̓^׹ 1 C:®v"$k)=%m>F\˨"UC˺a~a@Oո8كl"Lc`+KN'*R/=@9AZjke 1E+SiqL}JRҙqdCiv酎Yd DδظWȋ)J&/~2z -xY6pSt4II2pEL|jy]rS1.F -;(/.` <!Di1V%rfr8 9bvF(ܧGR\ągQcG}A1REJ4OV:/5Cͷ8lV}z. * fnSX۔Aqw8 =*II' -r -cYףaiЁ#ig8.~6u%g8Y -~)vя -sMXU9R0r;?4lvыr8S )k:1L>< sOt,7Ze4zt0JG)Z.$>:A9E }6 {==dm65): 7b¿إ6|thY=wzn;0adىpRt0Ynx-nu# Ss.?QPQUB_+<73\L"m1bAjytwXh}ܘ|*9o tGxU? ]/~R~f9n7>?:NHR&{cH֜g7f):£α6=DZf_Gdyu3D6'%+zlER77È/#$:Bǀܟsff̣/Rզ{Vf;Nn'V+sَ<YF Wk}[ƩIGOyo{ -^Vx `ЃؽA\/jSccQM-cfi6=8 {" d$*b-q`&DH b`em&~k=e)wJ3#kiua!- +k$)XNH<sm%Ǭ#H!OkMV).LI<ńacWC 5,ϧZy."}>C)8M|~֜b -{ۍ1}f#Ĝh!o-%Vj/LПꉎ]|d 5:$ymlt.e8זks]a]EƁOK/iV렯0k D}0S~~ -UA3K1|ІAl81y!;ȒTzd89*tì$r]v/gHA: LbЋ ݰcB_]m!}(qkWZ~ r.uݸhAhֱyY#i -V銄{HytXP()z^Ovgiqrm3 j_ONS~,k2OA׭ $߅c99z">lue>Ip&ނxupن5WꡯV\v:Poܸۛ0i`ɘ;دBMΓl͎b '-xG0uiv9.>G6MZp s[N}\|2a*a VOu\t" з>iyf=\}0 -ESI'LEFI0bC})XBM#ԃQFv?9"+ǘyArF;RMӥgTIA#$)'82p{x۝>u>i*FG˱"~eADZQu- MEozK?ًvЏ;-@mJ .&@OGQ\EG*9Yƞ-]Oj͈%Oe:01@}z>hPlxc{{cp;H_n,z},'['pr/5ewOk^LrcNκqGD[XTOeӕ>iG1tAYG㤄؇6s>s: ݀y|&CL"r'>(++MRZ|M Rc[-%!A^ )dԩ"S2􇞐k=VP|≞GZo#Z;]EJr&SV볃~ =0yY#pۃ7d7ZJV+.u 1lvOчڄSe+#}fGEuUpno)72rat a=Te J{&LEN@N3Ad?&&;w@nS'N帱\hꆺk FW1w  -lv;5X)-`qTv28Ќ`^/Wom&lua| mφ|{1yGKXkA1BiuosЖz*q"Z+%p7@{C\V of󟫄yk主{RR-yJ0N=NҐ@ZU*uF:+pKf% 9O>x1=D$7廚czv_ўh^o{c -*HG-5]w:ޫ 7@K_>ͥf$gKз}#IvM0Sb$/6[Q罞~$.H\6;~ j~bMVԧ)Q+jǫ uEXISĻUV[ fY46][wuIZA^DGIIOF *f])1GcVx7*v ?ⶡ9>q H -<BȇUdos_k)xPl"a2ᩆ9\\G -.^5_kz s:]d&yy%/r~r~ -nu%^Y~x|Z|#GUP]`䫱uj#fgɧVjkSd 1+͹/ .#;<+$&bܓfL3@.z1Wlp0FץBzBk\̧?ylO3 ɠ1fCn鄑ֻKcS -jkqq&)jG~4]kx/0f}8~kuyv`=1~B-;պS%hK&Rd>3J,嚂uΫui;qb܉<`#3 2ǙZ^%I½)b"R>pK_j,z5UlRQsl|H=ԘsɎMYΆ&.Ttx&xBeγk eIӝǝ~qiMfϟK5Ȥlhɗ۝(i .}GQ/Pmqw>G\k)ckď[q,g#WsOWf;+Y xOzP%wрRSkr<ʹ$q/ =a+spbyMA <rDй -r4^yV[ -xJ>|VGgBMKqhRSxqwwCNtmh%3K[KV_^h+ߖ;/q~$*d -xHuJӒ nvpa2bm7_j,n2b{1[şKU|FuS^w_GHjQrGN;Ly4LI{1r_B}4 a 9CG˵$Ն[@PP29~73^^D(E/f*q>EKzH~}$b# 
f%ei,~>rwIO)jE;z7ӱy}"892rޡT3`=ն|':AΣqznxC#8BNK^nSwhQ(+#İ[Oj ߟhhCLS<^2F9c5\+ry&dMبaqR31x -i<^z"AEA˜iF7j8al3FN;ҰJ )aQ<ɜ$=e Վ="F aMؐaZѹjX%? WRQ2Ng꫅od&G/ԃ_hx)w嬨]/wHfjRW]XQf癒O>MȐ{;]yn56ۋ> q3kQqUՅV%%@ -Zhٙa,0_lop -Ѕ G¦`A71aq^o3rmjn60]WPOo[ۊ>MoⲤW_JCmrx¹ 3KF6;JCϵb8.8іܟ;h&1/|?Q͍!24]v[^p1\} ]^Nv\'>tX3?BN<)gj>zwdZU!p{>e^:s\̉7F[ jj!PCN}/f} 3W-ڂ7g.>RS.a;YSOH\]~0H>!FA7+u}) -[000a:d^„>tXfRߧʼnO~*f8RmRQk.RWP_ -(v :gysv?PqS+ ];I@M圩(?ܳY.dbl<Ӣͅ½̲2f.|!v?=P/_hI)7_Qfx?VE@fgƅJr2PNS-N{1c9덶*cZ\,]zEIE9,Zl-|\X#3 -ݛxvx6LZ]|<lUHZr%8@F ?n>W)9*#S~4.fkL{X^}2\JyIFV7srsTbRּϦ65|1MrXI;&'wEnBQ7ׁHOJuHy M%'9jl}c9=ks5\DŃHKMNÔ;ܸ?q6;58DM}fQt|$6n֕҃ ReRMUrwi9ƨQdGRv\[W%t8BNv"NT 8@;։r(;Ѕrn;,n |aÄhf&j/4zKRr쉚?qjN62[ji8O 9UYϖ<,rZ6yIs9?*9;+ﷇɱ#lD94^i.7KpnUS6$/'bd).Pɀ,w#j!٢C'noNcegDdؤ:zZ8B-c&Ź=t *HFI{M7þczVD2Bf;J30>Ҭ")I\4fFUF59 \, -RJF -`j2*CW駵7[ٯS7,XU-Ȣ!_UVtJɹP0#eCm!$=b>[)}fVb^9`jU Gzn ȼ?z*疚`vcJVYAN3B({#\r軭6a5<5 Y f'1f:@*zxc-c\Os4.Zmz -endstream endobj 311 0 obj <>stream -)D>LBm(-$+FYiDIB!Ab4Y/:zB=2bifəؔjb z٩:Q3&9-`AQлfy6})waDYttEʹ ^'J>¾a$ǹ'qbFYbV-D0H &!ޤ"&ZgXRM羮y_Y67{lńna"O5B|mɇBC#k{+cZ5J:FS4>/p C/Km`wmuŶ):o&o]@S;о:qγҀQlֱG>.Z"' -6tߙޛ9է'Kk~oiQp^ica콍W()-E-6 0z7Ϸx͵eoM`c7(>Lᅾ|mT2'siO m̍F"wY^o7w;I@[}NjBjyH\Ջ j YLRmRmU/6z,lUH—]0~Deu"cDjF86\O Kpnv<iRMޔ)gșY*^TbJH)x;1r2 i7Q+g#gbNoC` Xn?_n>#%=lF$:sIs\DI`juO93BGc/L^#6c6I!]cia[<]Y?H;%TLXHP=5t#N5viAM<>lnhDiZ.B)|~?א~=|YPs^kz(#f/"t&jU -%EFir^ͷ:T`-.*&;}Ԥf~N7ti:(Ylyҝ@;_6k=TeK7A+OqAJ.exx_x'ε+ ?}q~ps]+pg\5\mi~Bz1;KCn`s.b/UgOF [gPˍg'*1}l ]HC')xg)HSݻ藭x*:;% -&"r%^laZ5r+ٟ?]x)vpl*5M Z3UU:=AKPn8^Lh]he@/~~qsYRWtv$}2׎RUߑҊO!v8􉜋|1%BЋ0>ʳ$6;- -6:j쇷1~)H__xg-coOvd؈)MQqdNc\k71Y*4,ಟ]PgaRAn{eS| =)3cWJIjyسYŬ.ukDfpӕįɷ/}/Qbb"^%%_'G^}%t0qS,Z!ۆ2Y^҂ʾN$|j(/#-Foz \>&, -$j{+NV .Y}5%C%1XDŽy])`cQT#ˋsңK yK\8Jzd>7~5{(X灁_ʿ,̽R -tqr{CG@7zvOP (/R3<<\O+2aCAnU5TAP˻%f\c]E\ -s{ Ԫ3( -|p3ЭkWAZxIR}sIWWf}2U}ƍViTgN!*%RNp0(  ǏAa/A@o *[ o'G0v+0*jc f2r7CAϟ"޼ GA7o\ ^'w++esH o5JncG*wIi@^rs}xy -z8WAρkxt 7 dTRn&frb~Kq=p g&Bpt @}'yJ#BS\섇䥑+Bxu3]x^ȿMǥGw}CۧAQ^!e߭ _*Ɂ+h6XXlqXU;TS_)+2:1".RF?S's{%0n}(w(!qNcNR衭a~6p;9pq=-pgrAN^!o6B 
xC7yW'bvN9+E*1? YW#<=@\:t| -pyz }30^Nw8<>qW"}%p_ `ۋ> 8`?\c p}qq%{><} -uvp=.c'PXOW*VrF1js܆:J ^v ;K)_@1NOA^ -zrA]\A PK!>wFx9t^9Y$$(kK_+H!a!W??Xv=k柠@?q=;1%a'07ՒnZB#bJ/~J5SG пpq7{O?{r} * \IpcsUTu<N[ -Ꞷz]& Dk脘?\ 9AOo \ ݳ `,?Dθ+Ae]@y#4Q {ZM并iO;(6642&6vϩW c ]y d>L4US)cm*G)A +3TW|wuxԁxik9rzw !b_SUIXjHM?P,GܭA?H%5|459{u=?%y]bzqr'3fw_//'ʱp9:A$Ƹa\isݪ,(9(ϛw:s9'rzxeHR5>F 1k*|EǜUs5iبjdsQV֍oݼ@@n/@n~΁;2J <1!;heRn c i,ClvQHݫ}N8G'_M `9P@wsv&K9׆8&aR0rgEUIre㶆SԽ.U ufef)MM(o_PĠ_.AӯNuP@@V>WPQNt3c>QMU%Ua ~ײ#B@g&Nk+9 yIIw2Dh.>[["f?Z, X*;_wՕ*RMA?R'(/,Tx%' ؼUˀ_ޓauVKZaEO7GDwZ[ jk=H?f$}'SyU}4_հ?%*F,CP+Uz9!H\(_4v-4;}̸3uˢXn(F5u[ -1aG%l+k$CwyJo]zzhҺƤN˭ry1YQ1@6l:Zt<% -H3bm>N[Fm w*Q+E4Ugc)k9V^[=Q.`]4MƺWR9__bTBIɃ펳2;QMRr_+uғimm.#%i<ƊᖖiksNƫl>i+ņ!QvcX+*ͳ5G33' 5߁ x:Ä'iqRQhoq]a@uy@KYه2D/xM,6MOzmړjmnhUWGhqz@eQFABtIU53P]OpS'؁}]U혉֊x݀0kmo^XVyc`Gq!r (Ё1e,ssHq@hGyI ɮW^4ʅ.L𯝚6\]YW]aTWo;FW+s"mSeqJ꾌7:RXU2rlS<ɼ@GX5fZegs-sugKSҳև0[RB81 -s*M].v6M?)I)jNmpFdU)F5)U\T%han#;MeaFİ>fL8Ֆs=*jϵ/f{Z.֪*9}xwDPxU4BUW]mR֊յ{ -~Ɇ)%E'{c$R_tV=ǫ5#5bV`cvn.r<%$T"mhgCWߺ5ҽiTrbAVU lŜ}^; -:GZzY'Y*kηNGtCϳV-jqjW,oPwOV VTe9bNfV-Ju$bEJruI*<l]Nq)ig֍>Tq>|| *xvmP{Z{WWeY&cM=[4i0'rx =59gZDG~[gyݑߝguoGCgLe-+SqgMJMFJE wOG5]}i_kbA\~:+d<۔"Cg[r?.zXځ]dA,'s meQwK}?(o>7YUVukEeX4Tq gtn*qƛ&H)FUK5+I':6X;|Eu>$cbIߟ=)@IU7Mb=,U5Z5Ρd)ޗ"ڏ4| :\;:m?5vZ Gjn=V7}w;NTTuCyb^ȴiu>C5AcX$lu9݉?Ǻ]ucSKq2dX|2])ḱWz`Uc=Ї<⑆A0+Ty`Y+¥4.ԗFׁ<-VjqvAF -_x<@KݏгyItBm-)0ߦ9(=v{w:Bo0 k]1j,VVv)Xl2Pyc0qTӵ=M"Jl -lVo@QЩQlsykolZBY6$/V. 2F1N&P3jVP3->yi{!Η56keIu778/,))'zEEHؕB}[S^ɠS@q\^?o]S0__8J&EȈ1݁bo. eߗʫO-ePmSLȶWkY|6WhVp F^/UJ>UF2+8M39Ӄ9+.;rUIF1HNUְ+QO^&w4#56ڬF)$@Iؔ1zHa&}X7`_@GNMRdFw|9si~6UbZ1H):0 lߟv vPt\QsM 'S1J %cnHNfD||P\ {v)6=9L(>W|1 [O5폒H`.fi3b{}5bkETn#cUsCSr;?Yv:O^)F5F<_h4y8^h..SOti|4%o(yi&:Ѥ!fhGSĤ9FREPwæ/ĬtA5myi6% SJ^7L.8 1z [cqTāEdzնFjUzy÷5ϥ^@^'Z5{ci1D/g ? c?7EuifU,>_i.? 
lnwCXj=H_Ꟁ>@ltZ~0sވ}F2i#$,o-zzY< mR$z#aqn/'{b7HyѷD) >Y ,2dkֱx@<"oZg麁Xab*ʲ@,u\{grRŮ]" |&I{*$'ԯ^A3"\0􃒑ouo4ɫT4ee,䡒wYETX'hog닑8Б{Xbue}61tB,&-!{PbA$[j?T,iX+9gB1:::þHN (9l >:G.ku5!]e/퓰$pmNͼ֓5ݯÖ{t"..xF'Iņ>C}>'憞/=&nU?,/8ֳGzɽ/f2)~ >4t\.@%ȥ9KQqT{ -uH=^JJIe܄/7RMĀ8Y ߾"lbc֣aX P=@J04<^& ^Sv3 ] 3lD䆂}^Ⱥ5{g"獲Ƽ+3)3uI9HP}}wI'yC{L7{i Q6z/R* DX`2 }bbu -m= -yX}.ۓ踍;E\BkX᳍#f_N!R@{$r,,ɿ:2@,S- { TdGF;g QpPגȻH-̲o< ˶'xue2XlcGJ[OĬ KRMC'@_*c} -\v1E'SX5 wJ7ZɶL@71!xD?9ӵL~'t^zdhڞE'oⲼJnnJ a6pk -5z㜩$i}cyRSzz㪿p WuQ1n9ƯeNm2TWH]@zE~.D4jZە!ӭs 1X{Tj ӽy+g#|K/' Oɗ7o]Up`;K?%lpsӺ?M S<2.%ez3LV?\vU|&AyjM2=+ %mBf%Q*a<66 -~(+Ϲ2CO?q_iBÀs6J^1P3Ekצ%2:0l}0HKML9g(z욅&XN* 4,c .9OLFCT^D- 7Urb~m1g7g; )1vl9E1'ZgW -;V|>VƮ ?w4v1i9t8VԄߚ*|q/J`0O [B|wIN"c]d:2}T7{Q s;sh~%XͣL؞Z{7 ENrkK^O]yq/=Egdٛk -jCZ!ls0+ F-}V}1৸}5yNx4,qm ޯf1=jJCT7t@-АyD" iN1<)y< {>pEqHyl} -IZ(prGm[y]M5e4w@ :QbpdukUsP|¦oW=7>Z@EOnQҟ~/f!w&Pq;֒ꆼƼkeO[1IX9c,]gkc&Qgq|*r(KTȉM<ȥ2䃩3>쌩j[] ѮQv kks 13G!m DKmo-xd}KsMSKdITpwy!׮t_{B,3U6!8`V<8h@|57iqx(,6L8U1>) >Mʸ-cLPrtbJu%7 ,}k\w-dԡFи5$ahLh.} ٬aFێgh`f1窂xvfG޽)HM. =2+\ -|'_zy@MFtU!*}[4r<$jwωrn]`9D}jꍆq]Hc -Z\΀3cv L%Qz:=s^g+朱;_CXZ=O( Wv ġ =xz\& }x2!- 7 ;`Yz} -d=QK9Id>㺡)Vpc` \#-e3k7&IJ&DO~]%#)Tt+42~_@u]9\[C8h -Jo ğwYS?A)z.yf_ 4Zݒ{WKl97q @kco뵮o*9lUHfhSR?W{ 5O̵q)&ЃAg -ᑛu!^VP/ ÓLjSg7g % -J=f;C1Z3+<OgֺX|uvo웦^em־_5 q/\ ~!PeiImyK#U`c@g3Hucu9+풊W%7ˆ:ʞN`"~!jH,6O=3XEo~LӝFḰK ҚڶqdWCc穞wIA{ElT1:6 _0!.)pP+ >s}%ݔs.Ji9WaL)Rr~Ef)|㍎_# al~}5sX_Z&AlSC¿} sȱ߸;W$'U R/t=1bSChNb*ӕo iZAoqP:ln_F>01Y$PY¤+%9`FxŔKzD]%bJCƳtT}cSb)Y)zlO^zj:hiE:#6yRMccX肼AG*>NXνe.>^ܞs!D&Lq,š<28N99ʯcٵ -5nOCEiÿ̍@?'jB -2tyX'h8fX;61^t"?qyg>KM?7 {܉d'NH91BDKKuKHι§} -`ucsֆkCyh_F-cr3W;YXm7)/=Ksamc_:+BoK;@#j5M.+$lu;+h醐yn6㿛=Ka˝1[xjbҏVỲwvIљ@oվy9;vK3ʠ9TSДC-FّqWw^۝4=|IiaiO~+ &sŖ;EHl+`5i*Mx;O(+4,"m ,Uv -"2p')b2N΢-3h풣Rtm@9wo;1y_M\yQ+z4:OŒG*~ε6!,8Pj3'Y[S7k%4rP%bzO&`z:<6սJ!ڥ$:+0kuoYe"0@`ފ#pf{ YĚz )1ガ౼i?.霘]1M.0U5gqBW{ -2& -~ pKٙ&iyC-{¢DKt`c6aWF*u1d#U 6 -hS@]F{wW:Re6qOAtqa7»38Y|>ְ_-_7T(K#hQ6`~`Y뛣CE~1B 1ΐ;Pi",ډ8o_Sٙ%{װهz.%{..2xNߙ-#ĈKyT4y!cgɹ61Zy1w2f*|߆J?ŏ'gl%! 
<w@r_Mߛt_-aNpAxm䑁Ss>5bSN,LT7In}q{ h+cOҵ4m`O!#<",. O#~i.gj +V2nt=ԾB3bBZ<1p_ĚC W|e拡eDc까{U{*M?4,g?K]J/ _Z?1: :qɗFcU`O'$}uQyL2ֹYĥ)!-sFWK(Zk 9> 7z2Sa\(b}٣ߥ_*2mjWœyz- //V1ngc-Fo !イ/k;SsСۣ NVS`274]qIe eg&_9 2B_B-"#W:nmTG穕Ӝ{'{ru7=J\Gw.sewC3%'YKړUXQcǥB [+LH]@udM}&vGI9JI{t C\j'8 -MpX0)cB5ukBZsRlBn~腼K.EM8RaP73hE(\Qɽk]6J]=w,'Ɩ#svI_ -i/=^̩bS xCb\iT73bO K\rR -="vw6sbn> Z3S{Ń# 0sW'nT2'#Z79nᓟAwU;cdYfiElOE,*IU:4_iYe ,?_,kKYdm>f<~c3Bt 4:7wӴ\4uGj['j#p,>%xe [Lt-sՑ;KKʐ/F*١ Av%]qMG -M>T!6kBɬe wŔ?{d͖K6t$1o@]H?2={P\Vi̋&PĮGt+h5Z@)i@\*Z[̀ +#3~}s_ؾ䥾⩮y&bgfهj~%fyC[By^ދ9Yơ;J -LtEg`KLS-NW^X+70cۯcu ?Tz`"&mc:\Vtou+&SbC${52[#M=ׯ`|20O蕱%bWLǥnw#eD#𞩗I<7I>Ԑ`yg|qz^6KYnyaC'{|]BW)ƖQ.[_ܙA'Kz}msW>kx[ǖ-r C~&=;ch-,bbT[NMWG\n,]*}=MȔ6R7[냄>7׼o3D)ٙ+}鑡:@qK# -?nh~j#~\\&895CsK%Aax0pW$pȈ%tG@jش.@00r˱yherE듰I' u)іqV{*: - -9PQPv ȁɻ"u~OA(ScKXen5O;X*eF/PqWT)"ـ]FF;B|R2۫gx= oڦd!v,[=3!m -Ie"-5Vg\A%2w)e(ޚD?_/@suTԡ+tځB)ѕ@g: 61Zf"mRrEJ8ݹ%mN -]K>CoV7eOŨ3~qc^z^[k ŠLc`lV>Y*+$ro+nE=Ai-4*q{o{l W hx,:~motKL("{ŏfywc19m8qwڗw⪐{{m2L3X&|Rbɡ -KVVx𱆉wI -R Ŀ܆zHEl =ߜFLRmczj^[n+ _~#불]]q]j*vm"LsR!3дY"}rA S*,°Manu] zx/&Gt_sVn}?^i-ny<@+ - 8!u -/Ϻ!a_0VmTF# YS3 *klOR k#ȭt챑N<6qbݡ_o T t#/|Nj0#=Yɴ>.>_Qg>~/!.LkRZDg*:\|f wHIe2Σ1.%QN)#J:`r~_*ׅ@V 1ք]l!(u[;:/(!J:w,1.% !]~RBKJ3@>.> ">y*pUn=eSP2ضg֦M{$ii{3P1ǫdGT]">||ghl~2C&gvq\5m.+¦xI}\v3J,x䜤.~BE4[#$ Da:"z`VU읱/C~^ @.5. 
<@b`kYsƕW{rzm7"uSq7C)}.dzɰ"VI!;QYqӬڭt"ޙz%^-ȳ sN Ƽ;k:Z0{ ,8/ysdVwF HCy׈WSK>̝47U{R\,o~eCFkwU?bM>{h`XV'oEI_W10{:&q_$Q]FnLBތsR]iqH(8HϲLTi[~Z}>&d<'be=a:P+:<^{C<]aZch# F)[n:kCGɹqZzٝئy[eNit=s4^\]_tͽH[h- Z)}l{=X3C/ -x/t@ǹ e3hl:f"Pʮ;ؘv\}So~>M<ΥW[Qq9d.<)${}!.jJSLS1d}#ˉŇ*|]+"j;/vFG> jJh{ ЇABb ] t'YT|ouza?O.VJ60޿П9`^Wljhh.m_CE,zc?+M" -''+Srߝٙ&AO,‘^γD%\؛8 ]Ses 4$|aks/,S]rlWIjlW2`Zi{YjܓQ*4TJPpGMtiwkk& -Z9_q hS q,DqAڞ$Ʌߙ[—:aѪ)KQ2?>v}0$)W°_:/TE]_=Y~t_wDD2f{k,bLi&uL-ÐPHUPYf_}95=XER_O?~g\ _+^k>騍:k@8gbYMANas]r᜘2 G.#p]@ţT)5G-еk/@/zvU}0axe^޽ɺH2Kߙ'JW@QMR}yVG)T_»>q5~e=ṣ\a#c#cSpl}0ӔMs[+_, *h C)F"+-Jwy0P/Vj{KGYJ鲠쑮ns;8Ra{d,Xcm⯋w':*}l@aGZx6+J~د،ZNCIZm+HO 6wz ~kfI S?lWL)t_`^^P5]^(Z Kt9vsO5lkD[ى=oce{sc,ձ7B|9/󚺽"-c%9isN,G KLoNT{rQ8'y7v&qy|}meγ #Y(hm\es4W^)HcrZ`e_V"!_&(=9-z%2=QXU-Z J~|yg.bc⹜rcne8<['u,bzg)멻 gĬ|eh}^'7_ -68HL͹f6e=rnRC.xU9Fe菹9*~,~5)*P>9 |S"Bgx,Ǖ4;N;VQk]b|kֹY)JBIc|`s1SEחj_ڄ̢Ͽ _pRZ7:bg 1K T$6E:y;@LX% e(VdkRPnz)k,{59]oqcuCkx)("FPĽH*ieު{qvgH/,oKqL}YC޶D2FMyh) szm*#&]sSo91SI9E&?IUDuQ?"7VgW]122 S02t!葑A$5 '+׍ "ԑyJ#qNV$ -e ?6`V1,.v Yua2^)'{y+^\g]&\hN8Jx, QOWi3"?o@BeݥOڡ@23 6E.I= jj(!;6# 1T2; 6j':qYDȼY,|_C$YkWrv=Zj%_:l_Hrֆʃ3y;Gj?9f"]yLOƨ-)6M/s+4E'P?#},f_յ쓦 ?TVTv~VI -'i#I:eTm{͑ʷ6*im ѫ$4,eRdީk)IRrK A2 B ޱLsx{?,l&yE.ts -WW.:ϓ - -,>xljȡC)yjuZ-$fhE["VNт)- "'ɿW}a -vVC|.ۘ?HIB11iN12q_)?֑чZ:%c ʅg+[fV(-~NVM@z"D}uhWʙcF/kZJvU3S -l_d^0'&~K.r,@싨dTQ*m *w^2?F^F]#])~3M+'(7F -J՞*5Yjc7. .k'!tTPvg&^pƵb]+衱 lEaBz]P]kc$a3D2rSxiBW)ທ,5$.? 
@Q/P*/<Dkp?WӮ[T g~A|.N|fwY豌Pn(yT>y}ob~Kzq+W5O)0k)yk+'i,ˉ> Ncyyrq}U/9G̽ ?SSj, g>gsKs󔤋UOlS8teUXqL/i{2R E^926[> qٛ8L}|%hH % p(|g.ҽ.At)&ZބbިZʞlrΔ'H-u}#=jǡɶɵ;b&d{i Nf6m_}1{#YBJ50pd,o)[ObVeuCյȋI|nn 2WRcq{[uJ&«$UlNC#7&+M=5YfbW&4OUZ}V9_ix&ܜ e]Ö^'Ϻ7ȿaCKz1?KxAnt1p]鼩*t)G౿S/*xEеn\3-3{S1\2zi.x[~ͥY%wbj7rCŃyB-!::-Ïn#ѥcA??'[eȳ %~A<㜮]BORi[?$ؾrΒ;ŏiW:K^g)EC·l(j"d=Y\o5MՆM״W'ǡQ "JCuMW -MZ<+`}< `C=tB/+Lm0̝ xʞuN!S }5!Qh0.>݈اyvQ#qkU9Fܙ^6~}a'za\FwMܵYF^ؑ۴3qq(^5lUP|2p$.s{)u*.$͒&ɱϓǑ~ e 9\46uFaR}d-~ׁNbصD.k_q.PkX"p_f/F~XMy|4>䓩T[Hw#LC780"Hy6+z()FF`vyecaϵ}Uu< Y풱^%7>[]&,"DSJ-ߚ ۄE^nxܙvHRf~F i vy"$DIX+u!]nKMtL!]"j`~R-kymIXhU`Zjo1|iZ~9C#2?+G^}O\bc >/&*#,89+oӸs3ĨPQmBe_]42zc}5p\m:0?=esg'^]e)?J^݁g@/5u}A+|,SĴ`,&:Z7vϔ}m-򓄖x p!/!5hBjf2rtk&i.HRaK g=1:]JJ Kߝ4]1RpRv&e"94uUGObbos8X_- }Z`(pHhp1?Cʚ*w2NE 'bZR].X~еC^Lb] bE81p: . PǤ虜F*a٧6=n䫉[o3PF*~ -^y9T~{㱎ю2'h{K L42AH2?4t0vFERS;p̽6 V_d\6g]Uүf si[f$ӒI23cbKbwT"#EA -ҤJWb-u2gsy>!l׺ -Z>.sw'סS*tҖKWAH?i "{KNdV6%N ^9W#=U~~-b!fb֚.6!+ca.zEm3h6e:zŊϝU!^OtC.oVhT;n/Z #:n%ENЊ*jg 0O<|)6uZ~5&w2[n7(י/~Dd>ܷI 6-2D\lbSKN;̵|wZsifN7w_r'H[ 0tSo!MGC3vBGܧD)ˌ5?+/c]ɝM@G(|8XƯ;.\:cm5vlղlcևm8[N#Zo oZELKbV ORp>Z)@|Խ7oUL |K9a6/K^sF(޵b> 5.dή[jN:x\|M->hHIۚ򋓘zj+ξK]vp3跻rݶ0 $mwҺlEfvU[1@ wmUc6ؖ%6ΝM㞏<~g\s3FgEdg[vFQF舖SnwXғrgd@&iUξ8l}<kρ~$M3#Vr鲋,FGnV͈+/HʮYsd•X()ಸ)*QAb7Utֈtn r~%޿=L{# q䰤~WPڷ.l:-} -V- ᮬKl/A:fcG6A#=W-`c쪓SuH,S+z e'^:0nKZ`sĒE\ɕS_-ZY]0FyEm !L~zխS]1~Ի3{nH&u_;msӶ!UyKNt@SCy0E3C!\zi˺p0Lߴv*x'@1gLᎆ,v=nA,^2  %y\z9䭘 gdwa~P٦`VݳOvGQ&vE1eU~ -5d,ۛa$PIL1LA~$A?k7]Qb s#;n|V^-H{?Pk>>kmZl AT {7Nظ sx亟GsPW"u{[m';!OGu;8ĨU i=!sTE~?)+A uQ#9kfFK7 ȡ{ R?φcSWS9kWnxM/exił+_⊶<,2V eF5?[vf{G;:RASc3Z =p,1X鎽5}ˆ.YfuJ3 .inqsNVoFlq#66v6/ f*@\jBM̚y);ąW &r鸖Q8G+52wF)S$9#>؉H\Rr亍af먖/ƕ_e:M(\6J=wGһkrՂS@XtrGk~jl^uѫ6bAYwbVdj2'2ٗpG,m'ng6nik^J01`7oxqA p 0sKm#,܎ _'zQq zF5wd5Odv.vy6ZS -H(1L{럅?ּj#7bżS. 
-XItLcA-i;^tAX#L(!͘c$ȾW!Tߙ\՚lᢵN -{a.v'( =;*_.XyqϨ5S&CV}4䆏YqUͫ|KR<fvV`WΚ)s6l!bϻi3)hzC;W岅X1LppӬȰ7i16ymq1 ~&fsM[C jt᪗O^6ݰ$lDВnKtAhh)'1"lK ߍS3Wmv9+q|4%PD@F4k-XuJlXup/4i\;E .co{gDu:<躃6pjG~)lc,ٺkve(Շ\rH^zϠ@]ɵ+4tBGzYYS:#}VI/v FZQz)ER+loKNnjou7ml˛Ry;+n!mFny &{-@jѴF[и)ed- 琗z+"|6LHdg{yL `h6=Ւ:J95'0h'yw|Ci9bU(5,)*b#v>b[aieK0Ơ}P5o}0\wҚL$o_pC¼悱Бz- `oʴva/+T CHbZ tzHe"C͑(=BRci kSzA_,h8`s|֎[_ͦSty4J4Bu쥣V*Ä2;&Z)&z阚3ZA Tg}%쌴Sv?Lx® -c*O%U(2ZAKf00Mz(c.X@_ug-rΜ=k嶌(3:zY2}*#wQ'oə+^A&eNy1{j ZŖ޴4l{INFsXO-!KvmRMزl̆2aÌI=)o0CC"m^&j+ uN[. x΁x_GͽUb&E*'FH!ܡܙ r+vٰ̲l'!R3n5l Ӳ.jPZ6BقZ vuo}ڀMZ󵁶G0e{!noB<ۦy i'5HwClZFsr4q%Y 2#|tjo\й;Al >88@z x{5СRڟ}9>f;h|R~tqZaEG#@vCbժG. 7x@1+*z_4fvNeSa z:{Uigi *&DMDޓ1V`W 9쿧Y!;aʯAnY8geVMm / -Au2ؘćc -FUMA:s6v-`Eo]VЛnTǩv-$#rXE_(e3v){/Zq A/'f ˗p6oVG, 8n>q6#ZaݴU1*]MV V+R;z^UĮPUMaf uۙRR;11oЖ?hEq#@o^bD,GM>ޡ -H*idC|"RQ}R+1 .>n)BϺ)S|aشf1WG14SnE%U n])0oRj. 41a 4ffotoFؙ's:_k/s)g#e]6E1i$m d-dN8n\崙PKzi=q|zH9UǑ2PD3cT-ca|K@oB@kԺ26GFɳKDy∹{t^Elը*W.h1*!&58D qwW:*LT: y j?dк׽QiMD9ENW*ۧcvyc8S&h96]LM1|]D_I.E Zsoq`+6B(|;Y`}WoiJQuqݬW eYZ>nY5ܮ7j豰} OQ+yTaJx uPjݎ(Tnmˊ$m{OOcS^aP+moHןRIϽYFlf sgkJ*ieJxz%=؋2+:MRn_:T.50pm̻<<],0Tj ׋Q׳Zϖ/BWCҞt3$"ױ-W+%AeSeDȏJM|9D !Y'qcgRnNk:@j`)`3)^H' -9T&a5<y%W㣲*O`oV3e]]; !fP(8r !zVIEB'8KQq'CU>"4ď&TrU4% :>ddS~$OWꚵ7ԉFg?.?VX.<_pKQFLt>*(x7B[ui03)uZw@d7S?<~R{,-J/YE_6E"H\ȥuQ7QE -?hmG(e0L׀%Cs*ȂPJ+qJtTKI&#/Gݽ4uJyԱc7n8n^|YmU]}5ˣbdGFK0 FsTGzzUaLNOe, w=YKv6dzZٛvղCC5Ike sН:͉wٔxuIiOgGݽS*u94ͼc FtO_{C;@PkD~w$\B0cZ(;(ﹴHEM#}Tjڨ.*zu? 
U5.KKdyR6f i@ -UY6 OQ - ,ltH.}H(ƽڨƑGIQD݈FDťĦ {~E28U@9v>kOz`^йX휊cG$?gw:qLw' -ӉQoUDݍDRyI,7"]svy׸MD7a'!_S -̥zȕ&&o%c c鹒o0G>A48㚨sdy - wSIuu cW G-ӗwaKok>K=ok̑,wiقIa}<[g; #?n}P码;`Пg쎱x!X~ZPms's<#D~u~-umߝR -5?e7.6y`EgD,RG0)䊧J1& 0*GdTFǵ},tQp$9BuIs - zNwP\dY8`GWS Mk읂#?|uI=PomuQI=q!@tQ-9ǣc  tA8={5llE~W!RsbؓDիoʇ.z줁#vjm*eWT儰%8=Kq<gcR??|}BhJ.hF tq2wrFrfR#֬5c]JTni+=L'T^<P{䏻Q1#1K$U\vr[ Ni :٫> Z#PX}ӵfYmqu,|2T%QnG} -r&弨#y£ť_I^IQ֚p/^ -ar /]%DZ=X2?(^wc^}n$Bޱ5[H`}_3bB]q.cgo&!.d LeɃTzHa 2e$N_8p#MB3D2WԑoWuUyժo=i:oQoln..zNJ;|jQ;Af5:#Wi钹ybg6gX݃:ί isEk#ÐS GohosfP;bj64X/J`h1/Eolejfvqm m3BTgET~X0/lPK&cPE+եnCLj+pq8r}8F|#(_dq}rw?Tvk!x{znsT˃lha\岓cS&]ā^AL&LH%Ca]`oӬ~<%G0n:M}Ta =eZ4SݕޫRkDѯҞwF4* ^:%'Ÿ/)cuTv^SgAANQp/>]ӜJPnۊ*]P"H&t޲w$Pi [Ǻ{6G(-^\DfZYtTRݧ1Ơ.IKZX-=~' NKuJ.#PWiƒ48@, xq=h$^ɥh;"uN\&g׫M +zl-;^:dVK]БjeV-EJvL" WޓR2A -iG/oIY>>inyѥa!oZG̘1qjNL`^4Mػ~c{堸FrU/F޵w{ZFM1}[jr>]3<Ԛ0cD2oq"DY%-С(v(;2,݋6 -FO nNmX_)ϛi:jKY"U}< 5 *+dU=XQ:QVEޖξ8X9Y$b(W>ءёB^ꂁQ!T︉#L\_778_](hԈOɵgCL¸gfY$ʮb,HO_ S{3i [%o&UikġL;qh+)\ ~zOk\&U,8!rƭTz;hkA6a [%nJ0d?i|z ͉-ۇߵuZMX|jL\rj&"]Wi`5m c{騫0@즭@yN8o^wc>L1_dI4b\jNKM/pԪ` $PV -6~>"u( ؉9k<~Ë_sg6F`'&uQ/,Us7]e7CҚKFVUdHPlOc ↹1~Q~?Y79#&WO.5ӘwgcwF>RY}4쇙Vlo7BվTs0Bi s֜Lq[:NCl fI}WSZ\zH,7獘-0CzmnК< -zZG-@g0%xuG;.\ӊ6hZ42@S|W67JW6Ō+Ú uzJB 7ES͛6D@;DϰH0g^{bbF9A6w} ^pUL;ŤC`GżհagKւ]UPz/a.Ժ*yTRxwԐ5·)ɾPO4~^|3ʘW7'{0BbbR)nhHW C=_3d8a!tsu ,ut->Sh߉-4BG,Z` ViL u]Uw &_S,чQ|IyD{ײTWPW@u6^8 yo4[ik-_ЖͪGtg_&-08;A;b%Wy-Yo{Xuꦌ #du/̻9adh8qGnL\՟ˢᅾF\bd5TG߱ ZDⴺVq0QF\&[ы.\}d]V===q6[S/؟{iTxǁH|5+vm^Tޚ*G zx¢y #՛6hTO%-Ͷ_2b tmшz?jN0uͱSsҒgYc3K );4\6sÈXozahM@ۑ#'3jTmK[q.c -۰vؼ *mM - &fď}'PAܟh_GivM1 L/v {t( 1߮}ӛ渨段!a[ q̈́شcsv|E32C5Ln;śfxʁ55.n']‚, |]/$w|ɲ0 ٢xUSt0Gٚ?+ 1nԚR4<6>n%>`e ަG}5uW˃qIӓIy˳ `!!O;3N91}s5++Où}5q*`?HC]l/ⒺƦ}9a旻v*h-kFxRDЋy%W5wB -nhU ,i[垷⒎"~1aNg74&e>hڹjݮxCߒ.}eSύ2NMˮXeKּE=o Av5mӋ+:H}I;o;}/_OLžSzf!,A0eXèO~t鼺\k!UrvjcW55«ޚG@ICKƗGH߂,k۵te/6Lw[ÇDղ*nZQqsA@? 
-|M)p\D q">`Emݳ/FM1i{>R`Sζ>q<"ajN&o3b0ڿŠW O7,$LjƩ%37hAI[AiQqŕ~-#hm:h|k"1)z`]uV&{+/^}v1`+jh}Fl9y`x[ҖęG_<øU-Ч;~nAԳ.*=ujboxAl_cwʇSS‚K*~|ꄴަvIkNYշ$j!2Ѝ Iu-{Z1ucq7pgэU=;,cOJnRO='u\H=饧e^ZU}O:ˆOyDXxx[㤲0#~諟{P]!7Lm HL|z:~yjV *9KN҉_djVhꄤʺ'v^]R^_dNZA_ے)`T@|AU8WqoCWQ,ڪ/ SklQ -tVDŽ:3@8 뽢c (~DPkKۑ_Ga%~ %LgO{A;snj[[4'Ы^ɍ)ku/|ĔsD -B/&a tgI}] pxWyUѭX(d@}_ߣ (a?N#{?7Dȧ8jߏ:" -c@_ȢSF(OC͂+Fe^v\m2m\6X8 L=cŽyEən慨WV^ KDqjT’ -g{o[#Ƅ-Awl?݌= dm4Go+KaVi'4[tAmxmi~:~S{?'j-~i۱ج鹗wƆNeIQusJ Q.7;b#Tl'W^D<'w'76(r([Cm &{o -g|uֵͯԷ'Fx}b$xY7 -^gj8fdVuUҪ_}bɆQ!^ q_=܏MoW aY)9$鷿ClƗ9V7v ǧ2.YϫwGmoX | Liw~е$8S4;PNd8߀vo[ߛ^pߜP# ϯfZ%W_;Pk_0r2NYgt ю[ϣ Վ8뢑z.վ^@^hv[җiJx)vq@/8ZKg.mnLر7 +ܰ6%x9Y&@$~00Yzͻ 3򹕚}:gNZ_[zYR>;Oƻ$T2(񾦌.ty?;tѢqO{ֽ!Q G#VX>x1TEW_z wo=>i}+䜰P*o-ixܴ[z*f6!${Uw܂;6TnMs`oIj3nC_6̀ϱr q3x))?ry;j|هH)ȯj2~]'׾䨍uzR,f]WC7]̳aq >xw}±cb$=魎4m;CmEFX֖.h952ɀ˿Q4xH[ڧnzI2aJKjΫ^礝3Ǖg7#Е]8+CmmjD¢K@ -qX[vtr5YQܞSޜV>06怸lNJ}S!A`Gٽ`gѵqmfNJ.SntW<뮍Uߟ^^槕< - ~|БnnU'5,πm_R7EXz(kImEڰ`r3')j_`SN|R_-pE|ۋ;:sbKU1vJ%-7-y^L|~zoV6Ԗ3OJߞrEiX9"bÆH;kg{J*W,5ݝwI?r斵)P5{4 -<@܊ż(mcZ7$;!;H*ieTR#m%uчFYw~C<\4i= VZͼ&(-8MIL.8;#ozL(9g>Z_EY\7:rτE'@7tDGŽבGS ˫ OLwk&\Obp+:3&.n$.M5ş GM3:xYQɽ M󍁺k8^}!NE򖏆XСإW<‡AIy\_e̖cx0 `9%8D{An "y};#g|U[͵ћch}[PcS9[Siyi-hr} ѻL.g|3] -@[g, 4LTߙW5?^!S>cؚ8]h\|,qRV~m.ϐ@r/Y)U 1;fLWuɂu -.ΪZӖMmnf!\!|TqQ7eeKҮRn;)ڲ*|章|w]H|ļ6EDu OoԤ@Wțvƺ&(AZR$f^YysFQrk"ȋM iRli^^ysJZq7=kIDX~n׆奟 -u] -ή6֧ PQ~e󋎆w' -{ði{@7f5{jڄU7j?<ژz_lWh^ЛowR}l53$ߜzܒG=sKɓ'>Voz .Iʦ'3gC<;XNxP'I!EEk/ 'b֕>]Sڢ6YpҸf$EyUcdd{HJ==]ro+*cD1lÊ]Sߙ\>++fh|}!,D}9>BGo[aS7ooYi[|0QprQ M{ C̐Ԡ HgalXQhF(12!Gx?gD̓@2$̊!+w? 
kFA_Sm?hkx@s܊ef}70MqNDg7lJ*Ya}t3+ qj0;ܶq=t7DqSȌM,~O -v^_S[S\TOP~.=,_l] O3aIھS ,[2c_Giy㳯>lD,ǬsuD]=Q{_mevu*W]'9 P9D693rBH 2BY`Wu/f]f^Zú %q}OIjvHi_@LKf!򄢵1v_g (Nyȑ6WsC@̚ieG׳[kNP3fFݎ-_|GI˄ ﳥwY6dGٶӳu6ƪ -*zg/(%߃-̨םZyߛަ)L⻆qag ?m -+ko~iyۆkko!N+>l6wIx33“[!-`~u#!׀iw؊SܛKC@GNA\^t2󽳼z[#^wNr#!)>9c~QM 'Zxp Wj^`fiI 7Oawb!rR!ǨEYf[ʩJ̡c|T%#׭_|\{\ߕYA^c^\gU9ȷĞD*\lf@l!0+~JVT#@Ԓj(F}k5*zEkbP6j뇝 +-uO~f~붧eug!SxOkX-Z13*}_q(|x1&!.YxA>a-9K ?3)<=Y\7gs -HvQb"ki(W۝'W,wˠ_;6юE71a>:s뺓`'E;(yY5C+XU.ȺO}ёREwܐK(BDD릋K'k϶~ГA%1E-t}'_6+vwӣwt6:)~{^rw7/^|=-(:`W+/sGʩYy:rWN* -hMa#95CkKnj%_7%E>sc1ˀmN="չMȈ.Ĝ_D]3=-j{ޏagMBj!ΫlS qs{k~Χ?@_2cv=ޘU旰d8 jkq.b㶧q) 0h͐RQp ^)" 9_98êN3#ZY~w:៥&Y렞K *8ʯU}e\F^2j8Wy"@7G9k~6 E_NQ}3ǘ1){p7ozdݭ^ΈCt֐l˫!lԊI Tt -,)6KbnاiAm }RbxO_}ӘUa(Ј >vE͐M-JFMBdlP}]K<9AxIKl[|2%fmQ핥a~rpI[T|Cx"n]QJbMܽcoOA?Tu&U旐S{]=yeskescz4SkOכ=?؆ENI f}[5.vO&L -Bn\C*K}QRͯ'-jYG>-4èQ8ZL3; ->]C]1*T܇W"II!GN{=ȅOn 'ugO驕9!ov ,pIӢcn))?!*4`T:')гOʎ[3>̐AMG2&tNӋ|2ZIXŅ:'A8☢'pqm+&2.D r|iw'{> -k;;f 4 )?4C `=蛖~b~Ls"Y{kZ~Uw/m^H bPVzNl֟z'4B/>1M+:XbF.;'~yeqCFkup3s.=aӄpU6+z±]}r>:*V}tC1 9[tRb-ܽ'>Z[B/[Q3!MLT@5_0 hI~/>1ݯik# +h|xD;k#:B[^Ռ?W=!Xkms@iۦin$bi}27h5&) ?qm ܸE Zӧ%W/6]jHE6BJOS \ZfcdAgSc<@U}T(cC;o`o !Ah8㟬?"ogH~gz<RQK\R\mےv\@v_lF.g 3JRJ8[乕T+?u]ъ)b I蹟#f}Ay(9[VSгVs_`yW ⢵pgc~>V7 5W5%Y3/6HH -J_iIؕBL;ѩCm=u?J[r?~aSvXrNPsT_2??5j~U:VG/6Ǜ%t2c}6%č"CN*W?6B+)M^ :tOSJ  >īNI ȅLiKo!a -Tޢ ˘-?fzbd՛_( ݫhw>Y~t=t]ʗu7~PFA-5k5%gGZ7'Xۀgf&fT}N?^}mׇً/g %ǦX ?Ȉ1Cxc oxy+,#:@,|#;Cb zi^g~3Nl'[17U<>Ni)Q\ƷTuG䭑1E8.{}yt{ŗv)Fg'L/A}C/NP?W'i -A%lr%GeZ'7S#m遝eD"f@Ko-+~0>)v{Qֵ Yum#tQ/qz 'tsUZz2({EG4j$Eubn@ѹ8, R:13Vlm)fAsƽ%qK޵ -4ɶ ZUPN-25ЃMMɶqBh+lu>a}yk\XknS':k}y>G5!$)sIz6ߕ1vlSbL8ЕƟ KJO:EĜˣL}G=`<#_zӐЪ7Ǹeۓ򠚇rJI /L6^)AN^ݹ輰`D&)ƘҴ},6FvM.(:b:= O6>)b`emy)Z3#U_!F"Z(AD`K]K,>8+-ŕF -C4<ϧ[G}@3uI)omCd<;C,͉1GAq w 7^sC>.fj^踷.ԯ s>-Z,=M xătįЭA7'9>ۣx5|0>3h}e/E\ZvZ䈑 =XYԈ6 "B~n \|!<Ր#֝eq{dK̀tgY*b:9 1LZx]]z?aVtQ}3)alPӷ)Yq5h Y_jstN@NZ饥/j<R2 &%E5jMПcZ, QL䄼⨜T3p7/` :;z!1fCZbk_p߯[lX dȻzzhŀsLҦ[iK1 kq0r:\M>6cjl}V[Ljk݌ -A F5Ċw5g#&=xaU}"g;^-=@Jtoݣࢗ!UgzZSB*|jPI*v[F(?k?"٣5xul^|EbS oI~CݕcmmϽ<*j(W|_);$ -dE 
uwWʎo孕Y/{*Sl Vofw<+}gA0+PW+OWx)*o_/@c5BtI5Y>#~[wgLp?nbvW:k4[\hc~;il[GH5{Q&#F&2y̹ş?I)XŧZvZ:$&Gk/!߇\V(#9g^q2LSNuP jnS԰a^%Qvt]#%aC̯H@3w,6ɥ M/N.\ j9bB[. (NsXE)8"5*kd|G_ÅyUr(_K[nn`|9ŨP?AN@oLמhӼ%eȻj~_s,hyobBBXť|NbBDG?lv/rtF_CUB{VuJٕC~FJbnqCҊZniy}y5 4z}p=bQnYrgWi'l:kWN jǑBȔޚsIl_oZA]Oî80z>qoV0{I1JRGEǼ!+"Wuͤ(8)j^g1R-rlZ@C.*)96=` sΎ-lƅ\m -v)EܰO S|4a`U%z[ʩIP)n#OŵbbדArRA.d "X3[@;\ h<42B, -y!-vL4\ h(;sC /jHhhd}{ s>s!k*K)E(Ud:1a= vPCuOsmm-%6jz«8(ݭRRL -̐fJ>کla>{. -"L}F KRw+V{p*] ݲNҋF'l`v"crz&WiLgy;E4ut{]+ F寛v-<켽vqYe`E/+ [_ -Be4ECu@4)M`LYe-b.ۤj-ku-tZLt* R!#w}_nF ,Ї.T51.rL km8%1S}z>e~^.D֜wu FmcDlD̺-;I[D\\z99BI#ZvH3vEu:_wN֕sjlѴ0!k[gs'fn4\j );!A׃w͌S}2Bm@uθrKJ@/yԸϲ*d1tt[#~dsgE2[•n ~t+XJ6MlrsѤ[L_酞ZD]->t)5~ ʯȓxq,%dƌlԮOݱp!Bf?AFxmbq 03`MM0'A< -З5օbSX4jj{8|V ֧ybPo8 >Mb .$2/fG.=˯w -ƹe85{]2@=oHi$JȄM^EէjX$u|sݴ`|)m[u@GU;GŜМX4!yg.bnA zf9^.煟[ |c);<3*uϰ+! pumg~9 eD"R׳\܈QHI`7lS5J$1\uԟqșٸ1ũZuR+3=#$l 7^X|8xoq+4HOLs}r11fښ g>W^9I%pvuߥjclOuBѹ g*RYXKGp(~ dcm_lQR -Rq@IZ!Xu*_P -:VIĈVNŭ1J[&@bb]i1<}V|9XONs)^9lw^x`+ja*V Jvr1+zgȹ>|X9-lͮY|[J/ږVїl xv:Q -ș˽3~)(njo[Xv)6I(y0g^A\24XUp:9ʪu?xXVZ~qĀX `G_j 8dUuhwGwKǪvL@o ]vϠ v@ jA-3h{@+4}{â/\pI(^8K.j]Oj -+H%)>=8/>mulR>se̋/#ujpy֡Km6jɣN% -7'|XLmUPt|6:@yt<ܘ]h恞O->OA.P^8N.@۪W?ŗD -uv){&y\=_Czf}9NNߞ,ܯAۇM69,h9зj\o_ \l("# { -lmr)& \G.Y)7n ֟͑(rCH£.1r[ƫwrjo|ԮDg]'D@D(+YV%qjKE#~iYZ81SFlݘ[bڈr*:-rX6f85+[iZ{y!$V1+@5bcQ9N\ !e4:BRaQ ۪= =Rՠ - -&2jbA I1*3x+c@2vmP߯?xĥm)(bqK]V.<=FBDZꃟ'&vMk㠎GKPIo&YVrZxS}p;z!q#_ޯ2fj?%316KW3o -A7.6dz RQHΰ4%QC{bC z.~gv;dE% ,tnd[&<|oP.A÷3*QhA@_Խ5qw"`v,|KYujYR޲7]XSvD|.0aL=-DB\TO1B|u{-aas86cջt4恉OO?lcTRK/r0a-&#itz؇sԒJuϒr-q΀> !Dgβ_6\dD E&<码΃m˅pTc^mEGYBsR7e͈F8!S4˛ӫ೐>]3ek^5étv̭|е2쓨Ƨߺ}3%niϰ=6Q`x>[{pbᐰJ1-aJ,!okq{s}:Ky %g-^kTsC*\_uJ)bG;[\RrWʪt5iza`? 
0(`l;,j>1%FͿ_K3b{=3,ˆR-<ؚv:8/amÈi|^@C,in¯nmZm_,E9#Cjre@Ex؝cqKK[H dT|LD'Gq+%k :$(`ڦԘBL -&"f.=`$W.˯#3ܳ+=t?}fy\zNj<䘦o̿qmSˁ9ȩܯx9:7\}Aݒㆫo=V4 - !3e ; .5E0v/<ڇ%66f","!z1(gtXHŬX9..fՆt*b@CyU1-ݳ3]#59me BҐ`LiIXφUl,̢RYo~V~;RLۘAu 9LD؀/veFf$dt['@>ڽ;I_&oO:]/>:k ڄ@OblNK.9>ww$/wF-K׳`BZZk/)^z_h]n_v:EbAdG/pi#=o n6]8qNcSԺGe޿6ܘ]j,SRzinYOl[*g Ӹ8")e4&c@86<ܘecƖ]!1?!80/y&!d 4[kjT->X/WĢ.o䗢oԈQ" #:NcpήYH5h= W}jvW)\l'=zjO -iXuQ=cQ ߍ^#oax,J5évM - cӒl`_cۡYfypj|GY"fԧQ6Jګa;6qKNZxWJ_7Oրޚm^ݒ0u&Kȩ?4=#VӠ TrRKF)M Blg¬?ƩY19[cqqF!!} -jufn Jl6t|d2,zWzJOڐR`+1+6%Vȹ~mY{ݏ?E[yrվE hEm)ħl!z]l5OZQe_\5uFMݥfc2ifBt.IijE|קb'Dtt_<ӚZ>EcF^@*ha}0bhm[jnji@n|1s~hbZF_PhMa bsz5Mr߯լ ԝ\-yk -|lݙ~vv;A,E}kWWr⹓FȋQ;zZCX$G設 uYԱaI˫3 -z\N=#p`n[|vBo Â;S"<҇yA%_*YZ⛁^@.n .g!-òaYk 2Jh]79&mA]a$U{1lRoÍQlV|O5\[ٖX[*h;)V9?0ExW{A.vl䎑OYl -j[hv>kcw[쑠n%[.)*{kRI^M+':*ص4s0B1.C2QrCKqeq7j2L‹/ -kh>M39˫1-=SI>ei |@s8]<dXٝ'g E.)/gCB@snPG;%⯧y=(l`#:ccSaկ&%{$MsX3 -)P{vZ7t曙YbcR`qJ}sVn5!o[x5 yVS,d5WΪH)N >ӫΗՇ69ҫUF lLF:1WtKoM}wN-.giͮK#o\b@mW1 -1sۯ"9dTUP#S,5'ۧ׀gvJ1K\$U%`M([x1[3Zgj#Jf/f[R[yz[F:Ӱ9Jݯjv9,=05vM:hIxRTǁČvOjX\5A^2=gʯklo"z6tM =;!֝#fH9>{Ȅy3/ T ܳSՃ0.)`i@i9]">&!lp<+Vۧ.0JܺxmGEkѧԫr@o~5`;hXV9fuAm3# #8x4"5b8lzp1a"'YeRѫ.^>;r/f 5LՉ<X,!lM*6pW~r,f[{Us6n Xp\hƧR -<3glèYFENTU cĴ>TfӝP}@lM$ )90(Rw46p~o_`*tWN,2P{p7ׇWkzwٵ09zI䭨YhЭ 5VPF*1Sanքm>=fSQJ><y۴4j?$5I,Xf^՟^l<u!lfOT9L1~Yo :.-fbc2-؞PïmϠR[5 ,h]RbBEXG(̱n#5QŞ|'ynVއ ]qcևf9s,ԇE!ko9ZQ6 c榔] @}cgWHά )%>&Rr˟>-<Tf>i=fˋ?JjǴ}# gn/|? 
sĤឡTژ 3~t~3CݙwDn̹wr Urms얉P)>mGtb$hΞE([wxT>= 4LrOkzE[^Lj,]q'xgH;seY"x@Mߖ2Z)눨O[] +Yuum=B1mS"?j ȫ|Xa|ؤfj}qڏaVdwRf-*^ْulM[~y;ZYuFZUHp9 9!nyeҀZuyW[ TZ 9J<P,33_ٻ&!="lXzm#0݊ (m31RZYT:+kiBWƫrJ8X հA1NJ.u52ǀYe!e\H|pX`9Ɨڼ3F1șsl#T(+o%OKW iJkaK窐£A=KBvN\!Z &+뿙ZJ[hm )[RBb4)8OXok~ucp98v~7\ozԢDk9M˶o_e<<2't)E><:'=Xm b4);"s<v.l -K:_+"e1)tuԇZp0̔_a}!sV|ԃJ -dN@@_mbyϖ5:6_7-9,1~IlK8;]۝/3_V[ )gOZǥN2i}Qr*߃޷g& )wQjWk갊ڟMƟ1u=6)-mpkk?Y]3ң:oԹ+!;KY)?n:3*bѰjs=s=KףOԟ:9>6jc?5s0|ʓ?hf`zjcoE'/~g|힁IŀcNYj~rIP΀o~07 -ru - - q30jjp͡ lhܺ赠UP Ґt?,,13\ -8p.(qK@O/rM.V|pfwұ[2#Y|~?4cs)EߌZ1{#[ac[zKOٔ1 =W#ntxLr/(]=˃!E%hwYLݝֺ^/ a'EnOk6F_ltSm}u5 z98Vc}+=pA :*keW'aٿ"&·I%@;Kٛc7(Y~:3j.Zy[8' ^Mobw+;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9l7MO'Oұ9(. t2:lBq8MKln %1(Ķ\;~ -?/>^uM"`c5Eŝ9~>;>,6C@qskn?]Kh86ۏ_rǗg~AL?$("lO|8q,x#.$'ߺ~xY]I\viCq| o%~ݍWno:~rF{7%?oq]gYsL߾3۶lْ%+(sAd"gT9A0 *焜+UPǼԩy~>`Õ_:?A\]ބ܂S&fVqC%nZɼc]99k%iqk}:1˿vU'1^[Pw&T-nM6ߊʗ_oef8r{9;q wkYknխK̪[˻㌣ IdZtӴ.t饠d㍤q[s]i.;ǺBrs]X{ §UP -J6t%A(Mނ:"2#E4H[֩ w9=3hZy:5 U[іøUziYK[m;Ӎl 7\{YYj(|JҮdYsYר$My;ӪvwtnQ}ާ‹C]M\K j.5+5_nt+ 5w/Szs9>=+A]5* +9 T -Vx՜y~Et;̡ff -V&"Zmaiku -+zDHG " *U ܒy%k#νF.fڇ-Df"l2^ܦHЧ@>!zoSgO͇,k'n|X+'gVqRs@M<#:M!fAYc>Nu;rLsoT<q}23k  XH}j.k)B~M\1:1=koY'R3J56HQ#ceOϳ%Kҍy,Lۏcyw0!aErAT)ZY;vמ53~8=qR6ug!k5W毠P39vtvVsr.E;0Ny"ŸGE('m&}|P*FgP@ I26ycjV^;m_bq|U姁ϙ*~x!fqbwvUW>|Q%6:Z6Չ3|*:(^n9,69%WF#ޟLcETP-DԂ8 #^ \K9I55R^q}/I4ҧ~ ZP^۳vDX#j1IsР52H||\EF ||> -5WJzy&dÜꌧD~> 9(hN)|_ -ksY >._%;Z'6iԥfzAjɈG}24 - OԼWuJ3y{>!B¯2?W|X#jcʎlB:}3~it[Su_nO7|s/G^5c|cO]k|y>za㧙i|P+:w~NS 4VB]o'Re[-i+keK-jXSHgE3#M5Ƀ1MqK ^q`_ϴY{ RƭmL -.-=mfk2=͉ KY٭7*u"kWw%mk;-vG!V*(nŜ zԞn6Pw !G/|GX8eSс]ӕ4`v w[;_8NNGwN&pO`s܋;cu_^⋆w?B85hg(7ru"u19Y=2-m=Jjh!G!X GC1Z4 P1S)J9ǹ_/ë}d܄QMf(n?;N%l ֣ ܧbcY+5~v F1VYv^X_B{sn3m6f:+mC]ʎ|`$*\\{DݖO2*,D]dXF}]$ oٜXsUG:ĥh-E {~e3T3`^T>4Rvn6"^~Mſ5v4xݷҵW]Sy!f#m56^u9Z'oۘ]ިsbRV򖴓_g#>N̺e1o'p䔴ՠ 2I<̯^9d®}6i橸E?=26i--ŰYG2(g>Tk}%ر -j-Ř+63Lޅz-ktPz@j:Ku_ȇ|Ȩ={9ӌ[Pv +ѠTD# {VL EݲQ4|z6jS;Tdh*.E1!|6ҧ^5*@@`#Nq513Q:e^U)oKdP#Gzb+{+E 
ԲJA,jH2Q^><8n|Lqќ9,}5aP}2]-heeXg 9*5D!*3Rאzsū?3AUH4咷P>Aufh|ڽ6m?gPv^T)ҳ_/?[!.)߅Bx4\Kq.ck>:\pw9k[c_ khdǑx\M> ѶWғ驮Y,|bg-,0/ -2%S3m0 )+$Σ wKw!i^Xډ Yy㳜9,۶u_ne_6aez}nkKN<|{o5}, ZEA3l]*#nu, >ߙ4ܔWCA0;]:u~E%#>"_$NýYlwRXZѐ HZ~Q3+Vqs\Ȅ>4 _]J9e)蕤u7ct/MŨFb_EN"}O0{+Z놁 -IZ.y4!0h0F `w qq}"!V9멨_#<M>f0SK:? -?%B~ƁB_W? 's^`Aݙ[ zZ)ڦUy̘3g!d]Z^)m$u\O4a>iA:Y{s/OJ3q,nխϩꬷU9bS6glg\t>+˝QٽN5-3-*_kawlikdJאN z-0)q>-ZK^+[ wᖃ{^Y;6`pc-mONӟ!>-9CYm?l (#8dxt,=/(ٝdONNa6!.YA)KPqs{+(H~wUޱҩQ.e0 c"}.,dD#B2ފPXܦ%h^+,juDDΤ}foHn2hԒTz%7?-cW(w+a+>8gIM+u昱 B~=v{rʛ332_MAxW6&;]$}fNݚTs%WRUTA,6ߴ,ύw ILN[[:"t3Gn Nzy:5 r8d܌3$m1'5'(YGť@a% - -֦ uu)a gu*mìZ&$@j{HׄC- \z аq9*?w1ZwV߲"N= -Vj5ԭQ 6dDz-V ?\Gs^v \+/bP/_c -Aa[]JD50|l,Iz-/*Ҡ *^"*!6g+,Ieu_Fp|D&B*"i#Cr&w Z"tsL@MfST䭄פ/0N''ÄW7铢9D@G-7323$x?OMǤ TH{ -0`TR`|ϢVTO'Olq=bcTV.(nޞ]UUgUdd8 p؛xs);1VHF2bF:6k0w٧w G4lnZ^ҳf~|Vۺ5-؅Zxr`wytgHhߨO 6Ǜ_i=\F5E "Vua7U+c\.X)ilAݱ1C[C]Vn}~kGWk\-|_֣# ^QlN.c^y^Lڇ:uUߗH8o2 i`0J dfɈ]itkǔlNۥ;6d0ԯd,NbgDTY`V Z칿O-Y]{s 0pbdu>Os@֦jϊ -ASwڡoM+[2iݱt{k 4Ibs{~wq/A5鉀VbO6e+I.eyu3)^ #ޟ:o6 ]Hn戬43u cCzԜO~]Ib 4`-J=)IԂkMב&VwN!sKy/v`.Yp'Oj%-i1+Ϯ}4\QQ#֞6}Wu >stream -OwF1?AKpv/ «k>MqJ7fG~GZo`W8mqwVRqdgv^sF)ToO5>.=+f'Š͗G5rk92y81qdY't~(>펋/UDP elBϨS$G+k(F"#dx9E{ a-]0u`{%c?lU|ꤨ4\t"x9WfY $\uҴK'O8] xУ:'ݧ{p [?n&5}xLOAA6QQ5d pwּ6=2.NF KF 1yK_6 ~{o䣽s-K9_ҼW6-J XߣBTgH$;3܋G\痠^IsØ[MB.ߙ[6URԂsy(Y#kY8IbJTu8 (ywn= ̩aÜ]P_7bITҌCZ 1k7 U{֦cty):k:.k託Kkq;dѥ'ߤW^hx1բǐ, w [9mSڜ}fl1Lŵ9ŠDOOͷE';w3S1 AzW1hfʻ X͊܂YVfYi4hM/ZHØPA#pq^A-h_8Œ(Ϲ4"}/ , \4yN@g5½pmԣ`AwS!bKՙ:oT^A7Gn#oZ2 JԮZj):#P;v)Ĵ붠qWr"Ɉ@vHv9A8LʡbƸIMDAv%Ј^y{**_fٝT7њI-_ ћ  F:_Pլa^zrF- zx>S>]esy?B\9Qxo\*ү`jp~$b4xx 齇,>.ҙ-dhcPE'Y* F@k"޴]͸ahwɷSȂꈅ@v9MJL<sj٩yq<0OYjV|c[8WgԜ2hJ)jWFҪ_Zů0 ()3!tĜ:mT%'8' `켬w4oOt=jtqljCIcC:}o61+JO[_.{Pg9gdOnrN^ g]&e7@>E aAIi'c^JW;Ee?@\bD[܈0#c}q`94lЦJ[QeU~,v%DBFJy-:Q)b|3R ?s <sz2/6XϝZËx_CxE-pߣ˨ص՘hB^_6jRKЀt.a\woWK֯OSK;DHKs}P{s?\\Ҫɨq*KTT%urԛsǠ@<%ԛރym۳̳ =9IiYf^ z 5 ~[_(`e(vY]1QJԫf{!)3GB=X2>yQ94w;s*zhWcQy?lFm -.,ـmL՗ђSo!Sybva wݨ[q+K?JNAorNH1Tsc*,j¼syH"1RPI9=5!vegU-_C9Դv2V[tu>3~$J6}u)r6Q%i#KPkOTOCioo;p/;M@}J&啶Z t`m 
-{z^X΢Ǿ6GD͸Urrfz%2}C1W!/ZAz#鹓 hɀ^bZM.*!f"( C[T؃WDr^ly,bURܜB=V!JQ {Kn1Ar#z=coI_V)neKP+xܛ (hH y#`oAtJFXV{ W/ ևUP.O_KK9@ƴdH[2A遷dY^.BCY/t{v׺k.3et}O܄~I^jO'ASqV޴ -j(/c&;Ͻ:u -ʨ h~`Nx5m0[&Fdۑo-5jAbpnq@ jOc5^mާcnѵd+Bªz#(C0ߓq]3WޕK{[ɂyvɁ1I绘}?ǔB2,lʺAְӳ촶33'g !ZHu"9cgרNLq/%'xW)F\ i[Tk;n9H5^ui_<< jEb`@fyFJ'^ރW1l00ȿ~Y;XgqQ($=bDuY|[rk_W%윲M& -yQ+Svunwtg=&dK$8V H<;pL$"Vrnq Sr -1CH-JHHPKƤL|Q58@O-vW߼[/ȨFTB-IjyDPҞ!𯭍wO.Kc>_RXXډ8uـxc2" wBA}AץzcӪ!>r;@%j>]y=Ei|tib|'`~ 0r~搳Iw^c}prNTKO|D]F5kM-)6ֹ)%> m5+2sԄ*7-œPS vfX'3njqiͤ#(,_T4jf.A|ϸWJC$Bz5C->_dF<"b4A-krۤ+П?V25 GAJC+bؽժa%Lw= GQ^Fjx5W /1˻\,lӚX)8ybۻrǪz -"63ٮ+Hm2CZezup"hb1T(\g%<"&"i;9|`>j]q9Xg«QZlħW$vΧb]WѾ7o͉+`l R~% hŘZBΌ֬ -Mv-} , S$}~xJzCnԃ+)Л NŰ(y+JIqI!zGߛ^֨XP+ =5#VQK$x$'2祵=wk ߣspgҢp]XDo!a3, cV43E z,UҶO%cvqƌ6GF鵷Xqr}(xL$! f1$lrn ɻ"¦cwsn2?~ŐҠ;ۓSi|PVh0_ -l@'ρqzK`s)`Y̭6ĭD|: 1I <~%9#c۪8"Q!t7ɘ^@6FNƞϠ:5GAWۿki3#,wg -ԥ|)kO@Xl9]F~ԽuQWݏŘU 5MVu }[0'9s[D5]RW.2-k3Q>NR;^L%˸ؗ==L^L**d!w\5Ɖh-2,ݏdL!YhvkJM93t{& -h.pY!ϯ`!soЅa OtGq.mc^B=wEu0 4B~~tRai;7at>jTy(u=9DT+l*zn=Ibx/wP~bD G{+7f ob_#^Q 7b>Q#hV}ܮၞ;`8  -+y)9>>(ީ#9qYv)|pk>ܼr#i]fC.EKZOy9ymfAB5*-;/NL}˲VQYzw!9=fʫ6ƅYGs6΅{1 uuwg8g<?=d{~ޡ!N<s36֙\Q#I-*S҂K/|Y;!O $ GObTDʎԬKjInwr*ink _z#Vgf;" -AfߋZnQÇc?bT λ] M'$L k9;*5ѽj3Ҋ *CJv+o%` `o~^.,uEGE7TSY&ݐp( (؅[q"1 32 8dRܧgl yE8Cy,\&\KL1,.Y\}V1'.ְ3vQxCo'gXgH@/'Pq=~TNgOهSS3y(# ,zҡ,d..qm:k+&'xqgI9zm6أOt~#2/\͉#룝VAIν8e)1Ѓ'ƅIwQ+Dvd48_lIٕgssl}e#<\}?kPphYUcvNռVyMcmVٌ{qkWzsV2~bz9Vvr״G! 
ҜUx>Sis(E\fub^V8Sњ]Lk6A(xrIfA\]!_J>p5;c]w6v!CR^5Y5!2t^P9oFt%;'̨SӚV̡Dlʖ ٝcY+b>`" j̩l?1'4f .5 I^p5m^N9=w9W:0+Oٹ%S_N)%^X%}*aYW-Y{e!Sgҳ6^wX/@Ɂ~"6+ψK#So8dzZF|\p9XxyFA8-ͬ^y)s'5-;/ǧ~OLY&N_ߝP7>-WAN?}~nUc1ѹbaƿ@It,=zI\/B/Yi}WrVs՞_f^9s.Ug~~Jt%=- -|:5/6_6}>3q`-s?ן7~_t+Yy^=?mP:7nhBMnM9;ӊk_o7}϶2~ʻg3R+o#}*V֦h kJ^ExŘN l+Ammji+Oھy<#a蓖1O0lCRj?=-x?V TPB$hX 91uh hf^ =CmN۵n93ŹDk<z# 4S 7o4~h3U~Lt_"j?̀w$ -J?WDSf_cܻOvG?%&ggȠNq$GjZRNg]";>_~~Ћ>5U]\|;sh=Ʒ0!W_&e+;#k/:lxy_C/cmƘ&kv&gx'h&xMvy27:x/믘?$'[o?:~y`x7;yt"V^4|8x|y,}]JM Jt9kfwбB|fw":ӎo5}`͟6B?JL^9ZP*m<nkNש)q5IS͗-_.=}^ow_Ê_/xǃCn|]`iL˪qe3/~^gOv|Rx_5_JRo+Gc8CCM|\5m?iapf_fg~\|E`췁._ǍN~:Dv&z_olzy뗁M3qtN/JO*˛#_~\yMX{e[#q gn}X|&?['EPOoG7^3oۮġ6?m<>zM{wnMS¥2k\\+ivcoC?ഝ)ooݟ&$%2̽/9卲?"xVZ^JLdy`x7vK|u^hr5brwF$%qɕgj8/UWo6KtOT;G_9uZJ]EJ%HwW"%$$8AcDph{|g_ - X={_?L-m@\zwٱR`S;1? bR򱦲$&ikߌ5R| -ٝfg{!7֚ӜNa?Pa!4?,ԁr5lzOZk}\Uq2IHQ~~re>3< <5 g4e}5%>p:EhE="3~4 -)t]Kr=.}0S,^MuS?<|3w[B)$ݚf>"o#oÝ.6WPښ)ՂG{ㄨJnn\SGQ]0)vXi"7+(ڢ 꾮:W -n'EȘ{!_o7 -?j+^ 2tr:re?ä. 9?.7r}丵ie%}E_tmYgf*WplV'cjSW -^S;< !~nG.Ղ'I)S_46Kyä9 -`0m 8ל(Bm ^#QBs2=Jx{$ezlYJMYӂeMSB_Ey7[]N.4Gy?WUO_-ÿ(9Yk_¿Nޑ\[|:BJOx"Gܘf_~RlΠRj>t.bR~|XA// bCDU]asv3?(?n8wuͩ/tiM7J!*1&H|3tAxyN/Me7'/'/9+yKWL `v|ѕhDxp[m~D~qD9`u`>Xl/b,5BA}^E t6dOLL`#~g k' Q.8B,5}^o-r|2~k\߃ĸ1b~{"bmk 𧦞x7}Ww&ql ہlɥB­Lߓ2?$*RZN9UQ>Q<2|7þ6[m, -^m-~RNҜZךvsO}u؄yތq<dmu̗㴸S=/;cޣ \3x(#"-]mz4+ E2;MmIpbU>Ǒ -e$\[遄\z.i.ar&NaqzށL;C@ ~z1Ŏ${՞6KV$<_j 7з{٩K+3^Np!o6PYg*g5Wb>a)ITi ?]U^Tt -xx*Be˵{57β(NGї~7Ai-ZϝX¿Z4Zmu%+剶m-/FH611}{E>W$п0[#61oY2,Gm]bCΫLIziv }GeIؽ&X$dm [ҵ>E|)>FDgQX/'m2O,DQlzׁ?N'y{bxc3 !`'=hYFII]!rV'"x%3G$%moNU2;ߖ;`ݨ9;ap>qZ1iijyYl]`spZ's>JwAFX}u !3_N=MNNmkTL0*X #XTR 2`d|?e~4Q<ڑ!\y4 -&(^/{ W*9f ȰqILԱlRҵM@ 0 O{-ݙ)O~@&w#3~sg3&*t&[hK!>w0!rZN/ۅv h&i)Z.QhqIL5A b\WmMŎb!Zܓ*]*pwnž^9 UTH\dnkUl*rkL[~(:C̊7'L{*n* ٗANS5.,)( 9[%p@ϔ04//'~(\U1DF!ˀn+t E>qeghG'xPfpy;BeUx,/+9aDamWpa!l@J}[(uYC5W?FY JnOؿpt鬀arJ;5lނYp񙋡w)z[7@)t^.v3#Fp!Dva gt>(:qjjlz(׻aur ^׌ ~@A;T*C'Q+!K/!'Z;o]}k>G Lc)XO5o;@Me+ˉ99ptFX]]%Lj( ?vs>POهkxrq -o{C+/0AO|0(eV 3ۀڳÎe2PN)&\SzrsƇ\w ;Zkޗ%t%?Ʌ3ٚa.陊vOBxݛz0^z0NLF 
-&k"sydK͙WZR٤ȟmܸIB}8[rV#%ۃ%> "4f)X-Ʃ%QR=vf{pőzJ~kV).0aAXl擵E~TmBݛ&XG3- z0K̶j(`!E>[p;V0QI.X(>GK?BY  ^Jt9"!&~4.jkL}(,>D삃 jx B}fw -Rv_yg5`iT⾜y2B&YCa^|+໿{ᾛ̿\(oF=';8f1;o87p&V;_t dl~5~QR3516Y;u/-C+9VmuғLzZ/#Ysxi6%3R4|[:?Y!{_8(w&165fS{2Vy I¾{^+ 5\J\EV9P]fLrlIlK5Fu}qa#n($a=Ӈ8R"O}/.D]Ne+=(Ueky2WYy -RtRm:b[4 9w lNT hzW-zi- Ee؄Ùr}Y=P()ޛ`F?8קX'Jc/z]Խ~nװ,^%][M/FOi},M*6 PTGo B~h[<2ܶQћcĂ>dd|aٴ_|pk ҏք-O{ Ҳ8&"'/qv l#yg%(k&(nr N22Q;kW {Qwo y# ]V!Dj(%\ŵ+;b~I\m&}lgD蚙3}̇|]n?Yn>X'ŖIJ,aOYXxI`jyՏ].23MblOVõ[CFW#DK?Y(~QeOAu~kF]pRF`SQyGL.>Tևvs zp*ܣ$.#%**2Z0h-բb4mϕ3'q;RT `Nc2n\ 7$ZQhe߿L}܎M|/fzSt}>v8u<%Z(Kn*~*L%{Enm%%bt5dk7(ׁq_ yRȘU9wI ):-9y}K`ϹVr9l mBXyuj>?':5%f+=Ƿ> pkWk >X4ǹ.)ZaQ p()~owYlخ1H.W„ w*sn{G9ʹt}?:n V%l07>R 0 @>yt_wB߂r=/5CS鉶YN'rmaY C$ztm^QuFvUHdP7@:\@9ޠ@Ώyz }(P/"o7"J?OW>-"'kd3r|)P7۷7|=qy9>=7 -z5`ܷAގ `HN+oznTjƎUR=1-XCz|5/RWP('rqs{lː&52~u|#JZ^1FExzT]RZU`! DX(co}mKzB>;^?m,lGm{$ȵvו1!}Q5|{$,w޼~#0__Q<邰bG:QQ'#UȂ'0Q3?z -| -0@9?}z|+%}u3"kq6zIȪMTE=S?X KO $Og 7o@/ݽv -x׏n_ 3/1+&f4xw[q*ܵQv2Y 8)8@@^rx'&!:Npw\%Y섆d+)*تtcőbeWMPMˈKe1Q҂A^Ggзou'_.tsBL ~؎Nvc^'u8ڷV`'ԀG9>| Ae9j!^j䈫h]tcEi֍JhJdlFpw{砷@y8<C^ptw2cIfQI 47ÌaTaW~;uŹ\__?v=s#(r׫+m=5g{ss܆m% oWBh=pxإ@񞞠(w Н@o3᝻_;sofSK<}0L1n -Q 4j( e#ˏ0OAn=Փ gנpIQk~}4I`QVVQ ]NVJsxbՐ/A_^8_9-A,޻qXC@/@a?.W$\GG^W3{3|ʖ^ -P<;>$:".J/xܜ^n] }>|z eK̴"xŎ MC ;y6*bxV ºIl6 EQF%-ȹJ<@3bd=e 殬`2uZd\(Icm*{!#a X3-XS :6>-.1=9ٱeqݥۃpucՄf&D$ݯ׈bE5=!qY|k.n 9(39 Җ;iQNQ&ƅ.XH~T^{SŸJ 6˥DK-B?M Nupx95,rABuF -*qNmG~2.w. NV|M FMu冢.keWO0Y}) ʋsPbeTN*,/De5mvMM;{3x>S'v5n'ie 0z)bqJ8E91Y_WWƫKpM;+b:!\ԍv/4 ;}I.MSSf)jɻF-1enV[[WFR|z_j9Ғ%nmΪ#au}]lשfVJmnkS,jz][Qiiַ6.Դh1Lu|싼6FgfA/D q-rja@KykCccM,0M(zÕjྶބeUsWG1@?Ѕ%qW@uT%lf<|plGVĪxk%?j*r{"ops 2XS겄o7%vUe: #/3gG'Z -m˜^Q᪸nlS[(UẹE.|Y?O)V 9Y[V&{*[15 vL9ь5ĴaR!dݦ 2z M?gFr0&?봪+ -cXymW]qC?]NKF)6J?iQXfOZQY)ͶJ[$uKd!ب . 
-E*]x{4K)OJft}x ߮ Jzk6ȪXJEBN3 IS6pF;c5doʎ=b-ӹ eW3K&F)xw0]8PWr,*ή6M -BS!&Dn J~`Bz)+`dj̀uj5ݢX娨AMN,YyOٟn,l[[7UݛZ %ryXIѻ -v9pε|V\ALQ޾TYpE?tE?S \@٧E) ,F|Bb>:evlEA^1 -trEEQ>Zh=Yi;^0腀b/kXi6Q׺a{ -&lum\F&(d?,&/UC4"o#B2jy96~ww?}=\]In3pV;cHLjdRau#~Ɋ{rx母nbMD#8('.zM.Gs<3M1,d%ROmk[a<u8O-ڟ&d&å[_o4M}vEG]cS7uO3KlrrALYj*q7 鳝fJ\#X8>>MͷOr\¡=uwТ8o_`t1NSz9!^/Ǚ'ʦ, ~ǯ^Jܓ #Fq-*bi^4\;8m?P7vڧ-J.z=Vw "`WBIWcյ=Y Tˣ]iu26.G=O 窛L'OF+յGS}%d{+,3 1٥{rzU(9s8YTD"#MC, #m"<&jIX/- kIXj Ζd'|Me}OS]W IrEņ̖OY٩q{4@ ~-cNI!PM-8Y*gY}6VwEWֺߴ0O;_j۝WGڱ:Qm~pxԲuqہPt5,ꏴ>Gz0v%)}{ݟhu!썑Ҏ昘MQZeIC+5&;cj'h`<|\rD,݁ # $c78iud؟&['Qig4bU:mThR纚Q7Kܒb{S䲓e^f0+f%91y<$1PEɶ)q"֤wziQ:wp`۬MԽx~(GgKjUp+F\[N*AQ~=n*acm}abG2݁bo8:u%a XW2l*R4`[+ ,j>iNѶqj.FOrZLkǧ8~ T\Ԟ]jIϲ*i}5;Yè'?o*4Iyl)%*ҪDe!qAy)e,CM2>dnOY΁SMbXFwghu>Zuv<]r$YhQ px?;y}3Yt{%ϵ³yj&g- X8qNU#MMJBG .(BֱZr>_|:{ -5P3XbǞͳ{ΑOfRRB9 -_h -LꉮA)m -{'JB -l+4[cŊF| rpr|K;_2;SIקNgiig`놆?^@$`]?"h5 -ۑ͓@C)<ޟoVu ր%aU%cC*JŞ1BɌ}8_ߛZ]M+>Yi/*pN?:73N25pDӟ)ao? ~lNw\|VnF>3}rϔߚr STE^oI-v6 gPKGD`S㓏Ԅ.{wS?,(ef[G) RjeJŸhC?c3Q i[YS7F01nd4i9;or + m 68AjRt4nU*fgs &HUh‚vDy^m( n~܏E?g խGڪ: 9ϪBi#퀶.aK)E'Uu{w^"Eۃw6_yd`0$(&% lvzпaam.C7\,J>[ g`rpQfT9C5DC/)yfj3:Hp<*>"g+P6 %mF[e3wY,uYI.n8#{2>%%G,MAEWS!6%.psA``ߍnCܟi1o%M"n"eQll#06AZ;Pbt{Ĥ35d~᯹gZ7.Q{5AJѶ&arvwdKOQ LVbfZ$x@c'τV -mGU&9)(%&n}_U'tE,=̡9QPf9& æ)igʚ虻Z{}a&4`wcLk gcCڬJrA퇅p)+b -J7.Zti_@X$ -QߚJ;bR^B7c6Uٟ !de (ul֑P`WcM <| _:7E]*vbE!D7*[ȥjxfB[YhNXye.0V ~^\v@ AR\ 7"om>8SNT4ME/2K6 4i!Ș[mWC/sO $C%zb@Ny8_hXK0B+u p`abDARڝv%qo* %ߟC *:^kpuD?׈n|>ыL\j/:9_.L-`Zl&dwJv_WYU ) 1C;9_,/).3IJ)&jO;6I)Џ!cŧk41]6 5QDs @0ȩ9k.4+ R ?hk3?e<;Y*jAkM؇`ah`>g*l -BUl* [wYlU\+U}(j>K\Q{"^k@0 z4:j~"L](WSwnTP-}{A8ֶ[0~3,Bebm.vkbWWVfk귤L4`e 2a|M:x>C/z]8&BQPi\:࿂ -\LmNʎ˙k{*l} -7)I9GZ_78P3q-%&qOIKۃ~dUI/vk(vuǸ}>U>Pg8)rUujO6J֚{.n&ע$Ԥ"\Ŀ9_i3 /3vsf2Nf_+[౧ޟMQ bϹƂw `!cz(_V7)#e.:I)7flcFK#_tLy3!v>I!gEK݉Z":sޛČQ|DzTsY2ʈS]uY-L|e ##ߵ#\5墭aRҜ??|\MP]1K2V9 k Q4<sj `PPx)8 [~7 >A@F(>rRzֱQz>SNxKRߕ+PՎ2om-0;XU_og#|IXI> a_Rr%o…7";gy6m:4ؔnz|:G-5%:ld|)1@pIȱ82&xgt@l! 
_j@DRToQv7AK},%ݗӳ/Wrv[t?owhؓʪOʨU شrn;Żws0k*45qk1͹}EX+|}Fx>6ӳR|?K5he1}N #,;$ś^s¤#hk0$w-Ü+yg ,9rޙ884T ܒ|4@pIFof8䋞./q2IO3mR陮jp_gP 5(&sϖ$0)ʊa6tNȻXEZXbZ;Y-{c0I^^B^a Oy\\<}h?4̟5:l 3Z0*`U9?"";{/ysvrw5[GUdY -2A[ 9 ѝsy+粵3FPW@\F{+/k, -71PbW$ơY;\)s5!cu_K(A=$67Vj8)s²}`C zjs/j8gAB2/Ȅ\/SugdԸUQ_Lhk$6ëd<ĎTrO2d]q㾚?/ ->%bCoSƑ1&!$,`)b85[/dV1rixqg'(iWc{ao5œrv bն_j`XX0䍮5W Ooq1Z1~8\brw LWAҠ&a SvWL>Z(o'.Bch%N))纺?/NrG, -xdc3j7厚;4q_lJHK*wdP@%9&1AВڮ>)rfgcfn.&:=I -{ZZ塞,`YXԡjii~,@G*ϒAC5|2jL |cw-zK+"3IhZ_+;Ķ^^xcPu,p R}sZs4W ;=`^ZAHLHE(?'u_Ԧ9 MC w"ผm-MP_xϡ"h;3d^qObW:trGZsz$h&(CT*cvM6ґ! mm}~~d~3G.ښ;VqыHລis1M81 ϻakG}pR&;spU * WRJ3E{.4}C|sH7ϵV9v5\<.3?M#b\xtyVX|cc^#[ F0qWD~R=iW@ _'>}}3+4,ҙ}wᒄ}bg:kp9L _f,saSafٙgUj}rmÖ W6IMwg0)oMԤ)p][5MSIcg!BAԧK@.H4&؏HG~jOYؼ#+DA pOsQ Ąg[2RNpMl}w,e7es hm*ygi>V s/ػ^$K$ls'HV -2vSOaRxPc Ud 6;ku{j8y*ܫLvKq+C(, !BhqVVYy!gRӴ<%$Pp_y&֞쫞QprWCsK5XC32k׀/Z>nNS־?Z,r˞9tOUfذ=u@= |(HMckڅkG ]?V:+#y.y[ Q 2UϵkX=89Bȭa>6p_==)L0O% ;P1.)p߻Z&|Oή01\\vit)8Ʈ`3œYL:ao mNSK+cS+}Jd`3P!p.pu 3(2ku bWFjwgѩstQ6Rܛ֝}H'hpѼKywp6B5Oml7E71Cq_ǀ{$t#Y巙k>Bjӌ_I+]BtLʎ-qz*9MtIp ir=\g5r{9SK9k6A)μ>R=G,l&B>[H}+ EQ݁鋵e2/7Q~=:#h${"0)WB-r3sϾm.zwW3M2:7(*~G#%F<;ts]Q6)qbkXˆk -1vŦź==2p[V'\5K\N?Ud 8qB9s]-_V_ tzuT엋cD$MP}?Y@e:Xn -im,G_Wꇎ" -W "5SQK-XNoE>ϧZ n8匬?kߞXlyWSvnTCzPs1< SAv7B8QẦZzo*_`Ү>bwI?62*,]yoʿ-|1(7y-[RC`|W+O -.ɍ^,|2Z}`qxҎt(#+vevcVֶc[/ =HQ2b)H.? G%H=֦p kC/70q2a~\O+&ዅ 7a XP -C9#4}17- -mZFi^v҅qKԦbp -"MJ ,K턔3C -"P_/V >exemGKۘ@yܕqB1CMzJUpS}5ixq.y dC<\.Os6 ørQٝ7M}pLtRk厊2fJA A֟== += IM*Mb'5[:z0h-lXFwu-! 
x52`}Ls Sh̽pv5`WI/u:\w蕓u$?:BA@K,mЗƊ;MӐ rbh;ާf2Brͻ-^%.{e6mJ,vcឆmJq[ô;@>NУU \GA8f^5Y.<^&ncj7hms6 )EQ[swyc{wڶ⨅Yd߫\}6~3G# wXS<0$!ecWO& ^ .+t_6|ŶMӊRnp2udk<\7yp֊&Aj: -@X쨺܎y]ļ_e\yu_tgv:`/9pَ)RO ɥA$Xw:B ܑٻZ/7'mʹ״Nqoԗ8&_ -N -~d躡)(*W9V}0B>)0fAJtOw WgoXTR"𘀪&eZ%JpOf# 9v|*܅fI<Ag\n*?cilVj0ӯgI%Y>fK:jR -~-o$L %6ïg ,䮹}IPujwswuXbWCSgUm߆ fO݃ s츓於{AX)Ld|Yleft{XyImP=s~^6t0Vho 5b.|_Cr\,JR|}yQP+,RxVX`3Go7 m[ u%4?D 5>IZp -cL4)gFȻj*8W75m0E[*Bޖ -R7e40OY#ÖgE kbb,] j49( yݚ&$g(9Yrw -`j˹fh(nķBNRNܜbf]Ť!sMR[O=ؔVHu+; \ھi8hkti Gj7)kY"x>3LM7a~l*ywZgrcW`R -lkܛt.欒y|$)KUB]u{4йH#9S4l;ИdٳeM⾁bknj+@n3-ǟ-}= dB/:~+D$2y1κ4WkDFk_- R b bjve|^ $Ž`Ҫw-2HY/P?՘.d|;2&1)UGH0q"OI.y 7{zFY[w( klsH@֒@ x -_$W٤~z֍ژ˟c{=#\5~!`#i&r?$`- x|p6vSB,vM,&}P}פ[3kn fqI`#d cs} -=_y)gܙ_.77rH$&e'm!qJ{_;C?e#<ᤵ4B*2h_&mJ*_+jCS iu_=_pu$6U\8=Z?1؜E+L<;AwaνoXW{ܢmΪ8 4,#Egy5׀E49&%U8E$yo3M}cp1e^5 m* bB6^ہzՊih^z"wng;TQ7>j(L_LsKV險1Q{F2Ȑ2, ]sƯ9I A-tR]Ӡ!+ #zoֈFq~svroB3^t tJ}I8e뮼>T/?бjuBn\z'[kU?߫3 Z}3掵zޠ$R[u掊V5KpWƦڇrz%5kR`n>34]rH샕}/\t -юڏˣUJR+3O#|r ݚB>/1l⚁؜M F kH%C)\z3% J>Y`^u~t0?eoE&]]j f]vEX =ЈͱGs_N/[ΐqs`"D䁙 lY)Wb"bCw_vtĮP䙄tQR.">XyC̻G)L59&vT C)lܡI>4S fr"rLxOx_eSgA؆)j/ |: ʺ6{$hr!boVc}MmeV+9e(Rfzk}Zف۫|DǬٷ sZ{ CĥW\w[ //#BckX$_G:eƧv /\WE*H!ۦ~ԧة%ZBqi0q 9!@yT e"a.tt2 6-1QnHsºYo,S? ?wW8N8%2fi'\CA)>50M ʐSLc0wA޵vf>/%:*dQZե#K갱M)W{rFz⥥ v_(8e^?8Zqj&<\W§D@)I'-d"&/ij½֛d:q{:|1HYĶY݉BCI_πfגKvԄ,.1x {jkd_%dOryiGvazIs[MuϾK9RŶs#}27ၽQބyن*>;E_ g64\~}7" R@ -y뮎.zs{쇛8W 8(9CG9cgա;s݅̚&m"vue [R#;+rߝ e<9I9ZTLXHF(8$@%ڞFzdTwR PPjUrj}HcZ#||APG}uX=#1ŀAni{:jsA/.䧝pf0<Z'?ݻ0.5Yx̶-i\[N-ׅxm;Ջ2.ּMzЈɸ=_?) 
F{*?$"o )%#SШ w(pQTuL6 -6`4vެ!L15^Լ׵ < 49T9PnŎY" 3Zu9%qTԇ,2/: OMOڪcǰڸyqMcC]$q@Yt߄.xGyC6g] =K M͐dz.XO:L>9/ȿ5^%:&SȔ- Њz -#̉28':Aw]įfwu"<a}2k$玥Dg=Q\-5@s/4W>W7@ #7&X%ںrNF@=Y'w#E3m;i]p^\v}ܚyg"gD}uүrq#3e=4ciFd:pݯ';F^GK_﮸R|UL>ڷc׿1!sڋ.R y7fY'% _4g 8M~~]_g!%ŦnҕGXy/ Y*;Hð8u}s 1Fua"ү`fŠpt8>[8̀Z|>{0Kcx8[2tyQk"LQ27^8κP_h}|2\S[W84ݨ} -TκKOݞc*7(l=\7Igه~5G6Q2 -Js]&zf`7?^(oEa#_[U9h/5eTΊ-$0}DC4ش I[8k Gq>\$:=GlƳߗa[JL ;渊pezi)/r[*!Q.κJ&[왅ƸRВ*Z{iAԟXGuvwby䞱:U^vmEUo,buBԁq O+ET }J\vk7$䦩|yNc3wf5@mONu6gR&ȭwL"WCI9I |㞡,T'$P؟}3o_쬽za朻+#cˆPN˹EWI~Z,~ z}PHC~!BRdcS|]Y_v{uvzzs~Q 5C;uQ?^=q3ssS2ZΪ dk2)?v煌m5隮~2X>7p9] =>"c!pdm ش1J%{.VӀ` ExzT،pVAM\>`H~sT>˯u̐ӤB%wmqmͶZu0/T&:..oidvJ+~5" g"wYQpq;*:D/1KC;c멸a3 e `ꇿRR7I~ >ǫFǪ9eH=K\vH))>rǾu(՛ -6tcR .cgQ bm|w}YL\j(IhpifN]K{ 0L\P#Pp.執AL}7 wmݢnz1^rԔwqծ -(k5ѫcȄ%QÞY$^GI.pI!X26uL,=(Y',Vcۛ|zֲeYW$u;? NVǭL`3(׍M%owĎNS Ĝ{2FɥvP{V<@(zaα c+ެ # 6F ԋW߯ - C+,=Z3N,E\ͼOj=G5<ŗ _$?/Q&Ag su} dx'ЩR)5Zc !=Yܓj>Ʃ\fm-ҏ}'&愔ABf'<4+"asO pG . --v( c t6+9ǫ"R\}0I[F_E510_j]S5q^)R\Zh -.33I͕*ʭ$wM<7r;F&!'ܽE>EXq@U$1F'=G,Tv?隑/WhYNԫQ 䙱⮩ z>((^Zhq Vjxvo]P :ӭ@&ZF+{\nSsA{<nakvHQ ^|}˝cU+̇|ꗳ귺ƚ )%# [y*~M &y&I>) r/%KU7[QJVއy]b|eQpWI`>2hE!ſq/~"E*ʏ?Շ)Ɍ;.(>>BM)x$!9L/Äċa=$HSN}7㝯f~㡑sMTfSέ c-\pt':Aֵ;O2Jd}T{ r4.9 =S*0I\~'%#O/Q#74WuRdY+cKC(i1L3nsmB:nP*fڌ-b@gP -KcmIY41]0&[ʯ1CF`(H0؃.U7Tn@"ռ 9p}xcC7${F --.uռ6Bn!|ĒC:2El=DXobӎټ/;2_xc,sW j諕/Mи^;Vk6F(P#scQ=WvO*cdKWms[%K{AL}:Fxmƿ)Xk?ռ81Vq5J A4MOlO+楥gi`,80Ǧ9+,`ӗP:~յD{omN}a}Q7>+ڒF;-\^(%96֏xQ8)%PK٪G1ԉ6fPY)!TG^z ryk`͈$dڎ[nƾ5+8շǰ3뜬WPI'fǯM32!rELWtbZ)'p5Xs`pMc;,lui^pIYh@쳃F '/.Å dbC 3ֿ`y; xr^*qllcx){CouE.X sjSȿl+#+Cd}{qrq+x>m1X|9 zޟ'q͟TzR>;Wl?t EQݑQ ӑ~ &K^ ֑%$}Oz#mC[?zC#>wgKMvm!ևkĀfe$f!}^֧4 ͅ7K_۪;l bC#sdf3لf-s].fl$0.dܠ#U贠T ZagM`6ļcU-c;Pk#2lGco85M`ҹ K={ĵcaJ򚔖Pq`^嚔].Bz*ܥĦ1˃xLHڦM9 26p2+=P)aoND]/.rR)sKһS Jvf>jufj{ZڮI8p9RB9EsXUn%҈Hs/\зG&JR[u`+ 5*夆aO7cRE=sŮ˽oWHIK=D^1c$_zϜ茕ˀI֧a~|Z|#ÃlZ hxig@盓ӆ* -[ .91>J8&h i5~-ѯoF!c”95纩|!++b _6}f5SܒrQuyDIV )gñ5CeXOM3 -* JiQK.8+,ҰZw >mc!-NmGU% v#n-gAGgiT$R|Y֓/4Ok9)2Nh̭>ɣb< }"CZl[˱Mc㖧 )q!R%%eo2L ^^`+울&;S+]rJ%kC,ؔqank 
=9Y\k늯Z:W>W,v?R1&{'A=Z}*|G+ˆ(_JrBŸaC:?3cbV@O# fHRB J+CH6aKM B^o2j6.&\smS膔۔q kr 3jAZ `ޅAD99KrNJ|_#Ok^zfEi6>@I\в QV[[ϱJyVL!,,W'91ۀ(]VxUpjX8>*jX- \^sPr|jjSN.X&ekr.̭͍z90\wEYhh0:v=o!ٹ]#"?0[aO<ub}F[a@.q -j6&9eTs7v}oag/1slX`x/&n) OPVTlFXVʄlhDEo}JS0l&^T&0vSsOs}wrh]QGT7=z[8kuy(YQ3S(gVTEB|3_!{f9YaJ6dM΃y5u
g jАs -!%g.bެ֧pm쎮b{؇+_:)[F6 Z`Jjl'BY"$iHnWMr(`e0gfZd_S`v ʀZ¥PWww&rH>YwmjlR;ۯ$kd:u;ܵ0T*r.-RN9ԣb\J1EU_|S7֭Msc̬)V}^2Cțx)Ak5O7z;f(E^%f `-5tzIm5{tLȣ8 qp[Fӥᢧ%MlFL۔Q np)2JɦzQi]ņM=%qHA4JC?qg \Ց_c#[n`(j -{D!aeTZC4?Goֶ }vi-]# IQAPڞ}~~xd1.YYs\].Ŋ!eA -p@"&D䞃ٲabG;v|˜ӾmlEsދacVtMu˺nƺh%o;&ry^[j=6bmۻm\ɪo=܃St@M2f0ǧ혘%5OɮeEMJ(E:ޏv p1s2`}SW+sBڰ5cfi9&v0񛶎ukc̦m {0Xwb\p;W V c%5t0FClٛIfMun9aΎ]gyb'h]W -Tղ Qr䢛"@O:aVPk>Y>ߵ+w|%Rr]{~lp<\=z&]5kpճP#,H hNx^^8N0Rkv \G^ xʰi:dHkmx`16G95K+e0eM JRգZus/Xq=Ě-g;{}ٸ2N sM͈e@mؘͻ.UF`lLj;nulnuK)T:՝U=*L0&kNGn17--g+p״3ܚ`ot wCSmv*b@LY"%֤]񮫭mkSʷ4)e:|k7! Tnm mٚSmߖ:t6lT誩 fՍ3rB~7m-D7೗f¢r|~5,G^G\SR* 3USxуN;p0vmMu @lP9nISp=-s4wsW,L򔊖7.jʰscViKMՎ -:mJxQ1-aEŖ~rg#5k#m) |ROWtC -JƲ;6sږ:'=+Uͫ.R42(D[Ӗحanj6Ψҗt!qyT2m3zNܱ+V9e.;S"bxgm=r@mښFzJNL>jSf\i = 48ڰtu雡n>,^jM-ܱ3%Vū;rw'Z(VԊrEO]Ǭgy.,t^2*&̊Z=e}`TRx{JoMuIߟuH7Ǜi@N%[LL]͓F'l8vcoPal=]cCܿI)~ۖ>ᖅ'Y &]0p,Ǖv5WP%gySf٥zo*J q -Xx 0ZȘof_3-]w..̽r[_GּxF_75]p]vGղ qCڅv bf1ݝsZȼ=Zt8 l{!T{UcS혐ih+5a]|b{>'%mY+f&aA -QuvtԆ\2*67L/˺bZ)1ZzB/T4x>}c/q >_PWE;h% jsް xU{#|h5 ;RC5>J.\WP|=ԴZ+]2u3WM;Gj Zp>W[w0GY6!O7R4{'%뻗fDzi<'n}zhPEc~F DVڷiATV30fSjOcHPv1:[^lC(^- - _c\ ^Sy@ʼn߉DyʞΤ!z94Gr I,WL=[yV~Vw+&o.ܽE׵G^/z{y{'^WIF%6MdCa`hWT:bU[>ȗ˜B7#h1S8͋O~BbMA$UH3W l삥 1{teLl|x^.J)6z~'s4u;+1yNA6ioe5 ‹Fo^M7Ց]>%H뭸쎿A"?%1Kz[u ֝^^^"^\ʺDBؼӼ`sumÒnO('qS@yǕ*lo^ן* -_xBz/+8y! 
ӛK0W,nҬcnh71itE ōH-M9:Č_-zWSTi Wzv9B(.~^AcTQAgNis't4Tmf[U0WY׸[r>F>.]^ msԅ[^/ BgOT̠7L~ijGe?;#mF#k~Jn &u!:S\ -o }g(ീ}܅RŴ -˟psGWd×G>Ψ%Rr3PyEfvQ累A?^tɻJU^?Tz}!u7>(SLș::.LjXm4'Fx*k1J_Y,32q蹟B/| -{xS :o{)&K[Ja^%%Z0  %*.g %uttM硨g`AazS^^KX RQ]xWú.dKT!=Owc2ZM$^ O_|z7O}_=5``]Rrʨj6eʆ!k<&{E)@GNiӽs O!kxȇע5Ϩds>yLZaQvx|P/WSŷT5-U飨̎M6Cم/s1b^Uy8C,+K~ɔ/{;&d VC(H(Q48SmWRޗnW:4޳!^|Jn?L -A\HJgG+Qd)WӋ2u7&P+͊\Bz61^T-/>I(2k@B\VŘ/r?:k$~P`A9սSSD }w}Щ!H&Vϐ+0TId[rG8^SP%I-xVF7|m4!lIR/5)yP _0u7ϨY|[KvnVO78\`Kq0/|QhJɿ]~S$bt^ϵ袁yh"諜F]vtfKJBڌ"hՀ)t2[ݺR9ɑ)L5.|.nj>-FN/C?'x=|DZtW@W;?&,1a};֢Rp.TK9.c -M!_7Pѓ?0R۞5Fy\-YF;DŽ5NUkZ!Fs9i|3=]OUs'T_C;5Ah"E%u~@8Nl*cQMZRRl|LASt\Ey>EWܢ Ɛ^P]/WXGdfW*4 ʺ9F=ȶA\*C(kJ(`\y:gz\!ϭhN{r*TĽvS*R:Œ>U_Ve8N螹y8޵cIiRb遵mkDL -l|-&FTNv۟,aXE/*f m˶Mذ1m'֖}kCz:OgUenm!eOظI}7Ůl-uyYu]zA{ֈnTEb=mP`kwGCWf9-b>Y('5lSޔkг I@.}($ >d.Gz'v>1aԮށx>wlE yyX|l8su3G c7&Nsc?< |#k]ǠFj@]AP6A! ]ʢk Sgc`sK[WݘPTpsl8?o(Z>!B!|  flkש?oU'n|[k؛`wn;:6eܰaV- 91k1~F'.hIkfr*wIQ:/x !wivοk R -_6K'k-&qQєi,ּQS7~ 72,<{hǎ+0ӏ_{G9^j5D G<je@ JaPzBTV|cDK?:PKrjEE)}v\V6{0`RaG: %1a]cR畨49)\U_cDȑ7Ag9 56bقby8p7_Gn I cS׍gtwq6Ao`gSL2$.0 JTܶPr>Cz}^~NT?+DH)YC I&T+؉/5sM 4zIIM)S"L =Bb\̤1&di#<᪱i&,J, -2t#G+d;S|Δ $+35͇cW8c" F 6t#MzF^gYРF~uN)_T G{^*\'=BsOQ[\ԆU 72d₨&w:ekzHتu⢠Q;fH; E՗}2石$40!帤y`C/}= znmy:_9qK<ЖpA2+% |\}OwMGؚ):Bt{EQe;㉫;gd9[lNP3dۆ0:t9QSl 1Ik޼;hIJTpgp53Jd̤6-X,aK#M+zz塓u9ufTW'J`%&.D>垚)o`җбx&PGͼikJL,0*Ă?6dʂ̬{?iٟ5h>*ڐZR5-ԪC[3n]K,[QAоWthEŅ׀=Z–QR _o"l *6wj*pdI$lqҚ}YMIe1#T :iSِ(Tԇ zDGXa%wiG>t@7#g@jqfB6Q՘|@E"T{`Gm ghڰG6rgnm25< -Dܺ0p\?A6a<*X`Ɩʫ -':a/ftu"qKNݵ+Ԉ#M9[jX̡>_nlͿiMn= oB5:Xܺ>nόL65Ei3ȁ #Yк=#*d Q}^Q,M$oa;*xܞ -/VЈ-6D(:4!R"|wJOF܌O 9/9>Y6&ֵDP}W}圹N@@] 2|&6=Xύ7#*\t Lpy08`Zܰm=%'3m&ʮڰgi(<W{VlHMf=+YؕDkⲏst ZvU[&䒖HK/&d9s^-߮J +2lDO)nݧC ڂ`2d\`ߒS Ԛ 5$tuvU\P_qb:ϝ -, T{b#VI5`eQֳ-uYО!Ђ7B65A{z -uJXGXЋOO'zK}\<>H514bGtb".aP2[S-("p $ֱRl"VDyoݝI6FѶī]Ow5ei}7k#uIuP6\NKǃ_*kkjgr^Gߝ {h|#N,*|Î mhB5FEpA&Degyeץ= K. 
X{J{8FfdߛU:Uǚ=]mԞ.TGΟylBH`;b߂)^(/x2+zmXUW@~åOlVt_cΒp'vhNP賩sp[JhP컭 [pe%Afx2fY+C5Q:h/wCV,(QW$3:N;Y 8#GNtS$)uUt#uF[UNqs}vNZd4v6*;i<5|R?(4gU Z*D"u_)MZjcߊ3- >)zl`s}yyO7_;h#(dg\_WH=6O+U*ȩW5謓Q2dߊ++\6;wo.l3x_A_.2Oj-Z,zO})6 -͵%A,h&5c7dvzK_Ԅъnؚ2ز iYsKl\^Ww|fAA?-Z K'-͠aXkl_iM7C5ߔV>[]l8on 'l(>s~Q3"{Q~IFL?qkL2y?kBqꊀuY{;:W7^,z`m))K"dزngdߜ/.n+C=‚ ىE:h73n_C]|Qcv4-eﶲ́,iJf>5@sJMMbk.gE1_!lQ)!e^4'"?}uA/9ՓvՕ]),+zR{karѷf0:eGJve3!CRYO,]t=hUYfkK :eCZќpgnMZ0+-?ul* g[m "K;\U>9>}Mj'p{]NSSselS3dO 'Q`|3Pj(7{L(d+oH>j#ǻ* w Ҳ/S֥ekڠUIMH]0$K ;˩s>飼v5~C6a[ [$Oa*~x>Ցޒ$q -[䯥\:NsּGI2@#sUHXS( -sb:SwK!{IL%KkSJ/zi -=*%Z#+*Xܢ0G˟uf]re :vA W5=15e1ӳOKQvK{K]2eMZþ" ޔWz=Ζ9ZLꆢ&xxc5+9DN1- ߹ɰїe>#%_W~T6f?P/j' -MGvVC6R_EEG OEy)#F m)va\/ -Z.l^P`2xxǀJ>,ِߖ}4(maa7u[Xxe9"Spb!_͠G{NV:3;_, *Ǧp57m2%*zST(Y澘yOT7GWdMTYW]bWcO]/wt]mC<b|_Ylou\1v~߱0?6Rn8 qUI]貨6-<[N]U9,ySJ`o0?+|Qlad3k#r|vā\w_sDMn߰Rna9" La\zK4>1O{ke5MeaĿ M嚠!<_"ڊ>tV^@;Ig5)~e3զs]YVve0zF/JQ6F# #XOA`߶(qxɿg %,bw0wQ e5XK3+鎺<غyevwE]ahFgcJu2-]uxFW6\vhEgJFnKtEq\#lְg@utŢkH nEK37f_\^B_R~6㯭"t=5mhaxw~.}*AFD#Blj_Wg~ ,r^DLrtWrjmoharHخ ޑQ+kE޳S} Ґ$&/ʀEӽ/LЛy7ffy6aw3TN"\7?zkbuW~MWqKⲸ3"y\ wvfHjUJڦ;Jb쵩W{VDgD_էM-Df6Uy%IK x!뢲ښA~K'kNE~{]=Ł{ںٻBlU]S^XސoƎv=49LJonyfc?J_G?$#Y!)s&Ycw -_D,7`+uY/DGɞ'Os/=Ȩ~հC>XR/7%G暈#;<ɭ޶|jK<1f|o>I[U"lb%6WmH\RՇ -J?qQ[Գ LÙUHHwV5YC¬k#ͭƻS|6T_Nd<"P|Ӱ1V}dzO 伞:R?B,ڵ14h[ V 갩'Y޳/G9^UqL<2"vqVDĺATԽL{>CUpEӑ -t<kK=Bį LKHIᅫS\!{GWsd$2fSQ.*ti{ W?Ʊ3bCY,ڐ}QהTÆ0' -,8[w`>X]|c$8UQRRvxOy?g(̒F1zh悸wUK,gNV%>yL7~E^w$þN4Sϳf:j59*෍wps5ODM -?H>Ơ~lĀ,1Co>_VCM{B$`wC+8[GS[ 'QXѩ;ۗ$(O8fRվ\7JZe:J `q.h=HSn;@O[śZd5=oD*[CCK^q'Ҽ"M&jΓ--*wT*G, :3PԒrSx2.-㢚Pom3Ԙ{ -t}3,ȁ+;ujm2l -8tbj 0K =⪈Y,WyEP}Y|Ow4:phG3  #hϽKmԑ ^L%iUdo-yP'{k5WgeQRԭk1{FRɢwkM ɀ6L83`3uMQ}5:J 'W71<ޖs{SOe̲6wM -\xuT _ՂH bӱ|usmBV# kQN}\6i5#C:%V<Ɂ ;z*?is ʚ/ -HȲdoUaڃau9.u[X$#䬩qiz{ZH䩥>ySh 9+?>zo 'Ftw;M`HK;%:hAP:qRlmm͹(% -h] Ն\a>\㢯 ol~ٞGGMCw9fyu~zj],髓Xyj#Z9õ˒ҷ̛4rUАm=*Ԑ~j#nk矁:6dji1q.tMZ.j&=ԅ٩} -"K:16ܰ: CfIƚʠuiɻUQy^ϡ mn -d2ptԄ[I$Y! 
+Ңcd7@O 7 Su6HҶ7幽+龋[_MSCU|f>I';_hku}g3E՜Жt`&U6l$AO γO&=vu4fc@TY0wGBd{󥡒;FHuy!ߏȐ=3,qSSeU,aBڵ|莭Q5Wd3@h+#g׵Ց6x٦)ZSgiyx2N %-z͋Jz$N\h#yQ#w4T/tP.Ҏ<:ŁAkJ/j*C3zSM3c $Ȏ cXZL&)xk;275*nQN0 u!w %lw;#Vɾrn >劮AvY$+QEI99I%b A0s$)ѽ{Oy=FsRs9};y#߿tgPoRʬSiM׽fgvmszv{{}- -yyA7f0V_W}[cCĪc4nN1* b[vL.ߴ}#~QR;hOE\S&(%) 8y79  -@4?K`{Tel ]U\` .+w`=ӈq1<ܽVsdU ~5Փ;嚅lx%)#_!|Uۿrk -ڶ=)k\咸fHo s͏_Y@]zHlNGzGI;_$o/{.Ǭ7d}/!%HZ%PB)⠜<2j{߷5Mz6e!Vش}{e;)ee`6o1*.=>fϬ mޙ.x.isZ]d; I3X&umOA 6ǠE!#&o^9Çx$RhV 51ڜ36߷sc*zkLqn_c]+ '̏oB\{`2{2ZSv]K,ý/n:'6mω1cgOf-cl WKS;~luQZ=.Kd; (ki%|O"NSw\u!|&w{y'%ׁ;`|\w'rA* cu5F'U=ca]c;^}v> ˘YNVj7Gڮ}onU_/'/z{ c ?it~ -uC%i9ޓ3v= 9Bobnv~7/nh_,[oOέ ,bRF&>,~nE~Q -Bڻ3p{z5427肸O i(]tpiӆ؝Eb{5}7GHh3S{)%7~d q>9mS?h:6BO*q7|ww(34ug]js{'1ܜ胬MnL!LZߓnlng:k9;ܕi^W&@gG=gPn}6LZ!,ڿGݫ]mOtqLvYy^{5y)weLOP -Ao(<-@܈>je镗9r$N} >bs ng;G.\}Y,`Iڍ_eW T1+8={:sZ&;ߛk|TOW0M/}*>Z7̬AA9 #F7vt(^!kŁc@gzژIq۝- ȑg3LQ;_8:{op 0 ـ{T)JI\A1X ΐQs v*1m_wlL;O!6^JIAw%Q=oͮRӡ ~y^{kZa}rr_Aa -CjRkjK15 Գ1` i\ -zr"v}{}"Č5.woNkY\q׶a ؀6Q`~5=Kڅ☉E qՐ޳c`~Z@6~'R+k}s^Tq^K`\(-o%T pк%Tpٵ7ݧVӺ>;UӁyzk@ -\XvAЛNȇXǘl)- 5/,W$ָװT̥ZcKtϛg{è?6fvgV>9 a `yq9\_Ah o -\_-H%lp_oCs} -r_\`V"[ WO8uuM~%`=2?4$tDPuͱӌӏ=ߪ:!k/{?<'WLӫ ?_^W&PW6ߵ{wVqs$hf/՟A~+osKkVz8-ENOJҟ}}{7;,|5ɮumS7?Dp%'_jGxNIST^L KiXS` - ?VjzTiY,9ltץSsP 7[$%5VP_$TQ+nK2<5h$[K]ĕ߾^K`MKE\0aUG4SnvS -h;CطڇK<])NmreWEtE\!̃3Ċ ̈́Uԟ^jQ9zfMgB"(:l^']B7 -Փ}5+ .ZbKH1:,Ӫ'ZgM/;Ά59b\Okü9 em&rc{FDyC0$B9]1d0fAJr4BPCi/f G3̊߷E-Txp?je_‹wՒ~+|lo{+B$o\сz* 6Ǜ 8lqlӽ-[C{vvP(|9TaA%]vƍ[ajjvmakPJN= Qyv(3%'IxP@g9 7|F.kQ<]2D~XGvOpս= -_{UTpzV8\O!\u\$`z&[T$pUYlQLFiLi8c,"8O͘4y= u3&TƄ9#bA<ΰ~@KC -:aAsn)sqMz(5mc-JΉs%<4HL)bG5`lOӛ+e6^㐋k/ڿOiG1Y$\l ,Qw׽c5򡚓g'wowXP3xYBmHbDG/ o;/^0 E>ˡaSlL|L GX55C=AN@V =,=1jJwWUekJdEҿZw);ySaтڬv\KAuXg2FoC/@N p7%eB=smR?A[~ *j3F&2c&9p(u`LzZmN (qydo *v͒!nP:nޙ6%y[!Ð'GnJnXF!Ea=oz] pƔ9N)ٹ]!Zŧrn4{׷'#J߼Ay*7B5kuL+SBDG) we², n FllTl$tP_@]y<5N:=PEBeBI -6Tt8垂_0"3+ -1=+{6-n$;{/U[o|=MNDU7?e"$6yI1nZz5,?~0 =kl=JzG&@⯹&wFρ<ɍ.~FTǂZ'%M"v0{ frnuW+oZNoh~:h#G4QRڂrtpKEt϶_L=("z5m"z` U3yn}υGL$#z!ӻ^NԨKRt畵@"葒Z6zont߳I) rgYp^" 
x!#a[He`֨^a/AwV`$JNmٞ躑23{vA_`ƫPVv> -((-A5)&{ȓTE̳-LCJژ[ 4p@b6`C\iv~[`Cffb":|O겉a'T<0OIKO;?&'('UVKkTˁ諶_v~my{1F6@;MBf'd{ո2" -"Ġo3b`>wXV~=\}RLoSp Ơ8\?l-G4|RreIvэJi#: W-' -11?S'zZ,iuuxGLCj -Q5%ds5':?wMS#"@gX:(0 L>{2FFq];/eyPPKAVy_ejLDy 0,-\rXMm(]!9:ƴ}} rk9R=?P !#*lcPLi]f>5` -rc438 ]30e`ccS2^ -`*ggW<' 5fmz6jxDURg[41{: (]?m%{o+PzV&(E;oڒЈͬ;¡:Ҡrt GAG'̒~3x~9aWJ i)s1M?xO[ jH}%(ǔ%tOhhi{?=X7 -@ݙ$xxLBe)f {Ѧo2lWF,˨uiz2tE<7!%@cP.W&XBi`R =G)Oy=k?K!ӧavz"b@1$,{w])hmq1-QANo]/+>osL -7FoOYԉN)1C()gSr[y(:4(Xyd@+>ŽHr/*2J{Z7I) eYc{l淚1Pzj}`zˉeΓۣ <[p0i^jkS bU\ -ot};?3-/p9z2 -endstream endobj 313 0 obj <>stream -\rN689v޻HZXa rMrpOWg·Jܞ@Uy> ̖ yr{He%&!5\5ńBk%j7{-l_Q3!q쵈9p=jvMYbXp7P4M<|B u˷u-v1l~F%lܟ ؔq])*b&8e퓑[C˾+zؙ—f{)q#>CKH &ƿ:q5 pi3{`%Z001.1 d!%g@ Գ%5b|Kи_Q" -Gzr<ָ^,J.w-ca=jH^D.p59BG:#]c,t~e\0^֟!/NуK/Rf]8qUaa{MgMߛ|;/셡o6'{fMJE=h7jq QڒFJ[D)ٞh=]D܈h0QQ۽r-|}3'e'/z5II5LdT,-,t5*XQQE|kq-`v@#TĀ -/뗟uٝB27c"σx>0If[\\Rctp[!{䜮%tuJе= ˙,e׉`@Y`6zew*IB>sg|wT )'^`4t}98Crv'9fh .sXĖ@Fй!3]":φ҈]#J[Y\O%t}9tu~)/7z~6Io xyJe  CB!c%ŕ`{r3\BG̙qFwA.`ctoUd{<,:ƠyyLYH h^%!cELbc\V}e!?jR -""4JMlmC|ޞG(9Șy *05Ý'jJGbKsw^A 3>j ¦Gӱ{a 2%jyyQs=;wE`_ÂmH~ 8x9)BCI5퓶o 광LNh =hOBmD,Ӛ*@Ъ -., wDr˓c_b~ZX%"fg+(13^qۏ~.@wѓw'N94m"C>p oRV@\'hHP'[_~93e퓤S+zzeI"Lll"nj,| ؠ[s!=DΒڢj6ѝbFDsXc&XyKyղU2G\5GoOAsjW?Twg^a7ȰQԟCj|ȁ}s`rR&.1-\nm7= -T2 s`V -!FLEmLX8瘖:'m>9w WQA]sؼ%q7)`R&BӞ -i])&|A_9ܙ4=AݧƇu\nM[f+"$-e4sTP1XƳMx;ddDMͬVt<廔H|7aލՉy1}("w24bt 1 Ԓ[WI i+q$f䞨߰guÚnPInYi;G"П}IÈf` b)mJ>w2Nxv6r5#wF4B@L#.氖۞}{X ئ%iVu#og,bQ@hVswf/lU`M(Hq# /8;. 
-#Z;aUK.|@y<y,dBf h["$Ԅf޼1*XyyewU2Qsd{}K]>ꚥׯ]C׭gdKl?4rpe`|_#";0ESmj<;‹wfW1>n&`fa\{۝3,Q@]RtwZ3zSzr ycg֧_y{EƀZu/['i7|cq8&;+P'F:bGX*%iλHA#$aC;=ȷ<SК=Mw>[m%,έ |n_Baf=m&eĵ^HM€iF^43?o= 3u~ܳ1{tNR-ĕzTڎ;aC Sgu-llF$M\Bp -W]ފU)0 ~DEz@ߎ@8GNltqYK[LAFulh{Q ЊY稵yV[DO>f}񍼯Ӥrw_0tE<J֦YMEV[X#?|9}ngsz#f0jSQ=^vgu1QRvg{{~98r/ddgv#$5g nP#܋Fegݰ}9nɯX?o92fzo@Atcn늨ᮓ1"!N\70WPk[=2\yBM޲3u=`B\F흞B0:zJDžR W a1}Yߠn]tMu_e*2mJص;KYĵ&i!A~bs>:١$d}y8gIQ%MjwcU~b} -U@ -h[Q7޴Ͷ4SelJ&-\TySҲ 3]mtz/.o"a='f``\Q"&؆[20^#q>93Ao:@4=(7<:.moo0aZZ{dWg?, 22^%Ƨb< XPOA\ WoB3a80Z"rRMLhOxP[oW +U) /N虽3_k=`KtHņլ@'Ap<U 9\wTP[FhdFBAڵ} ҤIDtC6_stW \rc1'nk`flIszbkBD,lTʥ&ߐYeqWa6RWNڜ ]Qgx>R|w\ :4nᐗG  -zہQcHh11=cO^ٳ@5Va1?lQ) 9 = =^5GP<2*>J!*deIlul;8Ȁ mi#)< -,A!喱^6Lu(ƫsqlBnBڜ -i3Ub+W3(JhB.Rr]\A'@+aKyl~z~ -QHNdV }V3`%bk:)UA_@X=;BrVGtW=]\'HjԝqXsd9q F_ևۘaԮasr 􃕅s`cSOBL$\\4%/쌵O7;Rlh< z;ӽ7ǻNmu楌qSY$`e,4̞Byϋ?z(bjJR}_? b<8c6C}K y|N,"w{W -TP3,ĦX"cI`%W _焴BP%m ..}6Fkۋq-ӆ@&O7!52V`ڬ-_sxYsPof@S&Ŷx9 >qd_RP:&U!̣Y8qko y柝籷l؞ 32z:Z{ڀHq "?amMb얀n_fY@&Wq >ueӏ y%m>1/sB+Ժxj_ƂO>)*Ͽ@:ĕ ZFWu\>3F,€tlڂm)NoO\·U mQؒ7cM2jþNHXDl7HÌmAXB8Ol4KѷRz.7pPq#avD06^7/lW[0:`:R@ :JtIF?}3a9j51oog~ SE ۳ܰMyVj6ǺNlo;oX Ws~rvW\Iv뉵 ~zEٷ -y P] Ҡ e/hX%:R噁xpɴ!dV$ +^oH}?36(&ɵsKWcZ-a}'8Z/ =ZIo\cݧ*ՐSirG% ?c> toD~5QUo6 /VޣnMs~;hZUg?9 |Ocs~1 -j9+8:o#$t,}Uؗ.FU1x7Q-90^屲C{|`c3F+iڲxM1sI/αEE_M eG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#͎9lva#G9rȑfG6;rّ#`&Vw쿉R -΂QG/ 4,4[s V S)pX^g/\:v ';?7>:Vcf3NB-wBҿH9Ok YfZEk] N ~cSĔq%%\i\ z>0c@'=9Jg6@݊.P24GIU ZCTɐRd׹ S4Z#2LqLMnNYI@i& U9'q9ヵ?e`*fOL˧f%ۓ9LApZZܓ޸|!/:yWrBAoMOؙ^xv1 9x=}`|hLV0Z.&m$bI@O;O$ 8DLOȘx¥ldTEm+5a%/Fքܲ9r1q!'61 Yq0'Yl*>OIp!0F)+9Q#+'6wk谖H >oM0!%,L¦,LdD*qe :%YyԤhQ7!ֆƤ() 6&P@,!m"M)m17IٓбFgBj9XTgr|3(qՁEXޞK` -7Yb&f1/D <\L/$2U@znz0m6)Õ{A]9r?oJ쭋dl@QJKH ˋaQ=Sec$LlM/SflUڌ n>,vI[GtPM -k(1#ӱQ_ơ$. 
gwGc@%&,иBGltl̄U^%ǹ20u>[ bHmX{fJSrQ`^iU$5PrWHl ꈵ.)4۝ҌɒgV=dΌԒ1 I+mqSf8acRDL8_ u M_ YjfOPKQ%I-cߔmj'd .1^3ZbJr]Bm8LlEޘ-?11L;F, /QR|w'DԦaqA~:.HXh -u+n 5&Vא`Q@NV]TjlITKKlk9ݻ@k͓A^*}Ӿ)䕸朄819Js\bl }yPەuGNHDlG8<ol}n޷ɉam02&3mAf%-txFΤ3{`,MetE-}jGUlŀOkBO V #Z$fb:>.jhTOi *\p+} /&,,Tbc |~fJ9Xz BJBվC>sv6mMI/aA&8UXKi6Lx=4P:TqD&Uv(XlS1{&`S$/|Y@L 㖸ؼgc:r ,$|/W̲P82ڮ˻w07qui&Iz︮lt'8S$bf,A,Yd%[33YL޿;C.U֜{^[9b2~_al+;'jrn$`e6[̭dzkQ 9(amO6&XE&K)"|,c3ףcWI?CZI-癡yJ|WA i[[k]c}}yH䴍a­a][nSсi7AILo/.=fQ`hL@Uu3]t;Sr3Sy3U{ӯaU0J7ww#;&9ឪZ<7ڎS6G*.vX|ۼCkuBLЌ 5{5S@9іIwl,|„0͓!}}6cB&ry+agƬi̽Z'sC<4..;U`GY" ZB

dBʲ^s|jb_O- ͯ"֏>Rr7wN$9H^ LYQ=93[q}e #bws=w1? g'%GI Ef.tzdy&O{Wxzr-Tp>m}w;K+As`|7GQW,wS_j%=$YsmYG?}23jw, 1y{=EHrO.U7+:6{"SrS냥'9Vj.v.'`aJBt=Ϣ䆴,hvQȲ51OpS=j/g=#fDMB^l Ɔ8gĬ h in_F)q9`DʄZ_hi>5!5d$ld:oj!E /x,KEtA8d8FH}E`w^$Ml`/^ -nK% x(bG¶a0;+EQ}LIC"0qҋ(Q>c?{үȃ%5%'f᳢6(jc"qz>ŲO"Z߅u}]WsUČj`CUV^]xw ( -y$y({&nbocoT܈QWC M:=b V1t}W}vk}t`1 yڈŽke^@u+I5dhȥq3'iVӊw}(EH3]q٫¦F蘰3dofAP!$èk gB͒,kːB$i5I%@&8fo<`<*JWK+\.;-IXς< )A8lK| fk ̈<24'h`V%r0ʯ X`Eu+YS%9Ïh^@oOaD?jGBa, -_bs8_|N [Ygv搌$$l -bIi!ʣ"ȫgl+ ia<^Dmocga#Q3N*}rfg -|=bArW(F;g).+!7,xdS6KI7);{+bѷ},︠z{_6( ;Xq&tg}/ hEݳĴњ+䈲^U91RkfgEk}uORS}48C|qbomWuWF "Z 8u])]Doي1&)Aߋ&LQ}\ST 4} 5Q3eg=3̪F"ygUFaXN &܍K%'J9уJ>.cJ`&9]ḷn+IKCk~6 X+ԂK.aH IXEZ$ >e9OK qY KM655KdmYˋYl7cSvAV.%c{T4d^WjQKӘ Q+*kfafVyX6? C&X22W*:){}1Ss854uw \&h|'lOfny5w!KhayN@"'j{U TA}05t>|cxy=YǍƀBz˯yVѹ ?ԜA@ [$UZW -A4BZ ,499F1g-MIi{RP>ނZZ85Qh"JZ<,46\~fcHxMCWV)Yn%B^qk{ w78C.V\hĀ.N=X  -%x42 -;]{=^x7Qp7Uz>@ltB.]/nA`>x/(hP&lx:67tDumn> 6jix -iԐZʋCfxV6SKv:*fv랂ʀ] Kw풺G-bk -"\HXa \MQ' jE4V:V&xkcԔUcpw_5\bgn`l0Y$`ĭ<.j$dj\cjD#`Ōo̭`zڐ61_< -y!ɠ+l \/0k$:bYk0N.4^PC+-oֶޘ[=Iˌun%>Ω([ݪgnӁIw*kㄤY1{S<7Ą+f45h$T5 Y1+%A_'xؼL0c3Akt5MD'aaAؽ95Zz{̵t=z5 -YQTKYnr_!ʣ7c4<<QLݱ5b'CA 9fFo)8A <pgߕvM+s |.'+Qy:Ru5K,X! |'q^§+/.sOs<:;zzpm!pb5d^f0= Wqk{WS|OY/!9j5cW5[ӣihrx0!ua5?+cfv"RXAGb'9O<\ND*pAu2յ!Z2qOMjj ̀\L -\vꛃdCS! ᆜ|1qAܥDll|lM -ŢCŪp ]YY #r-Q#RI^MX'F-aC]C*mY$ -4z5F\kxoVB+Nx<;BUȉ|'Ѯ@ִJ/+TV>_w[g˅8/p9l3:>ͭf+t*Yӳui69fdQZjR߲3/iJ,!3W I>9C)y -z|T)YJ\w>}u<~'288h]QJ&}˛$]waΣ=eFԯ%mubuA99C^a>٧ ;Pvc@%Zs&6>#fT^i~]x$W~ZJ&Y' ꙕ;#!5Вmyֻ؀dP9@Ϊ@<5Q=ܧj|9}uinފk.az?DKL l !8ԌRZr85ۯGOROw7Mx -z r,jA`jIR׼>-/p -GZ #ձ3ԬQ^aK}_a)bV>t8_ff,b Da]{sWtNF,B^DY_޳ WMcoj|4lg܈/V$`k YZFσ&6 e(dVݱ5OnWz5_.dl|31r5h5"G-mR*N;w#O%!*5M%'d&iAivW,rM1r2pt=$`>"ňe".uvc瞡:GifaH%"^1R{ʛƒ i`mMvduҸN⛡fugbV@Y}3agot%oxR׉*!ٯٙPvU5IwP9ԵwysNۺ7ϱ&YG+Ayf}:zÆF]=S{ӧ=+HQKJ6Mc_%$"f\H!/\uw [^ R8-cc40# -߫r<62PࠄQc9T☹-%lBr cgV&:B'$Pz.67  ,b[ a.scnV HC^۞Ѳq~ӱ# z𬆧a c044?whYZvG^sOc -Q+b% %f1#f=`d*죈E ̋Մ|띕|}g,@75Ǿd 1YoN x㳁KpQ#sFjlV́z"{Ђ:F$cG=QFgz 5 ~c XP|,pYCtL-a 9%332w#=>ijVH%em7h3]. 
d,_έMw s AYa-0UtK]`Qr{8ǫ7Hq G4R,x71%ju aXK/EUL*yծVoBPVR0+:).gF+D䙪 98k@ͮɩ9aX$'fBr_O-#צm=n]cWܫ}66LEL9QS -Po~c4lj숂ׇӳ9dF cZ!=6ӥgxU"N,-Ek]#d-;j cȱؤȞZVA4 9;R#Bӫ!q໸4tȫçoL4X¹ =ꪛɂ})#䢈_%G 21$N9`k윮U3&|XБ 0q@'lV]N߻[p*nj+9mW1u~@- llPK) e!#rwޝ{ 2 h%Li+ab&+_x&1c>m ϑلU(}4&g}Ƿ/:L^-bȣ`ڭiFO/lkMȖ~S[w.$n񛫓D`"jɩէ|.n]HstL.j%bTlht=iy8(n젙K m/տ a:f#A!,pΒ:&je {kk % a0jf|HM7X%(xǛ] ؚ* Y1:6KH]J7Zv7fА0a# ưGB0JweO#6Э&o\G!_OI *Yql$k܌Z鯹蜢"!bjJ ϯMX.[r샭1#{FL\#\897\9D߈EP ~5Kam}[P^Ce7"r\JF.y|lTT)%,"AXlw^ؘ%uȚBcL jQ=ƣ!t{ϼ]5 j.ڡ*.mڒ3K#;ahh*IYc%ǝk!9-۞F1vwlLL:ldV j?ky\SN/,7Q-M"Ѥ Y`joh|oI,>(hd%ne"LY;7Rz|iWqw)#^UcGO|ѥRiFv6YŒE0ַk3)'< -yB۠EZy^1ˣlx,{Yn- 18v?d/& -13>U}£LC}|ᮝCj֫&gmL\ 阕5Y :sosp! 7aD -5Ra9xSz<,`<%Y 9,akJXZ6IݮMY8d_p4>k}kx_? -yA5a㳐5n' ֖5ao\dٿѪJONL~7.VK:0 2Ћ=]}ˋKtLmO3 [sI&&l| cK)lkX 3QJ| -=d퍹ޖ_NhҘYqBoa*06OM-]M,L>\C]TԶ9#_/b;U|Om:vU>Eށ݁<5p#HoNOR dŷ$/ _@ns7#YS!.ry6rmzECMd֘M"lηD{F#&JCI<40i}?#9ا -p\AH gm=AKLEA61z!b?UJV'؅^m}Y{K, &'Elyi[oo+C~Kuc#fV펕Rcv!w03Q~- 1=3ѫV 4?S-Q$qdߋ],EsASpn_/L|2d3LDǬO-C)$t(\34EMquezԸd&p/A#`ufhy;a#!ϯ&#!cǽ!C+dSE/ aBF s\G54Zdskc)>->ţ#GD^\F8٥M1ϝE>G(YȚBڹ[ hP.%+fbbf.mgA[>I,:bP#;u˲4h3gYǍasc(bz [Kc+@q`Ae1]c]7= ۇöȰH?FlHɩ12x /nS]p"h.pY&"ͲF:hn~jF|Hpṛ^iNRO6!2I!?ꌛyԄQ6ʂH>1m`F`>OMa8hK¹1JgEԔk(⢜A-0EFG a}JFO(A ȺW{4>'jT-E5|bX˩Ei~ =K]RmOBjR{RP6'()I apy Zӊv bN*XhegÔbJ*DLyO<&7=朤#0C*jCW{(/E1 -*rk?.S!+ɹ5)'j$ 쀖U6JDQh@I)2N&:GQ$DN 1 V=20 Ⱥr޶}7fdka5ن2_+f hvd]vכ8hzlr cabr<^%"n@ [*k/~sl?ؐVc3Zק{61nDŽbsQ2aˉ_2i4tR~ģw#z*jOMX |Բx2mT^XPoQ|Ⱦ6$y&kg+.|̾c5;$[C8Ǽ/ 1J -bs0b}>q&1`qŅ Buç eD2w:ycU2"drXa X؛DEE֥"a" yQ8߁ }7 lQٸEHp!91`&llR^ԷE]B/w8=f0.Q CP6*"FrA@- wEC>4/ysq;0J]қrN(5ůij+K3~Frg 4Σl W_XW{9\_EE>~\-9FcDw9FN^\t'Xy;Gy߯v GYw*E˞ brHM+A]{g[äFGu43c` s9J~ͺ>֜.?2z/T2Fj. \tϐS -B_Itn R/q SR"JnuHI -̠oy'.F/x7JRFPN%_BMqz[):=+Ei,o5DWfUa%zC>յSU3!ͯA֮Š舎܋1A~"nBNMB#~xd9{گ0j185A3ELv krr rg힤Eߍ.Bk6k/n g .224%30MNX훠y9 ^k_TjrNw31Yz^PũFLVTPn9! ;~wdyHK/dea.\ .!ue }ӫb`~XZ! ֫l,nνŸ_|GŸn,?ڋC~{A1}{nޙN Q=90ae!lQ~U#?EQ~(=2pXѪΩ[ϷFxe1c}TwFߝ3AK]6z٫O[%&-)  YE$k/;(FɦW'5-]鳕ڳH̿=s5.uNjaŕ}a988{ǨiqZ]pͥckʎlή 2]z&`U=ſn \Vy! 
\8c748pijzDǪX]|)M"nXˮN؅`[-g9gGhiGKqWپ4$1Jz!'mc=oSBWo+|#@ֆvNQ;[};9 ԃl򘣗pc]wVًn{Vul5"I ؉?o:2sسʯ` !}4J*0zx{} ,詽և晦Ar~Mǽ 諺}Ƨ?yt,1߯\܊>-K{!}riAjg֧<!r_NEjuDOu/b.kh{Y|xk}1J1  9uB}Y=k}:}f#a@)մbOAHEdm/[̅>bsw/g'9Pث[ +kN;iJ-w1,&Ͻ$^X|a9j7K~ʃmiQf#mt{=mёq٣ƅ_W zr•W%׺s6wb/[_ ~tZVX+fM~g2@ՙwWGus~ff›+O +EY(E_WZ_"]7!,ZP>''o n8Iw.Qg߂,YW2J76Z8n.نc!ƑUڇj{Uydh{0bUVs 1^B7xYzpF؟>.=`RO+h{@ũJʆJ~ ȩ15-VS_N,CZx].c-ǵ ̕Q.#c!6&gj},9:"C{ڞ~E]gI-/b2\Ӵ]gag{ S{A핇'\gy039-d/v.|=k-NՐw۟M?2S]Cn5kys{7Ex[}n=I17$b̽:flؐOScSs7GD{um72:+tW\Pyr򸱣Bz?RF`JDurʷ)kgߡ~3KZBgnzE+={ EZ 7f0*N(5kiksm}qvUQ]{r&z!;í"GrW5#0WSS67zpWVk؞X?Qekxo{Jޘ9|<- -|$+x){$kC{W=Pgn});QAځ`[/]z?IN1NM2<= -w׹ _R4ly7gWz(5UM?V&[f"5[{EcGQ`~msϪx:?%*:n9K -&hmIލϦEwa֞QU馒SI )c<ĤUVTZ|S} .oTwTQq*^x^ҫ_MGLO*& =+^/$\|_u䠮GuC]c7iz܇Κߌה G Z~<#(-1I;̯pDgLtw:L7[{կͥ++O5g}9D)^g/FY>bmqϱ7FV0r6k/Ͽ-EZ'];~Q/5+*uw>o!np+/a}(H#>RJuz㤹pߴ?zU%}FN9R+셹5'V>`/,ucV_sw?k= >{kctgxYS ɉa%1:?~qj//o W0.ɲSRr1HOWH~nxGߖvKޥ\~sisn}_z1Ju@0A4<:GKRҟ'_:ї )>Şd3%Iz ui=撹iרӦUQ<2ְl=py>fME{TC%N|e=dmK~Ms#/ʮz?TeG)I 9=FBnh~r齯oQ ei#& +WcmXyWt<l{5-.uWݛ{Wރ{Eݓ#z\qτ ޒ ,Hߜ5ǕSi|F=c2ml-o}\qQ֭/( !fs[a6'ŏkQO >)y?oRҾ3tR7zpنg~<.:yx 0$c$۳״5vde ls}YuXSn.٧k,\wcS*O,\7NZ1iq֏0k,ؔ msnN}Gߓ_tV!?$˳]|uYP}k~o&.G3u}Wh1 n?g/hDm-=w찲).܅YF1;oqrV \&77*ji^1)]&ݘU}j=GU 0ڤ0cY~FƬ0˥77V?2s_n:qcv!U<-기p;CQ-,!e=Wv汿X(jN1>-Nۻnm0%9DJֶ4,;5,Yb?\_>;.o.8mq5-uJᔬavc/G8gԿܪN>k?6䢝*ґ$}+\F\?%w!e(}ix}IGX.=NzJVPp,RZakkkl/:0.LDVT} ,=OYMp lo~~K= }r7U'6Ib(Bw tO;&8ר#>zۊkJo T݄lk|> 8dDvo#ܽk(%G5vPY/VH/s 5Jڛm{Zunhy%؋G1{M[ p^ e?+.wמdl r,UG M s5zA[Wc4WS2mf83WՉcz 7m]iY[4;3E}w#Y)w?n} eV$4%C]fCuS{ Rw=v`M֕-%?RE.c;WJ2,]g[|^X#R )uk̃_ )D4`bU[^]Wm6ә{KiBKiK,@$w+AΝyp8gȑ -z`C.%Yj{2I|o G -yԐq2M6X?QsNs3p3[`/#D'<&?sOPn%bc =QE[b=C&/f>V)V_+)9W},*Nj Ub꧋[y/ܓܓ!t<.?ҥ&#KZ,=tH"vm5x/՞g[ce[elbXy Ӎ>BW#'Yֻ˂؉~ 4m2f0yQ/.}jɥv &8b}Yy}CkADcN 0)xoTo g9v-eQ3 -:!gJZ_\SV"*"M ;^PzOs061>#qћVܷk[h5)bS pw$h{<$](9[A!Ȼg;Y/ӈ$?ˀ[#QnMvS o/wA>껠)7vXy3$;骘sI_x 8X-%en cZxrВ7=?Ɉڍ{/2F7!mT_v_I 5<"vJO}X($61.wMW3Gɩ3Uٷ'Hhw'׺oOhaW|U #":K@ͨ(;b[Hn;N]AE>:d PsKP1[}CL($)YK7CD Ҝ2LzOia)N%f r2xS9,I^.x_=X"Gt ð0 -+y7Ha$T@eW136- 
ZnϼU;й;ĸSԌ{*nf1fpfL?E⠝W#V &hRUa[nvSFJ?-E˿t Rܵ)zӅ] (rma؅_K4$* ^ ҡa­R2,ŁG*pcuf9.SJ4?l3=J -o -LsZX6i[Mr8AL FD;b_ d8Xk.k8^VU3Yo wF/tkSwdMJ~Nt-uºSW`~mS?uV1q)^ъwܸSSX?}c} -qbCVǰɁ|S: /&pTqc.?7cc|;$R9ih/ }Gf$"fc^hj;,QiF9gR~,s\&]"h3x`oTĚ&Q6htjg9*4It+8֩;o  H;Rb}e^ =׺O J ZR;,tyIBֹmUEҵAjJ7.taJƽ~;>˺4z8F\1TN>Xa\ZܖWlk~s(6GF@xNJwɸ}ĩ2JBK %7Z7c}]L]UMYmt灱*Ks #AN5:soB_.9\0p$ IN%|2`NOIec -CC--dm$FHc/-I+ȹy6˳P׿;oHiyRJE,sOs\KƄl¶:^&pqJ,fV ͸8_M{~.;`sիRZ@@[&¶>.w<_/y9/^b^E^i>&obznQ zQ:S]4c] - -3M+u+*o7Ō k<*_i jhԷA\Z'UL(~:׀ 74# -2-v_dW\oZ2J0Y _,="__a7E  92DwPhbC{~4յ&!mzӟXT:v}L.~GE=QXz`(}нgAO cwH~;Yԟ,IEQwHjQ&{#tԝNT%8OObcciRcNb?}>(YI7ʀjYL/YEucl2ىR!ߎZ.r~(1fLInji\Yo^xz(-PA̫$_iж&yPC/,551*n/|qUvm DV]o*μP|5нAD5B)i}xY]2̤ Aڼg"bG[]eRFi셖VZRDDy8<؈-#J -1MC:u6~[AC(fZZRvQyy$ͩo|zr ߮t9k}Zf!=@>(;"|SDxul]MY* P -o Tc>T%)~s$$>&<)l—?HIq {pXZذs5q 5oPE1w];,h@@Atb/XM>MN3*ɉlWΜ=|) n 3iT@V5"6LJK V9&ޭ۔-}V JӢVt>/~a j5;2VвY؍'KhiJa¨HP+Aw.=vtEП>w(74Xky ξQJ #P0#Q>RExш=-N?MI=Y7@%r߂B=r!۠3O"1a~_fkM$tb#J^ $ K&=΂]vХ3N@}XR'5~m\Pw&ɯZQ[mh&xyJfſz z{p!0WϟvųSC_mIf y8'^ v0'rp ^ -:P5b^7Wё"g\ -zv(]P_=uЕ<~t8^53꒦~c ZUCO%~Օл~n;w.p{Μ*Dں埼z -Mv2_&筌3 0ym1Vœ!*E]IEd o=q?r tXK@|' a'1w3K!K*ԣV22V')| -wt"Ek/.s{UГ[wA_~8Iͺ/B:ajr]FMpJǪK=u9#u?qa *b޽z l?\ż~y{:)~g˃x]7W71Bw5(UD^_B?z - -p|v -%t [_OuȰ~r#P{0*HEggљ"^ݸ z٫WA<=y^~Wnq={Jƃ>2&%`eyYFL_quw5(􍢄_?u ?@~  @Ac^>YUpmas070av§!~ }WP>_~,{PBP(:-ٓ@77.=yP'Dz;?p(e{.ݳe,CC/ߜ!d 5ҫo_OyJ -x e /~[_],:0g7^ zw57LrzvQ·)kKrL7K;&4)dGn{yq0C[w@_׀OBD\ո4uGڔVvu>bx+= >XWu7Э3g=} Xˤ7/O*>kf)cĀq!x-?|ށ"3{ȹܿ%I ھND}GZ>[+4OUʫPAvD-tàBa~[MhsJ.֯4"8& 6=<&)<5%ů R׆p񫽐W[R&jq cMDP}|w[T'E`G\ȕ?ᙧ@O_b:ΥĠϧᘷF~b7%zG*4I(1?.R.sq٨b>]_C> #%}? };. 
%wSOK`vU4;,WïW׹f|+jh0w23p Pěo {]żz -]~ A?eOpifYcLSJbc\P>7܀VujHA ]tqٕS)~@^]PjX dJɍN"'nenV+2r[cy'{[*&L30[pBVEdFyHJoB~~m0(6OEx o6āZ$4 -oJ3@C/%nu $bJn btVDﰌsizx+q3N J/`=,[u#um`Aа0תLuE UNZ]Edc@ߢ@Q '?z&(ܔ?jAlWʁ5L]([Z9@Y.QfZoxЧ+m͡.h32UK) ڕKB]߮jLlĎ1u9@&k ÍPm'#r<%X^,5Vʷ(^9ˡ[YlqzMMҷո^FZ gT\)qACX7_ _hMUU4슦幧ݛ3\U!Z|p{4T]MUt7;Z2 1I@R!inH㲃ՑSuy ٬"rfɎ }c^jyfĕ1dĪa62CFe[(fC@ugLZ[/]YdTZ4TUuuͶNlsg{1eMVuÇ1Ȭ3[=¦6.PS#|5"j囧~AXYj- {tGI[#jr+kD=5CeR#e:깢>^fLU|s2|k6cBE1#Ѓ &lɺ3D<7L2̚kiK:~aѲj7U[U<0.jK1)*],D3fADI\%DZ>("z`w_~m׉ݺGmVU$ v&q7 _{lkCSLtM䪜f=aEŪpmxm}CwAXgTrRN].uCY* 2Ǣ@h -ɥm5k7z7Tz0)jq_&E(= u糎 שc"ݛ6!}OGGW8 aJuYK)6<_EUz()h,LG:e쐝{ZrYJ+7$_^yRSrDٟiA - hn.#dX嘤M *iacU+u㬰gDZrmr|GEq(;ww%ő,oV53WohXfd$Шm - -lE;Է8T_@;Wd^140SSMH5Tngs_R?kтvo [<!5Mo1e^}]]C:&Yo"t4kV\x'6v4qY *,fەJGّѪ)7[*.Ӣl*\M+&IEQd7$̅>7G۟oiXP$1, ]{;he̴^ꂆ{|Эl -zME7N"# -L?&𝬱9\bU6+82dZo+0dSP;bVȷhUN')i.-.۫%k[fqQɛCEqlܡ9 gɥ|& !`C&*mI)c\3Q4Um@(>X"Wޜ eW5۵L$p.Ds3\ *;JsI7$@ .,%Ut -b$z& M*٥Qؔ92`ڝvgZ`\G v Cŕ_aam14"'yXxTUպ"rMwUt|.Z6neT}=Qw'p3|Ggxt,wZ ^kRPJιƁjQP -YFgF:CEE{u8Fkb}͎֭@8:jH|5F;TVj9,84_joZ**c2LIMth){\[E}sDfD`"Lqzw]]F:]11m} >N ]S27(;7t;xEbq%FG(@,W \9vzoh\rE%B-;"ם1XEN:1_l -3[[2N]2L 2qsmYp8W۾gip*xQ6, pXU1L E75 V@;}=U$p$,9|9mkfSGyn5bӶ+CrZIDH'^誈պvNC;-p]4t8hoq- [ QDLUa?koo׶Cn[ncYzawOӰQN~طȋ[CkG*a#Xc{[}a9,9[۶Pg".u?^,x|<k\a:Wt]J_8GA9Hx Z>ݡ=,Oow@yKdKڦ)+= -sM˺ a =+ͲK>¶$YXsr8+jU{M|3,ujkiԣWkeֱPi-܊9-{Ra:ہXtI냰sKomS!اB{۔ -ywֆ .p9@ޖ8Y.~'f|{Hۂ)g@FqKMerjoӯU'_2Ivhx~_6 *gc\j&̣վg&qY,Pav1\rCIL#bX2rc x$حd]3M}-i|TPb3j|EG6<E'j! +=%JjI;ymw -|P}}h3^W2x.76 tIFCL -lݟcjrUr*)e)rMM:%A|τV {5f!$'mA5 qT٪IN &C/QQ"C >4TW3w"5\Hx;Y b`S,6.'xs+F2ng2=&-Hz1Y?W -. fSbMRbG`@G㒶E]1\PZ4MsV!6 -h3N *ɬ(lt88Z%Ő˽iak#oja#[7{[+-5)W#ᦡȝsߋEI ܆NoKÀU7nM`6'NMucqSB/6B>7}b7{KXDQĮ V'1)sTwSC5c_+$s误]1*1DՌ==~RhUjdu -Pr \(2ҭc۴5}{ tUJp\0SAJrj& N5VR3,GM̴Kk=y/=eoVZK_=v|h)7۔u:Tm)үIڡ["EBύ"hSN(vΐRrW˂ -`i~Y+Js34C5+B}5 ">DD!agُ E|%|;\LwGBcs1`/h+ 1KE rR㒞rsÏ\URP_G.&=k[}d3DZk}\s zw8-lmћA]1£7G :!yEK(|=3MW~c^Տ 21Ou1 衞zZ*d_G,>БJjBYെ[; YC"m838[tY΀1q{&pϰYp4pNPVoKVmCM]ŰNrR|zjgC wI#o¨I~Sq? 
:&Tb8v&l¿jeg@'A -ty -:y7f,Ϻ{KU{Un::4tCE(Y>xcN_nrd$.4fh{{e7}#84K0Ԧe?* _'\Ϻ}-RBWnK`It/'~.r+ĸنҧ11pCc7`׻Jso^F s2oS^بaܻY gt5~/[>^9Zg"&*Wr"}JݳEB*iY\*AZn >^*Zxk/ybezUIxn#H7 1q-kD4âϮA".#j_G?Ϸ<%g[hG( -I72_:Qiq,̫O{*?pVjLqCt891G/?NQҮ0dԜ^܀x8%'Ĥ7w(}]u@SCuqpЏ&3a1S6BwG,%okүOc(ɑm4g?Rs:q9!NCz瞡A7zgqZKRnC(5gW{{Ra|N:'bN1 JGE/*}$ߜf]C~<5{{r~cWT^(+Rw99g~n-wͰf9 %&$8PE\g_xhiTSrh õ!%k.2 v-fV.mu(qp}*663cW:Kk-cq5[|s6}k v1,@eXäX߳^ y4GZ~PI qTGDiV_s.᣽*..&pwsvǶ:|㞊xu]UI>ߖt(h8h[Ӹ]1.~w|m?K6V6Qh#Jk]@/=M2vFڒ=Q; 4Dg"i<$99R!OĨ7r_9'0:6ǒƩ4\x,gm j[ lKCuOq{*Rk - ],˿օ|j>9NA&?~x\Z2͏xWs<бvRR2Ɗ\1*BE2:4P]?ALI~ur*_rw$&FifCF!8qeMy7oG -wF -_X G1Nы*멈8-&E_o3bT'\Zh-|2)O h 694^F#LP7?B[%?wh:߫_,{Pb=Ӥ|CG;e#Kj$mQ RX&61n!;M->\C KٕkE~MR|TQ3{o,~U1QC7 +X_ιپ[[a1Cd?+PRg -X }cֳԦx}u+oJ5+ta Gz"{h9 qiiBM@WlGAʛnĤji֖q{/iz)ye63Z9)ۡߣ l]i7q. y|OZٛ,?(I9VN?z\&D*Ⱥ&hIư3 Qr$GI.YE~1ˣ8rg O}w\j_C79-6,*y=T`5Or&h2\XlgKQȉƢ/'hIϏ)9 ww _~y~2rBcd- b\, {ǁ-/ƉfP_Os^ `BuЍȕn‡kU!g:*0 BWB!v= 1Pad#Rw$pv$^y ת;C.k~4θД"[eRC;[ͣkB[oy{ZJ ]ÊwjTʪ :~ͱ(? #=<8f5o-گf|˄EU-0I(?G:ݟe߷2,E^7f&)坫9XbQ}KLLvLSJ*=/[@,yݑ1LѴ=f[el&vw#B%03]c"5-6 XWZO0N% fخbmc|b3RSA`(5ͱX̷?5 -(RC= ?ok?>h昭=\Ԃ~']Dy44{{QvEh(64AJ]Yj[nI_ZhJ}=(yuAcPc_f\^P?W%<0.5\iH *ɩg93oĔ[QJ)INKTt!'yqy %2\G%xfyz\E ^轻ڼ?L&uNq\+1`{  -wuTQC "u ~h-%sv|眽 -zGHY"9|W o'c$G6رMyhcwt)1(o~*cJ&hsXb\#*i:?J;5tOSs̟c2Q"$*afQքM됬 -hDl(cW䎅5L:jbudľI)QQLmVQ0Ay|<9*?8MaJ~5Ns9t{(NC:ky_l+#moշsM8>^/҄kkK.ARKY!51Oھ54k'; -yuY"R3؆va1u}wITvYq Nŭ35 blp>4wݲ:YTP IIDEL[0]aV#^ IKwb;֦Z_lNcJ5vMKڔlJZh;>zpXBS03 ]t7)9 zM2 /N>Z\\럂'Tn/m}:('7.*/kշvu(cLyL-/cK}O] O\+Jl2;:rLk - ЖưU6ّk{6Jٜ-*U) Zb_NiH ;f&.e@| -rmXKo7vH5vO5:0HXn}>ӑW0@Nh2Gr[єl:utoˍn5@2]cM#RReLl]`N\= '6(q6\= =P~y}Zm|gFD2~Uвl=7*-"Jt _c 4X9cG``ozogrLсAٸ-%% G9rFa$Ȳ_w8`84_y,9❁%:ڞgے4hD-H;ZZkT ό(!i%P3e~Y\cGZЌm89i>ZAl*xOf "UyG!;E k$N Ogrꯍ/:zٛs20XG(<%jŨWVԼQlMgm5SG\ӡUgv̏( - z`r/;zl]6aNqP`CYGtV^YL'qg䜲 )Eц;qÝx  pæHkgCJ3>;&2k0x+kؒ{xgVgAˮIhRHEl,(H-}}f {[{31;G;z.1v0IGԎUԒ}@Lw$m-"5¢K; -lӾk ~&$[E WAoU?T(=GLw+{w]RL.9Q2?Jq=0 -R^Z}+K~[_tnynUT E]3qBݣ}u{Ƒ8bf@ϳᗐjr~oJS7ۅW6GZo!oϬ 3 ,ea r[i5a0!LʇU6؎P)Cchn3sksl\fG_C.S|3jg_C "ǡ?ʰ.XM$z*Y 
չcd<쮠kר !ɅWz;/|t:-y{IQ `#RX`v5ޒM6k2\Yx$2eK޵HhLËw <ƮC5Ӑ - ض緖XP3>nYz0-e{59XAE{ɑ8{J9tH{dcp>GGvAE0PQ#k|jk`= 2rwPyX޳ avM7Zil=<СLF`oeepJ/2~Ku~߂ Yk[O p󭍉{ٚQ)&p[;{KLiڑrw箉<sYQjRxPS%"0W7Q%)^|gl^@dF~w+.;MŸþ>'!^52vO;{eQ-I㓠!@m91ӱ5HOh-aH[{dsqlg]vQiCwˣ7?]]1n2+_s<\lNLX +H!0l۔6=-|O] WR_jI1w,p@ 4O`rd4 .k 8,7E|,>a˷AfHW=Qkbա`rvlŴ8Czt,=p"a -$arD=58 ʍzɥ1lR<9Nr9D_F(Y*yD'Yt6q.%wr132L^rh~Ĺe`힁 -;p؎IHZx6y1Nྛ-9IA=>G\5E8Ȧp}4& -H{N -2+5@?׮O /Q-7Wk_Ԝkz{\=<<]+U=xccnT@5pIHV[/ݽͅIk8:L8ټ#;tY|v`_C۞CA3㎒|#0C(>2w꓀_y&yj$l| o]3ռkR7~}lƂv4m) -Bo`فքrW,wzcEp#oc R~}m lmS3f3W]dm1i_04HbJb -TozutWzQt~SStѶ1K?se,s5%T<4< \骾mA3vq jL_vT! -*PE{]dɱ?/S3G"}/LLuKƍϿ=0x|wmt[ĴLGʐs @YPV:~J'{7cϵ>\=g`ZIc7"*: }kb{W;ҡ9Z̘jyC Ca 8Ėtl즂Rca,U&=|cATtrXzMܞWwW>k1@Ciߘ.o%?H@ˈ*D_ ±B~֋INl]{ ?kV/:~oQLft _oc =$kS 6sOm{>"ԬMڒ@Ru#Ѐؖ*-}-&fKhw_9xć۞q[V"~fsg9TWCm>$}=+: HV{Zے*.|sC5 -L_xn_恴-Yg'/SV:E>H 2#`/4xUd՞alG*y.W[ + ܱ -ړcʷ&rFm7`?J!9!9x#<ȌɈQ*/BT] EqCEDSL ͍;"O`h@ZEJ베Ůxh&öoL3CoN ~ۘ'ZU翘—?嶺mX6'0RؔJbI(2[s$˿0[CW.D׾睟g3њ haȫRΊ/n)Sodxgvs5qόT 8ؖgv{g`Q}5~;V}~p'@ -5?I_zjnMRCtDKdsʖwɾؘw , 2x}\ڒOg9aiG_tYx#,)SW<8"kNVYyC:̦8iWA(,+-¶{ -F!Pw*_3:m]ޞH)0yH"4{[Cky)$'/32N\#2 l>0F6&GdEM}G!)LLܡEHUzq_ϧHE^@st7_7޲^_nӪ+JFɅ%J@UwӍ$^Sپa) nc]Zz[_n/>6Q!3ZDؖ_"#O$8Tqt} '$Cm 7pTf@/:ҧ쨠yܚG_m_zEA{yZ{Og% ZB/1g-`fuҠd13/>M+}2)Ӑ a4$MRl:N/+ /**JA g'OA;)ukc b$`[huM"j;nx&ًs5ϿX^Xݘg'×FRO\trD+ސ> -9F2¯a1c6n:;~-23Yݯ{ {hFmovQ1-uu5#6EXgmJ?dwC2\_yq+vOgI?QK}59g0?(?xDv;I]s쟶;^%}v6=phXRQc잁GV+T𕽷No[ƷҗYxm̖*rY=袥躆|QJN8Ut5&5h`,$%^+ny!1V|?,iH#rtC=JbK@ӞUCJȼ-–M fGdY͓JCլS;} 0f꼱A@BZi9|=MO9D xح)j.c4"RxjX-l¯&T-cnO)} zh#BM >\ºsȒkɰ -_9ݑyƑv)XY3VTI֜vrW{Y@N2T2R.i#/ -X&ЕO&<so~]:c\\—K^A']8=U|e=?|-z„k_E'67WsgM\z)n{kz5=;+w#$,gx=K(y <+uob@<ݘ9*2e 0gSȓ3ޯ\r_iґ?;߻*zbGUԴ+wrjXYE@oST5ZG(+DJ7}mO$](ї_ò.~2|wvVooV:Y##uK -}'Vl̮Ej`8$Y,>.i9ּ5xkV]02~`YDv#_@ -~ -p*/x{+n6aYKꊧ>&dO5ՋP{ƞ1 $ih1y?{o[{u/$S*xUb%",TxD@FX{|U,CnJ_@xjC%~k -TF,ѓOi?E5X:FG6&u[*2T{'W#BP*cz\_S+'}`AؒυMgT5_=[n1_88ᖂ_WM-Sa)2>{%\r;"JBI` .ؐQkjzㆵ,Wh\ώ5t}gSό&: ,OD@3qٺo)_q+~9 {wFɬ̼wWc`]0p0zÍ>ҾY\κʧ?ۑAAFHFdO-M7 kn˙?ZT;9)kV`XhKj^ #%qjG/H^M'g[A61 7ے1ٔБ]Ɩ,3qd,W*E O7=6nyŕËurBd~'Gx`c 
2-AXȏF'хQ.׷IqEBw -;Ӟ!6 ,| a{: }@*0N#&1%)dDLM~`M zvL !-D聍ٳp:&j_CnѲ+̠rPJϺGn#3E[ jBՖաZHg_)3a9:CmlIܱp^ )w(pW^O wt+*FO+sst"a{Wmt S7iVQg:l@h.'BOVyvowK_=hxgK *(%JwpW˯0K(:;Z貜V~iSEO?jS{6LB_0kޜv7\wc3zNm3yn)NRTt ռ>Qw79Xqm'jN0j~{̗߻!r\odyJ/*^$Oj))勼W?mwSg0u6nZ /JI5?=*Ж6̟%\_ }wrJA)J|l+vW6F/wAlNUr6=+&z^PFp=YAO #%^-qѴgyFOѱЖLYH|d6}X%BNtB` 0М]5=<ϑsxG LZpAؚf8mA1hN fiM_Ga3c\`Vܚm\gevVH-m=cMSin77uf\5 P)`P6}` >z_”I԰ `*wHls;ph,DXPXY;yda`-TOܷ066+kA9Y!4hlv'0"oPO'IAسuq˽͙G־[ NmW"iU}ۣ7|mOBK -igi~o0#O5tPD˄[jt¶r,.? A+9i_f|7_Y L~2 -۞*m/ ]O}\N@F^ qu#ݥƮvU f* knŦh;,=]5iChn~2ͺ@)$$Mpa>K%U㔽'@>^Yڏc SSĜ_]$ORH&㼎[~34t3n~6 z{O;fڞ;{VN!3ĒMG+ v:{8:h R׺nG8aw=%Xfx֗jJoapeMr$Ÿn:UBǁYwg1&ތrM ޝR2(w7`i*L( xGM07 lRe[̡R%]"cTm~ﱨ{ -`RS*n- "6v6lMԲRSoUmζx -ʐCϭf!zOyorC -xFD8Imt֟/[枬h.&w^PT:@-$6mͦNjCЛSJVzZӻǟ2+^QtTͽUQ953κ[uCdpνSԂ4SP#ɿfpvWܛg?ny}Er=# Sa ;-/QЫh1O3VXvG_n5{'k,S9|)*}.YkDuT͝-w^R~GԄC=Cgc3pX{F24Cm+IwӸwy{gݫoP(5tbl̔^bZaYgEw7g!SyxFL);#  -tNHlM1ܛQq{c[wU X7~mjzx4) N%j,`CɧljV%BO' 19dG?4x -]][{A)%g_=!GO=S)dʎ*?ة*nB9+=57Wc= -+ِ8Z}iÀFu/"c6#LG䙆&Jlil -ӚW/Liv]H15GscP[wȜ_VG:^{ĵ'xfI)BWF*i +I'6^瞉fh)X-a-eLG -JՖVgnPP=P%m-K=S (媜S3(A登ko,~QKX>w󜓌"(@?wNr T{)I[ҀT|mI`{+9\w}g홄Xp~}ZǪ[K쟔סetmkŚ: Qu}k߻X-<m jCJ,1OK|b͐][桽-"uQݭπ[晇ecqSGT':Ud&`"[|[y8),y~"&bMؑ ,5dW7P͵@6 JzS<6H?))wPaT+t4h$9\$n*Ā˯qʇx}n۳8٘'\Z?(,-0ji5td`=#8Gn-zzMlv̑KBz.u{ i5AlKqM> ʠi{zdyP*vK.)&[¯~0>6m˨ -J}H\L yZ9$c7Gpァ%7EBᦄZ%gÈ rA]U;+oO5>V چmk󜚛 -^@G44URudk)ZaS=kSJSC;3v2~`6lkP{+FkЗyd -hybɉ>1xU=^nX-9+TT~1si^9^DJ{(ޥOXZƤcssofSvR@l k{ůc#-s**utU}a K%LEP)hu~%+ڧY^% ;x]=| -tvZE?JZhFA>y ,Ȉȑ!3s kR3rd=3ySsQ`= ڐ6xurI@i\`ԭsè:M/Zx -&㋂2zcZ"NWŁDo5ψi^<KښEưѱ2M)Ti2/-#7;3~v*I5*~Kܠ2 в`>%.BA>%<'`y XyL#K)-##6 -U0@nx({t _:HؘmH9`tY_w`Ƨ>)4{[Gi6uV蘰XomzdɻvR֒k!"Q̬wP*]='C;C󣺶Yo&4ĺ="*B0Q-j`jr\c Pv¡-Ss1&Q5&^4lxacdGv.1LTxXOڐ -㱱v RFgZH,֖X59*9ű49j6l0^U%BeXMm5s臫{v0?Iv -ZX -j¢tL^}:, --9|X%'ToiE4΄BцFV}Q 7 B3sՀk5ӫ|:r -h/ $'ՎnwQ;%%d $>ڞlx6 O19!53h=NR. 
N k?qL`̶-y+Ґk4D@1~]ڋ7KMl,Cʢ>5O-vT!NS6a`ǽ 5۸mҳ1y\sD|X Xe!5̂Gt*4[MtigC=)Gٛ=3 m`ٰ+rjK'(%3䪳kOHؔ@lcGxӒc@|.Pk3:?{IAr[Zګ~ -!BP ~5|`?Yx!EgTTPT@R\[Eͯgn̷VA^h ]V dϓw[?D,&AۦNap𭰰)dKÆo 1[U G_W0.} - i!Y"s&K)興8mD]quMED;k©]4PJr}XhɺI\PY@l<޶I*(F:`da˔6m-Cm=|T_Dl"5Gx]skmAluM7{U1] Υ~`T``p_:ʨchlimst8>]Aze%T&Yͺ1Zv> ->7PZ&)塢V_u,"{ 7 FA=:jBڨو}@/[c٘]зccQrju%5\T7hB&>k)޵ -vV mv66O ucbPLlcеi14VtRi̜0;'TwJZ,ڻc V `^h dM*|몄{b} !E oOXWp] "iZZdmjxMy)0*EO%ʡJxnR% "S:`Gtøw cuE/է7 |ZZKLG-70`zմ|Rl\ģ"q7H' Â2kOjϧ v22erÎ}^ؙCشٵ fI_WAƪbDCtc4_#ǚ%|}XmAg¶mleݧ&5ࡗ;?u&uaqȇ;=LR.gie!kdo.c\rrwo2tuBȿ-2yAodxhkF˳ᮜ>NtdtOZoic&n@<@F`+_.A\N8[!7,M>mZb{k -E1eq| WVs|\!,K4A USy iq-_QQA6D秨&A~Hl]߇̮=1] -ҝbw "4v39<}<ڊF7u W!aaL(5Z!Rf2Fs4 g},BRAɹO/zkJ҆^A*iߚj]r0SUw\{4_^i_hޝmWo/[kǵ2.lv7I;AZ_mk!B[)Oif+\"7-U7@' -#zB -Pi?EbMM+/۔|}?g'+T57%N RgGD"ݐF.Z,DA5_{؉!3?R䯘8#xC>A»^r;evx6!2/,Na9TmZf՘IY(VJ:eK~D;hIrf9Ak/S<>e;u7{tlkYS[삦ld恜j}jYh sT% -Vbjgy%́Rΐ7/|VK> -tI:2Ln_R'KN?C~!ƪa(Djъ_ޗ#7 CIx|s#-V -OPGOcLr ]{ONݺ{,lӰ}1?ZA4ʻ*%bS}s_P@ּJ% $->_akN.0`5kOttȯs>C*jfɚ8mc\޴˩(3! O]>e]{8Sgoݗ97n8:8:^ObK~s+.񢯩'}h{\נ 2EL%ttMmUW%J'2EZW(Yoo 1Q iº2Ⱥ/% -*q>^bO9'E9?D&p -rx}/i<g/dh K&j2Y-g -EVuxv#PN9  9FK1 pw^Dk}H/:8 ~J{,-*viiRP<(ŕmP^)Y@P,/ѤW0^Zfۍ1I׽R=|y5|Zc^[GڔVifeD:f-@O(k~J+#kI€yp9\BעGn$!*n6&ͷUyS״I(1M頖} ?{ĸQr?z\Ǚtli7b5%j2#5UŢ/euƕd`s*D{hl ~ /ŏ `#7G΅?:y~H4B -߷ՈҖ+Xe5:j@sY:Jz[8z'6_n~ykቕ?EPnҨoLNڒ)w zH-ڥ`#/}Rk`,w_S|[wPo?$gWk*5) 7aLIKJS1MXA!V<G=ÍO'dA}'7pf-G߲].rE9+~]ÇZGH -,)OSX2IxRjwK!.~(뱙ew3Pmϳ gT[>Bhֵ<(~\R5;-mʂ.=V"J^,՟v keO]Qrq]rjSѺMK9 ~1rb )홇Q:wE<7O8uxEwZ\r*_]wsΒBY`&ϰ=\XR>SҴj!$ŧLx3IE:gMb0lf4WO(ZRd`ǢjfIښi^i8W&p\ Ls9R6.1) ^/,K*k|gMrnڒ6=ȈHvav{P^YďQ"J;ob^8AlF}QHmn -3 -`{Z6:RG[eCbݥojT5jU@KO|ㄯ3=LHz +t- kFJ᪾ߔn8WmW)EԶ֞$-Wv6k^%opOɌ81XU!IUY# 3JIYVcOWKR1K>ڢ.8F'S]&E2ukeO:Rڒ7n7({F5RY/>ݍQ (1Y-bJdNMWxzaYu?Eo'E - N1R?&*5q4к ݛ(X5qzID+5zbɝGo=H5[\ɕg%Yw]ε+Zʸ:+Cvj-m#*xc QQ*7 -h|#^֦wK2!E'vZL=*e\.VpT^3)i=k(6у -ċI:^Q:U鹄H,3Yg֩BK[a!AЈ~txyclb 4LpU6>SHa?C3-k2%kQXWEd;*yU-.v9.M5ey_߮0YYӃUIE3"EyI+Z+jD./@;s]X}4^׸g(.\3V$CCyٮ87TcWfcMp\ (n눗4Djk-8 ?Z3s-c5pt@Κqnb&KX rp=

ě4LJ@#QTy%m$Kv` )#:T94V!tqXX5u+W ݲe-"-ԋi꾺q{wfW]lmć9sU vG&mqY[Pe8;-yF%5 G5kClȩbi*`w8mtբ^KCjjۀ9(6͢p_UyA" {J[dy:RB^}UD=76>6 a3`|213RY`wB,>AYYNWۦy؃3kuRt -:NE&:dQH757Y]52dmîvX6L|(;wEYTt]]:mi3 -ÜM1J\,\>9oKʽڍ?-!YPkZvpzA_kKSu"F^V5mbʱK2tMRm&ϕWZNZMU-Vm N+, -'>ʛ -q tP!蕪ECLDDTj@Vmp*A&=o ]/)ʺYkvj&+Xj~^tbBVWEPU ݦćd$)'b*q6XRSGiV [֔ 6 W%L7TE;C3rhdY(=Ѧ))PM|(-{2C-E+sYNKYQvҶ!|`Q2">bO;R21p'&l_K5=2lLfRds 0-bD(&̘"u^M4nX+)v!\Y|>Sy9 <3e&ʑhbk ]0r5iu[AZ U7|푲-*JC# td,;z_$5ߔ#c/(~w[8ۃ:WNJoH‚C=|qdf6GA)"ZR,_0D}=В2ZPsŬ%'cJ˸XR":?6*2,v\5ԌSK1aUɄ2_,q;:.bItqjOؕiFJ+m8 -ʦA׹SMoy3 JU$x6ϥVmaGU"[&J_.&3,̟ 20'צafGjz&Z6|NF137ǚzWM˺rhiyd'93 p-4zJiOF -endstream endobj 314 0 obj <>stream -?ZL}oWӷ}%-y"& |Tgr)%-bCS=5@NjB>_{8%ڛtGqWb|ԑaf:1@GRMZm{"(1gc#v1+"\eMg|ƚWem)jKR=טh%b;y U)5VSwkm?.Peؕ^`Qs8BG+R IQ7o'fn{}ldjjucA -c%NWsD;RD P J$Cc#}bu;ue1ŴRUݐbu )tcdC}t0RDG^C؝j⾑\UL4f(G/k;Z<qZ*ئ, VlEQv)iW)+䗋).L,hUQ]CI>SQ}9_VcRз=9!.FٕU{] QѳZHKLkU?%/ܑ~/߫osmk/J<3Gf|tQ$ƤIiW3W͕ -T\̐q1%\N -wa;CP916tK/ U5eΗWO-|]O=`L4,}py]}5 eUu>o]!WvE!SHڂÜ}z8XF.>.b=~>ۆr,}7TоX7 2WGݷEܚNz3@H[ -lF?eCh T{; -^85&N ړdMvG GzZց%+ dkЋouo&^w;OuB?cnp!{R|TUңaZBorJȭgʄ˃]+4D̓ەm)&d]2h,|8V{g1;&)J^Pa}c} 6$℧X^dܟUUz&t=x]'GZt)YW3t]u)q>4sha!7w{j"g- an 6 fWN!(c)핵;̣qvPYE!F}/e004&ٖvG<qPQġ8 kbbw\GNY6qCؔ=Os5q:? Ʃ^u&_NUTՌ.֏ږB=vfn[=5K[/;T;3=CzA{0s#.w:c{b![JU-# *9c~+٘tl[0"R\r6SZm.+f[*6ؐA}W>o+!'y5J\ `{=k}[+c˝(7)DlIu]73툏JnVbդ#9uGOǥ~7ƒ 5>xzgOFiYbO ΦȻ/׵ЛWL-d%;SA'HdžM)e1\mꃵ>\l/=raGB ]b%RLЦ{v9c[Hot nxϧn>bTL^\݋w >|>D]mCq}/gy@GZj/&.G1%7%;QAX_W!v)u ́ !e[N)i2 -2;I Ą=53gUb4/T|+Jq]|5 z%+)۳^e|4f'koSM½5h Y| Ayݬ=%9QOț"|wlJj{``"T}- mo H# 'sLDֲ Eqk4'kGmi. 
-}yY(.gC>PEn X(ƸRC|'yQ\y.1zѶޛ<]?+m;Vᩙ6I#!4|a&f͵f9pIW3OWv8J_H{u'%k){*bԮms3F!$δc<'^A 'pgk/oUH -Z#,t]lR\஬(ڗ4so6ފ@ 0JVJo=-nOۑ!Hnw{b _=J:KSq6ƀn+ (1οP`BI_GA#^2 gMIƇ⯷D1l -jX s0Vt<kyoI@JHDc+񑁜,}mI~n<6E?(&f}ՅS/EY=W}SG -ƥm gR덩" x 5K{>cP\lS^!>B0W6E0hԦ߶ɺ; -  f[cUfF:Yt>o!j7P ku1=V5:u'l$jYX7٘-{0ݘTbut\ 2C[˃1.|]R`UCMaܾ04sc:>5Nxad^퉑k%D/P [q1WU-D_/Kp_[2SC~~җ>XhCQ簸OM%}W{|_k˾ޛK?ݐh "r?,X{s k^lv#w帰rZ/P!N*Dc'Y ,(l kYJR c dVϿПei;eȀ;{J:2,=>SiZRnr -CڐJ3|[!Alp^Og+si6wzIz w[}YNv1XviGLey.:RRpa:hGZثDKsk]mƳFL+19!+m) 5p؁P2o 7 xu*t=Xb%ԄԉWZ=261>l!Tmژ;Ҁ&kf]sZAĩ |D}G]Y6t"}j^4LK}j-uО3POmȽxFXh'|{!öP~UCF>aEB -3eԗ7.95 'ZV.cQy}n6 1bO#@kvdq] |m<ۚzy9U|W{>GʈG}H}%B/ZSUO$]I!Z!z~Au7z&Į^)UA=-{~)͆nn`V=]H|蒐gnBv~=3T -[Rlо #z -=@ fP賣gqt!Yn9ε7W?-`Q$+bUı;Su[NWNȧ΢Z -"7!Es=P :jU:]e(0Ґ*.[Ct!N&&=#ζg~_}2L4CNll}9s Ogjӟ-f M7ӭyNRUN7 g}k };הഫ$D%/%۫]ؘ?'K쮢0r&R=ݙ FVYIdծǧ"{cRx`Ow%k!GkLM)nv3v4F' -c/M 1!pWI?1q;C59~G`q!ĜٻU 5D'n "f^/;. Nڈ{"l(pڎ8Pjb .p[O{:X;dEZXPlqeK9dd)^j(ijZ8 -u3̷\59+c)@, ӭ1Qړi=%)۔½6Cum2ۀtҗ=3jwNe]]eVHVg=ĝD)2Td=-Еf?"mih&*.,v5S'M1r맯C}VUÝۉɿj6Vﭢ؄χaO/O@ 7OcY{ >+=`w0&jn=ꎪ4XFYj\XC 1!N3]U[c-*$Nؒv|2\{}-9KXۮ81 mΤfs_/,J6#jG^ٖ -BM$K"§ -R{+L6AF|aa6dc5YFOd6ɱ򢠅|w)#쥈nGI/Xe 1'⊿M UF>hJpޒCZ}p?D_y`ߗ*OSxa2ח8ٝqqБÌ4.?ohqlоpA@Ͷ'^Ns\82slCԤN+P%kq{Ld;X7ڠ,=5!j{뮌9U#'%Gijf FЋu11ڮ.rތW=*YW>LZP: -'#3r# -#8[FlBT'%pya梏ut腙ؒaD[0=!zSFO$ݽ=DK x.gz.zc-襤_OtܝJp[*|b/*hyy Yݾ=hWy㭨0 'g<.rVt0K]!<6y hi1S_MB]u|R癅?,_e-t?w_3\&dĦ~"͔РztZծ\s7,T^oˉ{t}d`{YeOtV9Mƾ<Ã̅L^x̩;qPz.>`۰!TW[JNJ?w.hi‹6+'3N L0)AUJ[yVE՞< -F$ocD<ًQ3^ S2Ebhjo?j+MɈ_yEJjfr7[A|:H ~x')Vk&]2GZ piU -YME*2<&_H|zPsjxˉ}08sm1(%mOI\\Ksg¯ݵ&3dkRl'Xmә.#EH aWGFZM -ܯu0LJ:p r>h[aqvmM遮R{LHI_]6%)}^Er]$jr{+E m Y0.RB'>sfx;/X"1|dox;jv@;Q ϣt3C|=5- @^ _(y>ln*4 †^LY'clgnPBnYX+؉V5)5T\p8ʁi RBP;OM|_hi7:'>w_ {<4m*T } -,$ّ4(>l;:oDE)$b$Nyk`TߧE, Jg M->?6Al6jC#>=cHɜ}Vu]W4l² 6`M:{o/z_[*)X`el*I#@mK3}Qw3>p4 w^~ԗj+qkzf~3!WgH՜x{`7܋rNԚ;*3xC/PD€۵`#{OF^|e9.IǺeԵ~7B's`_;gFv;T&wnN}`* ծ!$C}P3#+Wy5 ԑ09lEŞЎCM &.:2/,1Ac͢#Km31T;Ր3NneB R kns-u:i6# (: `o7 vl. 3% CMQq.sB9Er93bvɶwƸgSm9o^TnkmM3ubfQN HQM ->. 
;Pc,6q'F:bYmTОWYʧW5}% &XO˙邻tC]ͬ%'e{홺wyn{l$p>S^t/9ߏǹXD}!ly}CcE ~Vy)t}}ad|Wmo$$/֟XZ+S" (I3p:s1%^/.t=mOF2eR3X]rw5TM9y(*$D?2Ō^BK⃉'A]Ux'&y6#cMHҔv|w/Q]so"U>QgJjlPKChcEcYu {Dʺb,đt_B\- -婏Le1_k1g\__vxF ;R:xseS!jxL@=*=)/{S%/e9[_la XWh8v+m98Xï gZ2/?n*zTȟ\KkC˅fm~2?zuCN =lYՕr5yF#q('!8[騠!zg -Zd^*k{jV$-YkRF$X{tiٟ_kyo@\VZf腗 "|M<ǃ[]CM֊ł-sW[J@]?7sXa\N#EC(3͉=h/@TV}2ƄhWs-ϲkyP1[r6xcfufCU]R;&j rkq)5EvFOcԈ 1>H_}N~ߏ  2U01H?62^/YERTXm+mfycB4ى& i}ؑny3QB}pz + -{÷PMI꣱FmsM*2^o 7s]vϻ -LԪjn)Ox_05e+i5i-cE8M>v*qvcuɁ:5O T쾧CEl ! BM1 }OkrL,vlh0 Sͩ/wԳr=WW6 ;Qt(uL0=teYFM,[#f;ԋ1xr^FKYCq*ؔuQ((-dGk/ș':R(&ܮ^fX*w ]ӽn+7pU;RqSܓ)tI/O?ž_[Iⲋys߈M3?D\,elmμJ:R±v. ޕz6t[aW/-%>tb f#@X8557f|oʃn BƆZʪ9ٔVEE+ow0(aMV -Vj -^)d]Bn]r脻"=Ĩ/+"/_W\GL7>Qž|oz6LO:v-3?,&/v8o+ >K2JCCc][O4bWn]9k]J5סv†o+~uOf^lI| \䒄hu]BǞ$HO r\{T&E8&y9D㟈w -ϷA>M|D/.pܘz)HOʲJ!}s]t/&l2 b՘)&Cϥf ӭ!x]F E5O'&#qc- , B: <ے|E<2Qq:q?՝SUUvc%s[EV =2_~#ev1^LUѓIa -bs }ޑ#kwrve!9l3d.1 KJ9tGǾȦ(km7Ӛr[wĆ뺸oW %5=Tr4 G g櫹ȄĽalȞZRBz=`-x:VVSS6e0mQ책W&'ZҜqGZڑ|UjcwT,2q,()~UZ9DY,A{fVN쾊@a>yw~'%ƚr1;궱&z?1PEn!^IYo!GS=V?ԔtUYn_ 4C]q@UVp3©7\}gҊyqQbq)V<`0#%Q4e,udQ*vx]0lw|1SZ,̴GϕU~zDIIAjD薁]C!~U\1<މ9F̹0ҭ.3\|e@Qxg8 x8߫.5QON913\,-Y^lk֫*\́9.@c^-J}\lzяȐ1eAX;уbfآZȄK,?~j_)]. eɞ) &kc6)0ORJfح1[ٕ=?(<'}X/siT{1RCj~k{qY͗o-ܧ ,x7ϙ׍o ?/WU|j>tgsRr<">ά͸(G>:3лkj ;ƫw hm-a?}5Wk/#؍yAO60sa!-qm}~u q:bwbiF>/yMzw@Eϭ>*Q^9ƶ~_t]5G"g;^t U}Ձ+o[-~rªۂQ+V^~yȈV - z}7kޗ г_IfdVFh}7蓮_aW^/o+x˯)\nyiM@59t[4ysXɞB*tq#/F/=o7-h} P6'I׶No\1yP3Zϱ)W=/{ݭ$4+OJ*zs(&U>o1}Ki'TثQ=64-l.ũQ@T#% \4oq~sY q]#q=csLouΓf’Z)/as -~m,5<*x~ ;kwYUp O%,bGxѼ=FS}u۷T\p<4>bcw\B^"y_nlMv)ep iRfC#mNusHIV~ki2 5CF -Y[Ss=abĎFB/jHg|}${1D0>;@i$UŒAm -ZjKGLw8o_#N#*p768=kc 3bjkUЀO}sx&aqV&r.>;fa}*zq`8dZbeP)*EI:jg>04 ,LZ'W<͗'^7]y˶Q~QPݯa13_dʛ]2JSVP-Bm;UxcNnr[7DRL(uO-N.8^~C6(_~ů*ؔYuXWSk._lMZ 1鸉ӛ+/GU_@n؊}PΤM̎Rb.F<]}K:sjmy&!bs괖A^_yV֛|I #Ҩݕ4zx/ܹ̔1 ? 
V]uY>twmY -(!-zB;.6:4fE9efn8Cgs./[{{)\_+ĭĸפK[c3zO<=m7+~ -ty=x 'tƈp%گ$fl,|anݪh֒Pwng^WQ>q 7 %`w]2_ 3N&b[+Y_kXs} aHMnڞ%7DެxӃ-?$U6#=Q+&voE ȽwvSV 螲y!,`EkP_Cq?n:"TTʐѐ;PD67;@ -$<=$+}3ʌ^H,8\J8A;RšNߞlK_OlLp\ ѵ73yJWsGf5Y?b6giSA 2>lyV|<}tz!4W~Z^oPik|Ԫ^0?cԥ"jz;4(dDC=4ٞO%y#*f^w +?[ْ29ȝ^jkK"eGtĎqӻfz뎗G-xc~W e3x7}g7[ݚ:d@ʀZ316hyjU,h)N?{tPC\;SzձzԎYMcv6hY6F.iWY/71{6Ē 9ZM½ﭲپ9dM ]J>@M\l*ǡX'UoNJҍɮq.a"*A_ߘF97}HBn;);nrwJh[rNhLlT fy^g`ߛ5 Ӿo -]0V.:fڜpybkU|os&K@㴬ZͿ`v} ۄVN˶@(8k -1;*.@Xetak󬮠^O8JNҚV-jE\KK-DMk1zxѸ:;> Sn4n-R\Ç||xp~&\LٹXPGZS6!)mbT\J]yv(8oPwD,<[ĉYBMT/ m8iGi+QH'HPaݞ8ٞS?N|V֦┞̘ĜG -y"7 1=1( -)Q=!l 7NƍZz#e\Q"` tt\GnjMI3ϺGv\"a)dŵ|L(F4GBzzW%`n(EuꈁڙJ1ɤ똃KZ9|82h>jSƁXxx)5 0+d" ?l|ҖR~륷%a5ж/UռGY]c:ig7 Ƙ - $i`-AM.oJfC!h{66mUԚ)m!&1bX\LYXq#;5$Blp׽0d|uHIYy AJ@{&s %LlX@Ya+%V:4rm -蝮h3c:)9ҢzLDŒ+|@˦L1r?n<Ou{]hsmUqC!ޠ C?|4T߁"YiZmh{?: _J(1bs{rs׽/K-  C®BЛ2iI={{qw忏i谌sa!F2&ZKdb\Om͗ouh(b?{kQQV1-ou|ur}Q9krzc*bmVz>Ӊ &oa6WBzsB}~/|.Vf8 -_`{oM)LЃ]0qd{X᳗?wg8r)DY'rIIPc#fB\,$8h{ڑ<қ榭iJ%9jt󗀑ܬ&a]|E?2lMM N ?FucKo96&f@ǍʨTQ9w~& nJ^|k3) vz%(b#SYŨ -w%c4gL\d -sIsi94"Z܍H707HiI Y-q=#e"2V% -iɿ #`< p! ׯ]2Ou_lqE9fcԬG8E1ZVB]H~&4|dsHh_6~WZO{ 8k=j ( hg;/_Jhr 0goIW~jX-ۘ$ V~:%,[4 t@R88 -ܵU@HxȰڸ՗ _f`:m(aGt|d`Yhĕ.@+1V_9P4/S矒䥬Rp Q=ˬ kĠjr'Wm?5zS뽆@.)=w -vDnNPo5Bt*dxvKZ6L4xnay~A:cm)ھVɭI@ii \4ˤyX~Mv&4c.I1WM9'PNZ_BOjZ}_(^u^|[#OY2r/nXD3d输OS W3&Zw$'-t$\Pl0Q{?e, W4ov2Q!No wQ7xo?W~#-H$qAA/4ZVxu| D@I,{^!woA,Ą ?d`R=-g/Z݀z} -z4q1rl\&7.vTo_w?0=Ǫ)NƨsW҅Lɔy-i&֦BJ`O/a0n37xה˾$tfU* |V3p;e26V_!dtHR}3[qpI_w6T搖֜41i36ޫ;> ko T|\UŽաgQ-.1kMZcC>k| [}g|Yw;wX~aS? <8zL}Ijh $|L{RlL]*lNzϛltʍZv٧@ŬQ2?2rzsf #gKFV%1Q`=/I;6&vo6|3SZzoǥ'7_"D`e)7z^ZusFO툫=o]_e54I=ދ{CwR[kZy;ӌf%,=j!k&5,xXCTீpUA%˞7FQs,;)`H'Į.@]X}w9"V0-w}lklU@-p'բC*b}̄,\z^Jq=]\~<5{6i&\ L &,ukSK)Գ{'Qg}KyR]A_aA}y8oAŗ]WZb[lQ瑥 l]U(f^]}}pGviwea!NܚWE\Zj8-uK6̜/xҜKI M #1jaV&h⣃jF -wiIa\Ϻ+}@χ t;(p3|VWaYX eBB -j%d-\dAԺF+ B}97q@|r:8W1jj]RL,vi7ɿ_PLC:_6skS']O+? ʹM+ 1=' $Q.@LԪ՞J@#f>:/> *I (]_F0?<7Y7ƚ.EY~g ')V=[({윇G6SIAk~k1WPsvY5A*)I72&e!D_|s h7@Qj ~}U}&_~ḵ{#JlO4ٞ1=I. 
)X]IOP&x_JʾZxE|yujbUJ; 㟁_kj)B*\"vu*0Ey<GYoݾth]7t 1#gĵ'KyF}T'Tx?UȰQ0jcPM54|\<478PJB݅_ww VVo΂e -uNF)u[o%׼_˒FW%B숪]Y ZboS:|;L1Ho6ǻc[}K6Ʈ -d)v(B@AO\_]7x5rN4 Z~Ewq[ ~^)lB,TN$۞VGܜ@e*isC*j #Y/9G7>zƤEbjPQjZjc",ʆwS@;ؼ HDu?^_`˂He!ݹ16EyxAM9=_]adIgSQ#1 -+gd2׶)#nY,",,LO8@U<'|W˿)17/ "Y@j&ew7o< :᩿SK?ـ7$LߋFS%dzDq3掫ϯ_mN~Rwy>y…?D׹K'O^CUS`nt 'ap7kuHopC`_ܹ[K>y -8yrv48?~^{:$ㄲsO_IQQLM$ԸVB -9V{@莛9'#eUGUʸRv3clJ!3&%eZ*Bàn)ݛSWq|YtX'tu9mb;?M༠/0COc3PC쵄^R YZ1lJ9}A,xω -_S*֚r40j]TC\H]{K8}Iu9 SS!m2:'!ƅzPVF1F]yh\ZjDID^@[~qx%ؙ׭߅"CsV/FՌݙ2 -9º~VP%#|X@e`<褙ޕHE̚yPbZvGHͨYi3me퇍Y3`vb~.lNJg5IxA-6"Ge6<"QaQ~/S3N.>m&n V%ĊT2|N!#cbR6&•EtCj@+|+P+V0n4`6ZkBGIP$p>vXh٘o̒b6>nm -5:4(Z[T)#:k"3f19eSS = ƔHin59 y mR.!fT sF"/8-^m>kUg1 93 -Q؏ˏ㇔ -_Ԑ#:jЏ|r6 ;D^ZxZ놯:|iZG($̔U@H@M2>4zrN-iA,0;y|8ml`̖ٚ3{rVFWY 5+k&JKRK@,XCHD]:G + cz)9eq3n00!- ʅ L_{?e~z6Ԕ(V6kc,9 QRSŌf"lBZL7r6f_ԛ Y!bBM>_KظHhgeI~e`R6Jk‡M)ijY5Ӈ v%d攱t՜OY|q̺]_Ï"`n]}?r&jˎS/w#zXQ!rfj3)37&oq:CY $u̶Wݘ-Q$4!pb" D5֘26v+s f\tH =v{t7M.#?8 TK9ZMt{u Xϑŗ=Jz#5f78s`L҈UwiG5QJ́oiX==#w$8n]!8\qWW'g*ǬAƎm_vx`R$\Y~:S~lK긽y~7G oaG_vl@MC~&BUˆ-`V4q"!Sv!ckp%eGus +ǬۿO8W*Qw92*2zVoaSf>6kH =&{~N&fQv,X\ ́qiym6Ը- qc䕵/7б;UN̓?Y:`Q 17P1s ҍ]XV(k~e|MϩTBŐ<+xK%Ԗ7_:iz鷖^ߡ56~̮̙X)0ɾo}@ C@ILy較G9[S]Gj{73Hhx `DKo5~r@4ZVVobhZJI#gs~1)Q߉uI3I.XҜMD(uQ@Bl8`btcZr .VP{}bF|MnxvsRAҐ1!7]ؘ4?z⌋]K _.WX33F:e,9D##d!zF b6:` m cQ{Y~Es!`D֠R Ḏ j\<@2fauAx6Bju,2fòN5j7:Pbi1P{VG2 뱓}'@u)#ЀvFϟlByDKP/&ɕYà$#jfoXԆgȕ )ewnޯ7s ?zRrU -50w*چ*JNWJ`YHp%cIm߹W3cK8F'5ܞOq9'3=հILՀӰ) #c4g&%Ԗm%xьA@͘$̔AHHp&;E݂pc=`4NF55e*ۓf>9,f$RG"JoR6RS}:nŭ^0x|jgK-,Zw,m` y|f ]="nGPCOh{ >-eeFrmh҃:juo<)2.f_Dd..`|:TqݟMuO7қ&޵ oB >dh[Oޛ/氻X,T'$2%"j -pT+ZC%ϢHi5;?q;Ρ w&sޡNl{|cmg]y6 'a&bzjホx]D˸e aSf0e-2P@k ejBoZ1 9TnĕΔHd^N ̋[JN۾Si\I$aQ5˄PsӰ39jm,dC m"RZ>Hzu9nhi&M0313,ے,!c̲,̶d1Zv\}?uٲ4}sΥ!_o'ͿaB.KFJmGAQ;éW~\M j8xU)EOg_qd]uʡB@6.y -8Gq9l(0{dc@e}9l@UXC앓 -j`i\ #p2|;@|D:,?Qq\vc~SESpQR2KB@9>5SG 3Y HyGK~"iz*rԴRyɒP2I=t, %U^{WB_FysxP7 ->~cW352vb]Nvk 3Q0ǣEۧnjgY`N'Z2t(gFx#0Gb`hQR qS*:%'EMޙfZ聢uڮmy=_0ԕc4wE|KM@~1 -ۂf :!;3z|&Đ9\cTJôD k06} -߃iӥn `WZ -x^鄜bcxg tgց"CpΡcCZh펁 hKz䘵󰆅Ϲ5}w9c&"PN y58Y3AH 
9?`9d颇kCW344w$zkgk̐O(~vOŹҍAR |P2jrT})&!nv+J6گC`d~p/fȀ  -5Azb>xz!;lAZ3YG@cX7M S֯<2ޫ:^U^&+jlrn[/h[&aL3Je. %-h`a|J:.kżƯTEǫvxEP?ޥ!RRW:Bj$ --WVj>gmN"b7 x7 M>CeCp<6 'fZҴ?/~s0-kZ-xh'zCh9dQbh/n 1=оKib$9>l.9^VW uxx]jdlĮW5^!,c,]WbrO9L 2fy*0_WI$.-P2%=1|73cO bBAPn !cwྶ+xe\<1u -9y:Ux;VOp6Scm/`|xAFs O=JLGG)2g_>PX f -Z'hE{37>gs;Gq֫9@FAx8CKS'SVFb7fqӒshhɒySޡJ!/Sܳ**9h0gqد U/%%:lYrz[*vx(ug>7K5tK9:jwJgM>)=>JK -+:lW+9b9wa= -/. (Fo(~{8wPZdw0\""#٫bO( h$5|r@3qqr1õ :Yp 9.uQӯ~}8) Vҏ}ec4 -k5豍!9P ."WLF73!+<FYy3 `&cyNJVYq%lޏ8j!Ւ%Q13s,P8TʖFojۿXX..w8$^l'#O kݺ:"__W"t6\!x wj?tFxct ض,gZT."RzFB\{Q(%>sMg`ka&U02_#`[ځ'W:^p'k|^wQ\i@L]ݶa޸yPn\J xWEJɩ(<ɇ$Ѳ盽)#שQӜ #{m>MMeaA r5AvE9j}nuJi>%|; ˛|R: :ؑq-$B<95;RQn5)0?+L -}l*\SGچnY;^to~MxkAŕ j̱ϭl+:`ҥ@Gq(N6ue[A{YjD7N<謃G[x!>3Դ"49iwh`RdJthfP]nFFWG)8^zueViU2yQWPa" U"cvF~;%!yu,|RU!sk2˖Pπ.B= U|QjK621nhhqʿ"~2 n=txVE q'10-WX"95T|=C>ӯ%BvJؗ^}p&da&6c`mJTlV6!R~Y;\)o J,ТZop aR)E.n Ajٲwyb:bw')5I7FbNHNڙH֛v_UrZ 1 -7MԲZ| 8C:#%"4#wo?ɹ;3O)<1$1#'de,k&u$XmAאrbWI/Hk$y ͡ħ'^MAo೎t*ZSƂ-jfRWˢJ~gEAP -]2v=5E8gY04]j̭!sr`Kr?hhգb]2R_C,^R|zB[GC{Ӧ~کiqj>L5A…u̲Z䒓ol -/UOc33}:t±XxH*PɇJLSgMBzw&5B3 /BbE! | wqPoL@A£{RwgK_H1EQoExMjKGKսGVE Aje;qeni+#נV|q{L,@ o K|wdtȩ$Ζ<еes< \Q_fo ]N,r:fm-!3 ChQʩ$$@-U\*^5? liO<5u˧  lu -е|w3ri} 쐎IY" *:@  -0ߓQ>%}e\-S=IToW;SN(,O, 0 8SsY69-ȗR}wG&`6{XdT,̯njl66K -j8䰉CI99i fVXjy>g,s'˂r,.XX iG,`Aӊٌ>Z /x0q.eiֵi0V9&.cں#SM[H/;C9/ϕuX|\ԸMQk,`"Rʩf6ɥ&gzuLђd+ .S&Bv`Z[& >K?,iWY=^,"~Q? 
\RAgm#^n-ds=,WkK -M&i +Bq?r'R>~PK!荚%.+dgBU7Kr|Cu^Nč gWbJ BtU>plW\9\6GʆΧ|ZQ>)`?:d}*r -7|ϋ9p&{@.؛Av"_p9'*-򺀾:x :,#[A6~1@ל I(l̃@OwA PIv=d|WI h5!\//6d_*_ aUV59i -ܪdaP[2Z~@U^R5N>eoh5l3Gޛe01N[-谁VӋzA,qXx |ݑI BliOk~P3ǫ4W?Zry.-)k#z&hFkL&`JD 6\|ܩr(wTjy 9hCJM݀\̯|b !&ztlZxӻD;͸ Pc=lo:V?ި?Z=ިsE!pnК(r)A 2RKf&qx'K6TN!eWZԧA{( o0&>kh.Wv{}fm`Be _-A<ߦf6 -xd!;aa*lԄ-BɉX\phO[!\z*c{πZv=ؘbEbMϑ6/ -h,h:Ӓ^51%T[]q(*6EzTlIkȵ=]MkPYgqs$[&bM -sok-d##=ilw>E˴넼#sU[hbP Xp.)@@-m Y6J*2.jro76%ұ*JQ̑S<3Q^bSߛ!@IqhY!70|G* ʫ5+T -r#x;3fcW0lW5&% MrX>ȥ _ŀ#kVW&=##FbUAtyr])5ۧmG݆(t"\w/0A*/wyλ({-\H[S99okԴM #[xf4Z^|,2p :E[uw\쁚 -Eb\?<?aĭ!؁N9F )" yk5N^ơs/K,U.9 VJ:g@6+ hip>⒱Jr*`[:7pA!P=I,rUxMXX {R:Uc};2I=@6/?\v 7CIu,TKGVl`cv߹@ )Edy 9ߣBF!/ zd/QY\Z-:φA UA>ǦyUeL}dҼjZ>4S!}e]X|(=^b*ttFpOT_nx ւ ݟ0O.{;z7`3jT 25my-g`m02g!9r\[@vi0q1?"ukk%QUMp(ҧК\bB) -v;Y bΤtt"BuqShEjxM|!n DE`olr4"`X 1`r^ -!<IT66NzL ~2,ԏ%ee"{;*QR=x5ˎ,|t$kT^Su0j({ ء iz4?]7aၱP|Fa%LlRL-^([8В yVj@ 6<4v))6EqS3݀y>11<%$9a:{{l1òG@nCjyeAFN PsHATsp~ =^!#gՌJ%~k{0bꡜ7C -w#Oecsz:Rќ81סМr>X/gE\ - - :7z(6Ka3<|FL2J|jrWI:ĺG0U -BGO ~=&գ B~x'Qs g?;EA B9\˧{5K -`1aA!3l48Ļ^H.dRC8#߆ tDxg`Yx$!`Du΄sugpE>DaGHO Haفd/>^G@C+ @8fjI%'jҭʊ -b9? 
-XgTOO-+NZGԼT&g"zt$ri?L; cB+]eaKC-K(T2W4U"&Bt䒠x -"ulfmU%-K]WGukI~9߫#=sp>CEph ;;#eOqo6zPsd>~gƼ*_xu;RPK j(>0KNHrI)>57a8َʭ|Z!-cRju'%pѶۃiYz81fg%D;d'k?дlʾ;^ǹ,~WAwPg> !pj$?@=ScV锰 yn9.6tNd`Zc6Y P -ޱkjSOq ROLLtHK/y%{shнк -4,h!#>럀 s7ذ>j`0?,tOIHΖqQa uuAG6@Rx -5%h|/9Z &2,` d<x``>/yZb⎖?W XzO,ژ$ŹUunr9\(`bჀX'Lqxkz81 8&egq^&ί§TBihɿTK+WA;䤴åևm3w_@jw)Ss]臶)B`C&>CY]Yli;w tϺM'!;fp1>99OǿWMPpRZ8>rm (^xy`#Uᓷ'Jo>rl[AHNwGIQYljqا x摯G~>+#gOޭu#昅ۃ7s.fё~%%D.)!i ryܯ |pot{(}Ρ&%92%f@C4h?-|O,=2ґ_C^ $I3%:5xl[.UbUJp+^%1Bk2B(9>KJ\7x?~BIdȠw/ -RbGJ?ü7CJpQ3iNW.u˘ »1s<6&dd(^%1pv69 x=!.&@s9i(y,z -\ j)rlSI-sEplf}:R^piufcr s|NUYxak#e\@?ݲx0CN ,a^8g)٠wAe/l@ρȡrC&fcR>vwۛ$ w0xr0 8_x6x|]2W Z;mzgyqkoOenQ"LK #!J:[s0}5x3~n%E#' 16 uMC%5~]?V:7;J__fq|msUlGmnaaeܐUj"%اI>̿WpmH1\.͞;a5ⷠ ?Rx <hKʆЄLT=bYm׌M;Z:~C> G >琒Z:-ej*USF7-r` ``ykb#n?01 -$-`7[r{38i^צg'Dooa,]If/m[5tsKm+ z`7e]˭7ʞn폒m؝~؍a=xC$ⱹ0髭 ޼+[7Ƒ/&ʞ[A_&IS!c횯O Jz+KQM:[GpJ0_xP_ }>j \\@@< 69_οjn9XpRz'>QBk~8F<@=^loƺW~joGwVJ/h~g.^?jf_m}Cy?;?[S}ѯ=g6i^3ogӄ (-ا;cą@,p+#W{M^vî2~4]F_ȿjlB9`[C觖+Ιr'p~%fGӋ򚚃)vj -h39-GEHϗ>ȻҚ!pCmsލ)rF@ϣΒS`V:ϩkN COqO-=Ž06]4.n.Msc&b~6NKMrƙkG}{ڬJn_*^)k=gK9}ȼY|o}/ AkJ;H[_5$kHXrX|j#?bai.StcFO5CSE(;cC;èW9>>,<mc_>{UrXR[xw0#u`=('G,},I_}FV IR.g[ȇ;mz -oX -hR~VUԖvpyV&إېGvru9N?ۏ~SzҒ{a\0.`ܝXU -rL:yaJqiMUOramS>8 ch+sLP?Fڃtb;z?፡1:pLARzW*J^.$7 [) %7u ?I)_ҾgIV.++wo -4W!뜥* oZ>bh<!jsogM j zJ`坁KSkٗØQ.5m}iM]w دgϿ͹^[s{incOI 2'G~>~ل(k۳ Ro6bij3(+RN$)ΰ GsNyx[In9>5Ԥ,!};}N ZU}}8)t~}9r첦2'$㴥hPY .ԽAjJ澥q?1!nV-5j{z{hzOuKk֯ӊ-gVⓍ>˕v-cCSS%UMYQُcC"E.H2NMI>HɣQAji.`*.''X_ _}ϸIn5kz'^ح9W^>x(2&ZI{+km{ſ/D*<ȖO Z'FK)./"vg-H^E>44ƾֽϿ; 򌶒s_UE{)*؅vcm?딮b 8"5'zqVw#-pUg1}(?^ĭ%]j>DU=RA^DI~&%8LH<5ˌj뽰g냹FQ^UEՑ_̼4~ KsOӋMXUyEBW)sv{6;:[s6u3&EWtM[) Ֆmy骲.zfT\8dn 7/z7.jΨ*Ni+sH)}ۦқz3E⊾~Xހ(lkp>+1L}ܷD~fi>S(m6Ij9vԧ*I◓(\~z'jqqZG<^,MW3nO? 
p3N=YocJ3)+.+_ _Kz)1?o6 [J޸aj>'~яy?mN FH z)n `c>ԃF̓ ~XqJF% -\= 'a|k܁yo*}FW)qybS.YG)rUѧtuR ~c#$>q7un=9>|?fX_Y3_)CK4 -S|]h쑩ࢩ1r{mc cVLlb[Z/ bʹ?1?6cbNoсLWWg`}UW;l(@up0BHOQR =4D},Lbgɣl9Ap1#^Գ]9-iPjiɸKs.#vQ/E=Ծ/NI=ώ.xK:`X]uҏ3=[)&js ɗ௷Gj/g5է`cMge{3"ȨוY?bW}1㗃bxE&|{j7/UPqf˴~|iV񗺨Qԟ Mg-MEw,TZU_0Uy紕Yg miZoIϘ-K8҈%ۋ\|.L5DmC_ccro~?O_E36g<{sNQyv/.ԋʒ7_6E&kj/: ZpIQC7g:ro1"~ǥt5ir&y:]ȗ{cug⼛#[۽eÒfyI> Sx1_w ^l V/mhi%'*JXSSk/n)iVvkt}zW$}'mH|-HEU1Z¿ӫWA?^>'&1̋݌nÕ+%eY:IogI_N`&}?HI9?ʸ({Usg|Zo~)XH ,mٿN'_icNzY_6*{ 2P\"Q׳O|ѓ`OA^u56vN;mhȹ0K>A׈x9W{ݱbv&X{#ȗʺ_>_~6n!J}?Yfv]>}y Hߋ~ah/0$w®o_)h3u ]i+rcj!ë(펈CR5!G 1zgci"'ɫ`,Fuu̟uyO[Z'xуw0Je昛W4Y?ҿd};N8Ԅ}5()7_nsh*Ҿ=+^j:AKK7(9eO*c.2S\#/OQ]yykoBZy3@|3}݇};HXxU".y| -䪗GƊJȼS8$.>rΒ&ԳYII>E^wi2/{O[!L>ц~">(HF'&ïP< -zc?֞|Q[ӥ}r>0|vq}m?/%}5zE'*kr/{U3So9gd8-hlxYFoڍ?no pP1jd-F/!sCM~R1bs|@>K;}~s s -Q]1Vb捺~wwH5b7#|7gy9gO<*k*ʹcdS+G=KuOOch̺3L}}A,7{yev[PSY9!ŧs*.ɾP_V ͝iRS#Xm.^?.-ިgYͿSzy;@K8N /M~?e~ص}@8FȠvqk}::9(yMQƛ3.W%_0]w1K Wv♓0[ -.~ -|9zjw JR!RxLm^mS5OaJ9CŃq;ukAܙr!ׇ=ǟMs_~ؑP{c!R<ߖiNYh{ij)^rgR05˝qԛC"G^ZU)gc7/6/AGO}d󙺢}Ĩzd9qw[PЋ]*PIޗr>.s=sb7xo.~3{4p+U}pcWSUWVĽ1JGqQ+fu샕8p -6w8н ;՞;;}[r~_ϼ\&ڦ.%=Z`% rMۀlu.z u/)F?wgm*>!Hn6S~;U3}F_nNGF~6/ɿc}jJGF=,v_1w]O,ݙ %L -J #EQufqvܹ Nm{_RiD~7΍i;DNc wsYFXὝYT̡LL?+gl s,(̿W7^o "&Qj6mS靭j9>C8btu@UbU6 Xg9ۚYgͰSL9ҪsSS)*|w֍xkH;kl}u>ܟ('m12ͥw7p R$ha#BU/oDZ \ Љ|jf|=z7ZoiLMŀGcȵsCW_ԦwIyXR?WN?fZ-$#njr*.|D(R?"oˮo #g {I\KhzkAsis晹* F(io?ը6Eu洀`(mn˻қy11AT֊ Hnue]&fHh{K4u_} $Fݵ5PzDG-ħȝAjuNܓpzy>rLqKGl]ϰ)W[ȍ!n\eEPXC|_Zn'FmMM}؅j/s7\_.b#: Z2~1ݴMq=gںô'Y祢F4LU!¨/#]e_7\tg@Y81ū`84]SŕvVTN(=INo&[ ,ۚW_<4hy›@Nq w&xPg56&VFh#;US3 -0ࣕZ}'mObgV% ymߒ54oћ垲g( a̫>ģLC*bhJ -.Xlt]2!* ](ie1FKUY֔Kvqq5ɗtYO tnwjʿQUծO]lC?Ilu>fJydBHp` ;/'9_Oc~V7^ݟ, aZt-wo#ZzmS(륮+äh,8xLliɺn͸2^{0nyEK_ӺTޜa<$riE1FP򇑺t&Гn#qd>ko\ xV9n+}g5LL8NV7N~HW<1*J"/G,Uv`iԃ5N\-؛-xs;h#;y$[:|cCMӞͰPb H yuD\2׀@z}0WW25/ʓ]k-jfg. S'ZˍTko%bUTDN)gtqN??oxfQ-G_Fnݺ{SJ)qw7=w! 
ya\d>#sr!.!6so,qVQ˝YKyK͜Fjf3~0r\rm JzW{JTGK&{gk{Aߔz 9|j.fWt[D+ͼdp=9,D ~m@&ΰٚ-*l2FK8XQ1 ^o/}ə"t7$ŒiNpe; ->l#ft%&Xui蘽i:j{4xcB[޳7k˭~Vl#|j3滹BtKgAT(*)#U"Vqc|~խ&`ZoV:qBXdž,•̢Jzc&i{:ݐt=Ks^kz$BgVmLLhwcwY+2ڲHlެ~{UчK_S}iNEδD>N}G0+}FPz{;2/GR_ݽrtqߙ@o_:pJGF5Ǥ\`R -bN܈{;U|:Ɂ!o#K/ OÁ}aFNOu6۱wAQm,ϸUI!_Q,.lr'&hc6Ɋ{Ȋ+UEIa!G ?}8ˆ -=I9|<#]? x~~e`wUI.Ѝ yt9P;G)I Aoܳd@eĂ -YuӍ1B[#, Q&e7t]BÅ}R0!oJcRGz(,)\TILfk1.9iWQ=>C7 n -7M0 -̈́@M5~^~v8݉_~z|<[GIq?.{Y.%ܡb"@>oS7p%ճp6%1k䕂KWx?W$ݑOGpQ'`aO`NN>|'agcNnJΦ7Ƙ+}َO#p}+oC~odَFb<7;$)9tīǮ;]$s~~?6B9T Ms싽9 -eWvX\d3cܕAB/CK8#Ȏ\N?y)W%;}_ˬ ,L0X|9I: -y@O^ݻzto[gπei.O9grzra8=Hr‡*/rRORG|?= Vo_=ez -|tYPOnNqfE\6?)D>l&]@Os N SsD% xs@{ -;𗟏3|l|;]IʳYqv̈DU5Tsy":H;7Ao󧠏;0'W@Qo_ .vD8#B?!V߉*FV֐?*聝 *$ -<'Է7@^>=| w22p|z2EЙN<z1GO^Rr="@*2O *ΠNy zx>go_}ƹz]`uP rF ,唼— !uy >T!Q 㢎~x6(kЋ79>:o@Μ=t4yqWP;bR:|u<׆lh#uQQwBC$~E~zwt Ѝӧzw♳^>{|$s#WvcܳkikXimCImJS}%z u% /~Û_] 07n\zw=7tbeU-R+4ijʫ݄Hc)Tۉ j%܀$~uA~^:A\ PO耠qO~r %\7UG^`CEmq%,a2Ͱ׆nrd5^ƎF_GDdFhд)< z1cNJ.pG]L{e=죘qu,nwa5k+*=#ހDr#G~ 8 P·GIPX~>tK̆ Mmʛ66YG^P"͘#\ȓN\Ŷ@s}=UMʄtm*!6**|S,3)x)$cC'PM;=L[/ -G;s ž>rWʂxk*i;2J޶QnKF͊5 !b7=~5[Wn,Rqe==Q~]p'򼺬|3 vwR2Ԁ:Rn= NU%ci<Ӂ_bo By{u1W֔>Q%䳾 Miƺ˿W(/[V,2"eoNPR:!,cԿZaq$īᖖ̱:<үQ'hbp*%Cܜm &٪: Ѫo55Ŧ)B&B\RF -hE!2R6Ķp__[ l&FX3Ϣꑻgza{a̳P;4|&Z:dSNY!Dk4卬ٱ*@u'M6QE>u&[+cũJCc==x$("ly>1D`MIsLC&`u:pWUBQFec/#C;<bf<l&115 Q3ҷIu6uuI^I8.FR[9tĭ \YG[e@JIN6 -;];27]֘L4 \CEL3Pt0]sNy=bKm9ĩoڙ:djOژhbhlc6+^#YE -OzUL=%PvU9w*.iUpuuEZۑ$ҕ1l&4EL[rc/+ySgLjl: -4X`#7e9Ц`-2.9]b5[T-ݫUY-}v17[U#6eܛ1 \ƿ527X:V%1צab}qzD{bс -w(E&=OR *~:,; S2r֜Z,fCz_!qGTηs\ ]Z`mUt]lwd4SWۺԇah{4 "TKT ܴGsXI^ɫŸVQahML*Y0 ޟ2]zfsF[GRVάNPkPEu%A[2ֻ$ N J!oIP?aiw4յ[2rEJH*.;CGoCqQaiL2wwoajR,nS+\>`+-9 N!s }UsmSIwj=˵?]Ya 4bi,ˀ- FaP)_bs_K8WOEγNAtf3 z36 -y4Z4ݘ}[Sxi#SJIdLUq:ʋаQ#E' Ш%bwSZ+2D?$cR -b]+0Ӛ`KTx~Q2*ƪL]Hq);_meF -"HkV gwPsԵ66Y)y_6ԗ0RØm:r}@{$"_b?l,ڣ~k:*|]pcվ_sftMME'I[ccflH;&F$v)X1iN5) - I7*-"c[EZda#͢`Xm)6uUDNݙ_m 3IHWsn漶i֢ŧ]J*Z\$"&C'ӮIp*.X{lށW?M*[.}cuV%9,im3Q@|9tPqV9.ũfz5҃=-0n%2qmtcs(&fwuu>gds&18,C.7(=%HyS?<|<$ԂqbLeM@Bw=d) E6}"lE(Щ -tUNJwg+5+$K90FRٞԙr{椒`OK*w8a|MuCxr?l/*xm1 
ݖsF&Υ!1BUw߰klvPs}=QƱѻZíz&k.W\9\;20mXm9e -$[5 -,Aj{a)?욬3d9o6Z[k(*bs/$԰Z $( sQsއ躨]whIFlK. -{QT *&ĭUj(;#9m.ЌRz[DHuabۋـXOSWpag .NQ7_W/=p<ύ*HYhu+;@NHPN5.G'U] ,ک}Z.3qNmC϶t¾ -rLCK6GQ!ƼèxMkYbWoC/{ =.q_M.R|o1~^Wd{ -{M -@M0f 9E̳v": 6!'ڦH LN)wOG'y mAEO4p k=OjFy(2PWY0ɡ[%=˸,䮚ߖ MbTڎ\oW3wAsHN58".9Z<fYE!cgm\"fҲc<\茟u{& -щf1!@5Gٜ&lS&&`Ƽw'7!Xu p%c8Y`S$t|pTָm(l"h eN5$j荱-Kdy|E3H6 rHg\$c\5Q4Oħ[XVIkKY[r -r]A)ڞ'(ZH*6O -ڊ_z^ї3ƪ7]K$bmO ^ +DLqUXv Vwd>\4(TAX᪩h!Fi7U -FiA&alp9"76,ǠѦo )-~;Ce?¤N)/@5xd'@厨+mObJe^E||aT`*cb(,o~.BJ*Bu>|}fͻTst4x[!?cpa.5 }Т_p; -d*b} Iy3]φ6bC1P:lKNjhn#"r^h1WVJ-65@6;|h{n/dcSzj^@S_>w`i+X v1 Y/1TqWehLwu4</4BH\l-}=ېso.iIRnߏ2u64ܕU^'m|m_hb _f8" 19{.4[zEQ0c.6f?CbW -ƐƂo1\>ns֋X2׵>kE꒏s[D ;F]}-=Rx Iϰ Έ9!Ύtaw(l;ᩱ%o31_Ư/0W+Gg Uئ혰n [6O ܤ "?Qׄ9F[Fnl:>KvIQ d4 qi\Y5]=hOO,*^gYJ?-ץlO+CYET2:L61=/'m-R:ćv- gAö'Q9,btu%O'9l.zq\m֣˃Av-J‹cn 1 -oξθi}W-o &r  h><Yz0~r~%Ɩt|ֶSl!Y\)4ߔps|GBG{CmaFWQ_o,C? c'~?&"]7"%MFh䙥 'ՙo,Cf 2ζ"dlSv$zs$4\Ӡ+jr9Z6bu41jDF%%V>GyVؗ)r1ty %놚~k!F,amQB}dԮ^P֗ I\gh]2!Ed5zkWܚn ng^RSKg.e]lNgIb0.V_]` KA=R^ܬ/{WnK|JanоRbhHk,{{s4|wҗ>:׳(*jR_ƫ#Z4XDR19N. \n{eɽ}nXFyp8.1B$(+s7}]p9N Xŋ0]t4 gl -:Xޔ0Œ}\v!wg i@*蘮WAqB5vC谧]`Tޢ[ş$ :;hD"= `y֓x4zs(Iwd%!cAZa8/ӑГİs+Ă湂ysw٫<:t=ݐ [B_~ږqW#LøwY,\oK[nMoIP:|hY]+. 
\^r6Ʌ^<j}ױZ!f[P[=yO, -Zyمj&8%8@SƊ?XEsV')\p.=<- mt`aHק?-6p2 UP/kyO=hzq6|1 1B0~fvv$_E'lKPsnYEyO_tSFQ5'{Z<\nIՓxs8vUԎG[ $U{N'h͞Y6RIk8GC 9GGm!M"XUsNn}}45*sy+; hI>ݢԕ̍Qϟ|k,{1PXOԚ4 x;B/,] -F\]} MRsw$"B+ЭIlM2Di԰% Ra |fH`6VhhbTOf[)a Jk91BTِ}V.h%gη3$߱ ,fOk|?OYkÈ1l4;̲{3 92a+UQrmxO6 be?tC^ȇ=tD+"rK=ѰNAREK)y̺Ϝ'oz'yP}V/a$"fQ+b&5A/ b9ҏNSnXP"wXE?1Nα+yIFWC.J+=Eo}L} zƒx 6wLLkꇄ{{rj[BE/t_lK?M%Ns9ke}Ҟ6=.{cd2/Fg*kvմ -0|]]5/o??+ƙHXPlvNؤ^W_GŸTkMɥ[cH0&;de,n"٥%Cbo1Mp .-2աE4t܎rM1&nsw}WhlCdXIx ILyԍ r -έ#և] tj?NN3I -aӕ>lo_ uꚪg:`Z>֣~t dl gK W{R^hk3_|v4%`S\yU:eLpjrOp80 q.eST,xr_ٗ~| ٩tl<@#jL] 3WGV_SpoWk๎tw9a6Oۅ }<#VЙVL3\g4,ϙڮ#}h2|ǚ!8gVJQjVX$;e?4朌Yx;_ hON &R.r/1MV ->*g nĭ ö!\ԭzURdDL9.- o \oGhbF.rC\8ۃ/QwW % McoIyOGxIډqy@ և!e -h% NbUŮ EA|gFXpe[I8;v6R@z+)5o4ۜ}g)Jo7$huOV̩MڮeUm9>MXA\S=]YL#'X߱Vbk1oI.ږb{qƆO˝C &axm9okiQ -z6`6y -&D4 mRrL#n𗕶+И)VN -]3U}-tSB_WUcv1m - -ri'o*~essd̞bf}@aȯEN06n~5;We*ElS Z,~kdE_;X7 -j-c{A _3td?@06<[hB}r -N)FdzܬgiO589I#[DPJ <\ugVұ03l$.٣b`A9"[5\†]jW3c'Y -~Ft*MY曳 ;A{:O(&EFYŰpDy:\pyk9*٢"H;v$fW/Y'4#Cţ5յV? - A'\hD^R -#j /գcև m˝۶)B5E']Uۑ6bwP5`]z$Vn1Y^<ƚaX7=Fxu;mmA~c/əafӞ.b.M_{gB'u.|o>陮j?\:gXd ٖr]6Ρc-sS=]m]CN-cWzA hoS)#bz(Xh) wvguMpSJs]PYmW0KaV -qsbl+BN}}5+Q)["pR_Gcs)\ꪈ\t0SY#åȐ&iydib_6Vrݸ;j.zGMi2ޛy+k\r)8(A]ZaCBl 8.1AJMӶƔ{m raƃ1zҝT̥ b幆1\|;:ơR:ԭcSvjaYA)0~1U%uL5;`,"|A[js>Ү>"ƿ<9SdcmTMN0/t_R\n{>JHU 3->Wڥ? -ToroQa[K.~ZN^-%mp<(kayasX(BEwQ7@. z@,yv5@l2\*⪼7K ]A)f[DH7YA/Eo ]@/J)u%˩1z=˯nS;*̦m٘VIv )˫to-6=s׆i=Ы)Hꮁڝ|,杣P\jtyǣa{ZaP1V is7em@sDRwYiz[ֆ0 -kZt+Sgf`*^ 1Q\yRs]'򂌗v]xˠ[}oô3vf:zJ[Zb-!] $!Mp:ʳyoX+ -wNug2U-2uIh{8[xQ^"xK4iai\qh޶zbEN #lVN\%_"g1 J_U{a)gNF' ݈J5Rx- k_+߬G jgmB'G@;vr㆞}c6Cc[kEg߀w'|QQ~UۜCgs'~e3%/, 1K9)ro6So=0?#m _VU>[3U_oY(U3l ð/W?Oh>Mj6Mn9a떦~p:{/ [EOu<ӯˡ1 -jCGKѳ"=S)u΄$@,P_h~yWoiIS8*)#{o&&\]"m}'«;!A47-UkL5;jAnrR2퀏iϳ 92vN 2)i~F W{C5AuƸ:PESj,|Ml 0k#tȦ6v|є񽧣?+D$̩̺O;w4Q_M,iVVt~INHsIP Skb Փb`T(Ѝ)}h͹ -uҚZPl9!hd7虽Q26▖ٴK*ȹkVںR`"b;$M>#Ԇm PRLWfwq?p~VQ>۸ 6D}q򂪚 -S3=Gq|g/x\ кj99%3zx؄t,ޏq* my7F> - IjJ:n;lzXQ}8y ->ID9H܅ׅ[6xꊶ!baU!^4sz.xEC+Zy%״Zo!ISeW,E҇3=z. 
4*4ޏcOn?,`SCecZ56n?ׁ]U&ZAu܂{.A};SPL6ukt@A2)d@$okX7rH9jvRǿ학_Ś5+bN&; GqnTɆ_lx@I_|#vGeK*'6dD'좎\w(R~{{ϽИ_4 {᭻)4ϨOwO_V8~J..+#Gh6W'4n~/D? ؏ITٞ2]\w|ve-mbLe8{b,f"Ս>\BnI[ftֶm%6ډ 6vEYCQ6uXS&C6:ȵ^ -|Y 4*(idtAJ{q htq $ nįN,TKztTyT$s0qɻ#u-4n}]yI+2nHYWg1'3 -]h:)zl敇=+!e# tQ{^8hEL#guM{K0O޲20_&[TK3$WVÃjHɜA%BeYiٛ}' XX@˿Џ_~BctF  ~ՠ@KΦس*Tƺ9#Ȼk}{m+yyUu6}TorGrNJݮXiu/z@g% KaizE7cؒo.>`Xfǎ/)NvW> endobj 76 0 obj <> endobj 138 0 obj <> endobj 200 0 obj <> endobj 210 0 obj [/View/Design] endobj 211 0 obj <>>> endobj 148 0 obj [/View/Design] endobj 149 0 obj <>>> endobj 86 0 obj [/View/Design] endobj 87 0 obj <>>> endobj 24 0 obj [/View/Design] endobj 25 0 obj <>>> endobj 263 0 obj [262 0 R] endobj 315 0 obj <> endobj xref -0 316 -0000000004 65535 f -0000000016 00000 n -0000000210 00000 n -0000066316 00000 n -0000000005 00000 f -0000000006 00000 f -0000000007 00000 f -0000000008 00000 f -0000000009 00000 f -0000000010 00000 f -0000000011 00000 f -0000000012 00000 f -0000000014 00000 f -0001828151 00000 n -0000000016 00000 f -0000066368 00000 n -0000000017 00000 f -0000000018 00000 f -0000000019 00000 f -0000000020 00000 f -0000000021 00000 f -0000000022 00000 f -0000000023 00000 f -0000000026 00000 f -0001828793 00000 n -0001828824 00000 n -0000000027 00000 f -0000000028 00000 f -0000000029 00000 f -0000000030 00000 f -0000000031 00000 f -0000000032 00000 f -0000000033 00000 f -0000000034 00000 f -0000000035 00000 f -0000000036 00000 f -0000000037 00000 f -0000000038 00000 f -0000000039 00000 f -0000000040 00000 f -0000000041 00000 f -0000000042 00000 f -0000000043 00000 f -0000000044 00000 f -0000000045 00000 f -0000000046 00000 f -0000000047 00000 f -0000000048 00000 f -0000000049 00000 f -0000000050 00000 f -0000000051 00000 f -0000000052 00000 f -0000000053 00000 f -0000000054 00000 f -0000000055 00000 f -0000000056 00000 f -0000000057 00000 f -0000000058 00000 f -0000000059 00000 f -0000000060 00000 f -0000000061 00000 f -0000000062 00000 f -0000000063 00000 f -0000000064 00000 f 
-0000000065 00000 f -0000000066 00000 f -0000000067 00000 f -0000000068 00000 f -0000000069 00000 f -0000000070 00000 f -0000000071 00000 f -0000000072 00000 f -0000000073 00000 f -0000000074 00000 f -0000000075 00000 f -0000000077 00000 f -0001828222 00000 n -0000000078 00000 f -0000000079 00000 f -0000000080 00000 f -0000000081 00000 f -0000000082 00000 f -0000000083 00000 f -0000000084 00000 f -0000000085 00000 f -0000000088 00000 f -0001828677 00000 n -0001828708 00000 n -0000000089 00000 f -0000000090 00000 f -0000000091 00000 f -0000000092 00000 f -0000000093 00000 f -0000000094 00000 f -0000000095 00000 f -0000000096 00000 f -0000000097 00000 f -0000000098 00000 f -0000000099 00000 f -0000000100 00000 f -0000000101 00000 f -0000000102 00000 f -0000000103 00000 f -0000000104 00000 f -0000000105 00000 f -0000000106 00000 f -0000000107 00000 f -0000000108 00000 f -0000000109 00000 f -0000000110 00000 f -0000000111 00000 f -0000000112 00000 f -0000000113 00000 f -0000000114 00000 f -0000000115 00000 f -0000000116 00000 f -0000000117 00000 f -0000000118 00000 f -0000000119 00000 f -0000000120 00000 f -0000000121 00000 f -0000000122 00000 f -0000000123 00000 f -0000000124 00000 f -0000000125 00000 f -0000000126 00000 f -0000000127 00000 f -0000000128 00000 f -0000000129 00000 f -0000000130 00000 f -0000000131 00000 f -0000000132 00000 f -0000000133 00000 f -0000000134 00000 f -0000000135 00000 f -0000000136 00000 f -0000000137 00000 f -0000000139 00000 f -0001828293 00000 n -0000000140 00000 f -0000000141 00000 f -0000000142 00000 f -0000000143 00000 f -0000000144 00000 f -0000000145 00000 f -0000000146 00000 f -0000000147 00000 f -0000000150 00000 f -0001828559 00000 n -0001828591 00000 n -0000000151 00000 f -0000000152 00000 f -0000000153 00000 f -0000000154 00000 f -0000000155 00000 f -0000000156 00000 f -0000000157 00000 f -0000000158 00000 f -0000000159 00000 f -0000000160 00000 f -0000000161 00000 f -0000000162 00000 f -0000000163 00000 f -0000000164 00000 f 
-0000000165 00000 f -0000000166 00000 f -0000000167 00000 f -0000000168 00000 f -0000000169 00000 f -0000000170 00000 f -0000000171 00000 f -0000000172 00000 f -0000000173 00000 f -0000000174 00000 f -0000000175 00000 f -0000000176 00000 f -0000000177 00000 f -0000000178 00000 f -0000000179 00000 f -0000000180 00000 f -0000000181 00000 f -0000000182 00000 f -0000000183 00000 f -0000000184 00000 f -0000000185 00000 f -0000000186 00000 f -0000000187 00000 f -0000000188 00000 f -0000000189 00000 f -0000000190 00000 f -0000000191 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0001828367 00000 n -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0001828441 00000 n -0001828473 00000 n -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000000000 00000 f -0000072536 00000 n -0000072925 00000 n -0000073416 00000 n -0000073802 00000 n -0000074179 00000 n -0000074549 00000 n -0000074930 00000 n -0000075334 00000 n -0000072344 00000 n -0001828909 00000 n 
-0000066906 00000 n -0000631782 00000 n -0000239061 00000 n -0000239098 00000 n -0000238947 00000 n -0000070752 00000 n -0000071779 00000 n -0000071829 00000 n -0000072418 00000 n -0000072450 00000 n -0000214038 00000 n -0000190472 00000 n -0000167819 00000 n -0000152383 00000 n -0000135928 00000 n -0000114829 00000 n -0000091719 00000 n -0000075728 00000 n -0000076007 00000 n -0000091990 00000 n -0000115093 00000 n -0000136189 00000 n -0000152663 00000 n -0000168077 00000 n -0000190744 00000 n -0000214290 00000 n -0000241947 00000 n -0000239260 00000 n -0000239297 00000 n -0000631858 00000 n -0000632462 00000 n -0000634092 00000 n -0000644175 00000 n -0000709765 00000 n -0000775355 00000 n -0000840945 00000 n -0000906535 00000 n -0000972125 00000 n -0001037715 00000 n -0001103305 00000 n -0001168895 00000 n -0001234485 00000 n -0001300075 00000 n -0001365665 00000 n -0001369021 00000 n -0001434611 00000 n -0001500201 00000 n -0001565791 00000 n -0001631381 00000 n -0001696971 00000 n -0001762561 00000 n -0001828936 00000 n -trailer -<<585392D59D30AD49AFE28BD05B83168A>]>> -startxref -1829123 -%%EOF diff --git a/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png new file mode 100644 index 0000000000..bddfed4cf8 Binary files /dev/null and b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png differ diff --git a/browsers/edge/images/load-default-new-tab-page-sm.png b/browsers/edge/images/load-default-new-tab-page-sm.png new file mode 100644 index 0000000000..66a5cc830f Binary files /dev/null and b/browsers/edge/images/load-default-new-tab-page-sm.png differ diff --git a/browsers/edge/images/microsoft-edge-kiosk-mode.png b/browsers/edge/images/microsoft-edge-kiosk-mode.png index ec794911b7..ea96e6f845 100644 Binary files a/browsers/edge/images/microsoft-edge-kiosk-mode.png and b/browsers/edge/images/microsoft-edge-kiosk-mode.png differ 
diff --git a/browsers/edge/images/multi-app-kiosk-mode.PNG b/browsers/edge/images/multi-app-kiosk-mode.PNG
deleted file mode 100644
index fd924f92b0..0000000000
Binary files a/browsers/edge/images/multi-app-kiosk-mode.PNG and /dev/null differ
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png
index 51dfd7258a..823309be3e 100644
Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png and b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png differ
diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png
index b786cfb3bb..a287ebb8fd 100644
Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png and b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png differ
diff --git a/browsers/edge/images/prelaunch-edge-only-sm.png b/browsers/edge/images/prelaunch-edge-only-sm.png
index 875f1a8ce6..365bddf96a 100644
Binary files a/browsers/edge/images/prelaunch-edge-only-sm.png and b/browsers/edge/images/prelaunch-edge-only-sm.png differ
diff --git a/browsers/edge/images/prelaunch-edge-only.png b/browsers/edge/images/prelaunch-edge-only.png
index 89e1152ec6..975a745f3f 100644
Binary files a/browsers/edge/images/prelaunch-edge-only.png and b/browsers/edge/images/prelaunch-edge-only.png differ
diff --git a/browsers/edge/images/preload-tabs-only-sm.png b/browsers/edge/images/preload-tabs-only-sm.png
index 5ee58403f1..32089d3fce 100644
Binary files a/browsers/edge/images/preload-tabs-only-sm.png and b/browsers/edge/images/preload-tabs-only-sm.png differ
diff --git a/browsers/edge/images/preload-tabs-only.png b/browsers/edge/images/preload-tabs-only.png
index da42bc5a0f..01181d6b82 100644
Binary files a/browsers/edge/images/preload-tabs-only.png and b/browsers/edge/images/preload-tabs-only.png differ
diff --git a/browsers/edge/images/single-app-kiosk-mode.PNG b/browsers/edge/images/single-app-kiosk-mode.PNG
deleted file mode 100644
index a939973c62..0000000000
Binary files a/browsers/edge/images/single-app-kiosk-mode.PNG and /dev/null differ
diff --git a/browsers/edge/images/surface_hub_multi-app_kiosk_inframe.png b/browsers/edge/images/surface_hub_multi-app_kiosk_inframe.png
new file mode 100644
index 0000000000..b32638a4bc
Binary files /dev/null and b/browsers/edge/images/surface_hub_multi-app_kiosk_inframe.png differ
diff --git a/browsers/edge/images/surface_hub_multi-app_normal_kiosk_inframe.png b/browsers/edge/images/surface_hub_multi-app_normal_kiosk_inframe.png
new file mode 100644
index 0000000000..fb787943a9
Binary files /dev/null and b/browsers/edge/images/surface_hub_multi-app_normal_kiosk_inframe.png differ
diff --git a/browsers/edge/images/surface_hub_single-app_browse_kiosk_inframe.png b/browsers/edge/images/surface_hub_single-app_browse_kiosk_inframe.png
new file mode 100644
index 0000000000..8b9618e502
Binary files /dev/null and b/browsers/edge/images/surface_hub_single-app_browse_kiosk_inframe.png differ
diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png
index 8a9b11ff19..99c2e9bf12 100644
Binary files a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png and b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png differ
diff --git a/browsers/edge/images/users-choose-new-tab-page-sm.png b/browsers/edge/images/users-choose-new-tab-page-sm.png
new file mode 100644
index 0000000000..9373069370
Binary files /dev/null and b/browsers/edge/images/users-choose-new-tab-page-sm.png differ
diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md
index a4176410a8..5afbcd58cf 100644
--- a/browsers/edge/includes/allow-address-bar-suggestions-include.md
+++ b/browsers/edge/includes/allow-address-bar-suggestions-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -7,9 +15,10 @@ ### Supported values + |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Hide the Address bar drop-down list and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) | |Enabled or not configured **(default)** |1 |1 |Allowed. Show the Address bar drop-down list and make it available. | | --- diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md index a00ce21139..de6d5efb1c 100644 --- a/browsers/edge/includes/allow-adobe-flash-include.md +++ b/browsers/edge/includes/allow-adobe-flash-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled |0 |0 |Prevented/not allowed | -|Enabled
**(default)** |1 |1 |Allowed | +|Disabled |0 |0 |Prevented | +|Enabled **(default)** |1 |1 |Allowed | --- ### ADMX info and settings @@ -27,7 +35,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Addons +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Addons - **Value name:** FlashPlayerEnabled - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md index 8e2a7e60bd..3ac05ab8ed 100644 --- a/browsers/edge/includes/allow-clearing-browsing-data-include.md +++ b/browsers/edge/includes/allow-clearing-browsing-data-include.md @@ -1,14 +1,23 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented/not allowed)* +>*Default setting: Disabled or not configured (Prevented)* [!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] ### Supported values + |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. | | +|Disabled or not configured **(default)** |0 |0 |Prevented. Users can configure the _Clear browsing data_ option in Settings. | | |Enabled |1 |1 |Allowed. Clear the browsing data upon exit automatically. |![Most restricted value](../images/check-gn.png) | --- @@ -27,8 +36,8 @@ - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit - **Data type:** Integer -#### *Registry -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy +#### Registry +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Privacy - **Value name:** ClearBrowsingHistoryOnExit - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md index 325293262e..faa1c01113 100644 --- a/browsers/edge/includes/allow-config-updates-books-include.md +++ b/browsers/edge/includes/allow-config-updates-books-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | --- @@ -33,6 +41,6 @@ ### Related topics -[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) -

+[!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] +


diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md
index a175001e68..f17b466d84 100644
--- a/browsers/edge/includes/allow-cortana-include.md
+++ b/browsers/edge/includes/allow-cortana-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed. | | --- diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md index 919b4a9968..bca58d082a 100644 --- a/browsers/edge/includes/allow-dev-tools-include.md +++ b/browsers/edge/includes/allow-dev-tools-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Enabled (Allowed)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed | | --- diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md index 1018a1cdd6..7383e53f8c 100644 --- a/browsers/edge/includes/allow-enable-book-library-include.md +++ b/browsers/edge/includes/allow-enable-book-library-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
>*Default setting: Disabled or not configured* diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md index 96da415a28..d60fcace05 100644 --- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md +++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1802 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* [!INCLUDE [allow-extended-telemetry-for-books-tab-shortdesc](../shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md)] @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Depending on the device configuration, Microsoft Edge gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Gathers both basic and additional diagnostic data. | | +|Disabled or not configured
**(default)** |0 |0 |Gather and send only basic diagnostic data. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | | --- ### ADMX info and settings @@ -27,9 +35,9 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary - **Value name:** EnableExtendedBooksTelemetry - **Value type:** REG_DWORD -
\ No newline at end of file +
diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md
index 95895b9817..7f6176c7d0 100644
--- a/browsers/edge/includes/allow-extensions-include.md
+++ b/browsers/edge/includes/allow-extensions-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*<br>
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled |0 |0 |Prevented/not allowed | +|Disabled |0 |0 |Prevented | |Enabled or not configured
**(default)** |1 |1 |Allowed | --- @@ -27,13 +35,12 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Extensions - **Value name:** ExtensionsEnabled - **Value type:** REG_DWORD ### Related topics -[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): -This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]
\ No newline at end of file
diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md
index b7fc715298..e695b988c5 100644
--- a/browsers/edge/includes/allow-full-screen-include.md
+++ b/browsers/edge/includes/allow-full-screen-include.md
@@ -1,6 +1,14 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*<br>
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* @@ -10,7 +18,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed | |
 ---
@@ -29,7 +37,7 @@
 - **Data type:** Integer
 #### Registry settings
-- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
 - **Value name:** AllowFullScreenMode
 - **Value type:** REG_DWORD
diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md
index 727ded18a6..c8a3a7384d 100644
--- a/browsers/edge/includes/allow-inprivate-browsing-include.md
+++ b/browsers/edge/includes/allow-inprivate-browsing-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*<br>
>*Default setting: Enabled or not configured (Allowed)* @@ -10,7 +18,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | |
 ---
@@ -29,7 +37,7 @@
 - **Data type:** Integer
 #### Registry settings
-- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
 - **Value name:** AllowInPrivate
 - **Value type:** REG_DWORD
diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md
index aabd2fb773..345c148e03 100644
--- a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md
+++ b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*<br>
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | |
 ---
@@ -27,7 +35,7 @@
 - **Data type:** Integer
 #### Registry settings
-- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
 - **Value name:** MSCompatibilityMode
 - **Value type:** REG_DWORD
diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md
index 4721684c1f..88b4ced471 100644
--- a/browsers/edge/includes/allow-prelaunch-include.md
+++ b/browsers/edge/includes/allow-prelaunch-include.md
@@ -1,7 +1,14 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*<br>
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] @@ -10,12 +17,9 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restrictive value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | |
 ---
-### Configuration options
-
-For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md).
 ### ADMX info and settings
@@ -33,7 +37,7 @@ For more details about configuring the prelaunch and preload options, see [Prela
 - **Data type:** Integer
 #### Registry settings
-- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\
 - **Value name:** AllowPrelaunch
 - **Value type:** REG_DWORD
diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md
index e6bea96847..602922964a 100644
--- a/browsers/edge/includes/allow-printing-include.md
+++ b/browsers/edge/includes/allow-printing-include.md
@@ -1,5 +1,13 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*<br>
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restrictive value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | |
 ---
@@ -27,7 +35,7 @@
 - **Data type:** Integer
 #### Registry settings
-- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
 - **Value name:** AllowPrinting
 - **Value type:** REG_DWORD
diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md
index f9d38d178e..34ae9c3ab8 100644
--- a/browsers/edge/includes/allow-saving-history-include.md
+++ b/browsers/edge/includes/allow-saving-history-include.md
@@ -1,6 +1,14 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*<br>
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] @@ -9,14 +17,14 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | |
 ---
 ### ADMX info and settings
 #### ADMX info
-- **GP English name:** Allow saving history
+- **GP English name:** Allow Saving History
 - **GP name:** AllowSavingHistory
 - **GP path:** Windows Components/Microsoft Edge
 - **GP ADMX file name:** MicrosoftEdge.admx
@@ -28,7 +36,7 @@
 - **Data type:** Integer
 #### Registry settings
-- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
 - **Value name:** AllowSavingHistory
 - **Value type:** REG_DWORD
diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md
index 70eb67b646..0ac6521325 100644
--- a/browsers/edge/includes/allow-search-engine-customization-include.md
+++ b/browsers/edge/includes/allow-search-engine-customization-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*<br>
>*Default setting: Enabled or not configured (Allowed)* @@ -8,14 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | |
 ---
-### Configuration options
-
-For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md).
-
 ### ADMX info and settings
 ##### ADMX info
@@ -32,7 +36,7 @@ For more details about configuring the search engine, see [Search engine customi
 #### Registry settings
-- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Protected
 - **Value name:** AllowSearchEngineCustomization
 - **Value type:** REG_DWORD
diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md
index 16ea570af7..dfe00b4fb4 100644
--- a/browsers/edge/includes/allow-shared-folder-books-include.md
+++ b/browsers/edge/includes/allow-shared-folder-books-include.md
@@ -1,16 +1,28 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1803*<br>
>*Default setting: Disabled or not configured (Not allowed)* [!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] + + ### Supported values |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder.| | +|Disabled or not configured
**(default)** |0 |0 |Prevented. Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account.| | --- +![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) + ### ADMX info and settings #### ADMX info @@ -26,8 +38,12 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary - **Value name:** UseSharedFolderForBooks - **Value type:** REG_DWORD +### Related policies + +**Allow a Windows app to share application data between users:** [!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)] +


diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md
index 0ad2b3c542..4ca5fcad6b 100644
--- a/browsers/edge/includes/allow-sideloading-extensions-include.md
+++ b/browsers/edge/includes/allow-sideloading-extensions-include.md
@@ -1,5 +1,13 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*<br>
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled (Allowed)* [!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured |0 |0 |Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Windows Components > App Package Deployment.

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured |0 |0 |Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed. | |
 ---
@@ -27,7 +35,7 @@
 - **Data type:** Integer
 #### Registry settings
-- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Extensions
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions
 - **Value name:** AllowSideloadingOfExtensions
 - **Value type:** REG_DWORD
diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md
index b80f9ce8b6..4bef6e6c00 100644
--- a/browsers/edge/includes/allow-tab-preloading-include.md
+++ b/browsers/edge/includes/allow-tab-preloading-include.md
@@ -1,5 +1,13 @@
-
->*Supported versions: Microsoft Edge on Windows 10, version 1802*<br>
+--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1802*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] @@ -8,18 +16,14 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Enabled or not configured
**(default)** |0 |0 |Allowed. Preload Start and New tab pages. | | -|Disabled |1 |1 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed. Preload Start and New Tab pages. | | --- -### Configuration options - -For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md). - ### ADMX info and settings #### ADMX info -- **GP English name:** Allow Microsoft Edge to start and load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed +- **GP English name:** Allow Microsoft Edge to load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed - **GP name:** AllowTabPreloading - **GP path:** Windows Components/Microsoft Edge - **GP ADMX file name:** MicrosoftEdge.admx diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md index ac8e6d2951..65b23105e2 100644 --- a/browsers/edge/includes/allow-web-content-new-tab-page-include.md +++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Default New tab page loads)* +>*Supported versions: Microsoft Edge on Windows 10*
+>*Default setting: Enabled (Default New Tab page loads)* [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] @@ -10,9 +18,9 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Not configured |Blank |Blank |Users can choose what loads on the New tab page. | -|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevent users from changing it. | -|Enabled **(default)** |1 |1 |Load the default New tab page. | +|Not configured |Blank |Blank |Users can choose what loads on the New Tab page. | +|Disabled |0 |0 |Load a blank page instead of the default New Tab page and prevent users from changing it. | +|Enabled **(default)** |1 |1 |Load the default New Tab page. | --- ### ADMX info and settings @@ -30,8 +38,11 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI - **Value name:** AllowWebContentOnNewTabPage - **Value type:** REG_DWORD +### Related policies +[Set New Tab page URL](../available-policies.md#set-new-tab-page-url): [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] +


\ No newline at end of file
diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md
index d5f292b182..573e9af1b5 100644
--- a/browsers/edge/includes/always-enable-book-library-include.md
+++ b/browsers/edge/includes/always-enable-book-library-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*<br>
>*Default setting: Disabled or not configured* @@ -28,7 +36,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main - **Value name:** AlwaysEnableBooksLibrary - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/browser-extension-policy-shortdesc-include.md b/browsers/edge/includes/browser-extension-policy-shortdesc-include.md deleted file mode 100644 index 4a64abb65c..0000000000 --- a/browsers/edge/includes/browser-extension-policy-shortdesc-include.md +++ /dev/null @@ -1 +0,0 @@ -[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. \ No newline at end of file diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md index f49aa45f71..40a6b9efc4 100644 --- a/browsers/edge/includes/configure-additional-search-engines-include.md +++ b/browsers/edge/includes/configure-additional-search-engines-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented/not allowed)* +>*Default setting: Disabled or not configured (Prevented)* [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] @@ -8,25 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured
**(default)** |0 |0 |Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | --- - -### Configuration options - -| **Set default search engine** | **Allow search engine customization** | **Configure additional search engines** | **Outcome** | -| --- | --- | --- | --- | -| Not configured (default) | Disabled | Disabled or not configured (default) | Default search engine specified in App settings. Users cannot make changes. | -| Not configured (default) | Enabled or not configured (default) | Disabled or not configured (default) | Default search engine specified in App settings. Users can make changes to the default search engine at any time. | -| Disabled | Disabled | Disabled or not configured (default) | Users cannot add, remove, or change any of the search engines, but they can set a default search engine. | -| Disabled | Enabled or not configured (default) | Disabled or not configured (default) | Users can add new search engines or change the default search engine, in Settings. | -| Enabled | Disabled | Disabled or not configured (default) | Set the default search engine preventing users from making changes. | -| Enabled | Enabled or not configured (default) | Disabled or not configured (default) | Set the default search engine and allow users to add search engines or make changes. | ---- - - - ### ADMX info and settings #### ADMX info - **GP English name:** Configure additional search engines 
@@ -42,7 +35,7 @@
 - **Data type:** Integer
 #### Registry settings
-- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch
 - **Value name:** ConfigureAdditionalSearchEngines
 - **Value type:** REG_SZ
@@ -55,7 +48,7 @@
 ### Related topics
-- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
+- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]
 - [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites.
diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md
index c1a93a7712..c9c70e7638 100644
--- a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md
+++ b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md
@@ -1,5 +1,13 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*<br>
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Enabled or not configured (Does not load content automatically)* [!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled |0 |0 |Load and run Adobe Flash content automatically. | | -|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content automatically. Requires action from the user. |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content and require action from the user. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -27,7 +35,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Security - **Value name:** FlashClickToRunMode - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/configure-allow-flash-url-list-include.md b/browsers/edge/includes/configure-allow-flash-url-list-include.md deleted file mode 100644 index 1f13125cd7..0000000000 --- a/browsers/edge/includes/configure-allow-flash-url-list-include.md +++ /dev/null @@ -1,36 +0,0 @@ - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting:* - -[!INCLUDE [configure-allow-flash-for-url-list-shortdesc](../shortdesc/configure-allow-flash-for-url-list-shortdesc.md)] - -### Supported values - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -![Most restricted value](../images/check-gn.png) - -### ADMX info and settings -#### ADMX info -- **GP English name:** -- **GP name:** -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[]() -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ -- **Data type:** Integer - -#### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\ -- **Value name:** -- **Value type:** REG_DWORD - -


\ No newline at end of file
diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md
index 5d4adef785..2be0fe1b32 100644
--- a/browsers/edge/includes/configure-autofill-include.md
+++ b/browsers/edge/includes/configure-autofill-include.md
@@ -1,6 +1,14 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10*<br>
->*Default setting: Not configured* +>*Default setting: Not configured (Blank)* [!INCLUDE [configure-autofill-shortdesc](../shortdesc/configure-autofill-shortdesc.md)] @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured
**(default)** | Blank |Blank |Users can choose to use AutoFill. | | +|Not configured
**(default)** | Blank |Blank |Users can choose to use Autofill. | | |Disabled | 0 | no | Prevented. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |yes | Allowed. | | --- @@ -27,7 +35,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main - **Value name:** Use FormSuggest - **Value type:** REG_SZ diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md index 669ba4bf75..b5f8421fd3 100644 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md @@ -1,11 +1,30 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (No data collected or sent)* [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] + +>[!IMPORTANT] +>For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. +> +>You can find these policies in the following location of the Group Policy Editor: +> +>**Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** +>
  • Allow Telemetry = Enabled and set to _Enhanced_
  • Configure the Commercial ID = String of the Commercial ID
  • Configure collection of browsing data for Microsoft 365 Analytics = _Enabled_
+ + ### Supported values + |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |No data collected or sent |![Most restricted value](../images/check-gn.png) | @@ -14,9 +33,6 @@ |Enabled |3 |3 |Send both intranet and Internet history | | --- ->[!IMPORTANT] ->For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID. - ### ADMX info and settings #### ADMX info @@ -34,13 +50,13 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection +- **Path:** HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection - **Value name:** MicrosoftEdgeDataOptIn - **Value type:** REG_DWORD ### Related policies -- Allow Telemetry: Determine the highest level of Windows diagnostic data sent to Microsoft. When you enable this policy, users can change their Telemetry Settings but prevent users from choosing a higher level than configured. +- Allow Telemetry: Allows Microsoft to run diagnostics on the device and troubleshoot. The default setting for Allow Telemetry is set to _Enhanced_ (2 for MDM). - Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization. -
\ No newline at end of file +
diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md index f89816f8d8..58fd49a1a7 100644 --- a/browsers/edge/includes/configure-cookies-include.md +++ b/browsers/edge/includes/configure-cookies-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Allow all cookies from all sites)* @@ -8,9 +16,9 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Enabled |0 |0 |Block all cookies from all sites |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Block only coddies from third party websites | | -|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites | | +|Enabled |0 |0 |Block all cookies from all sites. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Block only coddies from third party websites. | | +|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites. | | --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md index 95011f3a6b..92430f3f95 100644 --- a/browsers/edge/includes/configure-do-not-track-include.md +++ b/browsers/edge/includes/configure-do-not-track-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Not configured (Do not send tracking information)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Not configured
**(default)** |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | | -|Disabled |1 |1 |Never send tracking information. | | +|Disabled |0 |0 |Never send tracking information. | | |Enabled |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) | --- @@ -27,7 +35,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main - **Value name:** DoNotTrack - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md index 44539d481e..e628013a54 100644 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: 5 minutes* [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] @@ -28,7 +36,7 @@ You must set the Configure kiosk mode policy to enabled (1 - InPrivate public br - **Data type:** Integer #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode - **Value name:**ConfigureKioskResetAfterIdleTimeout - **Value type:** REG_DWORD @@ -36,7 +44,7 @@ You must set the Configure kiosk mode policy to enabled (1 - InPrivate public br ### Related policies -[Configure kiosk mode](../new-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] +[Configure kiosk mode](../available-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md index 9d99e69788..10b23c7c4b 100644 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md @@ -1,3 +1,5 @@ + + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured* @@ -10,7 +12,7 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Disabled or not configured
**(default)** |0 |0 |Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. | -|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see the [Instructions](#instructions) section below. | +|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). | --- ### ADMX info and settings @@ -29,7 +31,7 @@ - **Data type:** String #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode - **Value name:** SiteList - **Value type:** REG_SZ 
@@ -50,66 +52,6 @@ - [Enterprise Mode and the Enterprise Mode Site List XML file](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using Enterprise Mode Site List Manager (schema v.2), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your users can easily view this site list by typing about:compat in either Microsoft Edge or IE11. -### Scenarios - -Certain sites or web apps still use ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology, which Microsoft Edge does not support. If you have web sites or web apps that still use this technology and need IE11 to run, you must use Enterprise Mode and the Enterprise Mode Site List to address common compatibility issues with legacy apps. Enterprise Mode is a compatibility -mode that runs on Internet Explorer 11 and Microsoft Edge on Windows 10 devices. - -### Instructions - - -You build your Enterprise Mode list with the Enterprise Mode Site List Manager and apply it with Group Policy. - -To turn it on for IE 11, you enable [Use the Enterprise Mode IE website list](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list), -which is the equivalent to this Microsoft Edge policy. - ->[!NOTE] ->We recommend that you store and download your website list from a secure web server (https://), to help protect against data tampering. After the list is downloaded, it is stored locally on your user's computer so if the centralized file location is unavailable, they can still use Enterprise Mode. - -- [Step 1. Turn on Enterprise Mode](#step-1-turn-on-enterprise-mode) -- [Step 2. 
(Optional) Import your Enterprise Mode Site List](#step-2-optional-import-your-enterprise-mode-site-list) -- [Step 3. Add sites to your list](#step-3-add-sites-to-your-list) -- [Step 4. Send all intranet sites to Internet Explorer 11](#step-5-send-all-intranet-sites-to-internet-explorer-11) - -#### Step 1. Turn on Enterprise Mode - -[!INCLUDE [turn-on-enterprise-mode-and-use-a-site-list](../../enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md)] - -#### Step 2. (Optional) Import your Enterprise Mode Site List - -[!INCLUDE [import-into-the-enterprise-mode-site-list-mgr-include](../../includes/import-into-the-enterprise-mode-site-list-mgr-include.md)] - -#### Step 3. Add sites to your list - -1. In the Enterprise Mode Site List Manager, click **Add**. - -2. In the **URL** box, type or paste the URL for the website experiencing compatibility problems, like *\*.com or *\*.com/*\*.

You do not need to include the `http://` or `https://` designation. The tool automatically tries both versions during validation. - -3. In the **Notes about URL**, enter any comments about the website.

Administrators can only see comments while they are in this tool. - -4. Click in the **Open in IE** column next to the URL that should open in IE11.

The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, Enterprise Mode is automatically selected. - -5. Click **Save** to validate your website and to add it to the site list for your enterprise.

If your site passes validation, it is added to the global compatibility list. If the site fails to pass validation, an error message displays explaining the problem. You can either cancel the site or ignore the validation problem and add it to your list anyway. - -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your Group Policy setting. - -#### Step 4. Send all intranet sites to Internet Explorer 11 - -Enabling the Send all intranet sites to Internet Explorer 11 policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser. - -1. In Group Policy Editor, navigate to:

**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** - -2. Click **Enabled** and then refresh the policy and then vew the affected sites in Microsoft Edge.

A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab. - -### Troubleshooting - -- If an XML already exists, make sure it is syntactically correct. - -- If an update or delete operation failed, check if the entry already exists in the site list. - -- If a user is not able to sign in, the account might not have access. Check if the account is marked as active. - -- Check if the Enterprise Mode Site List is loaded correctly by browsing to "about:compat" in both Microsoft Edge and Internet Explorer. Deselect the Microsoft Compatibility List to see your custom entries.


\ No newline at end of file diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md index 1b797ebb79..79a2362f93 100644 --- a/browsers/edge/includes/configure-favorites-bar-include.md +++ b/browsers/edge/includes/configure-favorites-bar-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, new major release*
->*Default setting: Not configured (Hidden)* +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Not configured (Hidden but shown on the Start and New Tab pages)* [!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] @@ -8,11 +16,13 @@ ### Supported values + |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Not configured
**(default)** |Blank |Blank |Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. | -|Disabled |0 |0 |Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | -|Enabled |1 |1 |Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | +|Not configured **(default)** |Blank |Blank |Hidden but shown on the Start and New Tab pages.

Favorites Bar toggle (in Settings) = **Off** and enabled letting users make changes. | +|Disabled |0 |0 |Hidden on all pages.

  • Favorites Bar toggle (in Settings) = **Off** and disabled preventing users from making changes
  • Show bar/Hide bar option (in the context menu) = hidden
| +|Enabled |1 |1 |Shown on all pages.
  • Favorites Bar toggle (in Settings) = **On** and disabled preventing users from making changes
  • Show bar/Hide bar option (in the context menu) = hidden
| + --- ### ADMX info and settings @@ -29,7 +39,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main - **Value name:** ConfigureFavoritesBar - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md index 4b4862fef7..5287150eea 100644 --- a/browsers/edge/includes/configure-favorites-include.md +++ b/browsers/edge/includes/configure-favorites-include.md @@ -1,4 +1,12 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy in place of Configure Favorites. +>Discontinued in the Windows 10 October 2018 Update. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** group policy instead.
\ No newline at end of file diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index c6362b39dc..a1e6e8a087 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -1,5 +1,13 @@ - ->*Supported versions: Microsoft Edge on Windows 10*
+--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Show home button and load the Start page)* @@ -11,22 +19,19 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Disabled or not configured
**(default)** |0 |0 |Show home button and load the Start page. | -|Enabled |1 |1 |Show home button and load the New tab page. | -|Enabled |2 |2 |Show home button and load the custom URL defined in the Set Home button URL policy. | -|Enabled |3 |3 |Hide home button. | +|Enabled |1 |1 |Show the home button and load the New Tab page. | +|Enabled |2 |2 |Show the home button and load the custom URL defined in the Set Home Button URL policy. | +|Enabled |3 |3 |Hide the home button. | --- -### Configuration options - -For more details about configuring the different Home button options, see [Home button](../group-policies/home-button-gp.md). >[!TIP] ->If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home button** policy or **Set Home button URL** policy.
  3. Disable the **Unlock Home Button** policy.
+>If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
### ADMX info and settings #### ADMX info -- **GP English name:** Configure Home button +- **GP English name:** Configure Home Button - **GP name:** ConfigureHomeButton - **GP element:** ConfigureHomeButtonDropdown - **GP path:** Windows Components/Microsoft Edge @@ -39,15 +44,15 @@ For more details about configuring the different Home button options, see [Home - **Data type:** Integer #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings - **Value name:** ConfigureHomeButton - **Value type:** REG_DWORD ### Related policies -- [Set Home button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] -- [Unlock Home button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
\ No newline at end of file diff --git a/browsers/edge/includes/configure-inprivate-include.md b/browsers/edge/includes/configure-inprivate-include.md deleted file mode 100644 index c04c0d0150..0000000000 --- a/browsers/edge/includes/configure-inprivate-include.md +++ /dev/null @@ -1,32 +0,0 @@ -## Configure InPrivate - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured - - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** -- **GP name:** -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[]() -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ -- **Data type:** Integer - -#### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\ -- **Value name:** -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md index 034fd5b55e..6c5f7a83e8 100644 --- a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md +++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Not configured* [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] @@ -12,7 +20,7 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o | | | |---|---| |(0) Default or not configured |
  • If it’s a single app, Microsoft Edge runs InPrivate full screen for digital signage or interactive displays.
  • If it’s one of many apps, Microsoft Edge runs as normal.
| -|(1) Enabled |
  • If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy.

    **_For single-app public browsing_**: If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.

  • If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.
| +|(1) Enabled |
  • If it’s a single app, it runs InPrivate with a tailored experience for kiosks and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy.

    **_For single-app public browsing_**: If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.

  • If it’s one of many apps, it runs InPrivate with multi-tabs for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.
| --- ![Microsoft Edge kiosk experience](../images/microsoft-edge-kiosk-mode.png) @@ -32,12 +40,12 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o - **Data type:** Integer #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode - **Value name:** ConfigureKioskMode - **Value type:** REG_SZ ### Related policies -[Configure kiosk reset after idle timeout](../new-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] +[Configure kiosk reset after idle timeout](../available-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] ### Related topics diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index 95da8a5fbd..de594145f7 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -1,29 +1,33 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled (A specific page or pages)* [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] **Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. -**Version 1810:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

+**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

### Supported values |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Not configured |Blank |Blank |If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | -|Enabled |0 |0 |Loads the Start page. | -|Enabled |1 |1 |Load the New tab page. | +|Enabled |0 |0 |Load the Start page. | +|Enabled |1 |1 |Load the New Tab page. | |Enabled |2 |2 |Load the previous pages. | |Enabled
**(default)** |3 |3 |Load a specific page or pages. | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages](../group-policies/start-pages-gp.md). - >[!TIP] >If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
@@ -44,7 +48,7 @@ For more details about configuring the Start pages, see [Start pages](../group-p - **Data type:** Integer #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings - **Value name:** ConfigureOpenEdgeWith - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md index 01ab2e2bea..a85cf78561 100644 --- a/browsers/edge/includes/configure-password-manager-include.md +++ b/browsers/edge/includes/configure-password-manager-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Allowed/users can change the setting)* @@ -14,9 +22,8 @@ --- Verify not allowed/disabled settings: -1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap ellipses (…). -2. Click **Settings** and select **View Advanced settings**. -3. Verify the settings **Save Password** is toggled off or on and is greyed out. +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the settings **Save Password** is toggled off or on and is greyed out. ### ADMX info and settings #### ADMX info @@ -32,7 +39,7 @@ Verify not allowed/disabled settings: - **Data type:** Integer #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Main +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main - **Value name:** FormSuggest Passwords - **Value type:** REG_SZ diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md index 0b63fbd96e..1022f7d518 100644 --- a/browsers/edge/includes/configure-pop-up-blocker-include.md +++ b/browsers/edge/includes/configure-pop-up-blocker-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled (Turned off)* @@ -9,8 +17,8 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Not configured |Blank |Blank |Users can choose to use Pop-up Blocker. | | -|Disabled
**(default)** |0 |0 |Turn off Pop-up Blocker letting pop-up windows open. | | -|Enabled |1 |1 |Turn on Pop-up Blocker stopping pop-up windows from opening. |![Most restricted value](../images/check-gn.png) | +|Disabled
**(default)** |0 |0 |Turned off. Allow pop-up windows to open. | | +|Enabled |1 |1 |Turned on. Prevent pop-up windows from opening. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -27,7 +35,7 @@ - **Data type:** Integer ### Registry -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main - **Value name:** AllowPopups - **Value type:** REG_SZ diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md index 5ee81ccabb..fd026a1630 100644 --- a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md +++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Not configured* +>*Default setting: Not configured (Blank)* [!INCLUDE [configure-search-suggestions-in-address-bar-shortdesc](../shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Not configured
**(default)** |Blank |Blank |Users can choose to see search suggestions. | | -|Disabled |0 |0 |Prevented/not allowed. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed. Show the search suggestions. | | --- @@ -27,7 +35,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes - **Value name:** ShowSearchSuggestionsGlobal - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md index 9a3c3c9861..20e1b93215 100644 --- a/browsers/edge/includes/configure-start-pages-include.md +++ b/browsers/edge/includes/configure-start-pages-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Blank or not configured (Load pages specified in App settings)* @@ -9,13 +17,9 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Not configured |Blank |Blank |Load the pages specified in App settings as the default Start pages. | -|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1810:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | +|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages](../group-policies/start-pages-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Configure Start pages @@ -40,7 +44,7 @@ For more details about configuring the Start pages, see [Start pages](../group-p - [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] -- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index 2baca3bc94..cece4ab0bc 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Turned on)* @@ -8,15 +16,14 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen or not. | | +|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen. | | |Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | | |Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) | --- -To verify Windows Defender SmartScreen is turned off (disabled): -1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap the ellipses (**...**). -2. Click **Settings** and select **View Advanced Settings**. -3. At the bottom, verify that **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) +To verify Windows Defender SmartScreen is turned off (disabled): +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) ### ADMX info and settings diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md index 9ebf113025..5b64733d8f 100644 --- a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md +++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Start pages are not editable)* @@ -8,14 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured |0 |0 |Lockdown Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) | +|Not configured |0 |0 |Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages](../group-policies/start-pages-gp.md). - ### ADMX info and settings #### ADMX info @@ -42,10 +46,10 @@ For more details about configuring the Start pages, see [Start pages](../group-p ### Related Policies - [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] -- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] ### Related topics -[!INCLUDE [browser-extension-policy-shortdesc-include](browser-extension-policy-shortdesc-include.md)] +[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]


\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md
deleted file mode 100644
index b1fc2dd88c..0000000000
--- a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md
+++ /dev/null
@@ -1,31 +0,0 @@
-
->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured* - - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** -- **GP name:** -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[]() -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ -- **Data type:** Integer - -#### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\ -- **Value name:** -- **Value type:** REG_DWORD - -
\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md
index 87c355b74f..03f9746a15 100644
--- a/browsers/edge/includes/do-not-sync-browser-settings-include.md
+++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md
@@ -1,5 +1,13 @@
-
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Allowed/turned on)* [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)] @@ -9,43 +17,36 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | -|Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the Sync your Settings option. | +|Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the _Sync your Settings_ option. | --- -### Configuration options - -For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). - - - ### ADMX info and settings #### ADMX info - **GP English name:** Do not sync browser settings -- **GP name:** DoNotSyncBrowserSetting +- **GP name:** DisableWebBrowserSettingSync - **GP path:** Windows Components/Sync your settings - **GP ADMX file name:** SettingSync.admx #### MDM settings -- **MDM name:** [Experience/DoNotSyncBrowserSetting](../available-policies.md#do-not-sync-browser-settings) +- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSetting +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\Policies\Microsoft\Windows\SettingSync +- **Path:** HKLM\\Software\Policies\Microsoft\Windows\SettingSync - **Value name:** DisableWebBrowserSettingSyncUserOverride -- **Value type:** REG_DWORD - +- **Value ### Related policies -[Prevent users from turning on browser syncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] +[Prevent users from turning on browser syncing](../available-policies.md#prevent-users-from-turning-on-browser-syncing): 
[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] ### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices)

-


\ No newline at end of file +
diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md
index 8bd1b9e20f..e572ce631a 100644
--- a/browsers/edge/includes/do-not-sync-include.md
+++ b/browsers/edge/includes/do-not-sync-include.md
@@ -1,6 +1,14 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured (Turned on)* +>*Default setting: Disabled or not configured (Allowed/turned on)* [!INCLUDE [do-not-sync-shortdesc](../shortdesc/do-not-sync-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Users can choose what to sync to their device. | | -|Enabled |2 |2 |Prevented/turned off. Disables the Sync your Settings toggle and prevents syncing. |![Most restricted value](../images/check-gn.png) | +|Enabled |2 |2 |Prevented/turned off. Disables the _Sync your Settings_ toggle and prevents syncing. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -17,7 +25,7 @@ - **GP English name:** Do not sync - **GP name:** AllowSyncMySettings - **GP path:** Windows Components/Sync your settings -- **GP ADMX file name:** MicrosoftEdge.admx +- **GP ADMX file name:** SettingSync.admx #### MDM settings - **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) @@ -30,8 +38,8 @@ - **Value name:** DisableSettingSyn - **Value type:** REG_DWORD -### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are sync'ed. +### Related topics +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are sync'ed.
\ No newline at end of file
diff --git a/browsers/edge/includes/edge-respects-applocker-lists-include.md b/browsers/edge/includes/edge-respects-applocker-lists-include.md
deleted file mode 100644
index 3f6b0aa3ce..0000000000
--- a/browsers/edge/includes/edge-respects-applocker-lists-include.md
+++ /dev/null
@@ -1,22 +0,0 @@
-
->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured - - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -### ADMX info and settings -| | | -|---|---| -|ADMX info |
  • **GP English name:**
  • **GP name:**
  • **GP path:** Windows Components/Microsoft Edge
  • **GP ADMX file name:** MicrosoftEdge.admx
| -|MDM settings |
  • **MDM name:** Browser/[]()
  • **Supported devices:** Desktop and Mobile
  • **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
  • **Data type:** Integer
| -|Registry |
  • **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\
  • **Value name:**
  • **Value type:** REG_DWORD
| ---- - - ---- \ No newline at end of file diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md index f724a38af6..29285e2d27 100644 --- a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md +++ b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + [Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. \ No newline at end of file diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md index ed4e9b1019..d3d116dc84 100644 --- a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md +++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
>*Default setting: Disabled or not configured* @@ -5,3 +13,7 @@ By default, all sites open the currently active browser. With this policy, you c >[!NOTE] >If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. + +You can find the group policy settings in the following location of the Group Policy Editor: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Internet Explorer\\** diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md index e9e73eb750..cd98f1a8c3 100644 --- a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md +++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Turned off/not syncing)* @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Turned off/not syncing. | | -|Enabled |1 |1 |Turned on/syncing. |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured
**(default)** |0 |0 |Turned off/not syncing | | +|Enabled |1 |1 |Turned on/syncing |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md index c0590648fa..7884bbe03b 100644 --- a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md +++ b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md @@ -1 +1,9 @@ -[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows and evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. 
diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md
index a2f7492948..b7cb5483d1 100644
--- a/browsers/edge/includes/prevent-access-about-flag-include.md
+++ b/browsers/edge/includes/prevent-access-about-flag-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
>*Default setting: Disabled or not configured (Allowed)* @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed. | | -|Enabled |1 |1 |Prevents users from access the about:flags page. |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured
**(default)** |0 |0 |Allowed | | +|Enabled |1 |1 |Prevented |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md index e547317eb3..511434ab4e 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/turned off)*
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
index e57bb9f213..01a87fe00e 100644
--- a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
+++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/turned off)*
diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
index 052ef6499e..edc6eb48d8 100644
--- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md
+++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
@@ -1,6 +1,14 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Allowed/turned off)* [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md index 4bbb97f4b0..9807f5b9ce 100644 --- a/browsers/edge/includes/prevent-changes-to-favorites-include.md +++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
>*Default setting: Disabled or not configured (Allowed/not locked down)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed/not locked down. Users can add, import, and make changes to the Favorites list. | | +|Disabled or not configured
**(default)** |0 |0 |Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | |Enabled |1 |1 |Prevented/locked down. |![Most restricted value](../images/check-gn.png) | --- diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md index 61192efbcf..09f5a55707 100644 --- a/browsers/edge/includes/prevent-first-run-webpage-open-include.md +++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed. Microsoft Edge loads the welcome page. | | +|Disabled or not configured
**(default)** |0 |0 |Allowed. Load the First Run webpage. | | |Enabled |1 |1 |Prevented. |![Most restricted value](../images/check-gn.png) | --- diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md index 844e72d227..39a929269e 100644 --- a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md +++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Collect and send)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |Collect and send Live Tile metadata. | | -|Enabled |1 |1 |Do not collect. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Do not collect data. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md index 4b5e20e3cb..bd72138fb1 100644 --- a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md +++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)* diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md index dad8213fef..12aad63505 100644 --- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md +++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Allowed)* [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] @@ -10,9 +18,11 @@ |Group Policy |Description | |---|---| |Disabled or not configured
**(default)** |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | -|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. | +|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | --- + + ### ADMX info and settings #### ADMX info - **GP English name:** Prevent turning off required extensions @@ -21,13 +31,13 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventTurningOffRequiredExtensions](../new-policies.md#prevent-turning-off-required-extensions) +- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions - **Data type:** String #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Extensions +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions - **Value name:** PreventTurningOffRequiredExtensions - **Value type:** REG_SZ diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md index 7da4682d47..d6d9abf40f 100644 --- a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md +++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md @@ -1,5 +1,13 @@ - ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Prevented/turned off)* [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] @@ -7,26 +15,22 @@ ### Supported values |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled |0 |0 |Allowed/turned on. Users can sync the browser settings. | -|Enabled or not configured
**(default)** |1 |1 |Prevented/turned off. | +|Disabled |0 |0 |Allowed/turned on. Users can sync the browser settings. | +|Enabled or not configured
**(default)** |1 |1 |Prevented/turned off. | --- -### Configuration options - -For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Prevent users from turning on browser syncing - **GP name:** PreventUsersFromTurningOnBrowserSyncing -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx +- **GP path:** Windows Components/Sync your settings +- **GP ADMX file name:** SettingSync.admx #### MDM settings -- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing) +- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing +- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing - **Data type:** String @@ -34,7 +38,7 @@ For more details about configuring the browser syncing options, see [Sync browse [Do not sync browser settings](../available-policies.md#do-not-sync-browser-settings): [!INCLUDE [do-not-sync-browser-settings-shortdesc](../shortdesc/do-not-sync-browser-settings-shortdesc.md)]. ### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices) +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices)


\ No newline at end of file diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index 7601beff81..cc5617a248 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -1,9 +1,18 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Customizable)* [!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] + >[!IMPORTANT] >Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. @@ -11,8 +20,8 @@ |Group Policy |Description |Most restricted | |---|---|:---:| -|Disabled or not configured
**(default)** |Default list of favorites not defined in Microsoft Edge. In this case, the Favorites list is customizable, such as adding folders, or adding and removing favorites. | | -|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file**, and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=http://localhost:8080/URLs.html
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:\Users\\Documents\URLs.html
|![Most restricted value](../images/check-gn.png) | +|Disabled or not configured
**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | +|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file**, and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=http://localhost:8080/URLs.html
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -30,7 +39,7 @@ - **Data type:** String #### Registry settings -- **Path:** HLKM\Software\Policies\Microsoft\MicrosoftEdge\Favorites +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites - **Value name:** ConfiguredFavorites - **Value type:** REG_SZ diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md index e550bc4e57..2f7d7dab86 100644 --- a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md +++ b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. \ No newline at end of file diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index 1155d908d3..fa61ceaac2 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
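Review bot: The `+|Enabled` row lists provisioning sources without any guidance on trusting them: the `"SiteList"=http://localhost:8080/URLs.html` example is plain HTTP, and a favorites file pulled over HTTP from anything other than localhost can be altered in transit to point users at look-alike sites, since the policy provisions whatever the file contains. The `"\network\shares\URLs.html"` example also looks like a malformed UNC path (a share normally starts with `\\server\share`). Consider adding after step 3: `> [!NOTE]` / `> Host the favorites file on an HTTPS endpoint or on a share where only administrators have write access; users receive exactly the list that location serves.` The "points the file" wording in step 3 should read "points to the file".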
>*Default setting: Disabled or not configured* @@ -5,7 +13,7 @@ [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)] >[!TIP] ->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. Allowed values. +>Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager. ### Supported values @@ -13,7 +21,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enabled**, refresh the policy, and then view the affected sites in Microsoft Edge.

    A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | +|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | --- @@ -31,7 +39,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main - **Value name:** SendIntranetTraffictoInternetExplorer - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md index de82b057b7..68c6521ad8 100644 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ b/browsers/edge/includes/set-default-search-engine-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
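Review bot: The procedure under the `+|Enabled` row points to `Computer Configuration\Administrative Templates\Windows Components\File Explorer\Set a default associations configuration file`, which is a different policy from the one this include documents (the registry hunk below it sets `SendIntranetTraffictoInternetExplorer` under `MicrosoftEdge\Main`), so the steps appear copied from another topic and should reference this policy's own path. Because the TIP above notes that IE11 still runs ActiveX controls and BHOs, which hosts count as "intranet" matters: presumably this follows the Local intranet zone assignment (worth confirming), so the row should tell readers to lock that assignment down to hosts they control before enabling the policy, e.g. `Before enabling, confirm which hosts are classified as intranet sites; any host in that set is opened with IE11's legacy feature set.`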
>*Default setting: Not configured (Defined in App settings)* @@ -8,24 +16,11 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured
**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](#allow-search-engine-customization-include) policy, users cannot make changes. | | -|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | | -|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.

If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | +|Not configured
**(default)** |Blank |Blank |Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | +|Disabled |0 |0 |Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | +|Enabled |1 |1 |Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.

If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | --- -### Configuration options - -| **Set default search engine** | **Allow search engine customization** | **Configure additional search engines** | **Outcome** | -| --- | --- | --- | --- | -| Not configured (default) | Disabled | Disabled or not configured (default) | Default search engine specified in App settings. Users cannot make changes. | -| Not configured (default) | Enabled or not configured (default) | Disabled or not configured (default) | Default search engine specified in App settings. Users can make changes to the default search engine at any time. | -| Disabled | Disabled | Disabled or not configured (default) | Users cannot add, remove, or change any of the search engines, but they can set a default search engine. | -| Disabled | Enabled or not configured (default) | Disabled or not configured (default) | Users can add new search engines or change the default search engine, in Settings. | -| Enabled | Disabled | Disabled or not configured (default) | Set the default search engine preventing users from making changes. | -| Enabled | Enabled or not configured (default) | Disabled or not configured (default) | Set the default search engine and allow users to add search engines or make changes. | ---- - -![Set default search engine configurations](../images/set-default-search-engine-v4-sm.png) ### ADMX info and settings @@ -43,7 +38,7 @@ - **Data type:** Integer #### Registry settings -- **Path:** HLKM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch +- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\OpenSearch - **Value name:** SetDefaultSearchEngine - **Value type:** REG_SZ 
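Review bot: On the `+|Enabled` row, "Use this format to specify the link you want to add." refers to a format that is never shown, so the sentence dangles; either include the expected string form or drop the sentence. The row also requires an HTTPS URL template inside the OpenSearch file but says nothing about the link to the XML file itself, even though every address-bar query goes to whatever provider that file names; suggest adding `Host the OpenSearch XML file at an HTTPS location that only administrators can modify.` The `../group-policies/search-engine-customization-gp.md#allow-search-engine-customization` anchor replaces an in-page anchor, so confirm the target heading exists in that topic.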
@@ -55,7 +50,7 @@ ### Related topics -- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] - [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md index 26f674b19d..5fbf5227ad 100644 --- a/browsers/edge/includes/set-home-button-url-include.md +++ b/browsers/edge/includes/set-home-button-url-include.md @@ -1,5 +1,13 @@ - ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Blank)* [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] @@ -8,19 +16,14 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |Blank |Blank |Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. | -|Enabled - String |String |String |Load a custom URL for the home button. You must also enable the [Configure Home button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option.

Enter a URL in string format, for example, https://www.msn.com. | +|Disabled or not configured
**(default)** |Blank |Blank |Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | +|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option. | --- -### Configuration options - -For more details about configuring the different Home button options, see [Home button](../group-policies/home-button-gp.md). - - ### ADMX info and settings #### ADMX info -- **GP English name:** Set Home button URL +- **GP English name:** Set Home Button URL - **GP name:** SetHomeButtonURL - **GP element:** SetHomeButtonURLPrompt - **GP path:** Windows Components/Microsoft Edge @@ -39,8 +42,8 @@ For more details about configuring the different Home button options, see [Home ### Related policies -- [Configure Home button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] -- [Unlock Home button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]


diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md index ffd31bd264..d558c67cf7 100644 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ b/browsers/edge/includes/set-new-tab-url-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Blank)* [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |Blank |Blank |Load the default New tab page. | -|Enabled - String |String |String |Prevent users from changing the New tab page.

Enter a URL in string format, for example, https://www.msn.com. | +|Disabled or not configured
**(default)** |Blank |Blank |Load the default New Tab page. | +|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| --- ### ADMX info and settings diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md index d6cdf4b94a..8b851708f3 100644 --- a/browsers/edge/includes/show-message-opening-sites-ie-include.md +++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md @@ -1,18 +1,27 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
>*Default setting: Disabled or not configured (No additional message)* [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + ### Supported values |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |No additional message displays. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Show an additional message stating that a site has opened in IE11. | | -|Enabled |2 |2 |Show an additional message with a "Keep going in Microsoft Edge" link to allow users to open the site in Microsoft Edge. | | +|Enabled |2 |2 |Show an additional message with a _Keep going in Microsoft Edge_ link to allow users to open the site in Microsoft Edge. | | --- ### ADMX info and settings diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md index 91a7a446e4..6ca46698db 100644 --- a/browsers/edge/includes/unlock-home-button-include.md +++ b/browsers/edge/includes/unlock-home-button-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Home button is locked)* [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] @@ -8,15 +16,10 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |0 |0 |Lock down the home button to prevent users from making changes to the home button settings. | -|Enabled |1 |1 |Let users make changes. | +|Disabled or not configured
**(default)** |0 |0 |Locked, preventing users from making changes. | +|Enabled |1 |1 |Unlocked, letting users make changes. | --- - -### Configuration options - -For more details about configuring the different Home button options, see [Home button](../group-policies/home-button-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Unlock Home Button @@ -37,9 +40,9 @@ For more details about configuring the different Home button options, see [Home ### Related policies -- [Configure Home button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] -- [Set Home button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]


\ No newline at end of file diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml new file mode 100644 index 0000000000..5798e4ee62 --- /dev/null +++ b/browsers/edge/index.yml @@ -0,0 +1,163 @@ +### YamlMime:YamlDocument + +documentType: LandingData + +title: Microsoft Edge Group Policy configuration options + +metadata: + + document_id: + + title: Microsoft Edge Group Policy configuration options + + description: + + text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + + keywords: Microsoft Edge, Windows 10 + + ms.localizationpriority: high + + author: shortpatti + + ms.author: pashort + + ms.date: 08/09/2018 + + ms.topic: article + + ms.devlang: na + +sections: + +- title: + +- items: + + - type: markdown + + text: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. + +- items: + + - type: list + + style: cards + + className: cardsE + + columns: 3 + + items: + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/change-history-for-microsoft-edge + + html:

Learn more about the latest group policies and features added to Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_whats-new.svg + + title: What's new + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/about-microsoft-edge + + html:

Learn about the system requirements and language support for Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_overview.svg + + title: System requirements and supported languages + + - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare + + html:

Learn about the supported features & functionality in each Windows edition.

+ + image: + + src: https://docs.microsoft.com/media/common/i_config-tools.svg + + title: Compare Windows 10 Editions + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp + + html:

Learn how Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows.

+ + image: + + src: https://docs.microsoft.com/media/common/i_security-management.svg + + title: Security & protection + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + + html:

Learch how you can use the Enterprise Mode site list for websites and apps that have compatibility problems in Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Interoperability & enterprise guidance + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/index + + html:

Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.

+ + image: + + src: https://docs.microsoft.com/media/common/i_policy.svg + + title: Group policies & configuration options + +- items: + + - type: list + + style: cards + + className: cardsL + + items: + + - title: Microsoft Edge resources + + html:

Minimum system requirements

+ +

Supported languages

+ +

Document change history

+ +

Compare Windows 10 Editions

+ +

Microsoft Edge Dev blog

+ +

Microsoft Edge Dev on Twitter

+ +

Microsoft Edge changelog

+ +

Measuring the impact of Microsoft Edge

+ + - title: IE11 resources + + html:

Deploy Internet Explorer 11 (IE11) - IT Pros

+ +

Internet Explorer Administration Kit 11 (IEAK 11)

+ +

Download Internet Explorer 11

+ + - title: Additional resources + + html:

Group Policy and the Group Policy Management Console (GPMC)

+ +

Group Policy and the Local Group Policy Editor

+ +

Group Policy and the Advanced Group Policy Management (AGPM)

+ +

Group Policy and Windows PowerShell

+ + + + + + diff --git a/browsers/edge/microsoft-browser-extension-policy-include.md b/browsers/edge/microsoft-browser-extension-policy-include.md deleted file mode 100644 index 03aabcbbff..0000000000 --- a/browsers/edge/microsoft-browser-extension-policy-include.md +++ /dev/null @@ -1 +0,0 @@ -[Microsoft browser extention policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy) \ No newline at end of file diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index 59299f93a9..d5a7390752 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -1,18 +1,22 @@ --- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros (Microsoft Edge for IT Pros) -description: Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. +title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros +description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. author: shortpatti ms.author: pashort ms.prod: edge ms.mktglfcycl: general ms.sitesec: library ms.localizationpriority: medium -ms.date: 09/19/2017 +ms.date: 10/02/2018 --- -# Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros +# Frequently Asked Questions (FAQs) for IT Pros ->Applies to: Windows 10, Windows 10 Mobile +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +**Q: What is the size of the local storage for Microsoft Edge overall and per domain?** + +**A:** The limits are 5MB per subdomain, 10MB per domain, and 50MB total. **Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?** 
@@ -27,7 +31,7 @@ For more information on how Internet Explorer and Microsoft Edge can work togeth **Q: I have Windows 10, but I don’t seem to have Microsoft Edge. Why?** -**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. +**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016 and Windows Server 2019, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. **Q: How do I get the latest Canary/Beta/Preview version of Microsoft Edge?** 
@@ -35,17 +39,19 @@ For more information on how Internet Explorer and Microsoft Edge can work togeth **Q: How do I customize Microsoft Edge and related settings for my organization?** -**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies) for a list of available policies for Microsoft Edge. +**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/index) for a list of available policies for Microsoft Edge and configuration combinations. **Q: Is Adobe Flash supported in Microsoft Edge?** -**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with [Click-to-Run for Flash](https://blogs.windows.com/msedgedev/2016/12/14/edge-flash-click-run/) in the Windows 10 Creators Update. +**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. 
With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. -For more information about the phasing out of Flash, read the [End of an Era – Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#85ZBy7aiVlDQHebO.97) blog post. +To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). -**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?** -**A:** No, ActiveX controls and BHOs such as Silverlight or Java are not supported in Microsoft Edge. The need for ActiveX controls has been significantly reduced by modern web standards, which are more interoperable across browsers. We are working on plans for an extension model based on the modern web platform in Microsoft Edge. We look forward to sharing more details on these plans soon. Not supporting legacy controls in Microsoft Edge provides many benefits including better interoperability with other modern browsers, as well as increased performance, security, and reliability. +**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?** + +**A:** No. Microsoft Edge does not support ActiveX controls and BHOs such as Silverlight or Java. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. 
+ **Q: How often will Microsoft Edge be updated?** @@ -77,5 +83,5 @@ For more information about the phasing out of Flash, read the [End of an Era – **Q: Will Windows 7 or Windows 8.1 users get Microsoft Edge or the new Microsoft EdgeHTML rendering engine?** -**A:** Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. Although we don’t have any plans to bring Microsoft Edge to Windows 7 or Windows 8.1 at this time, you can test Microsoft Edge with older versions of Internet Explorer using [free virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/). +**A:** No. Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index a3679f369c..428657dfea 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -6,27 +6,27 @@ ms.author: pashort ms.prod: edge ms.sitesec: library title: Deploy Microsoft Edge kiosk mode -ms.localizationpriority: high -ms.date: 07/25/2018 +ms.localizationpriority: medium +ms.date: 10/02/2018 --- -# Deploy Microsoft Edge kiosk mode (Preview) +# Deploy Microsoft Edge kiosk mode ->Applies to: Microsoft Edge on Windows 10
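Review bot: The rewritten ActiveX answer ends with `IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support.`, which contradicts the sentence the same hunk removes (that dropping legacy controls in Microsoft Edge is what provides "increased performance, security, and reliability") and overstates the case: IE11 is the browser that retains the ActiveX/BHO attack surface, and it is kept for compatibility, not security. Suggest `IE11 remains supported and manageable for these legacy apps, but it carries the larger attack surface of ActiveX and BHOs, so scope its use to the Enterprise Mode site list.` The newly added local-storage limits (5MB/10MB/50MB) cannot be verified from this diff; confirm them against the product before publishing.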
->Preview build 17723 +>Applies to: Microsoft Edge on Windows 10, version 1809 -Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). +In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk (referred to as Microsoft Edge kiosk mode). We added and updated Microsoft Edge group policies to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. -When you configure Microsoft Edge kiosk mode in assigned access, you can set it up to show only a single URL in full-screen, in the case of digital/interactive signage on a single-app kiosk device. You can restrict Microsoft Edge for public browsing (on a single and multi-app kiosk device) which runs a multi-tab version of InPrivate with limited functionality. Also, you can configure a multi-app kiosk device to run a full or normal version of Microsoft Edge. +Microsoft Edge kiosk mode works with assigned access, which lets IT administrators create a tailored browsing experience designed for kiosk devices. Assigned access prevents users from accessing the file system and running other apps from Microsoft Edge, such as the address bar or downloads. For example, you can configure Microsoft Edge to load only a single URL in full-screen mode when you configure digital/interactive signage on a single-app kiosk device. -Digital/Interactive signage and public browsing protects the user’s data by running Microsoft Edge InPrivate. In single-app public browsing, there is both an idle timer and an 'End Session' button. The idle timer resets the browsing session after a specified time of user inactivity. 
+In addition to digital/interactive signage, you can configure Microsoft Edge for public browsing either on a single and multi-app kiosk device. Public browsing runs a multi-tab version of InPrivate browsing mode with limited functionality to run in full-screen mode or normal browsing of Microsoft Edge. -In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to setup your Microsoft Edge kiosk mode experience. +Both digital/interactive signage and public browsing help protect the user’s data by running Microsoft Edge with InPrivate browsing. In single-app public browsing, there is both an ‘End Session’ button that users click to end the browsing session or that resets the session after a specified time of user inactivity. The idle timer is set to 5 minutes by default, but you can choose a value of your own. +In this topic, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to set up your Microsoft Edge kiosk mode experience. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). ## Microsoft Edge kiosk types -Microsoft Edge kiosk mode supports **four** types, depending on how Microsoft Edge is set up in assigned access; single-app or multi-app kiosk. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). +Depending on how Microsoft Edge is set up in assigned access, Microsoft Edge kiosk mode supports four types, single-app or multi-app kiosk mode with both supporting public browsing. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). ### Single-app kiosk 
@@ -34,29 +34,33 @@ When you set up Microsoft Edge kiosk mode in single-app assigned access, Microso The single-app Microsoft Edge kiosk mode types include: -1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage include an interactive museum display or a restaurant order/pay station. +1. **Digital / Interactive signage** devices display a specific site in full-screen mode that runs InPrivate browsing mode. -2. **Public browsing** devices run a limited multi-tab version of InPrivate and Microsoft Edge is the only app available. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking the “End session” button. You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. A public library or hotel concierge desk are two examples of public browsing in single-app kiosk device. + - **Digital signage** does not require user interaction and best used for a rotating advertisement or menu. - ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/SingleApp_contosoHotel_inFrame.png) + - **Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet. Use interactive signage for things like a building business directory or restaurant order/pay station. + +2. **Public browsing** devices are publicly accessible and run a limited multi-tab version of InPrivate browsing in Microsoft Edge, which is the only app available on the device. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge.

The single-app public browsing mode is the only kiosk mode that has an ‘End Session’ button that users click to end the browsing session and an idle timer that resets the session after a specified time of user inactivity. Use the “Configure kiosk reset after idle timeout” policy to set the idle timer, which is set to 5 minutes by default, but you can provide a value of your own.

A public library or hotel concierge desk are two examples of public browsing that restricts access to only Microsoft Edge. + + ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/surface_hub_single-app_browse_kiosk_inframe.png) ### Multi-app kiosk When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsoft Edge runs a limited multi-tab version of InPrivate or a normal browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. The multi-app Microsoft Edge kiosk mode types include: -3. **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other app(s). +3. **Public browsing** devices are publicly accessible and supports browsing the internet. Public browsing runs a multi-tab version of InPrivate browsing mode with limited functionality that runs in full-screen mode.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps. - ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/Multi-app_kiosk_inFrame.png) + ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/surface_hub_multi-app_kiosk_inframe.png) -4. **Normal mode** mode runs a full version of Microsoft Edge, but some features may not work depending on what other apps you configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. +4. **Normal mode** devices run a full-featured version of Microsoft Edge (referred to as normal browsing).

Some features may not work depending on what other apps you have configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. - ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/Normal_inFrame.png) + ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/surface_hub_multi-app_normal_kiosk_inframe.png) ## Let’s get started! -Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using: +Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge in kiosk mode. You can set up Microsoft Edge kiosk mode in assigned access using: -- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout. +- **Windows Settings.** Best for physically setting up a couple of devices as kiosks. You can configure Microsoft Edge in single-app (full-screen or public browsing as the kiosk type) and define a single URL for the Home button, Start page, and New Tab page. You can also set the reset after an idle timeout. - **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. 
With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access. 
@@ -69,89 +73,96 @@ Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Ed ### Prerequisites -- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). +- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). -- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method. - ->[!Important] ->If you are using a local account as a kiosk account in Intune or provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. +- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the AppUserModelID (AUMID) to set up Microsoft Edge: + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge ### Use Windows Settings -Windows Settings is the simplest and easiest way to set up one or a couple of devices because you must perform these steps on each device. This method is ideal for small businesses. +Windows Settings is the simplest and easiest way to set up one or a couple of devices because you perform these steps physically on each device. This method is ideal for small businesses. -1. In Windows Settings, select **Accounts** \> **Other people**. +When you set up a single-app kiosk device using Windows Settings, you must first set up assigned access before configuring the device. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge, in kiosk mode. -2. Under **Set up a kiosk**, select **Assigned access**. +1. 
In the search field of Windows Settings, type **kiosk** and then select **Set up a kiosk (assigned access)**. -3. Select **Get started**. +2. On the **Set up a kiosk** page, click **Get started**. -4. Create a standard user account or choose an existing account for your kiosk. +3. Type a name to create a new account or you can choose an existing account and click **Next**. -5. Select **Next**. +4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. -6. On the **Choose a kiosk app** page, select **Microsoft Edge.** - -7. Select **Next**. - -8. Select how Microsoft Edge displays when running in kiosk mode: +5. Select how Microsoft Edge displays when running in kiosk mode: - **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls. - **As a public browser**, the default URL shows in a browser view with limited browser controls. -9. Select **Next**. +6. Select **Next**. -10. Enter the URL that you want to load when the kiosk launches. +7. Type the URL to load when the kiosk launches. - >[!NOTE] - >The URL sets the Home button, Start page, and New tab page. + >[!NOTE] + >The URL sets the Home button, Start page, and New Tab page. -11. Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value. +8. Accept the default value of **5 minutes** for the idle time or provide your own value. -12. Select **Next**, and then select **Close**. + >[!TIP] + >Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. 
If the user does not **Continue**, Microsoft Edge resets to the default URL. -13. Close **Settings** to save your choices automatically and apply them the next time the user account logs on. +9. Click **Next**. -14. Configure the policies for Microsoft Edge kiosk mode. For details on the valid kiosk policy settings, see [Relevant policies](#relevant-policies). +10. Close the **Settings** window to save and apply your choices. -15. Validate the Microsoft Edge kiosk mode by restarting the device and signing in with the local kiosk account. +11. Now that you have configured assigned access, selected how Microsoft Edge displays the kiosk, and set the idle timer, you can configure the group policies for Microsoft Edge kiosk mode. -**_Congratulations!_** You’ve finished setting up Microsoft Edge in assigned access and a kiosk or digital sign, and configured browser policies for Microsoft Edge kiosk mode. + >>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + >> + >>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + - **[Configure kiosk mode](#configure-kiosk-mode)**: Configure the display mode for Microsoft Edge as a kiosk app. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. For this policy to work, you must configure assigned access; otherwise, Microsoft Edge ignores the settings in this policy. + + - **[Configure kiosk reset after idle timeout](#configure-kiosk-reset-idle-timeout)**: Change the time, in minutes, from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. For this policy to work, you must enable the Configure kiosk mode policy (InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access; otherwise, Microsoft Edge ignores this setting. 
+ + - **[Additional policies for kiosk mode](#additional-policies-for-kiosk-mode)**: We have other new and existing policies that work with Microsoft Edge kiosk mode, such as Allow cookies, Allow printing, Configure Home button, and Configure telemetry for Microsoft 365 analytics. At this time, only a few features work in all kiosk types, for example, Unlock Home button works only in normal browsing. + +12. Once you've configured the group policies, restart the kiosk device and sign in with the local kiosk account to validate the configuration. + +**_Congratulations!_** You’ve just finished setting up Microsoft Edge in assigned access, a kiosk or digital sign, and configured the group policies for Microsoft Edge kiosk mode. **_Next steps._** -- Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. -- If you want to make changes to your kiosk, you can quickly change the display option and default URL for Microsoft Edge. - - 1. Go to **Start** \> **Settings** \> **Accounts** \> **Other people**. - - 2. Under **Set up a kiosk**, select **Assigned access**. - - 3. Make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. +|If you want to... |Then... | +|---|---| +|Use your new kiosk |Sign into the device with the kiosk account that you selected to run Microsoft Edge kiosk mode. | +|Make changes to your kiosk such as change the display option or the URL that loads |

  1. In Windows Settings, type **kiosk** in the search field and select **Set up a kiosk (assigned access)**.
  2. On the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
| +--- ### Use Microsoft Intune or other MDM service With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. +>[!IMPORTANT] +>If you are using a local account as a kiosk account in Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. + 1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. -2. Configure the following MDM settings to control a web browser app on the kiosk device. +2. Configure the following MDM settings to control a web browser app on the kiosk device and then restart the device. | | | |---|---| - | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge running in assigned access
    • **1** - InPrivate public browsing with other apps
| - | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| + | **[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge running in assigned access
    • **1** - InPrivate public browsing with other apps
| + | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| - | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New Tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| + | **[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | ---
-3. Restart the device and sign in using the kiosk app user account. -**_Congratulations!_** You’ve finished setting up a kiosk or digital signage and configuring policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. +**_Congratulations!_** You’ve just finished setting up a kiosk or digital signage and configuring group policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. **_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. 
@@ -159,27 +170,32 @@ With this method, you can use Microsoft Intune or other MDM services to configur With this method, you can use a provisioning package to configure Microsoft Edge kiosk mode in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves on a kiosk device. -1. Open Windows Configuration Designer to create a provisioning package and configure Microsoft Edge in assigned access. +>[!IMPORTANT] +>If you are using a local account as a kiosk account in Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. -2. After creating the provisioning package and configuring assigned access, and before you build the package, switch to the advanced editor. +1. Open Windows Configuration Designer and select **Provision Kiosk devices**. -3. Navigate to **Runtime settings \> Policies \> Browser** and set the following policies: +2. Name your project, and click **Next**. + +3. [Set up a kiosk](https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app#set-up-a-kiosk-using-the-kiosk-wizard-in-windows-configuration-designer). + +4. Switch to the advanced editor and navigate to **Runtime settings \> Policies \> Browser** and set the following policies: | | | |---|---| - | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge running in assigned access
    • **1** - InPrivate public browsing with other apps
| - | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| + | **[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

  • **Single-app kiosk experience**
    • **0** - Digital signage and interactive display
    • **1** - InPrivate Public browsing
  • **Multi-app kiosk experience**
    • **0** - Normal Microsoft Edge running in assigned access
    • **1** - InPrivate public browsing with other apps
| + | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

  • **0** - No idle timer
  • **1-1440 (5 minutes is the default)** - Set reset on idle timer
| | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| - | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

  • **0 (default)** - Not configured. Show home button, and load the default Start page.
  • **1** - Enabled. Show home button and load New Tab page
  • **2** - Enabled. Show home button & set a specific page.
  • **3** - Enabled. Hide the home button.
| + | **[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | --- -
-4. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to build the package. -5. Click **Finish**. The wizard closes taking you back to the Customizations page. +5. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to [build the package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package#build-package). -6. Apply the provisioning package to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). For more details, see [Apply a provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package). +6. Click **Finish**.

The wizard closes and takes you back to the Customizations page. + +7. [Apply the provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package) to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). **_Congratulations!_** You’ve finished creating your provisioning package for Microsoft Edge kiosk mode. @@ -187,7 +203,17 @@ With this method, you can use a provisioning package to configure Microsoft Edge --- + ## Relevant policies +We added and updated Microsoft Edge group policies to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. + +### Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +### Configure kiosk reset idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +### Additional policies for kiosk mode Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser). 
@@ -203,57 +229,57 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie | [AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFullscreen](new-policies.md#allow-fullscreen-mode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | | 
[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowPrelaunch](new-policies.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowPrinting](new-policies.md#allow-printing)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSavingHistory](new-policies.md#allow-saving-history)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* | ![Not supported](images/148766.png) | ![Not 
supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSideloadingOfExtensions](new-policies.md#allow-sideloading-of-extensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowTabPreloading](new-policies.md#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)\* | ![Not 
supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowWebContentOnNewTabPage](available-policies.md#allow-web-content-on-new-tab-page)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureFavoritesBar](new-policies.md#configure-favorites-bar)\* | ![Not supported](images/148766.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureHomeButton](new-policies.md#configure-home-button)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskMode](new-policies.md#configure-kiosk-mode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [ConfigureOpenMicrosoftEdgeWith](new-policies.md#configure-open-microsoft-edge-with)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureTelemetryForMicrosoft365Analytics](new-policies.md#configure-collection-of-browsing-data-for-microsoft-365-analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [Experience/DoNotSyncBrowserSetting](available-policies.md#do-not-sync-browser-settings)\* and [Experience/PreventUsersFromTurningOnBrowserSyncing](new-policies.md#prevent-users-from-turning-on-browser-syncing)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and 
[Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | | [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | | [HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventCertErrorOverrides](new-policies.md#prevent-certificate-error-overrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventTurningOffRequiredExtensions](new-policies.md#prevent-turning-off-required-extensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | 
![Supported](images/148767.png) | +| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | | [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetHomeButtonURL](new-policies.md#set-home-button-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetNewTabPageURL](new-policies.md#set-new-tab-page-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| 
[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | | [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [UnlockHomeButton](new-policies.md#unlock-home-button)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | | [UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | --- -*\* New policy 
coming in the next release of Windows 10.*

+*\* New policy as of Windows 10, version 1809.*

*1) For multi-app assigned access, you must configure Internet Explorer 11.*
*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun].(https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
@@ -285,14 +311,6 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie
 ---
-## Known issues with prerelease build 17723
-
-When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored.
-- **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode.
-- **Actual behavior** – Normal Microsoft Edge launches.
-
----
-
 ## Provide feedback or get support
 To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
@@ -310,7 +328,7 @@ In the following table, we show you the features available in both Microsoft Edg
 | Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) |
 | Allow URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | | Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | -| Configure Home button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* |
 | Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) |
 | Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) |
diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md
deleted file mode 100644
index ac0e768adf..0000000000
--- a/browsers/edge/new-policies.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-description: Microsoft Edge now has new Group Policies and MDM Settings for IT administrators to configure Microsoft Edge. The new policies allow you to enable/disabled full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions.
-ms.assetid:
-author: shortpatti
-ms.author: pashort
-ms.prod: edge
-ms.mktglfcycl: explore
-ms.sitesec: library
-title: New Microsoft Edge Group Policies and MDM settings
-ms.localizationpriority:
-ms.date: 07/25/2018
----
-
-# New Microsoft Edge Group Policies and MDM settings (Preview)
-
-> Applies to: Microsoft Edge on Windows 10
-> Preview build 17713+ - -The Microsoft Edge team introduces new Group Policies and MDM Settings for the Windows 10 Insider Preview Build 17713+. The new policies allow IT administrators to enable/disable full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions. - -We are discontinuing the use of the **Configure Favorites** group policy. Use the **[Provision Favorites](available-policies.md#provision-favorites)** instead. - - - ->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor: ->> ->>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_** -

-
-
-
-| **Group Policy** | **New/update?** | **MDM Setting** | **New/update?** |
-| --- | --- | --- | --- |
-| [Allow fullscreen mode](#allow-fullscreen-mode) | New | [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) | New |
-| [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-prelaunch) | New | [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | New |
-| [Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | New | [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | New |
-| [Allow printing](#allow-printing) | New | [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | New |
-| [Allow Saving History](#allow-saving-history) | New | [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | New |
-| [Allow sideloading of Extensions](#allow-sideloading-of-extensions) | New | [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | New |
-| [Allow web content on new tab page](available-policies.md#allow-web-content-on-new-tab-page) | -- | [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | New |
-| [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics) | New 
| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | New |
-| [Configure Favorites Bar](#configure-favorites-bar) | New | [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | New |
-| [Configure Home button](#configure-home-button) | New | [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | New |
-| [Configure kiosk mode](#configure-kiosk-mode) | New | [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | New |
-| [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | New |
-| [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | New |
-| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | Experience/DoNotSyncBrowserSetting | New |
-| [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | New |
-| [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | Experience/PreventUsersFromTurningOnBrowserSyncing | New |
-| [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | PreventTurningOffRequiredExtensions | New |
-| [Set Home button 
URL](#set-home-button-url) | New | [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | New |
-| [Set New Tab page URL](#set-new-tab-page-url) | New | [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | New |
-| [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites) | Updated | [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | Updated |
-| [Unlock Home button](#unlock-home-button) | New | [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | New |
----
-
-
-
-## Allow fullscreen mode
-[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)]
-
-## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed
-[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)]
-
-## Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
-[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)]
-
-## Allow printing
-[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)]
-
-## Allow Saving History
-[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)]
-
-## Allow sideloading of Extensions
-[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)]
-
-
-## Configure collection of browsing data for Microsoft 365 Analytics
-[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)]
-
-## Configure Favorites Bar 
-[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)]
-
-## Configure Home button
-[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)]
-
-## Configure kiosk mode
-[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)]
-
-## Configure kiosk reset after idle timeout
-[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)]
-
-## Configure Open Microsoft Edge With
-[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)]
-
-## Prevent certificate error overrides
-[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)]
-
-## Prevent turning off required extensions
-[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)]
-
-## Prevent users from turning on browser syncing
-[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)]
-
-## Set Home button URL
-[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)]
-
-## Set New Tab page URL
-[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)]
-
-## Show message when opening sites in Internet Explorer
-[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)]
-
-## Unlock Home button
-[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)]
-
diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md
deleted file mode 100644
index 9efd0d49d7..0000000000
--- a/browsers/edge/security-enhancements-microsoft-edge.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-description: Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows.
-ms.prod: edge
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
-ms.localizationpriority: medium
-ms.date: 10/16/2017
-ms.author: pashort
-author: shortpatti
----
-
-# Security enhancements for Microsoft Edge
-
->Applies to: Windows 10, Windows 10 Mobile
-
-Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows.
-
-## Help to protect against web-based security threats
-While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking:
-
-- **Trickery** uses things like “phishing” attacks to convince a person to enter a banking password into a website that looks like the bank, but isn’t.
-
-- **Hacking** attacks a system through malformed content that exploits subtle flaws in a browser, or in various browser extensions, such as video decoders. This exploit lets an attacker run code on a device, taking over first a browsing session, and perhaps ultimately the entire device.
-
-While trickery and hacking are threats faced by every browser, it’s important that we explore how Microsoft Edge addresses these threats and is helping make the web a safer experience.
-
-### Help against trickery
-Web browsers can help defend your employees against trickery by identifying and blocking known tricks, and by using strong security protocols to ensure that they’re talking to the web site they think they’re talking to.
-
-#### Windows Hello
-Phishing scams get people to enter passwords into a fake version of a trusted website, such as a bank. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success, since attackers are too good at faking legitimate experiences for many people to notice the difference.
-
-To really address this problem, we need to stop people from entering plain-text passwords into websites. So in Windows 10, we gave you [Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/) technology with asymmetric cryptography that authenticates both the person and the website.
-
-Microsoft Edge is the first browser to natively support Windows Hello as a more personal, seamless, and secure way to authenticate on the web, powered by an early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/).
-
-#### Microsoft SmartScreen
-Microsoft SmartScreen, used in Windows 10 and both Internet Explorer 11 and Microsoft Edge, helps to defend against phishing by performing reputation checks on visited sites and blocking any sites that are thought to be phishing sites. SmartScreen also helps to defend people against being tricked into installing malicious [socially-engineered software downloads](http://operationstech.about.com/od/glossary/g/Socially-Engineered-Malware.htm and against [drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/). Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software, and may be hosted on trusted sites.
-
-#### Certificate Reputation system
-While people trust sites that have encrypted web traffic, that trust can be undermined by malicious sites using improperly obtained or fake certificates to impersonate legitimate sites. To help address this problem, we introduced the [Certificate Reputation system](http://blogs.msdn.com/b/ie/archive/2014/03/10/certificate-reputation-a-novel-approach-for-protecting-users-from-fraudulent-certificates.aspx) last year. This year, we’ve extended the system to let web developers use the [Bing Webmaster Tools](http://www.bing.com/toolbox/webmaster) to report directly to Microsoft to let us know about fake certificates.
-
-### Help against hacking
-While Microsoft Edge has done much to help defend against trickery, the browser’s “engine” has also been overhauled to resist hacking (attempts to corrupt the browser itself) including a major overhaul of the DOM representation in the browser’s memory, and the security mitigations described here.
-
-#### Microsoft EdgeHTML and modern web standards
-Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused on modern standards that let web developers build and maintain a consistent site across all modern browsers.
-
-The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features:
-
-- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks.
-
-- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured.
-
->[!NOTE]
->Both Microsoft Edge and Internet Explorer 11 support HSTS.
-
-#### All web content runs in an app container sandbox
-Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins.
-
-Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions.
-
-Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time. Because Microsoft Edge doesn’t support 3rd party binary extensions, there’s no reason for it to run outside of the containers, ensuring that Microsoft Edge is more secure.
-
-#### Microsoft Edge is now a 64-bit app
-The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Microsoft Store apps.
-
-##### 64-bit processes and Address Space Layout Randomization (ASLR)
-Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system.
Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system.
-
-The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR). ASLR randomizes the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find the sensitive memory components they’re looking for.
-
-#### New extension model and HTML5 support
-Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browser’s processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down.
-
-Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/).
-
-#### Reduced attack surfaces
-In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible.
-
-Because of the reduced backward compatibility, we’ve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility.
-
-#### Code integrity and image loading restrictions
-Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or being injected into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as, UNC or WebDAV) can’t be loaded.
-
-#### Memory corruption mitigations
-Memory corruption happens most frequently to apps written in C or C++ because those languages don’t provide type safety or buffer overflow protection. Broadly speaking, memory corruption attacks happen when an attacker provides malformed input to a program and the program can’t handle it, corrupting the program’s memory state and allowing the attacker to take control of the program.
-
-Over the years, a broad variety of mitigations have been created around memory corruption, but even as these mitigations roll out, attackers adapt and invent new ways to attack. At the same time, we’ve responded with new memory safety defenses, mitigating the most common new forms of attack, including and especially [use-after-free (UAF)](http://cwe.mitre.org/data/definitions/416.html) vulnerabilities.
-
-##### Memory Garbage Collector (MemGC) mitigation
-MemGC is the replacement for Memory Protector, currently turned on for both Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7 and newer operating systems.
MemGC is a memory garbage collection system that helps to defend the browser from UAF vulnerabilities by taking the responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory.
-
-##### Control Flow Guard
-Ultimately, attackers use memory corruption attacks to gain control of the CPU program counter so that they can jump to any code location they want. Control Flow Guard is a Microsoft Visual Studio technology that compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only go to function entry points with known addresses. This makes attacker take-overs much more difficult by severely constraining where a memory corruption attack can jump to.
-
-#### Designed for security
-We’ve spent countless hours reviewing, testing, and using Microsoft Edge to make sure that you’re more protected than ever before.
-
-##### Fuzzing/Static Analysis
-We’ve devoted more than 670 machine-years to fuzz testing Microsoft Edge and Internet Explorer during product development, including monitoring for possible exceptions such as crashes or memory leaks. We’ve also generated more than 400-billion DOM manipulations from 1-billion HTML files. Because of all of this, hundreds of security issues were addressed before the product shipped.
-
-##### Code Review & Penetration Testing
-Over 70 end-to-end security engagements reviewed all key features, helping to address security implementation and design issues before shipping.
-
-##### Windows REDTEAM
-The Windows REDTEAM emulates the techniques and expertise of skilled, real-world attackers. Exploited Microsoft Edge vulnerabilities discovered through penetration testing can be addressed before public discovery and real-world exploits.
-
-
-
-
-
-
-
-
-
-
diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
index ab30ba7a07..7eb5da6bd4 100644
--- a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
@@ -1 +1,9 @@
-You can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads book files automatically to a common, shared folder, and prevents users from removing the book from the library. When disabled, Microsoft Edge does not use a shared folder but downloads book files to a folder for each user. For this policy to work properly, users must be signed in with a school or work account.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
index 4a49c8dc67..d970c98301 100644
--- a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
index 6c0c3cf0be..a06ece3f82 100644
--- a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
index 31127ca2d7..75e6fa71ed 100644
--- a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
index e5fd1dde74..69f981f0d4 100644
--- a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
index 2857a93d27..cc694ab73b 100644
--- a/browsers/edge/shortdesc/allow-cortana-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
index b9bab04325..ef095e5733 100644
--- a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
index 1c11de47c0..1bbf337754 100644
--- a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
index 2d1f8ec802..41849af3ef 100644
--- a/browsers/edge/shortdesc/allow-extensions-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
index 0ce0f11a60..6f37d4a659 100644
--- a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
index 75def749bb..0171d9c8a5 100644
--- a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
index a56056d3e9..769d1ee379 100644
--- a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
index 58ab1f00bd..3d939db8c0 100644
--- a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/browsers/edge/shortdesc/allow-printing-shortdesc.md
index 07e8e98f42..b9e4cf691f 100644
--- a/browsers/edge/shortdesc/allow-printing-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge allows users to print web content by default. With this policy though, you can configure Microsoft Edge to prevent users from printing web content.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
index bec7172c23..e37a1e9bfc 100644
--- a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
index 2b4e25a7c3..e94443a99b 100644
--- a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
index bb723ab0c6..e9e9fd0512 100644
--- a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
index 5349cf7350..b276822d74 100644
--- a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge allows preloading of the Start and New tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
index 911267bdb1..9c8dea176e 100644
--- a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge loads the default New tab page by default. Disabling this policy loads a blank page instead of the New tab page and prevents users from changing it. Not configuring this policy lets users choose how the New tab page appears.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge loads the default New Tab page. Disabling this policy loads a blank page instead of the New Tab page and prevents users from changing it. Not configuring this policy lets users choose what loads on the New Tab page.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
new file mode 100644
index 0000000000..86ac25c632
--- /dev/null
+++ b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
@@ -0,0 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
index 9a382427fa..a91b389923 100644
--- a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
+++ b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
index c68642520a..39961b4f01 100644
--- a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
@@ -1 +1,9 @@
-By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. With this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
index c58d446834..d0be48cb2b 100644
--- a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md b/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
index 247308fee8..1688989ef7 100644
--- a/browsers/edge/shortdesc/configure-autofill-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
@@ -1 +1,9 @@
-By default, users can choose to use the Autofill feature to automatically populate the form fields. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
index 6a9cce12e0..32abbdf60a 100644
--- a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
index a35c4d0f31..ea5cb7e557 100644
--- a/browsers/edge/shortdesc/configure-cookies-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
index d3026c51e7..f9de9cd2ec 100644
--- a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
index 80383e4f0a..fd49f0e0c9 100644
--- a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
index 4536456e59..0303f69e10 100644
--- a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. With this policy, you can configure Microsoft Edge to either show or hide the favorites bar on all pages.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
index d61df8e460..ae90afc8af 100644
--- a/browsers/edge/shortdesc/configure-favorites-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
@@ -1 +1,9 @@
-Use the **[Provision Favorites](../available-policies.md#provision-favorites)** in place of Configure Favorites.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
index c1e1a48bab..7a0260f8ea 100644
--- a/browsers/edge/shortdesc/configure-home-button-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the Home button to load the New tab page or a URL defined in the Set Home button URL policy. You can also configure Microsoft Edge to hide the home button.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-inprivate-shortdesc.md b/browsers/edge/shortdesc/configure-inprivate-shortdesc.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
index a0e1cbf398..ea135db692 100644
--- a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
@@ -1 +1,9 @@
-Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge.
diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
index 4772d2d2dd..3bcba1b944 100644
--- a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
index 7383d68455..5bf099b3ca 100644
--- a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
index 63a62cfff5..0f77b004ba 100644
--- a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
index e89395a2ab..18d5e9bf38 100644
--- a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
@@ -1 +1,10 @@
-Microsoft Edge turns off Pop-up Blocker allowing pop-up windows to appear. Enabling this policy turns on Pop-up Blocker stopping pop-up windows from appearing. Don’t configure this policy to let users choose to use Pop-up Blocker.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy.
+
diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
index e95e652f45..f9e057b6a5 100644
--- a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
index f027fdb17e..f9b5185f3d 100644
--- a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
index 752f554dca..58dfd6be9a 100644
--- a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
index 9286227f0e..e0c635c0c7 100644
--- a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
+++ b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
index 5e485a0200..93ecd60efe 100644
--- a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
+++ b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
index 1e9ac07094..5902fb6656 100644
--- a/browsers/edge/shortdesc/do-not-sync-shortdesc.md
+++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge turns on the Sync your Settings toggle in Settings and let users choose what to sync on their device. Enabling this policy turns off and disables the Sync your Settings toggle in Settings, preventing syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md index 71de365bde..981ef9d876 100644 --- a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md +++ b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites. \ No newline at end of file diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md index 132291b931..0de9b830c6 100644 --- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md +++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md @@ -1 +1,10 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md index b13677be33..518f94bdea 100644 
--- a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
index 135bd4f574..6330b51213 100644
--- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of unverified file(s).
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
index 56a2ecdd15..d5eaea4a31 100644
--- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
index 0d4351e0cb..156b1bb385 100644
--- a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
@@ -1 +1,9 @@
-Web security certificates are used to ensure a site that users go to is legitimate, and in some circumstances, encrypts the data. By default, Microsoft Edge allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
index 195318866f..78c77baf42 100644
--- a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
index 4be519322f..87d3b927ed 100644
--- a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a more complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users a limited experience.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
index f587cc839c..af24d3583b 100644
--- a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
@@ -1 +1,9 @@
-By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via a FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
index e428d938ed..7875990600 100644
--- a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
index 1211a69dfa..daa02c5729 100644
--- a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
index defb76bdf5..4ba3bff11a 100644
--- a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
index 7f02b200c8..e2ed5da50f 100644
--- a/browsers/edge/shortdesc/provision-favorites-shortdesc.md
+++ b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
index c5684bc753..454549bffe 100644
--- a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
+++ b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
index 296965ba86..79dfd220c1 100644
--- a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
+++ b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
index 839e07428b..c9d57f2140 100644
--- a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
+++ b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge uses the default search engine specified in App settings. In this case, users can make changes to the default search engine at any time unless the Allow search engine customization policy is disabled, which restricts users from making any changes. Disabling this policy removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. Enabling this policy uses the policy-set search engine specified in the OpenSearch XML file, prevent users from changing the default search engine.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
index 10ad478e1b..98fcc7aef2 100644
--- a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
+++ b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
index 35ae30c337..9f27db97ce 100644
--- a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
+++ b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge loads the default New tab page by default. Enabling this policy lets you set a New tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/shortdesc-test.md b/browsers/edge/shortdesc/shortdesc-test.md
index 2c796253ef..c1d657d88b 100644
--- a/browsers/edge/shortdesc/shortdesc-test.md
+++ b/browsers/edge/shortdesc/shortdesc-test.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 UI settings for the home button are disabled preventing your users from making changes
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
index 7601ad77fc..a15e780afe 100644
--- a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
+++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
@@ -1 +1,8 @@
-Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the “Keep going in Microsoft Edge” link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
index 62c666c475..d412d67e72 100644
--- a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
+++ b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
@@ -1 +1,9 @@
-By default, when you enable the Configure Home button policy or provide a URL in the Set Home button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home button or Set Home button URL policies.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies.
\ No newline at end of file
diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md
new file mode 100644
index 0000000000..b4a16608e7
--- /dev/null
+++ b/browsers/edge/use-powershell-to manage-group-policy.md
@@ -0,0 +1,27 @@
+---
+title: Use Windows PowerShell to manage group policy
+description:
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
+ms.localizationpriority: medium
+ms.date: 10/02/2018
+ms.author: pashort
+author: shortpatti
+---
+
+# Use Windows PowerShell to manage group policy
+
+Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs):
+
+- Maintain GPOs (GPO creation, removal, backup, and import)
+- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal)
+- Set permissions on GPOs
+- Modify inheritance flags on Active Directory organization units (OUs) and domains
+- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal)
+- Create starter GPOs
+
+
+
diff --git a/browsers/edge/use-powershell-to-manage-group-policy.md b/browsers/edge/use-powershell-to-manage-group-policy.md
new file mode 100644
index 0000000000..5747091d66
--- /dev/null
+++ b/browsers/edge/use-powershell-to-manage-group-policy.md
@@ -0,0 +1,26 @@
+---
+title: Use Windows PowerShell to manage group policy
+description:
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype:
+ms.localizationpriority: medium
+ms.date: 10/02/2018
+ms.author: pashort
+author: shortpatti
+---
+
+# Use Windows PowerShell to manage group policy
+
+Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs):
+
+- Maintain GPOs (GPO creation, removal, backup, and import)
+- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal)
+- Set permissions on GPOs
+- Modify inheritance flags on Active Directory organization units (OUs) and domains
+- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal)
+- Create starter GPOs
+
+
+
diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md
index 175646f824..3ea0832564 100644
--- a/browsers/includes/available-duel-browser-experiences-include.md
+++ b/browsers/includes/available-duel-browser-experiences-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 ## Available dual-browser experiences
 
 Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment:
diff --git a/browsers/includes/configuration-options.md b/browsers/includes/configuration-options.md
deleted file mode 100644
index 2b2516dfe2..0000000000
--- a/browsers/includes/configuration-options.md
+++ /dev/null
@@ -1,11 +0,0 @@
-## Configuration options
-You can make changes to your deployment through the software management system you have chosen.
-
-### Choosing an update channel
-
-### Configure policies using Group Policy Editor
-
-### Configure policies using Registry Editor
-
-### Configure policies using Intune
-
diff --git a/browsers/includes/control-browser-content.md b/browsers/includes/control-browser-content.md
deleted file mode 100644
index e32eda17a8..0000000000
--- a/browsers/includes/control-browser-content.md
+++ /dev/null
@@ -1,18 +0,0 @@
-## Controlling browser content
-This section explains how to control content in the browser.
-
-### Configure Pop-up Blocker
-[configure-pop-up-blocker-include](../edge/includes/configure-pop-up-blocker-include.md)
-
-### Allow exentions
-[allow-extensions-include](../edge/includes/allow-extensions-include.md)
-
-[send-all-intranet-sites-ie-include](../edge/includes/send-all-intranet-sites-ie-include.md)
-
-[keep-fav-sync-ie-edge-include](../edge/includes/keep-fav-sync-ie-edge-include.md)
-
-extensions
-javascript
-Tracking your browser:
-- Do not track
-
diff --git a/browsers/includes/control-browsing-behavior.md b/browsers/includes/control-browsing-behavior.md
deleted file mode 100644
index 067eba3f7d..0000000000
--- a/browsers/includes/control-browsing-behavior.md
+++ /dev/null
@@ -1,90 +0,0 @@ - -# Control browsing behavior -This section explains how to contol the behavior of Microsoft Edge in certain circumstances. Besides changing how sites deplay and the look and feel of the browser itself, you can also change how the browser behaves, for example, you can change the settings for security. - - - -## Security settings - -## Cookies - -[configure-cookies-include](../edge/includes/configure-cookies-include.md) - -## Search engine settings -...shortdesc of search engines...how admins can control the default search engine... - -### Allow address bar suggestions -[allow-address-bar-suggestions-include](../edge/includes/allow-address-bar-suggestions-include.md) - -[configure-search-suggestions-address-bar-include](../edge/includes/configure-search-suggestions-address-bar-include.md) - -[allow-search-engine-customization-include](../edge/includes/allow-search-engine-customization-include.md) - -[configure-additional-search-engines-include](../edge/includes/configure-additional-search-engines-include.md) - -[set-default-search-engine-include](../edge/includes/set-default-search-engine-include.md) - - - - -## Extensions -Extensions allow you to add features and functionality directly into the browser itself. Choose from a range of extensions from the Microsoft Store. - - - -[Allow Extensions](../edge/available-policies.md#allow-extensions) - -[allow-sideloading-extensions-include](../edge/includes/allow-sideloading-extensions-include.md) - -[prevent-turning-off-required-extensions-include](../edge/includes/prevent-turning-off-required-extensions-include.md) - -## Home button settings -The Home page... - - -### Scenarios -You can specify www.bing.com or www.google.com as the startup pages for Microsoft Edge using "HomePages" (MDM) or Configure Start Pages (GP). You can also enable the Disable Lockdown of Start pages (GP) policy or set the the DisableLockdownOfStartPages (MDM) setting to 1 allowing users to change the Microsoft Edge start options. 
Additionally, you can enable the Disable Lockdown of Start Pages or set the DisableLockdownOfStartPages to 2 locking down the IT-provided URLs, but allowing users to add or remove additional URLs. Users cannot switch Startup setting to another, for example, to load New Tab page or "previous pages" at startup. - -### Configuration combinations - -| **Configure Home Button** | **Set Home Button URL** | **Unlock Home Button** | **Results** | -|---------------------------------|-------------------------|------------------------|---------------------------------| -| Not configured (0/Null default) | N/A | N/A | Shows home button and loads the Start page. | -| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and prevent users from making changes to it. | -| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and let users from making changes to it. | -| Enabled (2) | Enabled | Disabled (0 default) | Shows home button, loads custom URL defined in the Set Home Button URL policy, prevent users from changing what page loads. | -| Enabled (2) | Enabled | Enabled | Shows home button, loads custom URL defined in the Set Home Button URL policy, and allow users to change what page loads. | -| Enabled (3) | N/A | N/A | Hides home button. 
| ---- - -[configure-home-button-include](configure-home-button-include.md) - -[set-home-button-url-include](set-home-button-url-include.md) - -[unlock-home-button-include](unlock-home-button-include.md) - -## Start page settings - -[configure-start-pages-include](configure-start-pages-include.md) - -[disable-lockdown-of-start-pages-include](disable-lockdown-of-start-pages-include.md) - - - -## New Tab page settings - -[set-new-tab-url-include](set-new-tab-url-include.md) - -[allow-web-content-new-tab-page-include](allow-web-content-new-tab-page-include.md) - - -## Exit tasks - -[allow-clearing-browsing-data-include](allow-clearing-browsing-data-include.md) - - -## Kiosk mode - -[Configure kiosk mode](configure-microsoft-edge-kiosk-mode-include.md) - -[Configure kiosk reset after idle timeout](configure-edge-kiosk-reset-idle-timeout-include.md) diff --git a/browsers/includes/customize-look-and-feel.md b/browsers/includes/customize-look-and-feel.md deleted file mode 100644 index 5bada8092e..0000000000 --- a/browsers/includes/customize-look-and-feel.md +++ /dev/null @@ -1,2 +0,0 @@ -## Customize the look and feel - diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md index 21a3238bd5..40a63009d1 100644 --- a/browsers/includes/helpful-topics-include.md +++ b/browsers/includes/helpful-topics-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ## Helpful information and additional resources - [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md index 2e8b76896b..02ad5fe86d 100644 --- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md 
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
 
 >[!IMPORTANT]
diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md
index 5937eb6bef..f980f943ee 100644
--- a/browsers/includes/interoperability-goals-enterprise-guidance.md
+++ b/browsers/includes/interoperability-goals-enterprise-guidance.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 ## Interoperability goals and enterprise guidance
 
 Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
index 70a66c3670..ac73cc7854 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md
@@ -18,8 +18,8 @@ ms.sitesec: library ActiveX controls are small apps that let websites provide content, like videos and games, and let you interact with content, like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up to date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a security feature called _out-of-date ActiveX control blocking_. -We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list. - +We'll periodically update this page with new ActiveX controls blocked by this feature. We'll typically provide one month's advance notice before adding new controls to the list. + You will receive a notification if a webpage tries to load one of the following of ActiveX control versions: **Java** 
@@ -37,4 +37,4 @@ You will receive a notification if a webpage tries to load one of the following | Everything below (but not including) Silverlight 5.1.50907.0 | |--------------------------------------------------------------| -For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](http://go.microsoft.com/fwlink/?LinkId=403864). \ No newline at end of file +For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864). \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index ad0704e0c4..5d13b1b04f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -2,12 +2,12 @@ ms.localizationpriority: medium ms.mktglfcycl: support ms.pagetype: security -description: +description: author: shortpatti ms.author: pashort ms.manager: elizapo ms.prod: ie11 -ms.assetid: +ms.assetid: title: Internet Explorer 11 delivery through automatic updates ms.sitesec: library ms.date: 05/22/2018 
@@ -30,17 +30,17 @@ Internet Explorer 11 makes browsing the web faster, easier, safer, and more reli Internet Explorer 11 only downloads and installs if it’s available for delivery through Automatic Updates; and Automatic Updates only offer Internet Explorer 11 to users with local administrator accounts. User’s without local administrator accounts won’t be prompted to install the update and will continue using their -current version of Internet Explorer. +current version of Internet Explorer. Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10. If you decide you don’t want Internet Explorer 11, and you’re running Windows 7 SP1 or Windows Server 2008 R2 with SP1, you can uninstall it from the **View installed updates** section of the **Uninstall an update** page of the Control Panel. >[!Note] ->If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. +>If a user installs Internet Explorer 11 and then removes it, it won’t be re-offered to that computer through Automatic Updates. Instead, the user will have to manually re-install the app. ## Internet Explorer 11 automatic upgrades -Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. - +Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. + Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. 
However, Internet Explorer 11 will still appear as an optional update through Windows Update. ## Options for blocking automatic delivery 
@@ -50,13 +50,13 @@ If you use Automatic Updates in your company, but want to stop your users from a - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). >[!Note] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md). -- **Use an update management solution to control update deployment.** - If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. 
+- **Use an update management solution to control update deployment.** + If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. >[!Note] - >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](http://support.microsoft.com/kb/946202). + >If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202). Additional information on Internet Explorer 11, including a Readiness Toolkit, technical overview, in-depth feature summary, and Internet Explorer 11 download is available on the [Internet Explorer 11 page of the Microsoft Edge IT Center](https://technet.microsoft.com/microsoft-edge/dn262703.aspx). 
@@ -76,12 +76,12 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There 3. Click **Automatic Approvals**. 4. Click the rule that automatically approves an update that is classified as - Update Rollup, and then click **Edit.** - - >[!Note] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + Update Rollup, and then click **Edit.** -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. + >[!Note] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. >[!Note] >The properties for this rule will resemble the following:

  • When an update is in Update Rollups
  • Approve the update for all computers
@@ -101,9 +101,9 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There 12. Choose **Unapproved** in the **Approval**drop down box. 13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. - + >[!Note] - >There may be multiple updates, depending on the imported language and operating system updates. + >There may be multiple updates, depending on the imported language and operating system updates. **Optional** @@ -121,7 +121,7 @@ If you need to reset your Update Rollups packages to auto-approve, do this: 6. Check the **Update Rollups** check box, and then click **OK**. -7. Click **OK** to close the **Automatic Approvals** dialog box. +7. Click **OK** to close the **Automatic Approvals** dialog box. >[!Note] >Because auto-approval rules are only evaluated when an update is first imported into WSUS, turning this rule back on after the Internet Explorer 11 update has been imported and synchronized to the server won’t cause this update to be auto-approved. diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index cd31220caa..896d0512a7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration **To set the default browser as Internet Explorer 11** -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). ![set default associations group policy setting](images/setdefaultbrowsergp.png) diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md index 9809598bf3..ae241bde6a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md @@ -46,7 +46,7 @@ Wait for the message, **Blocking deployment of IE11 on the local machine. The op For answers to frequently asked questions, see [Internet Explorer 11 Blocker Toolkit: Frequently Asked Questions](https://go.microsoft.com/fwlink/p/?LinkId=314063). -## Automatic updates +## Automatic updates Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. ### Automatic delivery process 
@@ -56,8 +56,8 @@ Internet Explorer 11 replaces Internet Explorer 8, Internet Explorer 9, or Inter ### Internet Explorer 11 automatic upgrades -Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. - +Internet Explorer 11 is offered through Automatic Updates and Windows Update as an Important update. Users running Windows 7 SP1, who have chosen to download and install updates automatically through Windows Update, are automatically upgraded to Internet Explorer 11. + Users who were automatically upgraded to Internet Explorer 11 can decide to uninstall Internet Explorer 11. However, Internet Explorer 11 will still appear as an optional update through Windows Update. ### Options for blocking automatic delivery 
@@ -65,15 +65,15 @@ Users who were automatically upgraded to Internet Explorer 11 can decide to unin If you use Automatic Updates in your company, but want to stop your users from automatically getting Internet Explorer 11, do one of the following: - **Download and use the Internet Explorer 11 Blocker Toolkit.** Includes a Group Policy template and a script that permanently blocks Internet Explorer 11 from being offered by Windows Update or Microsoft Update as a high-priority update. You can download this kit from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722). - - >[!NOTE] - >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](#faq). - -- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](http://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. ->[!NOTE] ->If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. - + >[!NOTE] + >The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. 
For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](#faq). + +- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit. + +>[!NOTE] +>If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. + ### Prevent automatic installation of Internet Explorer 11 with WSUS @@ -88,7 +88,7 @@ Internet Explorer 11 will be released to WSUS as an Update Rollup package. There 4. Click the rule that automatically approves an update that is classified as Update Rollup, and then click **Edit.** >[!NOTE] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. 5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md index 4d0aae1968..304aac3c88 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md 
@@ -145,14 +145,14 @@ Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: | | | | |---------|---------|---------| -|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | -|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | -|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | -|[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) 
|[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | -|[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | 
+|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | +|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | +|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) 
|[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md index 3798a051af..59d6f5be4a 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md +++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md @@ -7,7 +7,7 @@ author: shortpatti ms.author: pashort ms.manager: elizapo ms.prod: ie11 -ms.assetid: +ms.assetid: title: IEAK 11 - Frequently Asked Questions ms.sitesec: library ms.date: 05/10/2018 
@@ -31,21 +31,21 @@ You can customize and install IEAK 11 on the following supported operating syste - Windows 7 Service Pack 1 (SP1) -- Windows Server 2008 R2 Service Pack 1 (SP1) - +- Windows Server 2008 R2 Service Pack 1 (SP1) + >[!Note] >IEAK 11 does not support building custom packages for Windows RT.   **What can I customize with IEAK 11?** -The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. +The IEAK 11 enables you to customize branding and settings for Internet Explorer 11. For PCs running Windows 7, the custom package also includes the Internet Explorer executable. >[!Note] >Internet Explorer 11 is preinstalled on PCs running Windows 8. Therefore, the executable is not included in the customized package. **Can IEAK 11 build custom Internet Explorer 11 packages in languages other than the language of the in-use IEAK 11 version?** -Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. +Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. >[!Note] >IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). 
@@ -99,19 +99,19 @@ Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: | | | | |---------|---------|---------| -|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | -|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | -|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | -|[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) 
|[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | -|[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | -|[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Chinese(Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) | 
+|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) | +|[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) | +|[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Portuguese (Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) 
|[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | ## Additional resources [Download IEAK 11](https://technet.microsoft.com/microsoft-edge/bb219517) -[IEAK 11 overview](https://technet.microsoft.com/microsoft-edge/dn532244) +[IEAK 11 overview](https://technet.microsoft.com/microsoft-edge/dn532244) [IEAK 11 product documentation](https://docs.microsoft.com/internet-explorer/ie11-ieak/index) [IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md) diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md index 21b4aa46b2..e6c5587108 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md +++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md @@ -7,7 +7,7 @@ author: shortpatti ms.author: pashort ms.manager: elizapo ms.prod: ie11 -ms.assetid: +ms.assetid: title: Internet Explorer Administration Kit (IEAK) information and downloads ms.sitesec: library ms.date: 05/10/2018 
@@ -34,13 +34,13 @@ To download, choose to **Open** the download or **Save** it to your hard drive f | | | | |---------|---------|---------| -|[English](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | -|[Arabic](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[German](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Polish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | -|[Chinese (Simplified)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Greek](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |[Portuguese (Brazil)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) | -|[Chinese (Traditional)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |[Hebrew](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Portuguese (Portugal)](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) | -|[Czech](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Hungarian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Russian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | 
-|[Danish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Italian](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |[Spanish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) | -|[Dutch](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |[Japanese](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Swedish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) | -|[Finnish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[Korean](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Turkish](http://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | +|[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | +|[Arabic](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ar-sa/ieak.msi) |[German](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/de-de/ieak.msi) |[Polish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pl-pl/ieak.msi) | +|[Chinese (Simplified)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-cn/ieak.msi) |[Greek](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/el-gr/ieak.msi) |[Portuguese 
(Brazil)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-br/ieak.msi) | +|[Chinese (Traditional)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/zh-tw/ieak.msi) |[Hebrew](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/he-il/ieak.msi) |[Portuguese (Portugal)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/pt-pt/ieak.msi) | +|[Czech](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/cs-cz/ieak.msi) |[Hungarian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/hu-hu/ieak.msi) |[Russian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ru-ru/ieak.msi) | +|[Danish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/da-dk/ieak.msi) |[Italian](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/it-it/ieak.msi) |[Spanish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/es-es/ieak.msi) | +|[Dutch](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nl-nl/ieak.msi) |[Japanese](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ja-jp/ieak.msi) |[Swedish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/sv-se/ieak.msi) | +|[Finnish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fi-fi/ieak.msi) |[Korean](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/ko-kr/ieak.msi) |[Turkish](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/tr-tr/ieak.msi) | 
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index c69fbd1f67..3370e6cf35 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -96,7 +96,7 @@ Support for some of the Internet Explorer settings on the wizard pages varies de Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. - **External Distribution** - You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [!INCLUDE [microsoft-browser-extension-policy-include](../../edge/microsoft-browser-extension-policy-include.md)]. + You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). - **Internal Distribution - corporate intranet** The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. \ No newline at end of file diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 95f7f92bed..05d28db95f 100644 --- a/devices/hololens/change-history-hololens.md 
+++ b/devices/hololens/change-history-hololens.md @@ -16,6 +16,13 @@ ms.date: 07/27/2018 This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). +<<<<<<< HEAD +======= +## Windows 10 Holographic for Business, version 1800 + +The topics in this library have been updated for Windows 10 Holographic for Business, version 1809. + +>>>>>>> refs/remotes/origin/master ## July 2018 New or changed topic | Description diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index 3de34452cf..0799523310 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md @@ -8,7 +8,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 12/20/2017 +ms.date: 09/11/2018 --- # Install apps on HoloLens @@ -55,8 +55,7 @@ The method that you use to install an app from your Microsoft Store for Business ## Use MDM to deploy apps to HoloLens ->[!IMPORTANT] ->Online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. Instead, you can use your MDM provider to deploy MDM-hosted apps to HoloLens, or deploy offline-licensed apps to HoloLens via Store for Business + You can deploy UWP apps to HoloLens using your MDM provider. For Intune instructions, see [Deploy apps in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps). 
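Review bot: The change-history-hololens.md hunk commits unresolved merge-conflict markers — `<<<<<<< HEAD`, `=======` and `>>>>>>> refs/remotes/origin/master` are added as page content and will render verbatim in the published change history. Those three marker lines should be dropped so that only the new section survives. The new heading also disagrees with its own body: the heading says `version 1800` while the sentence beneath it says `version 1809`, so presumably the heading should read `## Windows 10 Holographic for Business, version 1809`. A CI check that fails the build when a file contains conflict markers would have caught this before merge.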
@@ -64,6 +63,8 @@ You can deploy UWP apps to HoloLens using your MDM provider. For Intune instruct Using Intune, you can also [monitor your app deployment](https://docs.microsoft.com/intune/deploy-use/monitor-apps-in-microsoft-intune). +>[!TIP] +>In Windows 10, version 1607, online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. [Update your HoloLens to a later build](https://support.microsoft.com/help/12643/hololens-update-hololens) for this capability. ## Use the Windows Device Portal to install apps on HoloLens @@ -79,13 +80,15 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft. >[!TIP] >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate). -4. In the Windows Device Portal, click **Apps**. +4. In the Windows Device Portal, click **Views** and select **Apps**. ![App Manager](images/apps.png) -5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, click **Add dependency**. +5. Click **Add** to open the **Deploy or Install Application dialog**. -6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens. +6. Select an **app package** from a folder on your computer or network. If the app package requires additional software or framework packages, click **I want to specify framework packages**. + +7. Click **Next** to deploy the app package and added dependencies to the connected HoloLens. diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 9b54f8a335..f9964c731b 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md 
@@ -7,32 +7,43 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 05/22/2018 +ms.date: 10/02/2018 --- # Set up HoloLens in kiosk mode -In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest) +In Windows 10, version 1803 and later, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest) When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. -Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings. +Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. -The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. +The following table lists the device capabilities in the different kiosk modes. 
+ +Kiosk mode | Voice and Bloom commands | Mini-menu | Camera and video | Miracast +--- | --- | --- | --- | --- +Single-app kiosk | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) +Multi-app kiosk | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) with **Home** and **Volume** (default)

Photo and video buttons shown in mini-menu if the Camera app is enabled in the kiosk configuration.

Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app is enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app and device picker app are enabled in the kiosk configuration. + +>[!NOTE] +>Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`. + +The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. >[!WARNING] >The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access. > ->Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. +>Be aware that voice commands are enabled for multi-app kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. 
-For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk: +For HoloLens devices running Windows 10, version 1803 or later, there are three methods that you can use to configure the device as a kiosk: - You can use [Microsoft Intune or other mobile device management (MDM) service](#intune-kiosk) to configure single-app and multi-app kiosks. - You can [use a provisioning package](#ppkg-kiosk) to configure single-app and multi-app kiosks. - You can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device. -For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. +>[!NOTE] +>For HoloLens devices running Windows 10, version 1607, [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. ## Start layout for HoloLens 
@@ -145,8 +156,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) -8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. -8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. + 8. On the **File** menu, select **Save.** 9. On the **Export** menu, select **Provisioning package**. 10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** 
@@ -209,11 +219,11 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* - You cannot select Microsoft Edge, Microsoft Store, or the Shell app as a kiosk app. - We recommend that you do **not** select the Settings app and the File Explorer app as a kiosk app. - You can select Cortana as a kiosk app. -- To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app. - +- To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app. ## More information Watch how to configure a kiosk in a provisioning package. ->[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] \ No newline at end of file +>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] + diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index c1a90edadb..c51029ccd7 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # Configure HoloLens using a provisioning package @@ -137,7 +137,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa 10. When the build completes, click **Finish**. -## Apply a provisioning package to HoloLens +## Apply a provisioning package to HoloLens during setup 1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). 
@@ -156,6 +156,23 @@ After you're done, click **Create**. It only takes a few seconds. When the packa >[!NOTE] >If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. +## Apply a provisioning package to HoloLens after setup + +>[!NOTE] +>Windows 10, version 1809 only + +On your PC: +1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md). +2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC. +3. Drag and drop the provisioning package to the Documents folder on the HoloLens. + +On your HoloLens: +1. Go to **Settings > Accounts > Access work or school**. +2. In **Related Settings**, select **Add or remove a provisioning package**. +3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**. + +After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package. + ## What you can configure Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md index 0f62fc2e6e..6912c956f4 100644 --- a/devices/hololens/hololens-setup.md +++ b/devices/hololens/hololens-setup.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 08/02/2018 --- # Set up HoloLens 
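Review bot: The new "Apply a provisioning package to HoloLens after setup" steps leave the .ppkg in the device's Documents folder after it is applied and say nothing about removing it, or about who on the device may apply one. Packages built with this wizard can carry secrets — the optional step being removed from hololens-kiosk.md in this same change shows it creating local accounts with a **UserName** and **Password** in Runtime settings — so a copy left in a user-readable folder is a credential-exposure path. I'd add after the sentence about **Installed packages**: `>[!NOTE]` / `>Provisioning packages can contain credentials, such as local account passwords. After the package appears under **Installed packages**, delete the .ppkg file from the **Documents** folder on the HoloLens.` It is also worth stating whether a standard (non-administrator) user can add or remove packages from this Settings page; the text as written does not say, and I can't infer it from here.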
@@ -30,7 +30,12 @@ The HoloLens setup process combines a quick tutorial on using HoloLens with the 2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens. 3. Next, you'll be guided through connecting to a Wi-Fi network. 4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**. - - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). + - When you choose **My work or school owns it**, you sign in with an Azure AD account. + + >[!NOTE] + >[To share your HoloLens device with multiple Azure AD accounts](hololens-multiple-users.md), the HoloLens device must be running Windows 10, version 1803, and be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md). + + If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). 1. Enter your organizational account. 2. Accept privacy statement. 3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page. diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md index 75556a83db..0ce5db3f17 100644 --- a/devices/hololens/hololens-whats-new.md 
+++ b/devices/hololens/hololens-whats-new.md @@ -1,18 +1,58 @@ --- title: What's new in Microsoft HoloLens (HoloLens) -description: Windows Holographic for Business gets new features in Windows 10, version 1803. +description: Windows Holographic for Business gets new features in Windows 10, version 1809. ms.prod: hololens ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # What's new in Microsoft HoloLens +## Windows 10, version 1809 for Microsoft HoloLens + +### For everyone + +Feature | Details +--- | --- +Mini-menu | When you're in an app, the Bloom gesture will now open a mini-menu to give you quick access to commonly used system features without having to leave the app. See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the mini-menu in kiosk mode.

![sample of the mini-menu](images/minimenu.png) +Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) +Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. +New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). +HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. +Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. +New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. +Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. +Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. 
+ + + +### For administrators + + +Feature | Details +--- | --- +[Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. +Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. +PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**. +Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  +Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. +Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. + +### For international customers + + +Feature | Details +--- | --- +Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. + + + +## Windows 10, version 1803 for Microsoft HoloLens Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes: diff --git a/devices/hololens/images/apps.png b/devices/hololens/images/apps.png index 5cb3b7ec8f..4e00aa96fc 100644 Binary files a/devices/hololens/images/apps.png and b/devices/hololens/images/apps.png differ diff --git a/devices/hololens/images/minimenu.png b/devices/hololens/images/minimenu.png new file mode 100644 index 0000000000..7aa0018011 Binary files /dev/null and b/devices/hololens/images/minimenu.png differ diff --git a/devices/hololens/images/windows-device-portal-home-page.png b/devices/hololens/images/windows-device-portal-home-page.png index 9604161bcd..55e4b0eaad 100644 Binary files a/devices/hololens/images/windows-device-portal-home-page.png and b/devices/hololens/images/windows-device-portal-home-page.png differ diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index ae2a7ce2e0..f037f97ecb 100644 
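Review bot: The "Sign in with Web Credential Provider using password" row ends with `**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in`, which reads as if the password path lets a user skip a stronger factor, and the row never says which prompts it means or whether tenant sign-in policy still applies. If "bypass" refers only to the device's local PIN/smartcard sign-in options and not to Azure AD MFA or Conditional Access, say so, e.g. `**Note:** The PIN/smartcard options offered during web sign-in are the device's local sign-in options; your organization's Azure AD sign-in requirements still apply.` If that is not the case, the row should instead tell administrators that enabling web sign-in changes the factors required to sign in, since this row is the only description of the behavior in the hunk. I can't confirm the actual behavior from the text, so the wording needs checking with the feature owner before it is chosen.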
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -33,9 +33,9 @@ PowerShell scripts to help set up and manage your Microsoft Surface Hub. To successfully execute these PowerShell scripts, you will need to install the following prerequisites: -- [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://www.microsoft.com/download/details.aspx?id=41950) -- [Microsoft Azure Active Directory Module for Windows PowerShell (64-bit version)](http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185) -- [Windows PowerShell Module for Skype for Business Online](https://www.microsoft.com/download/details.aspx?id=39366) +- [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://www.microsoft.com/download/details.aspx?id=41950) +- [Microsoft Azure Active Directory Module for Windows PowerShell (64-bit version)](https://www.powershellgallery.com/packages/MSOnline/1.1.183.17) +- [Windows PowerShell Module for Skype for Business Online](https://www.microsoft.com/download/details.aspx?id=39366) ## PowerShell scripts for Surface Hub administrators @@ -280,7 +280,7 @@ if ([System.String]::IsNullOrEmpty($strLyncFQDN)) PrintAction "Connecting to remote sessions. This can occasionally take a while - please do not enter input..." -try +try { $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $credExchange -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue } 
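Review bot: The updated prerequisite link in the first hunk points at one pinned release page, `https://www.powershellgallery.com/packages/MSOnline/1.1.183.17`, so readers are steered to that exact build even after it is superseded, and a version-specific URL is a weaker reference than the package's canonical page. I'd link the unversioned package page (`https://www.powershellgallery.com/packages/MSOnline`) or simply instruct `Install-Module MSOnline` from the PowerShell Gallery so readers pick up the current release. The scripts further down this same file still tell users to fetch the module from `https://go.microsoft.com/fwlink/p/?linkid=236297` and the Skype module over plain `http://www.microsoft.com/download/details.aspx?id=39366`, so the prerequisite list and the in-script PrintError messages now disagree; those strings are outside this hunk but should be aligned with the new link, and moved to https, in the same change.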
@@ -305,7 +305,7 @@ Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue Import-PSSession $sessLync -AllowClobber -WarningAction SilentlyContinue ## Create the Exchange mailbox ## -# Note: These exchange commandlets do not always throw their errors as exceptions +# Note: These exchange commandlets do not always throw their errors as exceptions # Because Get-Mailbox will throw an error if the mailbox is not found $Error.Clear() @@ -333,7 +333,7 @@ $easpolicy = $null try { $easpolicy = Get-MobileDeviceMailboxPolicy $strPolicy } -catch {} +catch {} if ($easpolicy) { @@ -355,7 +355,7 @@ else $easpolicy = New-MobileDeviceMailboxPolicy -Name $strPolicy -PasswordEnabled $false -AllowNonProvisionableDevices $true if ($easpolicy) { - PrintSuccess "A new device policy has been created; you can use this same policy for all future Surface Hub device accounts." + PrintSuccess "A new device policy has been created; you can use this same policy for all future Surface Hub device accounts." } else { @@ -388,7 +388,7 @@ if ($easpolicy) if (!((Get-Mailbox $credNewAccount.UserName).ResourceType)) { $Error.Clear() - # Set policy for account + # Set policy for account Set-CASMailbox $credNewAccount.UserName -ActiveSyncMailboxPolicy $strPolicy if (!$Error) { @@ -399,9 +399,9 @@ if ($easpolicy) $status["ActiveSync Policy"] = "Failed to apply the EAS policy to the account." } $Error.Clear() - + # Convert back to room mailbox - Set-Mailbox $credNewAccount.UserName -Type Room + Set-Mailbox $credNewAccount.UserName -Type Room # Loop until resource type goes back to room for ($i = 0; ($i -lt 5) -And ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room"); $i++) { 
@@ -409,12 +409,12 @@ if ($easpolicy) } if ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room") { - # A failure to convert the mailbox back to a room is unfortunate but means the mailbox is unusable. + # A failure to convert the mailbox back to a room is unfortunate but means the mailbox is unusable. $status["Mailbox Setup"] = "A mailbox was created but we could not set it to a room resource type." } else { - try + try { Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true } catch { } @@ -424,7 +424,7 @@ if ($easpolicy) } $Error.Clear() } - + } } } @@ -464,13 +464,13 @@ $Error.Clear() ## Configure the Account to not expire ## PrintAction "Configuring password not to expire..." Start-Sleep -s 20 -try +try { Set-AdUser $mailbox.UserPrincipalName -PasswordNeverExpires $true -Enabled $true } catch { - + } if ($Error) @@ -503,7 +503,7 @@ $Error.Clear() try { Enable-CsMeetingRoom -Identity $credNewAccount.UserName -RegistrarPool $strRegPool -SipAddressType EmailAddress } -catch { } +catch { } if ($Error) { @@ -524,14 +524,14 @@ $strUsr = $credNewAccount.UserName PrintAction "Summary for creation of $strUsr ($strDisplay)" if ($status.Count -gt 0) { - ForEach($k in $status.Keys) + ForEach($k in $status.Keys) { $v = $status[$k] $color = "yellow" if ($v[0] -eq "S") { $color = "green" } - elseif ($v[0] -eq "F") + elseif ($v[0] -eq "F") { - $color = "red" + $color = "red" $v += " Go to http://aka.ms/shubtshoot" } 
@@ -611,11 +611,11 @@ function ExitIfError($strMsg) try { Import-Module LyncOnlineConnector Import-Module MSOnline -} +} catch { PrintError "Some dependencies are missing" - PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366" + PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366" PrintError "Please install the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297" CleanupAndFail } @@ -638,10 +638,10 @@ $credAdmin = $null $credAdmin=Get-Credential -Message "Enter credentials of an Exchange and Skype for Business admin" if (!$credadmin) { - CleanupAndFail "Valid admin credentials are required to create and prepare the account." + CleanupAndFail "Valid admin credentials are required to create and prepare the account." } PrintAction "Connecting to remote sessions. This can occasionally take a while - please do not enter input..." -try +try { $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $credAdmin -AllowRedirection -Authentication basic -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -WarningAction SilentlyContinue } @@ -661,7 +661,7 @@ catch try { - Connect-MsolService -Credential $credAdmin + Connect-MsolService -Credential $credAdmin } catch { @@ -672,7 +672,7 @@ Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue Import-PSSession $sessCS -AllowClobber -WarningAction SilentlyContinue ## Create the Exchange mailbox ## -# Note: These exchange commandlets do not always throw their errors as exceptions +# Note: These exchange commandlets do not always throw their errors as exceptions # Because Get-Mailbox will throw an error if the mailbox is not found $Error.Clear() 
@@ -700,7 +700,7 @@ $easpolicy = $null try { $easpolicy = Get-MobileDeviceMailboxPolicy $strPolicy } -catch {} +catch {} if ($easpolicy) { @@ -722,7 +722,7 @@ else $easpolicy = New-MobileDeviceMailboxPolicy -Name $strPolicy -PasswordEnabled $false -AllowNonProvisionableDevices $true if ($easpolicy) { - PrintSuccess "A new device policy has been created; you can use this same policy for all future Surface Hub device accounts." + PrintSuccess "A new device policy has been created; you can use this same policy for all future Surface Hub device accounts." } else { @@ -756,7 +756,7 @@ if ($easpolicy) if (!((Get-Mailbox $credNewAccount.UserName).ResourceType)) { $Error.Clear() - # Set policy for account + # Set policy for account Set-CASMailbox $credNewAccount.UserName -ActiveSyncMailboxPolicy $strPolicy if (!$Error) { @@ -768,9 +768,9 @@ if ($easpolicy) PrintError "Failed to apply policy" } $Error.Clear() - + # Convert back to room mailbox - Set-Mailbox $credNewAccount.UserName -Type Room + Set-Mailbox $credNewAccount.UserName -Type Room # Loop until resource type goes back to room for ($i = 0; ($i -lt 5) -And ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room"); $i++) { @@ -778,7 +778,7 @@ if ($easpolicy) } if ((Get-Mailbox $credNewAccount.UserName).ResourceType -ne "Room") { - # A failure to convert the mailbox back to a room is unfortunate but means the mailbox is unusable. + # A failure to convert the mailbox back to a room is unfortunate but means the mailbox is unusable. $status["Mailbox Setup"] = "A mailbox was created but we could not set it to a room resource type." } else @@ -790,7 +790,7 @@ if ($easpolicy) } $Error.Clear() } - + } } } @@ -834,13 +834,13 @@ else $Error.Clear() ## Configure the Account to not expire ## PrintAction "Configuring password not to expire..." -try +try { Set-MsolUser -UserPrincipalName $credNewAccount.UserName -PasswordNeverExpires $true } catch { - + } if ($Error) 
@@ -883,7 +883,7 @@ $Error.Clear() try { Enable-CsMeetingRoom -Identity $credNewAccount.UserName -RegistrarPool $strRegPool -SipAddressType EmailAddress } -catch { } +catch { } if ($Error) { @@ -933,14 +933,14 @@ else if (![System.String]::IsNullOrEmpty($strLicenses)) { - try + try { $Error.Clear() Set-MsolUserLicense -UserPrincipalName $credNewAccount.UserName -AddLicenses $strLicenses } catch { - + } if ($Error) { @@ -959,7 +959,7 @@ else } -Write-Host +Write-Host ## Cleanup and print results ## Cleanup @@ -968,14 +968,14 @@ $strUsr = $credNewAccount.UserName PrintAction "Summary for creation of $strUsr ($strDisplay)" if ($status.Count -gt 0) { - ForEach($k in $status.Keys) + ForEach($k in $status.Keys) { $v = $status[$k] $color = "yellow" if ($v[0] -eq "S") { $color = "green" } - elseif ($v[0] -eq "F") + elseif ($v[0] -eq "F") { - $color = "red" + $color = "red" $v += " Go to http://aka.ms/shubtshoot for help" } @@ -1100,7 +1100,7 @@ if ($fSfbIsOnline) try { Import-Module LyncOnlineConnector } - catch + catch { CleanupAndFail "To verify Skype for Business in online tenants you need the Lync Online Connector module from http://www.microsoft.com/download/details.aspx?id=39366" } @@ -1116,7 +1116,7 @@ if ($fHasOnline) try { Import-Module MSOnline } - catch + catch { CleanupAndFail "To verify accounts in online tenants you need the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297" } @@ -1128,7 +1128,7 @@ if ($fExIsOnline) { $authType = [System.Management.Automation.Runspaces.AuthenticationMechanism]::Basic } -try +try { $sessEx = $null if ($fExIsOnline) 
@@ -1139,12 +1139,12 @@ try { $sessEx = New-PSSession -ConfigurationName microsoft.exchange -Credential $credEx -AllowRedirection -Authentication $authType -ConnectionUri https://$strExServer/powershell -WarningAction SilentlyContinue } -} +} catch { } -if (!$sessEx) +if (!$sessEx) { CleanupAndFail "Connecting to Exchange Powershell failed, please validate your server is accessible and credentials are correct" } @@ -1184,12 +1184,12 @@ if ($fHasOnline) { CleanupAndFail "Internal error - could not determine MS Online credentials" } - try + try { PrintAction "Connecting to Azure Active Directory Services..." Connect-MsolService -Credential $credMsol PrintSuccess "Connected to Azure Active Directory Services" - } + } catch { # This really shouldn't happen unless there is a network error @@ -1201,26 +1201,26 @@ if ($fHasOnline) PrintAction "Importing remote sessions into the local session..." try { - $importEx = Import-PSSession $sessEx -AllowClobber -WarningAction SilentlyContinue -DisableNameChecking - $importSfb = Import-PSSession $sessSfb -AllowClobber -WarningAction SilentlyContinue -DisableNameChecking + $importEx = Import-PSSession $sessEx -AllowClobber -WarningAction SilentlyContinue -DisableNameChecking + $importSfb = Import-PSSession $sessSfb -AllowClobber -WarningAction SilentlyContinue -DisableNameChecking } -catch +catch { } if (!$importEx -or !$importSfb) { - CleanupAndFail "Import failed" + CleanupAndFail "Import failed" } PrintSuccess "Import successful" $mailbox = $null -try +try { $mailbox = Get-Mailbox -Identity $strUpn -} +} catch -{ +{ } if (!$mailbox) 
@@ -1334,12 +1334,12 @@ if ($casMailbox) $policy = Get-ActiveSyncMailboxPolicy -Identity $strPolicy -WarningAction SilentlyContinue -ErrorAction SilentlyContinue Validate -Test "The policy $strPolicy does not require a device password" -Condition ($policy.PasswordEnabled -ne $True) -FailureMsg "PasswordEnabled - policy requires a device password - the Surface Hub will not be able to send mail or sync its calendar." } - + if ($policy -ne $null) { Validate -Test "The policy $strPolicy allows non-provisionable devices" -Condition ($policy.AllowNonProvisionableDevices -eq $null -or $policy.AllowNonProvisionableDevices -eq $true) -FailureMsg "AllowNonProvisionableDevices - policy will not allow the SurfaceHub to sync" } - + } @@ -1409,7 +1409,7 @@ if ($fHasOnline) } } -#If there is an on-prem component, we can get the authorative AD user from mailbox +#If there is an on-prem component, we can get the authorative AD user from mailbox if ($fHasOnPrem) { $accountOnPrem = $null @@ -1512,16 +1512,16 @@ if ($online) { try { Import-Module LyncOnlineConnector - } + } catch { PrintError "Some dependencies are missing" - PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366" + PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366" PrintError "Please install the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297" CleanupAndFail } } -else +else { $strRegPool = Read-Host "Enter the FQDN of your Skype for Business Registrar Pool" } @@ -1633,7 +1633,7 @@ To apply the policy, the mailbox cannot be a room type, so it has to be converte ```PowerShell # Convert user to regular type Set-Mailbox $strRoomUpn -Type Regular -# Set policy for account +# Set policy for account Set-CASMailbox $strRoomUpn -ActiveSyncMailboxPolicy $strPolicy ``` 
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 10317bd4e4..836ff19136 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -44,7 +44,7 @@ New or changed topic | Description New or changed topic | Description --- | --- -[Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Added section for account verification and testing, with link to new Surface Hub Hardware Diagnostic app. +[Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Added section for account verification and testing, with link to new Surface Hub Hardware Diagnostic app. ## February 2018 @@ -63,7 +63,7 @@ New or changed topic | Description ## November 2017 -New or changed topic | Description +New or changed topic | Description --- | --- [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | New [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Added settings for 802.1x wired authentication. 
@@ -73,10 +73,10 @@ New or changed topic | Description New or changed topic | Description | --- | --- [Install apps on your Microsoft Surface Hub](install-apps-on-surface-hub.md) | Updated instructions to use Windows Team device family -[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated the instructions for Exchange on-premises +[Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md) | Updated the instructions for Exchange on-premises [Create a device account using UI](create-a-device-account-using-office-365.md) | Updated the instructions [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | Clarified user sign-in on Surface Hub -[Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Removed **How to control and manage Whiteboard to Whiteboard collaboration** due to issues with the EnterpriseModernAppmanagement CSP losing state during End Session. +[Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Removed **How to control and manage Whiteboard to Whiteboard collaboration** due to issues with the EnterpriseModernAppmanagement CSP losing state during End Session. | [Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Removed settings for managing Whiteboard collaboration. | [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | Added link to Surface Hub warranty information 
@@ -122,7 +122,7 @@ The topics in this library have been updated for Windows 10, version 1703 (also - [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) ->[Looking for the Surface Hub admin guide for Windows 10, version 1607?](http://download.microsoft.com/download/7/2/5/7252051B-7E97-4781-B5DF-58D4B1A4BB88/surface-hub-admin-guide-1607.pdf) +>[Looking for the Surface Hub admin guide for Windows 10, version 1607?](https://download.microsoft.com/download/7/2/5/7252051B-7E97-4781-B5DF-58D4B1A4BB88/surface-hub-admin-guide-1607.pdf) ## May 2017 @@ -180,5 +180,5 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Password management (Surface Hub)](password-management-for-surface-hub-device-accounts.md) | Updates to content. | | [Create and test a device account (Surface Hub)](create-and-test-a-device-account-surface-hub.md) | Reorganize and streamline guidance on creating a device account. | | [Introduction to Surface Hub](intro-to-surface-hub.md) | Move Surface Hub dependencies table to [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md). | -| [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) | Add dependency table and reorganize topic. | +| [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) | Add dependency table and reorganize topic. | | [Local management for Surface Hub settings](local-management-surface-hub-settings.md) | New topic. | \ No newline at end of file diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 6b6492acc1..4e42bd0dad 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md 
@@ -36,7 +36,7 @@ If you prefer to use a graphical user interface, you can create a device account 3. In the Office 365 Admin Center, navigate to **Resources** in the left panel, and then click **Rooms & equipment**. ![Rooms & equipment option in Office 365 admin center](images/room-equipment.png) - + 4. Click **Add** to create a new Room account. Enter a display name and email address for the account, and then click **Add**. ![Create new room account window](images/room-add.png) @@ -77,7 +77,7 @@ In order to run cmdlets used by these PowerShell scripts, the following must be - [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149) - [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids) -- [Skype for Business Online, Windows PowerShell Module](http://www.microsoft.com/download/details.aspx?id=39366) +- [Skype for Business Online, Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366) ### Connecting to online services @@ -137,19 +137,19 @@ Now that you're connected to the online services, you can finish setting up the 1. You’ll need to enter the account’s mail address and create a variable with that value: - ```powershell + ```powershell $mailbox = (Get-Mailbox ) ``` To store the value get it from the mailbox: - ```powershell + ```powershell $strEmail = $mailbox.WindowsEmailAddress ``` Print the value: - ```powershell + ```powershell $strEmail ``` 
@@ -160,7 +160,7 @@ Now that you're connected to the online services, you can finish setting up the 2. Run the following cmdlet: ```powershell - Set-CASMailbox $strEmail -ActiveSyncMailboxPolicy "SurfaceHubDeviceMobilePolicy" + Set-CASMailbox $strEmail -ActiveSyncMailboxPolicy "SurfaceHubDeviceMobilePolicy" ``` 4. Various Exchange properties can be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. @@ -192,15 +192,15 @@ In order to enable Skype for Business, your environment will need to meet the fo 1. Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector - $cssess=New-CsOnlineSession -Credential $cred + Import-Module LyncOnlineConnector + $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` @@ -351,15 +351,15 @@ In order to enable Skype for Business, your environment will need to meet the fo 1. Start by creating a remote PowerShell session from a PC. ```PowerShell - Import-Module LyncOnlineConnector - $cssess=New-CsOnlineSession -Credential $cred + Import-Module LyncOnlineConnector + $cssess=New-CsOnlineSession -Credential $cred Import-PSSession $cssess -AllowClobber ``` 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` 
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index b4ee4473f6..7fce01ab55 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -36,27 +36,27 @@ Initiating a reset will return the device to the last cumulative Windows update, After the reset, Surface Hub restarts the [first run program](first-run-program-surface-hub.md) again. If the Surface Hub displays a Welcome screen, that indicates that the reset encountered a problem and rolled back to the previously existing OS image. -If you see a blank screen for long periods of time during the **Reset device** process, please wait and do not take any action. +If you see a blank screen for long periods of time during the **Reset device** process, please wait and do not take any action. ## Reset a Surface Hub from Settings **To reset a Surface Hub** -1. On your Surface Hub, open **Settings**. +1. On your Surface Hub, open **Settings**. ![Image showing Settings app for Surface Hub.](images/sh-settings.png) - + 2. Click **Update & Security**. ![Image showing Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png) - + 3. Click **Recovery**, and then, under **Reset device**, click **Get started**. - ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) + ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) ## Recover a Surface Hub from the cloud - + In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support. >[!NOTE] 
@@ -64,7 +64,7 @@ In the Windows Recovery Environment (Windows RE), you can recover your device by ### Recover a Surface Hub in a bad state -If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem. +If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem. 1. On your Surface Hub, go to **Settings** > **Update & security** > **Recovery**. 
@@ -74,23 +74,23 @@ If the device account gets into an unstable state or the Admin account is runnin ### Recover a locked Surface Hub -On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). +On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). -1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) for help with locating the power switch. -2. The device should automatically boot into Windows RE. +1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) for help with locating the power switch. +2. The device should automatically boot into Windows RE. 3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) - + ![Recover from the cloud](images/recover-from-cloud.png) - + 4. 
Enter the Bitlocker key (if prompted). 5. When prompted, select **Reinstall**. ![Reinstall](images/reinstall.png) 6. Select **Yes** to repartition the disk. - + ![Repartition](images/repartition.png) - + Reset will begin after the image is downloaded from the cloud. You will see progress indicators. ![downloading 97&](images/recover-progress.png) diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index d72676e762..fde0bb2f8a 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 04/12/2018 +ms.date: 08/30/2018 ms.localizationpriority: medium --- @@ -145,17 +145,17 @@ To enable Skype for Business online, your tenant users must have Exchange mailbo | --- | --- | --- | --- | | Join a scheduled meeting | Skype for Business Standalone Plan 1 | E1, 3, 4, or 5 | Skype for Business Server Standard CAL | | Initiate an ad-hoc meeting | Skype for Business Standalone Plan 2 | E 1, 3, 4, or 5 | Skype for Business Server Standard CAL or Enterprise CAL | -| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with PSTN Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with PSTN Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL | -| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Cloud PBX and a PSTN Voice Calling plan | E1 or E3 with Cloud PBX and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL | +| Initiate an ad-hoc meeting and dial out from a meeting to phone numbers | Skype for Business Standalone Plan 2 with Audio Conferencing

**Note** PSTN consumption billing is optional | E1 or E3 with Audio Conferencing, or E5| Skype for Business Server Standard CAL or Enterprise CAL | +| Give the room a phone number and make or receive calls from the room or join a dial-in conference using a phone number | Skype for Business Standalone Plan 2 with Phone System and a PSTN Voice Calling plan | E1 or E3 with Phone System and a PSTN Voice Calling plan, or E5 | Skype for Business Server Standard CAL or Plus CAL | The following table lists the Office 365 plans and Skype for Business options. -| O365 Plan | Skype for Business | Cloud PBX | PSTN Conferencing | PSTN Calling | +| O365 Plan | Skype for Business | Phone System | Audio Conferencing | Calling Plans | | --- | --- | --- | --- | --- | | O365 Business Essentials | Included | | | | | O365 Business Premium | Included | | | | -| E1 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | -| E3 | Included | Add-on | Add-on | Add-on (requires Cloud PBX add-on) | +| E1 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) | +| E3 | Included | Add-on | Add-on | Add-on (requires Phone System add-on) | | E5 | Included | Included | Included | Add-on | 1. Start by creating a remote PowerShell session from a PC to the Skype for Business online environment. @@ -190,7 +190,7 @@ The following table lists the Office 365 plans and Skype for Business options. - Click **Licenses**. - - In **Assign licenses**, select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. + - In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub. - Click **Save**. 
@@ -282,7 +282,7 @@ Use this procedure if you use Exchange online. 5. Add email address for your on-premises domain account. - For this procedure, you'll be using AD admin tools to add an email address for your on-preises domain account. + For this procedure, you'll be using AD admin tools to add an email address for your on-premises domain account. - In **Active Directory Users and Computers** AD tool, right-click on the folder or Organizational Unit that your Surface Hub accounts will be created in, click **New**, and **User**. - Type the display name from the previous cmdlet into the **Full name** box, and the alias into the **User logon name** box. Click **Next**. @@ -291,7 +291,8 @@ Use this procedure if you use Exchange online. - Type the password for this account. You'll need to retype it for verification. Make sure the **Password never expires** checkbox is the only option selected. - >**Important** Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. + >[!IMPORTANT] + >Selecting **Password never expires** is a requirement for Skype for Business on the Surface Hub. Your domain rules may prohibit passwords that don't expire. If so, you'll need to create an exception for each Surface Hub device account. ![Image showing password dialog box.](images/hybriddeployment-02a.png) diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index b819e54b9a..f91b3e81bf 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md 
@@ -13,9 +13,9 @@ ms.localizationpriority: medium # Microsoft Surface Hub admin guide ->[Looking for the Surface Hub admin guide for Windows 10, version 1607?](http://download.microsoft.com/download/7/2/5/7252051B-7E97-4781-B5DF-58D4B1A4BB88/surface-hub-admin-guide-1607.pdf) +>[Looking for the Surface Hub admin guide for Windows 10, version 1607?](https://download.microsoft.com/download/7/2/5/7252051B-7E97-4781-B5DF-58D4B1A4BB88/surface-hub-admin-guide-1607.pdf) ->[Looking for the user's guide for Surface Hub?](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) +>[Looking for the user's guide for Surface Hub?](https://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf)
Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.![image of a Surface Hub](images/surfacehub.png)
@@ -41,9 +41,9 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof | [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. | | [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. | | [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. | -| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | +| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | | [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. | -| [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. | +| [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. | | [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | | [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. 
| | [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. | @@ -51,3 +51,11 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof +## Additional resources + +- [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history) +- [Surface Hub help](https://support.microsoft.com/hub/4343507/surface-hub-help) +- [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/) +- [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ) +- [Microsoft Surface on Twitter](https://twitter.com/surface) + diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 953c771d7c..c62abeb7fa 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: surface-hub ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 06/01/2018 +ms.date: 08/28/2018 ms.localizationpriority: medium --- 
@@ -108,8 +108,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013  ## Disable anonymous email and IM ->[!WARNING] ->This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index ff5af2b652..babce30d59 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -6,7 +6,7 @@ ms.prod: surface-hub ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 06/01/2018 +ms.date: 08/28/2018 ms.localizationpriority: medium --- @@ -97,8 +97,7 @@ If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 o ## Disable anonymous email and IM ->[!WARNING] ->This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + Surface Hub uses a device account to provide email and collaboration services (IM, video, voice). This device account is used as the originating identity (the “from” party) when sending email, IM, and placing calls. As this account is not coming from an individual, identifiable user, it is deemed “anonymous” because it originated from the Surface Hub's device account. 
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 8ddafa924a..689358891c 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -16,22 +16,21 @@ This topic provides links to useful Surface Hub documents, such as product datas | Link | Description | | --- | --- | -| [Surface Hub Site Readiness Guide (PDF)](http://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) | -| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](http://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. | -| [Surface Hub Quick Reference Guide (PDF)](http://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. | -| [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. | +| [Surface Hub Site Readiness Guide (PDF)](https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. 
[Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) | +| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](https://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. | +| [Surface Hub Quick Reference Guide (PDF)](https://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. | +| [Surface Hub User Guide (PDF)](https://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. | | [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hub’s internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. | -| [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. 
| -| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. | -| [Unpacking Guide for 84-inch Surface Hub (PDF)](http://download.microsoft.com/download/5/2/B/52B4007E-D8C8-4EED-ACA9-FEEF93F6055C/84_Unpacking_Guide_English_French-Spanish.pdf) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) | -| [Unpacking Guide for 55-inch Surface Hub (PDF)](http://download.microsoft.com/download/2/E/7/2E7616A2-F936-4512-8052-1E2D92DFD070/55_Unpacking_Guide_English-French-Spanish.PDF) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) | -| [Wall Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Wall_Mounts_EN-FR-ES-NL-DE-IT-PT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. 
[Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) | -| [Floor-Supported Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Floor_Support_Mount_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the floor-supported brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/ed/de/edde468a-e1d4-4ce8-8b61-c4527dd25c81.mov?n=04.07.16_installation_video_06_floor_support_mount.mov) | -| [Rolling Stand Mounting and Assembly Guide (PDF)](http://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Rolling_Stands_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) | -| [Mounts and Stands Datasheet (PDF)](http://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. | -| [Surface Hub Stand and Wall Mount Specifications (PDF)](http://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. 
| +| [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. | +| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](https://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. | +| [Unpacking Guide for 84-inch Surface Hub (PDF)](https://download.microsoft.com/download/5/2/B/52B4007E-D8C8-4EED-ACA9-FEEF93F6055C/84_Unpacking_Guide_English_French-Spanish.pdf) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) | +| [Unpacking Guide for 55-inch Surface Hub (PDF)](https://download.microsoft.com/download/2/E/7/2E7616A2-F936-4512-8052-1E2D92DFD070/55_Unpacking_Guide_English-French-Spanish.PDF) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) | +| [Wall Mounting and Assembly Guide (PDF)](https://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Wall_Mounts_EN-FR-ES-NL-DE-IT-PT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. 
[Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) | +| [Floor-Supported Mounting and Assembly Guide (PDF)](https://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Floor_Support_Mount_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the floor-supported brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/ed/de/edde468a-e1d4-4ce8-8b61-c4527dd25c81.mov?n=04.07.16_installation_video_06_floor_support_mount.mov) | +| [Rolling Stand Mounting and Assembly Guide (PDF)](https://download.microsoft.com/download/7/0/2/702485E3-B55E-4DE8-B5DD-3B56F90DCF5D/SH-Guide_WACG_Rolling_Stands_EN-FR-ES-NL-DE-IT-AR-DA-FI-NO-SV.pdf) | Detailed instructions on how to safely and securely assemble the rolling stand, and how to mount your Surface Hub onto it. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/1f/94/1f949613-3e4a-41e3-ad60-fe8aa7134115.mov?n=04.07.16_installation_video_04_rolling_stand_mount.mov) | +| [Mounts and Stands Datasheet (PDF)](https://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) | Specifications and prices for all Surface Hub add-on stands and mounts that turn your workspace into a Surface Hub workspace. | +| [Surface Hub Stand and Wall Mount Specifications (PDF)](https://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) | Illustrated specifications for the 55” and 84” Surface Hub rolling stands, wall mounts, and floor-supported wall mounts. | - \ No newline at end of file 
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index ef1cd24725..262bcc5d2a 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -14,9 +14,9 @@ ms.localizationpriority: medium
 # Using the Surface Hub Recovery Tool
-The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/details.aspx?id=52210) helps you re-image your Surface Hub Solid State Drive (SSD) using a Windows 10 desktop device, without calling support or replacing the SSD. With this tool, you can reimage an SSD that has an unknown Administrator password, boot errors, was unable to complete a cloud recovery, or for a device that has an older version of the operating system. The tool will not fix physically damaged SSDs.
+The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/details.aspx?id=52210) helps you re-image your Surface Hub Solid State Drive (SSD) using a Windows 10 desktop device, without calling support or replacing the SSD. With this tool, you can reimage an SSD that has an unknown Administrator password, boot errors, was unable to complete a cloud recovery, or for a device that has an older version of the operating system. The tool will not fix physically damaged SSDs.
-To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
+To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. 
For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
 >[!IMPORTANT]
 >Do not let the device go to sleep or interrupt the download of the image file.
@@ -31,15 +31,15 @@ If the tool is unsuccessful in reimaging your drive, please contact [Surface Hub
 - Internet access
 - Open USB 2.0 or greater port
 - USB-to-SATA cable
-- 10 GB of free disk space on the host computer
-- SSDs shipped with Surface Hub or a SSD provided by Support as a replacement. SSDs not supplied by Microsoft are not supported.
+- 10 GB of free disk space on the host computer
+- SSDs shipped with Surface Hub or a SSD provided by Support as a replacement. SSDs not supplied by Microsoft are not supported.
 ### Recommended
 - High-speed Internet connection
 - Open USB 3.0 port
 - USB 3.0 or higher USB-to-SATA cable
-- The imaging tool was tested with the following make and model of cables:
+- The imaging tool was tested with the following make and model of cables:
 - Startech USB312SAT3CB
 - Rosewill RCUC16001
 - Ugreen 20231
@@ -57,7 +57,7 @@ Install Surface Hub Recovery Tool on the host PC.
 ## Run Surface Hub Recovery Tool
-1. On the host PC, select the **Start** button, scroll through the alphabetical list on the left, and select the recovery tool shortcut.
+1. On the host PC, select the **Start** button, scroll through the alphabetical list on the left, and select the recovery tool shortcut.
 ![Microsoft Surface Hub Recovery Tool shortcut](images/shrt-shortcut.png) 
@@ -69,11 +69,11 @@ Install Surface Hub Recovery Tool on the host PC.
 ![Do not let your machine go to sleep guidance](images/shrt-guidance.png)
-4. click **Yes** to download the image. Time to download the recovery image is dependent on internet connection speeds. On an average corporate connection, it can take up to an hour to download the 8GB image file.
+4. click **Yes** to download the image. Time to download the recovery image is dependent on internet connection speeds. On an average corporate connection, it can take up to an hour to download the 8GB image file.
 ![Download the image?](images/shrt-download.png)
-5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](http://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
+5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
 ![Connect SSD](images/shrt-drive.png)
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md
index 6bb7a33e57..e68eb9a565 100644
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@@ -10,6 +10,7 @@
 ### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
 #### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
 #### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md)
+### [Battery Limit setting](battery-limit.md)
 ## [Surface firmware and driver updates](update.md)
 ### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
 ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)
diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md
new file mode 100644
index 0000000000..2406c075e7
--- /dev/null
+++ b/devices/surface/battery-limit.md
@@ -0,0 +1,84 @@
+---
+title: Battery Limit setting (Surface)
+description: Battery Limit is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: brecords
+ms.date: 10/02/2018
+ms.author: jdecker
+ms.topic: article
+---
+
+# Battery Limit settings
+
+Battery Limit option is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. This setting is recommended in cases in which the device is continuously connected to power, for example when devices are integrated into kiosk solutions.
+
+## Battery Limit information
+
+Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity.
+
+Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [support article](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models. 
+
+## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later)
+
+The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **boot configuration**, and then, under **Advanced Options**, toggle **Enable Battery Limit Mode** to **On**.
+
+![Screenshot of Advanced options](images/enable-bl.png)
+
+## Enabling Battery Limit in Surface UEFI (Surface Pro 3)
+
+The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **Kiosk Mode**, select **Battery Limit**, and then choose **Enabled**.
+
+![Screenshot of Advanced options](images/enable-bl-sp3.png)
+
+![Screenshot of Advanced options](images/enable-bl-sp3-2.png)
+
+## Enabling Battery Limit using Surface Enterprise Management Mode (SEMM) or Surface Pro 3 firmware PowerShell scripts
+
+The Surface UEFI battery limit is also available for configuration via the following methods:
+
+- Surface Pro 4 and later
+ - [Microsoft Surface UEFI Configurator](https://docs.microsoft.com/en-us/surface/surface-enterprise-management-mode)
+ - Surface UEFI Manager Powershell scripts (SEMM_Powershell.zip) in the [Surface Tools for IT downloads](https://www.microsoft.com/download/details.aspx?id=46703)
+- Surface Pro 3
+ - [SP3_Firmware_Powershell_Scripts.zip](https://www.microsoft.com/download/details.aspx?id=46703)
+
+### Using Microsoft Surface UEFI Configurator
+
+To configure Battery Limit mode, set the **Kiosk Overrides** setting on the **Advanced Settings** configuration page in SEMM (Surface Pro 4 and later).
+
+![Screenshot of advanced settings](images/semm-bl.png)
+
+### Using Surface UEFI Manager PowerShell scripts
+
+The battery limit feature is controlled via the following setting:
+
+`407 = Battery Profile`
+
+**Description**: Active management scheme for battery usage pattern
+
+**Default**: `0`
+
+Set this to `1` to enable Battery Limit. 
+
+### Using Surface Pro 3 firmware tools
+
+The battery limit feature is controlled via the following setting:
+
+**Name**: BatteryLimitEnable
+
+**Description**: BatteryLimit
+
+**Current Value**: `0`
+
+**Default Value**: `0`
+
+**Proposed Value**: `0`
+
+Set this to `1` to enable Battery Limit.
+
+>[!NOTE]
+>To configure this setting, you must use [SP3_Firmware_Powershell_Scripts.zip](https://www.microsoft.com/download/details.aspx?id=46703).
+
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 7b010ca138..86bde3c803 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -7,13 +7,19 @@ ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 05/15/2018
+ms.date: 10/02/2018
 ---
 # Change history for Surface documentation
 This topic lists new and updated topics in the Surface documentation library.
+## October 2018
+
+New or changed topic | Description
+--- | ---
+[Battery Limit setting](battery-limit.md) | New
+
 ## May 2018
 |New or changed topic | Description |
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index 0d4a26f5e9..4218ee9ba8 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -22,7 +22,7 @@ This article walks you through the process of customizing the Surface out-of-box
 It is common practice in a Windows deployment to customize the user experience for the first startup of deployed computers — the out-of-box experience, or OOBE.
 >[!NOTE]
->OOBE is also often used to describe the phase, or configuration pass, of Windows setup during which the user experience is displayed. For more information about the OOBE phase of setup, see [How Configuration Passes Work](http://msdn.microsoft.com/library/windows/hardware/dn898581.aspx).
+>OOBE is also often used to describe the phase, or configuration pass, of Windows setup during which the user experience is displayed. For more information about the OOBE phase of setup, see [How Configuration Passes Work](https://msdn.microsoft.com/library/windows/hardware/dn898581.aspx).
 In some scenarios, you may want to provide complete automation to ensure that at the end of a deployment, computers are ready for use without any interaction from the user. In other scenarios, you may want to leave key elements of the experience for users to perform necessary actions or select between important choices. For administrators deploying to Surface devices, each of these scenarios presents a unique challenge to overcome.
@@ -30,8 +30,8 @@ This article provides a summary of the scenarios where a deployment might requir
 >[!NOTE]
 >Although the OOBE phase of setup is still run during a deployment with an automated deployment solution such as the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117) or System Center Configuration Manager Operating System Deployment (OSD), it is automated by the settings supplied in the Deployment Wizard and task sequence. For more information see:
->- [Deploy Windows 10 with the Microsoft Deployment Toolkit](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
->- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](http://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager)
+>- [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit)
+>- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager)
 
diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
index d009237304..a023fdb141 100644
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: brecords
-ms.date: 12/07/2017
+ms.date: 09/13/2018
 ms.author: jdecker
 ms.topic: article
 ---
@@ -23,11 +23,7 @@ As easy as it is to keep Surface device drivers and firmware up to date automati
 On the Microsoft Download Center page for your device, you will find several files available. These files allow you to deploy drivers and firmware in various ways. You can read more about the different deployment methods for Surface drivers and firmware in [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md).
-Driver and firmware updates for Surface devices are released in one of two ways:
-
- **Point updates** are released for specific drivers or firmware revisions and provide the latest update for a specific component of the Surface device.
-
- **Cumulative updates** provide comprehensive roundups of all of the latest files for the Surface device running that version of Windows.
+Driver and firmware updates for Surface devices are **cumulative updates** which provide comprehensive roundups of all of the latest files for the Surface device running that version of Windows.
 Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article. 
@@ -212,10 +208,10 @@ Download the following updates [for Surface Pro (Model 1514) from the Microsoft
 - Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1
-## Surface RT
+## Surface devices with Windows RT
-There are no downloadable firmware or driver updates available for Surface RT. Updates can only be applied using Windows Update.
+There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.
 If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business).
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index 00e7dc22e0..69865822f6 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -6,14 +6,14 @@ ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: brecords
-ms.date: 01/29/2018
+ms.date: 10/02/2018
 ms.author: jdecker
 ms.topic: article
 ---
 # Deploy Surface devices
-Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator.
+Get deployment guidance for your Surface devices including information about Microsoft Deployment Toolkit (MDT), out-of-box-experience (OOBE) customization, Ethernet adaptors, Surface Deployment Accelerator, and the Battery Limit setting.
 ## In this section 
@@ -26,6 +26,7 @@ Get deployment guidance for your Surface devices including information about MDT
 | [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.|
 | [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)| Get guidance and answers to help you perform a network deployment to Surface devices.|
 | [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. |
+[Battery Limit setting](battery-limit.md) | Learn how to use Battery Limit, a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity.
diff --git a/devices/surface/images/enable-bl-sp3-2.png b/devices/surface/images/enable-bl-sp3-2.png
new file mode 100644
index 0000000000..f1940c403f
Binary files /dev/null and b/devices/surface/images/enable-bl-sp3-2.png differ
diff --git a/devices/surface/images/enable-bl-sp3.png b/devices/surface/images/enable-bl-sp3.png
new file mode 100644
index 0000000000..7fa99786f1
Binary files /dev/null and b/devices/surface/images/enable-bl-sp3.png differ
diff --git a/devices/surface/images/enable-bl.png b/devices/surface/images/enable-bl.png
new file mode 100644
index 0000000000..a99cb994fb
Binary files /dev/null and b/devices/surface/images/enable-bl.png differ
diff --git a/devices/surface/images/semm-bl.png b/devices/surface/images/semm-bl.png
new file mode 100644
index 0000000000..3f8a375057
Binary files /dev/null and b/devices/surface/images/semm-bl.png differ
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 9b9736af68..3ba289e3e6 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -26,6 +26,7 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
 Compatible Surface devices include:
+* Surface Go
 * Surface Book 2
 * Surface Pro with LTE Advanced (Model 1807)
 * Surface Pro (Model 1796)
@@ -60,7 +61,7 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include:
 To create a Microsoft Surface Data Eraser USB stick, first install the Microsoft Surface Data Eraser setup tool from the Microsoft Download Center using the link provided at the beginning of this article. You do not need a Surface device to *create* the USB stick. After you have downloaded the installation file to your computer, follow these steps to install the Microsoft Surface Data Eraser creation tool:
-1. Run the DataEraserSetup.msi installation file that you downloaded from the Microsoft Download Center.
+1. Run the DataEraserSetup.msi installation file that you downloaded from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703).
 2. Select the check box to accept the terms of the license agreement, and then click **Install**.
@@ -147,10 +148,16 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
 Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
+### Version 3.2.68.0
+This version of Microsoft Surface Data Eraser adds support for the following:
+
+- Surface Go
+
+
 ### Version 3.2.58.0
 This version of Microsoft Surface Data Eraser adds support for the following:
-- • Additional storage devices (drives) for Surface Pro and Surface Laptop devices
+- Additional storage devices (drives) for Surface Pro and Surface Laptop devices
 ### Version 3.2.46.0 
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index da0e607baf..8dfbc020a2 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -94,6 +94,12 @@ SDA is periodically updated by Microsoft. For instructions on how these features
 >[!NOTE]
 >To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share.
+### Version 2.8.136.0
+This version of SDA supports deployment of the following:
+* Surface Book 2
+* Surface Laptop
+* Surface Pro LTE
+
 ### Version 2.0.8.0
 This version of SDA supports deployment of the following:
 * Surface Pro
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index f6235d2f28..e239bcea68 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -126,7 +126,26 @@ The following steps show you how to create a deployment share for Windows 10 th
 ![The installatin progress window](images/sdasteps-fig5-installwindow.png "The installatin progress window")
 *Figure 5. The Installation Progress window*
+>[!NOTE]
+>The following error message may be hit while Installing the latest ADK or MDT: "An exception occurred during a WebClient request.". This is due to incompatibility between SDA and BITS. Here is the workaround for this:
+ ```
+In the following two PowerShell scripts:
+%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1
+%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1
+
+Edit the $BITSTransfer variable in the input parameters to $False as shown below:
+
+Param(
+ [Parameter(
+ Position=0,
+ Mandatory=$False,
+ HelpMessage="Download via BITS bool true/false"
+ )]
+ [string]$BITSTransfer = $False
+ )
+ ```
+
 8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
 ### Optional: Create a deployment share without an Internet connection
@@ -263,7 +282,7 @@ After you have prepared the USB drive for boot, the next step is to generate off
 21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share.
 ![Select the Update Media Content option](images/sdasteps-fig12-updatemedia.png "Select the Update Media Content option")
-
+
 *Figure 12. Select the Update Media Content option*
 22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.** 
@@ -313,7 +332,7 @@ The **2 – Create Windows Reference Image** task sequence is used to perform a
 Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
 >[!NOTE]
->Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](http://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
+>Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and System Center Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
 In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. 
The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard.
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md
index 227433e7b2..445be071c9 100644
--- a/devices/surface/surface-dock-updater.md
+++ b/devices/surface/surface-dock-updater.md
@@ -117,6 +117,14 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app
 >[!Note]
 >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater.
+### Version 2.22.139.0
+*Release Date: 26 July 2018*
+
+This version of Surface Dock Updater adds support for the following:
+
+- Increase update reliability
+- Add support for Surface Go
+
 ### Version 2.12.136.0
 *Release Date: 29 January 2018*
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 42df3fd641..2932bee71c 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -189,8 +189,23 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must
 >[!NOTE]
 >For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick.
+## Version History
+
+### Version 2.14.136.0
+* Add support to Surface Go
+
+### Version 2.9.136.0
+* Add support to Surface Book 2
+* Add support to Surface Pro LTE
+* Accessibility improvements
+
+### Version 1.0.74.0
+* Add support to Surface Laptop
+* Add support to Surface Pro
+* Bug fixes and general improvement
+
 ## Related topics
 [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md)
-[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
\ No newline at end of file
+[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md)
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index c5de082d9e..73c49f7dbc 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -42,7 +42,7 @@ Management of SEMM with Configuration Manager requires the installation of Micro
 #### Download SEMM scripts for Configuration Manager
-After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) from the TechNet Gallery Script Center.
+After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/en-us/download/details.aspx?id=46703) from the Download Center.
 ## Deploy Microsoft Surface UEFI Manager 
@@ -269,7 +269,7 @@ The following code fragment, found on lines 352-363, is used to write this regis
 ### Settings names and IDs
-To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from [SEMM management scripts for Configuration Manager](https://gallery.technet.microsoft.com/Sample-PowerShell-for-5eb5f03c) in the TechNet Gallery Script Center.
+To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/en-us/download/details.aspx?id=46703)
 The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. 
@@ -424,4 +424,4 @@ Removal of SEMM from a device deployed with Configuration Manager using these sc
 >When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken.
->For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken.
\ No newline at end of file
+>For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken.
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index 3550f35fd6..bb250ba302 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: surface, devices
 ms.sitesec: library
 author: brecords
-ms.date: 01/31/2018
+ms.date: 09/12/2018
 ms.author: jdecker
 ms.topic: article
 ---
@@ -45,8 +45,13 @@ Surface devices with support for out-of-box deployment with Windows Autopilot, e
 * Surface Book 2
 * Surface Laptop
 * Surface Studio
+* Surface Go
 ## Surface partners enabled for Windows Autopilot
 Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
-You can find a list of Surface partners enabled for Windows Autopilot at the [Windows Autopilot for Surface portal](https://www.microsoft.com/en-us/itpro/surface/windows-autopilot-for-surface).
\ No newline at end of file
+When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include:
+
+- [SHI](https://www.shi.com/?reseller=shi)
+- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface.html)
+- [Atea](https://www.atea.com/)
\ No newline at end of file
diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md
index d5a982714e..5500fe19dc 100644
--- a/education/get-started/inclusive-classroom-it-admin.md
+++ b/education/get-started/inclusive-classroom-it-admin.md
@@ -26,10 +26,10 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea ## Inclusive Classroom features |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---| -| Read aloud with simultaneous highlighting |

  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| -| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| +| Read aloud with simultaneous highlighting |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| +| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| | Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access)

|

X

(N/A for Word iOS)

|

X

(N/A for Word iOS)

|

X

(N/A for any OneNote apps or Word iOS)

| -| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
|

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| | Line focus mode |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| | Picture Dictionary |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|
@@ -40,18 +40,18 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea | Spelling suggestions for phonetic misspellings |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

|

X

| | | Synonyms alongside spelling suggestions that can be read aloud |
  • Word 2016
  • Outlook 2016
| |

X

|

X

|

X

| | | Grammar checks |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | -| Customizable writing critiques |
  • Word 2016, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | -| Tell me what you want to do |
  • Office 2016
  • Office Online
  • Office on iOS, Android, Windows 10
| |

X

|

X

|

X

| | +| Customizable writing critiques |
  • Word 2016, Word for Mac
  • Outlook 2016
|

X

|

X

|

X

| | | +| Tell me what you want to do |
  • Office 2016
  • Office Online
  • Office on iOS, Android, Windows 10
|

X

|

X

|

X

|

X

| | | Editor |
  • Word 2016
| |

X

|

X

| | |
| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---| -| Accessibility Checker |
  • All Office 365 authoring applications on PC, Mac, Web
| |

X

| | | | -| Accessible Templates |
  • Word for PCs, Mac
  • Excel for PCs, Mac
  • PowerPoint for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

| | | | -| Ability to add alt-text for images |
  • Word for PCs (includes automatic suggestions for image descriptions)
  • SharePoint Online (includes automatic suggestions for image descriptions)
  • PowerPoint for PCs (includes automatic suggestions for image descriptions)
  • OneNote (includes automatic extraction of text in images)
  • All Office 365 authoring applications (include ability to add alt-text manually)
| |

X

| | | | +| Accessibility Checker |
  • All Office 365 authoring applications on PC, Mac, Web
| |

X

|

X

| | | +| Accessible Templates |
  • Word for PCs, Mac
  • Excel for PCs, Mac
  • PowerPoint for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

|

X

| | | +| Ability to add alt-text for images |
  • Word for PCs (includes automatic suggestions for image descriptions)
  • SharePoint Online (includes automatic suggestions for image descriptions)
  • PowerPoint for PCs (includes automatic suggestions for image descriptions)
  • OneNote (includes automatic extraction of text in images)
  • All Office 365 authoring applications (include ability to add alt-text manually)
|

X

|

X

|

X

| | | | Ability to add captions to videos |
  • PowerPoint for PCs
  • Sway on iOS, Web, Windows 10
  • Microsoft Stream (includes ability to have captions auto-generated for videos in English and Spanish)
| |

X

| | | | -| Export as tagged PDF |
  • Word for PCs, Mac
  • Sway on iOS, Web, Windows 10
| | | | | | +| Export as tagged PDF |
  • Word for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

|

X

| | | | Ability to request accessible content |
  • Outlook Web Access
| | | | | |
@@ -79,4 +79,4 @@ Depending on how you plan to do billing, you can have Office 365 accounts that a 1. Sign-in to your services and subscriptions with your Microsoft account. 2. Find the subscription in the list, then select **Change how you pay**. >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires. -3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. \ No newline at end of file +3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. diff --git a/education/index.md b/education/index.md index c78b456b9e..20840df5df 100644 --- a/education/index.md +++ b/education/index.md @@ -125,245 +125,6 @@ ms.date: 10/30/2017 -
  • - Teachers - -
  • -
  • - Students - -
  • Developer
      diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index b9fffc43b3..3eb30e45f8 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -1,6 +1,6 @@ --- title: Educator Trial in a Box Guide -description: Need help or have a question about using Microsoft Education? Start here. +description: Need help or have a question about using Microsoft Education? Start here. keywords: support, troubleshooting, education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 ms.technology: Windows @@ -28,8 +28,8 @@ ms.date: 03/18/2018 | [![Launch Microsoft Teams](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?**
      Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. | | [![Open OneNote](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?**
      Open [OneNote](#edu-task4) and create an example group project for your class. | | [![Try Photos app](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?**
      Try the [Photos app](#edu-task5) to make your own example video. | -| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
      Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | -| [![Do Math with Windows Ink](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
      Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. | +| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?**
      Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. | +| [![Do Math with Windows Ink](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?**
      Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. | | | |
      @@ -40,21 +40,21 @@ ms.date: 03/18/2018
      -![Log in to Device A and connect to the school network](images/edu-TIB-setp-1-jump.png) +![Log in to Device A and connect to the school network](images/edu-TIB-setp-1-jump.png) ## 1. Log in and connect to the school network To try out the educator tasks, start by logging in as a teacher. 1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet. 2. Connect **Device A** to your school's Wi-Fi network or connect with a local Ethernet connection using the Ethernet adapter included in this kit. >**Note**: If your Wi-Fi network requires a web browser login page to connect to the Internet, connect using the Ethernet port. If your Wi-Fi network has additional restrictions that will prevent the device from connecting to the internet without registration, consider connecting **Device A** to a different network. - + 3. Log in to **Device A** using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit.

      -![Improve student reading speed and comprehension](images/edu-TIB-setp-2-jump.png) +![Improve student reading speed and comprehension](images/edu-TIB-setp-2-jump.png) ## 2. Significantly improve student reading speed and comprehension > [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y] @@ -65,7 +65,7 @@ To try out the educator tasks, start by logging in as a teacher. Learning Tools and the Immersive Reader can be used in the Microsoft Edge browser, Microsoft Word, and Microsoft OneNote to: * Increase fluency for English language learners * Build confidence for emerging readers -* Provide text decoding solutions for students with learning differences such as dyslexia +* Provide text decoding solutions for students with learning differences such as dyslexia **Try this!** @@ -75,7 +75,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse 3. Select the **View** menu. -4. Select the **Immersive Reader** button. +4. Select the **Immersive Reader** button. ![Word Online's Immersive Reader](images/word_online_immersive_reader.png) @@ -92,7 +92,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse -![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png) +![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png) ## 3. Spark communication, critical thinking, and creativity in the classroom > [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8] @@ -100,7 +100,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
      -Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. This guided tour walks you through the essential teaching features of the app. Then, through interactive prompts, experience how you can use this tool in your own classroom to spark digital classroom discussions, respond to student questions, organize content, and more! +Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. This guided tour walks you through the essential teaching features of the app. Then, through interactive prompts, experience how you can use this tool in your own classroom to spark digital classroom discussions, respond to student questions, organize content, and more! Take a guided tour of Microsoft Teams and test drive this digital hub. @@ -113,7 +113,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.

      -![Expand classroom collaboration and interaction with OneNote](images/edu-TIB-setp-4-jump.png) +![Expand classroom collaboration and interaction with OneNote](images/edu-TIB-setp-4-jump.png) ## 4. Expand classroom collaboration and interaction between students > [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE] @@ -125,7 +125,7 @@ Microsoft OneNote organizes curriculum and lesson plans for teachers and student **Try this!** See how a group project comes together with opportunities to interact with other students and collaborate with peers. This one works best with the digital pen, included with your Trial in a Box. -When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again. +When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again. 1. On the **Start** menu, click the OneNote shortcut named **Imagine Giza** to open the **Reimagine the Great Pyramid of Giza project**. @@ -136,12 +136,12 @@ When you're not using the pen, just use the magnet to stick it to the left side ![OneNote Draw tab](images/onenote_draw.png) - - Type anywhere on the page! Just click your cursor where you want to place text. - - Use the checkmark in the **Home** tab to keep track of completed tasks. + - Type anywhere on the page! Just click your cursor where you want to place text. + - Use the checkmark in the **Home** tab to keep track of completed tasks. ![OneNote To Do Tag](images/onenote_checkmark.png) - - To find information without leaving OneNote, use the Researcher tool found under the Insert tab. + - To find information without leaving OneNote, use the Researcher tool found under the Insert tab. ![OneNote Researcher](images/onenote_researcher.png) 
@@ -160,18 +160,18 @@ The Photos app now has a built-in video editor, making it easy for you and your **Try this!** Use video to create a project summary. -1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**. +1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**. -2. Open Microsoft Edge and visit http://aka.ms/PhotosTIB to download a zip file of the project media. +2. Open Microsoft Edge and visit http://aka.ms/PhotosTIB to download a zip file of the project media. -3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**. +3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**. -4. In the **Start** menu, search for **Photos** or select the Photos tile to launch the app. +4. In the **Start** menu, search for **Photos** or select the Photos tile to launch the app. 5. Select the first video to preview it full screen. Select **Edit & Create**, then select **Create a video with text**. - 1. If you don't see the **Edit & Create** menu, select the video and the menu will appear at the top of the screen. + 1. If you don't see the **Edit & Create** menu, select the video and the menu will appear at the top of the screen. -6. Name your project “Laser Maze Project.” Hit Enter to continue. +6. Name your project “Laser Maze Project.” Hit Enter to continue. 7. Select **Add photos and videos** and then **From my collection**. Scroll to select the 6 additional videos and select **Add**. 
@@ -179,12 +179,12 @@ Use video to create a project summary. ![Photos app layout showing videos added in previous steps](images/photo_app_1.png) -9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**. +9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**. -10. Select the third card in the Storyboard (the video of the children assembling the maze) and select **Trim**. Drag the trim handle on the left to shorten the duration of the clip and select **Done**. +10. Select the third card in the Storyboard (the video of the children assembling the maze) and select **Trim**. Drag the trim handle on the left to shorten the duration of the clip and select **Done**. 11. Select the last card on the Storyboard and select **3D effects**. - 1. Position the playback indicator to be roughly 1 second into the video clip, or when the boy moves down to examine the laser. + 1. Position the playback indicator to be roughly 1 second into the video clip, or when the boy moves down to examine the laser. 2. Find the **lightning bolt** effect and click or drag to add it to the scene. Rotate, scale, and position the effect so it looks like the lightning is coming out of the laser beam and hitting the black back of the mirror. 3. Position the blue anchor over the end of the laser pointer in the video and toggle on **Attach to a point** for the lightning bolt effect to anchor the effect in the scene. 4. Play back your effect. 
@@ -196,30 +196,30 @@ Use video to create a project summary. 1. The music will update automatically to match the length of your video project, even as you make changes. 2. If you don’t see more than a few music options, confirm that you’re connected to Wi-Fi and then close and re-open Microsoft Photos (returning to your project via the **Albums** tab). Additional music files should download in the background. -13. You can adjust the volume for the background music using the **Music volume** button. +13. You can adjust the volume for the background music using the **Music volume** button. 14. Preview your video to see how it all came together. -15. Select **Export or share** and select either the **Small** or **Medium** file size. You can share your video to social media, email, or another apps. +15. Select **Export or share** and select either the **Small** or **Medium** file size. You can share your video to social media, email, or another apps. Check out this use case video of the Photos team partnering with the Bureau Of Fearless Ideas in Seattle to bring the Photos app to local middle school students: https://www.youtube.com/watch?v=0dFFAu6XwPg


      -![Further collaborate and problem solve with Minecraft: Education Edition](images/edu-TIB-setp-5-jump.png) +![Further collaborate and problem solve with Minecraft: Education Edition](images/edu-TIB-setp-5-jump.png) ## 6. Get kids to further collaborate and problem solve > [!VIDEO https://www.youtube.com/embed/QI_bRNUugog]
      -Minecraft: Education Edition provides an immersive environment to develop creativity, collaboration, and problem-solving in an immersive environment where the only limit is your imagination. +Minecraft: Education Edition provides an immersive environment to develop creativity, collaboration, and problem-solving in an immersive environment where the only limit is your imagination. **Try this!** Today, we'll explore a Minecraft world through the eyes of a student. -1. Connect the included mouse to your computer for optimal interaction. +1. Connect the included mouse to your computer for optimal interaction. 2. Open Microsoft Edge and visit https://aka.ms/lessonhub. @@ -242,7 +242,7 @@ Today, we'll explore a Minecraft world through the eyes of a student. * **A** moves left. * **S** moves right. * **D** moves backward. - + 10. Use your mouse as your "eyes". Just move it to look around. 11. For a bird's eye view, double-tap the SPACE BAR. Now press the SPACE BAR to fly higher. And then hold the SHIFT key to safely land. @@ -265,7 +265,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.

      -![Help students understand new math concepts with the Math Assistant in OneNote](images/Inking.png) +![Help students understand new math concepts with the Math Assistant in OneNote](images/Inking.png) ## 7. Use Windows Ink to provide a personal math tutor for your students The **Math Assistant** and **Ink Replay** features available in the OneNote app for Windows 10 and OneNote Online give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph. @@ -293,7 +293,7 @@ To solve the equation 3x+4=7, follow these instructions: ![Lasso button](images/lasso.png) -3. On the **Draw** tab, click the **Math** button. +3. On the **Draw** tab, click the **Math** button. ![Math button](images/math-button.png) @@ -312,7 +312,7 @@ To graph the equation 3x+4=7, follow these instructions: ![Graph both sides in 2D](images/graph-for-x.png) -2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page. +2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.

@@ -327,7 +327,7 @@ Bring out the best in students by providing a platform for collaborating, explor
 ## Update your apps
-Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
+Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
 For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index 5cfd544fe5..533981750f 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -21,6 +21,7 @@
 ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
 ### [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-device-promotion.md)
 ## [Test Windows 10 in S mode on existing Windows 10 education devices](test-windows10s-for-edu.md)
+## [Enable Windows 10 in S mode on Surface Go devices](enable-s-mode-on-surface-go-devices.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
 ## [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](s-mode-switch-to-edu.md)
diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md
new file mode 100644
index 0000000000..de525d8e81
--- /dev/null
+++ b/education/windows/enable-s-mode-on-surface-go-devices.md
@@ -0,0 +1,145 @@ +--- +title: Enable S mode on Surface Go devices for Education +description: Steps that an education customer can perform to enable S mode on Surface Go devices +keywords: Surface Go for Education, S mode +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: kaushika-msft +ms.author: +ms.date: 07/30/2018 +--- + +# Surface Go for Education - Enabling S mode + +Surface Go devices are available with both Windows 10 Home in S mode and Windows 10 Pro configurations. Education customers who purchase Surface Go devices with Windows 10 Pro may wish to take advantage of S mode on their Pro devices. These customers can create their own S mode image for Surface Go or enable S mode on a per-device basis. + +## Prerequisites + +Here are some things you’ll need before attempting any of these procedures: + +- A Surface Go device or Surface Go device image based on Windows 10 Pro + (1803) +- General understanding of [Windows deployment scenarios and related + tools](https://docs.microsoft.com/windows/deployment/windows-deployment-scenarios-and-tools) +- [Windows ADK for Windows 10 + 1803](https://docs.microsoft.com/windows/deployment/windows-adk-scenarios-for-it-pros) +- [Bootable Windows Preinstall Environment + (WinPE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) + +## Enabling S Mode – Windows Image (WIM) + +Like enterprise administrators performing large-scale deployment of customized Windows images, education customers can create their own customized Windows images for deployment to multiple classroom devices. An education customer who plans to follow [a traditional image-based deployment +process](https://docs.microsoft.com/windows/deployment/windows-10-deployment-scenarios#traditional-deployment) using a Windows 10 Pro (1803) image for Surface Go devices can enable S mode as follows: + +1. 
Use DISM to mount your offline Windows 10 Pro (1803) image. + + ``` + dism /Mount-image /imagefile:\ {/Index:\ | /Name:\} /MountDir:\ + ``` + +2. Create an unattend.xml answer file, adding the + amd64_Microsoft_Windows_CodeIntegrity component to Pass 2 offline Servicing + and setting amd64_Microsoft_Windows_CodeIntegrity\\SkuPolicyRequired to “1”. + The resulting xml should look like this… + + Copy + ``` + + + 1 + + + ``` +3. Save the answer file in the **Windows\Panther** folder of your mounted image as unattend.xml. +4. Use DISM to apply the unattend.xml file and enable S Mode: + + Copy + ``` + dism /image:C:\mount\windows /apply-unattend:C:\mount\windows\windows\panther\unattend.xml + ``` + + > Note: in the above example, C:\\mount\\ is the local directory used to mount + > the offline image. +5. Commit the image changes and unmount the image + + Copy + ``` + dism /Unmount-image /MountDir:C:\\mount /Commit + ``` +>Note: don’t forget the /Commit parameter to ensure you don’t lose your + changes. + +Your Windows 10 Pro (1803) image now has S mode enabled and is ready to deploy to Surface Go devices. + +## Enabling S Mode – Per Device + +Education customers who wish to avoid the additional overhead associated with Windows image creation, customization, and deployment can enable S mode on a per-device basis. Performing the following steps on a Surface Go device will enable S mode on an existing installation of Windows 10 Pro (1803). + +1. Create a bootable WinPE media. See [Create a bootable Windows PE USB + drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) for details. + +2. Create an unattend.xml answer file, adding the + amd64_Microsoft_Windows_CodeIntegrity component to Pass 2 offline Servicing + and setting amd64_Microsoft_Windows_CodeIntegrity\\SkuPolicyRequired to “1”. The resulting xml should look like this… + + Copy + ``` + + + 1 + + + ``` + +3. 
Attach your bootable WinPE USB drive to a Surface Go device and perform a USB boot (hold the **volume down** button while powering on the device… continue to hold until the Surface logo appears) +4. Wait for WinPE to launch a command window (*X:\\windows\\system32\\cmd.exe*). +5. Apply the unattend.xml created in step 2 using DISM. + + Copy + ``` + dism /image:C:\ /apply-unattend:D:\unattend.xml + ``` + > Note: in the above example, C:\\ is the local OS drive (offline). D:\ is where the S mode unattend.xml file (from Step 2) resides. + +6. Once DISM has successfully applied the unattend.xml, reboot the Surface Go device. +Upon reboot, you should find your Surface Go device now is now in S mode. + +## Troubleshooting + +|ISSUE | RESOLUTION | +|------------------------ |-----------------------| +|DISM fails to apply the unattend.xml because the OS drive is encrypted. | This is one reason why it’s best to enable S mode before setting up and configuring a device. If the OS drive has already been encrypted, you’ll need to fully decrypt the drive before you can enable S mode. | +|Unattend.xml has been applied and dism reports success. However, when I boot the device, it’s not in S mode. This can happen when a device was booted to Windows 10 Pro before S mode was enabled. To resolve this issue, do the following: | 1. **Run** “shutdown.exe -p -f” to force a complete shutdown.
      2. Hold the **vol-up** button while pressing the **power** button to power on the device. Continue to hold **vol-up** until you see the Surface UEFI settings.
      3. Under **Security** find the **Secure Boot** option and disable it.
      4. With SecureBoot disabled choose **exit** -\> **restart now** to exit UEFI settings and reboot the device back to Windows.
      5. Confirm that S mode is now properly enabled.
      6. Once you’ve confirmed S mode, you should re-enable Secure Boot… repeat the above steps, choosing to **Enable** Secure Boot from the UEFI securitysettings. + +## Additional Info + +[Windows 10 deployment scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios) + +[Windows 10 deployment scenarios and tools](https://docs.microsoft.com/en-us/windows/deployment/windows-deployment-scenarios-and-tools) + +[Download and install the Windows ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install) + +[Windows ADK for Windows 10 scenarios for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/windows-adk-scenarios-for-it-pros) + +[Modify a Windows Image Using DISM](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) + +[Service a Windows Image Using DISM](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/service-a-windows-image-using-dism) + +[DISM Image Management Command-Line Options](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) + diff --git a/education/windows/images/suspc-add-recommended-apps-1807.png b/education/windows/images/suspc-add-recommended-apps-1807.png index e579c8f99d..61a674e363 100644 Binary files a/education/windows/images/suspc-add-recommended-apps-1807.png and b/education/windows/images/suspc-add-recommended-apps-1807.png differ diff --git a/education/windows/images/suspc-available-student-settings-1807.png b/education/windows/images/suspc-available-student-settings-1807.png new file mode 100644 index 0000000000..d39fc2ceba Binary files /dev/null and b/education/windows/images/suspc-available-student-settings-1807.png differ 
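Review bot: The fenced examples in the new file are unusable as written: the mount command reads `dism /Mount-image /imagefile:\ {/Index:\ | /Name:\} /MountDir:\` and both unattend.xml samples contain only `1`, which looks like the angle-bracket placeholders and the XML element tags were dropped (either in the source or when the markup was rendered); if they are missing from the source, the placeholders need to be restored, e.g. `dism /Mount-image /imagefile:<path_to_wim> {/Index:<image_index> | /Name:<image_name>} /MountDir:<mount_dir>`, and the XML needs a fenced block tagged `xml` so the tags survive, with the stray `Copy` lines before each fence removed. The front matter has an empty `ms.author:` value. In the Troubleshooting row the reader is told to disable Secure Boot and the closing step only says they "should" re-enable it, which leaves the device with Secure Boot off until they do; state it as required, e.g. `6. Re-enable Secure Boot: repeat the above steps and choose **Enable** Secure Boot from the UEFI security settings.` (this also fixes `securitysettings`). Minor wording under step 6 of the per-device procedure: `now is now in S mode`.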
diff --git a/education/windows/images/suspc-configure-student-settings-1807.png b/education/windows/images/suspc-configure-student-settings-1807.png index 92d6ae184a..553fb4d689 100644 Binary files a/education/windows/images/suspc-configure-student-settings-1807.png and b/education/windows/images/suspc-configure-student-settings-1807.png differ diff --git a/education/windows/images/suspc-createpackage-signin-1807.png b/education/windows/images/suspc-createpackage-signin-1807.png new file mode 100644 index 0000000000..7a80f5c751 Binary files /dev/null and b/education/windows/images/suspc-createpackage-signin-1807.png differ diff --git a/education/windows/images/suspc-createpackage-summary-1807.png b/education/windows/images/suspc-createpackage-summary-1807.png new file mode 100644 index 0000000000..e78ac67856 Binary files /dev/null and b/education/windows/images/suspc-createpackage-summary-1807.png differ diff --git a/education/windows/images/suspc-current-os-version-1807.png b/education/windows/images/suspc-current-os-version-1807.png new file mode 100644 index 0000000000..bc2ba6a08d Binary files /dev/null and b/education/windows/images/suspc-current-os-version-1807.png differ diff --git a/education/windows/images/suspc-current-os-version-next-1807.png b/education/windows/images/suspc-current-os-version-next-1807.png new file mode 100644 index 0000000000..a0b6632bd3 Binary files /dev/null and b/education/windows/images/suspc-current-os-version-next-1807.png differ diff --git a/education/windows/images/suspc-device-names-1807.png b/education/windows/images/suspc-device-names-1807.png index 886ff13413..f3ad674b99 100644 Binary files a/education/windows/images/suspc-device-names-1807.png and b/education/windows/images/suspc-device-names-1807.png differ 
diff --git a/education/windows/images/suspc-savepackage-insertusb-1807.png b/education/windows/images/suspc-savepackage-insertusb-1807.png new file mode 100644 index 0000000000..cd75795863 Binary files /dev/null and b/education/windows/images/suspc-savepackage-insertusb-1807.png differ diff --git a/education/windows/images/suspc-savepackage-ppkgisready-1807.png b/education/windows/images/suspc-savepackage-ppkgisready-1807.png new file mode 100644 index 0000000000..fd82b1e50b Binary files /dev/null and b/education/windows/images/suspc-savepackage-ppkgisready-1807.png differ diff --git a/education/windows/images/suspc-select-wifi-network-1807.png b/education/windows/images/suspc-select-wifi-network-1807.png index 6c7240db39..5a362daaa0 100644 Binary files a/education/windows/images/suspc-select-wifi-network-1807.png and b/education/windows/images/suspc-select-wifi-network-1807.png differ diff --git a/education/windows/images/suspc-take-a-test-1807.png b/education/windows/images/suspc-take-a-test-1807.png new file mode 100644 index 0000000000..ea6295658f Binary files /dev/null and b/education/windows/images/suspc-take-a-test-1807.png differ diff --git a/education/windows/images/suspc-time-zone-1807.png b/education/windows/images/suspc-time-zone-1807.png new file mode 100644 index 0000000000..274e411a4d Binary files /dev/null and b/education/windows/images/suspc-time-zone-1807.png differ diff --git a/education/windows/images/suspc-wifi-network-1807.png b/education/windows/images/suspc-wifi-network-1807.png new file mode 100644 index 0000000000..6e03d35363 Binary files /dev/null and b/education/windows/images/suspc-wifi-network-1807.png differ diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index bdf6a298c9..c4b90aee80 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -7,15 +7,15 @@ ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -ms.localizationpriority: high +ms.localizationpriority: medium author: lenewsad ms.author: lanewsad -ms.date: 07/11/2018 +ms.date: 08/03/2018 --- # Use the Set up School PCs app -IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app anrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM. +IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM. Set up School PCs also: * Joins each student PC to your organization's Office 365 and Azure Active Directory tenant. @@ -46,7 +46,7 @@ USB drives are, by default, FAT32-formatted, and are unable to save more than 4 5. Set **File system** to **NTFS**. 6. Click **Start** to format the drive. -### Prepare existing PC account for new setup +### Prepare existing PC account for new setup Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data. If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state. 
@@ -68,12 +68,12 @@ This section offers recommendations to prepare you for the best possible setup e ### Run the same Windows 10 build on the admin device and the student PCs We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs. -### Student PCs should meet OS requirements for the app -Check the minimum OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs. +### Student PCs should meet OS requirements for the app +Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs. To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**. -### Use app on a PC that is connected to your school's network +### Use app on a PC that is connected to your school's network We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually. > [!NOTE] 
@@ -82,7 +82,7 @@ We recommend that you run the Set up School PCs app on a computer that's connect >* Open Wi-Fi networks that require the user to accept Terms of Use. ### Run app on an open network or network that requires a basic password -Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up numerous devices over Wi-Fi, make sure that your network configuration can support it. +Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it. We recommend that you: * Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously. 
@@ -92,16 +92,17 @@ We recommend that you: > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. ### Use an additional USB drive -You can set up PCs at the same time. Just save the provisioning package to an additional USB drive. Then plug them in at the same time during deployment. +To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup. -### Limit changes to school-optimized settings +### Limit changes to school-optimized settings -We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and sign-in time. -## Create the provisioning package +We strongly recommend that you avoid changing preset policies. Changes can slow down setup, performance, and the time it takes to sign in. + +## Create the provisioning package The **Set up School PCs** app guides you through the configuration choices for the student PCs. -### Sign-in +### Sign in 1. Open the Set up School PCs app on your PC and click **Get started**. ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png) 
@@ -120,10 +121,10 @@ a. Click **Work or school account** > **Continue**. 1. Click **Accept** to allow Set up School PCs to access your account throughout setup. 2. When your account name appears on the page, as shown in the image below, click **Next.** - ![Verify that the account you selected shows up](images/suspc_createpackage_signin.png) + ![Verify that the account you selected shows up](images/suspc-createpackage-signin-1807.png) ### Wireless network -Add and save a wireless network profile to provision on each student PC. Only skip Wi-Fi setup if you have an Ethernet connection. +Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection. Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.** 
@@ -139,41 +140,54 @@ To make sure all device names are unique, Set up School PCs automatically append ### Settings -Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. +Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs. +![Screenshot of the Current OS version page with the Select OS version menu selected, showing 6 Windows 10 options. All other settings on page are unavailable to select.](images/suspc-current-os-version-1807.png) -![Configure student PC settings page showing 5 settings with checkboxes and 1 setting with browser button](images/suspc-configure-student-settings-1807.png) +Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10. -Setting selections vary based on the OS version you select. The following table lists all possible settings, descriptions, and important notes to consider. After you've made your selections, click **Next**. +![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspc-available-student-settings-1807.png) +> [!NOTE] +> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot below, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, you will not be asked to configure the time zone. -|Setting |What happens if I select it? |Note| -|---------|---------|---------| -|Remove apps pre-installed by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. 
|Adds about 30 minutes to the provisioning process.| -|Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.| -|Optimize device for a single student, instead of a shared cart or lab |Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | -|Let guests sign in to these PCs |Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| -|Enable Windows Autopilot Reset | Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| -|Lock screen background|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| +The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column. +|Setting |1703|1709|1803|What happens if I select it? 
|Note| +|---------|---------|---------|---------|---------|---------| +|Remove apps pre-installed by the device manufacturer |X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.| +|Allow local storage (not recommended for shared devices) |X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be part of a shared cart or lab.| +|Optimize device for a single student, instead of a shared cart or lab |X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended option only if the device is not shared with other students in the school. Single-optimized accounts are set to expire, and require a signin, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. | +|Let guests sign in to these PCs |X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.| +|Enable Autopilot Reset |Not available|X|X| Lets you remotely reset a student’s PC from the lock screen, apply the device’s original settings, and enroll it in device management (Azure AD and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.| +|Lock screen background|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.| -### Take a Test app +After you've made your selections, click **Next**. + +![Configure student PC settings page showing 5 settings, with two settings selected. 
Lock screen background image is the default image. Cursor is hovering over the blue Next button.](images/suspc-current-os-version-next-1807.png) + +### Time zone + +> [!WARNING] +> If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error. + +Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**. + +![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspc-time-zone-1807.png) + +### Take a Test Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device. 1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs. - ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc_createpackage_takeatestpage_073117.png) -2. Select from the advanced settings. The following table lists available settings and their descriptions. - -|Setting |Description | -|---------|---------| -|Allow keyboard auto-suggestions | Allows app to suggest words as the student types on the PC's keyboard. | -|Allow teachers to monitor online tests | Enables screen capture in the Take a Test app. | + ![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspc-take-a-test-1807.png) +2. Select from the advanced settings. Available settings inclue: + * Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard. 
+ * Allow teachers to monitor online tests: Enables screen capture in the Take a Test app. 3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment. - 4. Click **Next**. -### Add recommended apps +### Recommended apps Choose from a list of recommended Microsoft Store apps to install on student PCs. Then click **Next**. After they're assigned, apps are pinned to the student's Start menu. ![Add recommended apps screen with 7 icons of recommended apps and selection boxes. Skip button is enabled and Next button is disabled. ](images/suspc-add-recommended-apps-1807.png) 
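Review bot: The new prose and its screenshot disagree on the example version: the sentence says the settings shown are those available "when you select **Windows 10 version 1703**" (and that Autopilot Reset is unavailable, which matches the table's 1703 column), but the alt text of the image that follows says "with Windows 10 version 1803 selected"; one of the two should be corrected so readers can trust the table. The Note added above the table refers to "the screenshot below", although the time-zone screenshot it appears to mean is several sections further down, so naming the section (`see the Time zone section`) would be clearer. In the Take a Test list, `Available settings inclue:` should read `Available settings include:`.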
@@ -186,23 +200,25 @@ The following table lists the recommended apps you'll see. |Minecraft: Education Edition | Free trial| |Other apps fit for the classroom |Select from WeDo 2.0 LEGO®, Arduino IDE, Ohbot, Sesavis Visual, and EV3 Programming| +If you receive an error and are unable to add the selected apps, click **Skip**. Contact your IT admin to get these apps later. + ### Summary 1. Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over. 2. To make changes now, click any page along the left side of the window. 3. When finished, click **Accept**. - ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Take a Test, and Recommended apps. Accept button is active and the page contains three links on the right-hand side to help and support.](images/suspc_createpackage_summary_073117.png) + ![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspc-createpackage-summary-1807.png) ### Insert USB 1. Insert a USB drive. The **Save** button will light up when your computer detects the USB. 2. Choose your USB drive from the list and click **Save**. - ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc_savepackage_insertusb.png) + ![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspc-savepackage-insertusb-1807.png) 3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**. 
- ![Your provisioning package is ready screen with package details, active Next button, and grayed-out Add a USB button.](images/suspc_savepackage_ppkgisready.png) + ![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspc-savepackage-ppkgisready-1807.png) ## Run package - Get PCs ready Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**. @@ -231,8 +247,8 @@ When used in context of the Set up School PCs app, the word *package* refers to ![Screen with message telling user to remove the USB drive.](images/suspc_setup_removemediamessage.png) -4. If you did not set up the package to do Azure AD Join, go through the rest of the Windows device setup experience. If you did configure the package for Azure AD Join, the computer is ready for use and no further configurations are required. +4. If you didn't set up the package with Azure AD Join, continue the Windows device setup experience. If you did configure the package with Azure AD Join, the computer is ready for use and no further configurations are required. - If successful, you'll see a setup complete message. The PCs start up on the lock screen with your school's custom background. Upon first use, students and teachers will be able to connect to your school's network and resources. + If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources. diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 0c32462f68..77282ce61d 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md 
@@ -32,7 +32,7 @@ Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and For Cortana[1](#footnote1), - If you're using version 1607, Cortana is removed. - If you're using new devices with version 1703, Cortana is turned on by default. -- If you're upgrading from version 1607 to version 1703, Cortana will be enabled. +- If you're upgrading from version 1607 to version 1703, Cortana will be enabled. You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). @@ -51,7 +51,7 @@ Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise For Cortana1, - If you're using version 1607, Cortana1 is removed. - If you're using new devices with version 1703, Cortana is turned on by default. -- If you're upgrading from version 1607 to version 1703, Cortana will be enabled. +- If you're upgrading from version 1607 to version 1703, Cortana will be enabled. You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). @@ -63,7 +63,7 @@ For any other questions, contact [Microsoft Customer Service and Support](https: ## Related topics * [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) -* [Windows deployment for education](http://aka.ms/edudeploy) +* [Windows deployment for education](https://aka.ms/edudeploy) * [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787) * [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788) * [Plan for volume activation](https://go.microsoft.com/fwlink/?LinkId=822789) diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md index 4d7ec7cd8c..c3b4414d7c 100644 --- a/mdop/agpm/index.md +++ b/mdop/agpm/index.md 
@@ -61,14 +61,14 @@ In addition to the product documentation available online, supplemental product MDOP is a suite of products that can help streamline desktop deployment, management, and support across the enterprise. MDOP is available as an additional subscription for Software Assurance customers. -**Evaluate MDOP** -MDOP is also available for test and evaluation to [MSDN](http://msdn.microsoft.com/subscriptions/downloads/default.aspx?PV=42:178) and [TechNet](http://technet.microsoft.com/subscriptions/downloads/default.aspx?PV=42:178) subscribers in accordance with MDSN and TechNet agreements. +**Evaluate MDOP** +MDOP is also available for test and evaluation to [MSDN](https://msdn.microsoft.com/subscriptions/downloads/default.aspx?PV=42:178) and [TechNet](https://technet.microsoft.com/subscriptions/downloads/default.aspx?PV=42:178) subscribers in accordance with MDSN and TechNet agreements. -**Download MDOP** +**Download MDOP** MDOP subscribers can download the software at the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/?LinkId=166331). -**Purchase MDOP** -Visit the enterprise [Purchase Windows Enterprise Licensing](http://www.microsoft.com/windows/enterprise/how-to-buy.aspx) website to find out how to purchase MDOP for your business. +**Purchase MDOP** +Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/windows/enterprise/how-to-buy.aspx) website to find out how to purchase MDOP for your business.   diff --git a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md index 5dec2b8fb8..4f285ff5cf 100644 --- a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md +++ b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md 
@@ -50,7 +50,7 @@ The hardware requirements are applicable to all versions. Operating System Edition Service Pack -System Architecture +Achitectural SKU @@ -74,31 +74,21 @@ The hardware requirements are applicable to all versions.

      Windows 8

      -

      Professional or Enterprise Edition

      +

      Pro or Enterprise Edition

      x86 and x64

      -  - -**Note**   The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first. - - **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). + - **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266). -- **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266). - -  - -**Note**   For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed. 
- **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700). -  - ### Software Requirements for Versions that Precede App-V 4.6 SP2 @@ -113,7 +103,7 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add - + @@ -121,33 +111,26 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add - + - + - +
      Operating System Edition Service PackSystem ArchitectureAchitectural SKU

      Windows XP

      Professional Edition

      SP2 or SP3

      x86

      x86 and x64

      Windows Vista

      Business, Enterprise, or Ultimate Edition

      No service pack, SP1, or SP2

      x86

      x86 and x64

      Windows 7¹

      Professional, Enterprise, or Ultimate Edition

      No service pack or SP1

      x86

      x86 and x64

      - -  - ¹Supported for App-V 4.5 SP1 and SP2, App-V 4.6 and 4.6 SP1 only -**Note**   -The Application Virtualization (App-V) 4.6 Desktop Client supports 32-bit and 64-bit versions of these operating systems. +The Application Virtualization (App-V) 4.6 Desktop Client supports x86 and x64 SKUs of these operating systems. -  - -**Note**   The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first. - **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). 
@@ -156,25 +139,16 @@ The following software prerequisites are installed automatically if you are usin - **Microsoft Application Error Reporting**—The installation program for this software is included in the **Support\\Watson** folder in the self-extracting archive file. -  - -**Note**   For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed. - **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700). -  - ## Application Virtualization Client for Remote Desktop Services - Following are the recommended hardware and software requirements for the Application Virtualization Client for Remote Desktop Services. The requirements are listed first for appv461\_3, followed by the requirements for versions that preceded App-V 4.6 SP2. -**Note**   The Application Virtualization (App-V) Client for Remote Desktop Services requires no additional processor or RAM resources beyond the requirements of the host operating system. -  - ### Hardware Requirements The hardware requirements are applicable to all versions. @@ -199,7 +173,7 @@ The hardware requirements are applicable to all versions. Operating System Edition Service Pack -System Architecture +Achitectural SKU @@ -207,13 +181,13 @@ The hardware requirements are applicable to all versions.

      Windows Server 2003 R2

      Standard Edition, Enterprise Edition, or Datacenter Edition

      SP2

      -

      x86

      +

      x86 and x64

      Windows Server 2008

      Standard, Enterprise, or Datacenter Edition

      SP2

      -

      x86

      +

      x86 and x64

      Windows Server 2008 R2

      @@ -225,14 +199,11 @@ The hardware requirements are applicable to all versions.

      Windows Server 2012

      Standard, Enterprise, or Datacenter Edition

      -

      x86 or x64

      +

      x64

      -  - -**Note**   The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first. - **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). @@ -241,15 +212,10 @@ The following software prerequisites are installed automatically if you are usin - **Microsoft Application Error Reporting**—The installation program for this software is included in the **Support\\Watson** folder in the self-extracting archive file. -  - -**Note**   For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed. - **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700). -  - ### Software Requirements for Versions that Precede App-V 4.6 SP2 @@ -264,7 +230,7 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add - + 
@@ -272,19 +238,19 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add - + - + - + @@ -295,31 +261,11 @@ For the Application Virtualization (App-V) 4.6 Desktop Client, the following add
      Operating System Edition Service PackSystem ArchitectureAchitectural SKU

      Windows Server 2003

      Standard Edition, Enterprise Edition, or Datacenter Edition

      SP1 or SP2

      x86

      x86 and x64

      Windows Server 2003 R2

      Standard Edition, Enterprise Edition, or Datacenter Edition

      No service pack or SP2

      x86

      x86 and x64

      Windows Server 2008

      Standard, Enterprise, or Datacenter Edition

      SP1 or SP2

      x86

      x86 and x64

      Windows Server 2008 R2

      -  - -**Note**   -The Application Virtualization (App-V) 4.6 Client for Remote Desktop Services supports 32-bit and 64-bit versions of these operating systems. - -  +The Application Virtualization (App-V) 4.6 Client for Remote Desktop Services supports x86 and x64 SKUs of these operating systems. ## Related topics - - -[Application Virtualization Sequencer Hardware and Software Requirements](application-virtualization-sequencer-hardware-and-software-requirements.md) - -[Application Virtualization System Requirements](application-virtualization-system-requirements.md) - -[How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) - -[How to Manually Install the Application Virtualization Client](how-to-manually-install-the-application-virtualization-client.md) - -[How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md) - -  - -  - - - - - +- [Application Virtualization Sequencer Hardware and Software Requirements](application-virtualization-sequencer-hardware-and-software-requirements.md) +- [Application Virtualization System Requirements](application-virtualization-system-requirements.md) +- [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) +- [How to Manually Install the Application Virtualization Client](how-to-manually-install-the-application-virtualization-client.md) +- [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md) diff --git a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md index 01ed9e88ed..9186e17f03 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md 
+++ b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md
@@ -86,7 +86,7 @@ The following list outlines the supported operating systems for running the App-

      Windows 8

      -

      Professional or Enterprise Edition

      +

      Pro or Enterprise Edition

      x86 and x64

      diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md
index c085c1698f..6aa8082174 100644
--- a/mdop/appv-v5/about-app-v-50-sp3.md
+++ b/mdop/appv-v5/about-app-v-50-sp3.md
@@ -99,7 +99,7 @@ Review the following information before you start the upgrade:
      Note   -

      To use the App-V client user interface, download the existing version from [Microsoft Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

      +

      To use the App-V client user interface, download the existing version from [Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186).

        @@ -190,7 +190,7 @@ Complete the following steps to upgrade each component of the App-V infrastructu

      Management database

      -

      To install or upgrade, see [SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail](http://support.microsoft.com/kb/3031340).

      +

      To install or upgrade, see [SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail](https://support.microsoft.com/kb/3031340).

      Reporting database

      @@ -720,7 +720,7 @@ Cmdlet help is available in the following formats:

      On TechNet as web pages

      -

      See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](http://technet.microsoft.com/library/dn520245.aspx).

      +

      See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx).

      diff --git a/mdop/appv-v5/about-app-v-51-dynamic-configuration.md b/mdop/appv-v5/about-app-v-51-dynamic-configuration.md
index b88cdd9529..45009f6404 100644
--- a/mdop/appv-v5/about-app-v-51-dynamic-configuration.md
+++ b/mdop/appv-v5/about-app-v-51-dynamic-configuration.md
@@ -1,877 +1,905 @@
 ---
-title: About App-V 5.1 Dynamic Configuration
-description: About App-V 5.1 Dynamic Configuration
+title: About App-V 5.1 dynamic configuration
+description: You can use the dynamic configuration to customize an App-V 5.1 package for a user. Use the following information to create or edit an existing dynamic configuration file.
 author: jamiejdt
-ms.assetid: 6cc1027c-576f-483b-ad0d-bb700594a92c
+ms.assetid: 35bc9908-d502-4a9c-873f-8ee17b6d9d74
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
-ms.date: 06/16/2016
+ms.date: 08/28/2018
+ms.author: pashort
 ---
+# About App-V 5.1 dynamic configuration
+With dynamic configuration, you can edit the dynamic configuration file to customize how an App-V 5.1 package runs for a user or group. Package customization removes the need to resequence packages using the desired settings. It also provides a way to keep package content and custom settings independent.
-# About App-V 5.1 Dynamic Configuration
+Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization).
+When a package gets created, the sequencer generates default deployment and user configuration .xml files automatically using the package manifest data. Therefore, these generated files reflect the default settings configured during sequencing. If you apply these files to a package in the form generated by the sequencer, the packages have the same default settings that came from their manifest.
-You can use the dynamic configuration to customize an App-V 5.1 package for a user. Use the following information to create or edit an existing dynamic configuration file.
+Use these generated files to make changes, if necessary, which doesn’t directly affect the package. 
If you want to add, delete or update the configuration files, make your changes about the default values in the manifest information. -When you edit the dynamic configuration file it customizes how an App-V 5.1 package will run for a user or group. This helps to provide a more convenient method for package customization by removing the need to re-sequence packages using the desired settings, and provides a way to keep package content and custom settings independent. +>[!TIP] +>The order in which the files read are:
      • UserConfig.xml
      • DeploymentConfig.xml
      • Manifest

      The first entry represents what gets read last. Therefore, its content takes precedence, and all packages inherently contain and provide default settings from the package manifest.

      1. If customizing the DeploymentConfig.xml file and apply the customized settings, the default settings in the package manifest get overridden.
      2. If customizing the UserConfig.xml and apply the customized settings, the default settings for both the deployment configuration and the package manifest get overridden.
      -## Advanced: Dynamic Configuration +## User configuration file contents (UserConfig.xml) +The UserConfig file provides configuration settings that get applied for a specific user when deploying the package to a computer running the App-V 5.1 client. These settings don’t affect any other users on the client. +Use the UserConfig file to specify or modify custom settings for a package: -Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: +- Extensions integrated into the native system per user: shortcuts, file-type associations, URL protocols, AppPaths, software clients and COM +- Virtual subsystems: application objects, environment variables, registry modifications, services and fonts +- Scripts (user context only) +- Managing authority (for controlling co-existence of package with App-V 4.6) -- User Configuration file +### Header -- Deployment configuration file +The header of a dynamic user configuration file looks like: -The previous .xml files specify package settings and allow for packages to be customized without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. Therefore, these automatically generated configuration files simply reflect the default settings that the package innately as from how things were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This provides you with a package-specific template to get started if any of the defaults must be changed. 
- -**Note**   -The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. - -  - -### Dynamic Configuration file contents - -All of the additions, deletions, and updates in the configuration files need to be made in relation to the default values specified by the package's manifest information. Review the following table: - - --- - - - - - - - - - - - -

      User Configuration .xml file

      Deployment Configuration .xml file

      Package Manifest

      - -  - -The previous table represents how the files will be read. The first entry represents what will be read last, therefore, its content takes precedence. Therefore, all packages inherently contain and provide default settings from the package manifest. If a deployment configuration .xml file with customized settings is applied, it will override the package manifest defaults. If a user configuration .xml file with customized settings is applied prior to that, it will override both the deployment configuration and the package manifest defaults. - -The following list displays more information about the two file types: - -- **User Configuration File (UserConfig)** – Allows you to specify or modify custom settings for a package. These settings will be applied for a specific user when the package is deployed to a computer running the App-V 5.1 client. - -- **Deployment Configuration File (DeploymentConfig)** – Allows you to specify or modify the default settings for a package. These settings will be applied for all users when a package is deployed to a computer running the App-V 5.1 client. - -To customize the settings for a package for a specific set of users on a computer or to make changes that will be applied to local user locations such as HKCU, the UserConfig file should be used. To modify the default settings of a package for all users on a machine or to make changes that will be applied to global locations such as HKEY\_LOCAL\_MACHINE and the all users folder, the DeploymentConfig file should be used. 
- -The UserConfig file provides configuration settings that can be applied to a single user without affecting any other users on a client: - -- Extensions that will be integrated into the native system per user:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM - -- Virtual Subsystems:- Application Objects, Environment variables, Registry modifications, Services and Fonts - -- Scripts (User context only) - -- Managing Authority (for controlling co-existence of package with App-V 4.6) - -The DeploymentConfig file provides configuration settings in two sections, one relative to the machine context and one relative to the user context providing the same capabilities listed in the UserConfig list above: - -- All UserConfig settings above - -- Extensions that can only be applied globally for all users - -- Virtual Subsystems that can be configured for global machine locations e.g. registry - -- Product Source URL - -- Scripts (Machine context only) - -- Controls to Terminate Child Processes - -### File structure - -The structure of the App-V 5.1 Dynamic Configuration file is explained in the following section. - -### Dynamic User Configuration file - -**Header** - the header of a dynamic user configuration file is as follows: - -<?xml version="1.0" encoding="utf-8"?><UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> - -The **PackageId** is the same value as exists in the Manifest file. - -**Body** - the body of the Dynamic User Configuration file can include all the app extension points that are defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: - -1. **Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. 
This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. - - <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> - - <Applications> - - <!-- No new application can be defined in policy. AppV Client will ignore any application ID that is not also in the Manifest file --> - - <Application Id="{a56fa627-c35f-4a01-9e79-7d36aed8225a}" Enabled="false"> - - </Application> - - </Applications> - - … - - </UserConfiguration> - -2. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the <Subsystems>: - - <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> - - <Subsystems> - - .. - - </Subsystems> - - .. - - </UserConfiguration> - - Each subsystem can be enabled/disabled using the “**Enabled**” attribute. Below are the various subsystems and usage samples. - - **Extensions:** - - Some subsystems (Extension Subsystems) control Extensions. Those subsystems are:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM - - Extension Subsystems can be enabled and disabled independently of the content.  Thus if Shortcuts are enabled, The client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an <Extensions> node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. - - Example using the shortcuts subsystem: - - 1. 
If the user defined this in either the dynamic or deployment config file: - -                              **<Shortcuts  Enabled="true">** - -                                          **<Extensions>** - -                                           ... - -                                          **</Extensions>** - -                              **</Shortcuts>** - -                   Content in the manifest will be ignored.    - - 2. If the user defined only the following: - -                             **<Shortcuts  Enabled="true"/>** - -                   Then the content in the Manifest will be integrated during publishing. - - 3. If the user defines the following - -                            **<Shortcuts  Enabled="true">** - -                                          **<Extensions/>** - -                              **</Shortcuts>** - - Then all the shortcuts within the manifest will still be ignored. There will be no shortcuts integrated. - - The supported Extension Subsystems are: - - **Shortcuts:** This controls shortcuts that will be integrated into the local system. 
Below is a sample with 2 shortcuts: - - <Subsystems> - - <Shortcuts Enabled="true"> - -   <Extensions> - -     <Extension Category="AppV.Shortcut"> - -       <Shortcut> - -         <File>\[{Common Programs}\]\\Microsoft Contoso\\Microsoft ContosoApp Filler 2010.lnk</File> - -         <Target>\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE</Target> - -         <Icon>\[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\inficon.exe</Icon> - -         <Arguments /> - -         <WorkingDirectory /> - -         <AppUserModelId>ContosoApp.Filler.3</AppUserModelId> - -         <Description>Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft ContosoApp.</Description> - -         <Hotkey>0</Hotkey> - -         <ShowCommand>1</ShowCommand> - -         <ApplicationId>\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE</ApplicationId> - -       </Shortcut> - -   </Extension> - -   <Extension Category="AppV.Shortcut"> - -     <Shortcut> - -       <File>\[{AppData}\]\\Microsoft\\Contoso\\Recent\\Templates.LNK</File> - -       <Target>\[{AppData}\]\\Microsoft\\Templates</Target> - -       <Icon /> - -       <Arguments /> - -       <WorkingDirectory /> - -       <AppUserModelId /> - -       <Description /> - -       <Hotkey>0</Hotkey> - -       <ShowCommand>1</ShowCommand> - -       <!-- Note the ApplicationId is optional --> - -     </Shortcut> - -   </Extension> - -  </Extensions> - - </Shortcuts> - - **File-Type Associations:** Associates File-types with programs to open by default as well as setup the context menu. (MIME types can also be setup using this susbsystem). 
Sample File-type Association is below: - - <FileTypeAssociations Enabled="true"> - - <Extensions> - -   <Extension Category="AppV.FileTypeAssociation"> - -     <FileTypeAssociation> - -       <FileExtension MimeAssociation="true"> - -       <Name>.docm</Name> - -       <ProgId>contosowordpad.DocumentMacroEnabled.12</ProgId> - -       <PerceivedType>document</PerceivedType> - -       <ContentType>application/vnd.ms-contosowordpad.document.macroEnabled.12</ContentType> - -       <OpenWithList> - -         <ApplicationName>wincontosowordpad.exe</ApplicationName> - -       </OpenWithList> - -      <OpenWithProgIds> - -         <ProgId>contosowordpad.8</ProgId> - -       </OpenWithProgIds> - -       <ShellNew> - -         <Command /> - -         <DataBinary /> - -         <DataText /> - -         <FileName /> - -         <NullFile>true</NullFile> - -         <ItemName /> - -         <IconPath /> - -         <MenuText /> - -         <Handler /> - -       </ShellNew> - -     </FileExtension> - -     <ProgId> - -        <Name>contosowordpad.DocumentMacroEnabled.12</Name> - -         <DefaultIcon>\[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\contosowordpadicon.exe,15</DefaultIcon> - -         <Description>Blah Blah Blah</Description> - -         <FriendlyTypeName>\[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,9182</FriendlyTypeName> - -         <InfoTip>\[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,1424</InfoTip> - -         <EditFlags>0</EditFlags> - -         <ShellCommands> - -           <DefaultCommand>Open</DefaultCommand> - -           <ShellCommand> - -              <ApplicationId>{e56fa627-c35f-4a01-9e79-7d36aed8225a}</ApplicationId> - -              <Name>Edit</Name> - -              <FriendlyName>&Edit</FriendlyName> - -              <CommandLine>"\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /vu "%1"</CommandLine> - -           </ShellCommand> - -           </ShellCommand> - -             
<ApplicationId>{e56fa627-c35f-4a01-9e79-7d36aed8225a}</ApplicationId> - -             <Name>Open</Name> - -             <FriendlyName>&Open</FriendlyName> - -             <CommandLine>"\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /n "%1"</CommandLine> - -             <DropTargetClassId /> - -             <DdeExec> - -               <Application>mscontosowordpad</Application> - -               <Topic>ShellSystem</Topic> - -               <IfExec>\[SHELLNOOP\]</IfExec> - -               <DdeCommand>\[SetForeground\]\[ShellNewDatabase "%1"\]</DdeCommand> - -             </DdeExec> - -           </ShellCommand> - -         </ShellCommands> - -       </ProgId> - -      </FileTypeAssociation> - -    </Extension> - -   </Extensions> - -   </FileTypeAssociations> - - **URL Protocols**: This controls the URL Protocols that are integrated into the local registry of the client machine e.g. “mailto:”. - - <URLProtocols Enabled="true"> - - <Extensions> - - <Extension Category="AppV.URLProtocol"> - - <URLProtocol> - -   <Name>mailto</Name> - -   <ApplicationURLProtocol> - -   <DefaultIcon>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE,-9403</DefaultIcon> - -   <EditFlags>2</EditFlags> - -   <Description /> - -   <AppUserModelId /> - -   <FriendlyTypeName /> - -   <InfoTip /> - - <SourceFilter /> - -   <ShellFolder /> - -   <WebNavigableCLSID /> - -   <ExplorerFlags>2</ExplorerFlags> - -   <CLSID /> - -   <ShellCommands> - -   <DefaultCommand>open</DefaultCommand> - -   <ShellCommand> - -   <ApplicationId>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationId> - -   <Name>open</Name> - -   <CommandLine>\[{ProgramFilesX86}\\Microsoft Contoso\\Contoso\\contosomail.EXE" -c OEP.Note /m "%1"</CommandLine> - -   <DropTargetClassId /> - -   <FriendlyName /> - -   <Extended>0</Extended> - -   <LegacyDisable>0</LegacyDisable> - -   <SuppressionPolicy>2</SuppressionPolicy> - -    <DdeExec> - -   <NoActivateHandler /> - -   
<Application>contosomail</Application> - -   <Topic>ShellSystem</Topic> - -   <IfExec>\[SHELLNOOP\]</IfExec> - -   <DdeCommand>\[SetForeground\]\[ShellNewDatabase "%1"\]</DdeCommand> - -   </DdeExec> - -   </ShellCommand> - -   </ShellCommands> - -   </ApplicationURLProtocol> - -   </URLProtocol> - -   </Extension> - -   </Extension> - -   </URLProtocols> - - **Software Clients**: Allows the app to register as an Email client, news reader, media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. - - <SoftwareClients Enabled="true"> - -   <ClientConfiguration EmailEnabled="false" /> - - </SoftwareClients> - - AppPaths:- If an application for example contoso.exe is registered with an apppath name of “myapp”, it allows you type “myapp” under the run menu and it will open contoso.exe. - - <AppPaths Enabled="true"> - - <Extensions> - - <Extension Category="AppV.AppPath"> - - <AppPath> - -   <ApplicationId>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationId> - -   <Name>contosomail.exe</Name> - -   <ApplicationPath>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationPath> - -   <PATHEnvironmentVariablePrefix /> - -   <CanAcceptUrl>false</CanAcceptUrl> - -   <SaveUrl /> - - </AppPath> - - </Extension> - - </Extensions> - - </AppPaths> - - **COM**: Allows an Application register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. 
- - <COM Mode="Isolated"/> - - **Other Settings**: - - In addition to Extensions, other subsystems can be enabled/disabled and edited: - - **Virtual Kernel Objects**: - - <Objects Enabled="false" /> - - **Virtual Registry**: Used if you want to set a registry in the Virtual Registry within HKCU - - <Registry Enabled="true"> - - <Include> - - <Key Path="\\REGISTRY\\USER\\\[{AppVCurrentUserSID}\]\\Software\\ABC"> - - <Value Type="REG\_SZ" Name="Bar" Data="NewValue" /> - -  </Key> - -   <Key Path="\\REGISTRY\\USER\\\[{AppVCurrentUserSID}\]\\Software\\EmptyKey" /> - -  </Include> - - <Delete> - -   </Registry> - - **Virtual File System** - -       <FileSystem Enabled="true" /> - - **Virtual Fonts** - -       <Fonts Enabled="false" /> - - **Virtual Environment Variables** - - <EnvironmentVariables Enabled="true"> - - <Include> - -        <Variable Name="UserPath" Value="%path%;%UserProfile%" /> - -        <Variable Name="UserLib" Value="%UserProfile%\\ABC" /> - -        </Include> - -       <Delete> - -        <Variable Name="lib" /> - -         </Delete> - -         </EnvironmentVariables> - - **Virtual services** - -       <Services Enabled="false" /> - -3. **UserScripts** – Scripts can be used to setup or alter the virtual environment as well as execute scripts at time of deployment or removal, before an application executes, or they can be used to “clean up” the environment after the application terminates. Please reference a sample User configuration file that is output by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used. - -4. **ManagingAuthority** – Can be used when 2 versions of your package are co-existing on the same machine, one deployed to App-V 4.6 and the other deployed on App-V 5.0. 
To Allow App-V vNext to take over App-V 4.6 extension points for the named package enter the following in the UserConfig file (where PackageName is the Package GUID in App-V 4.6: - - <ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName="032630c0-b8e2-417c-acef-76fc5297fe81" /> - -### Dynamic Deployment Configuration file - -**Header** - The header of a Deployment Configuration file is as follows: - -<?xml version="1.0" encoding="utf-8"?><DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration"> +```xml + +``` The **PackageId** is the same value as exists in the manifest file. -**Body** - The body of the deployment configuration file includes two sections: -- User Configuration section –allows the same content as the User Configuration file described in the previous section. When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. +### Body -- Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. +The body of the dynamic user configuration file can include all the app extension points defined in the manifest file, as well as information to configure virtual applications. 
There are four subsections allowed in the body: -<DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration"> +1. **[Applications](#applications)** +2. **[Subsystems](#subsystems)** +3. **[UserScripts](#userscripts)** +4. **[ManagingAuthority](#managingauthority)** -<UserConfiguration> +#### Applications -  .. +All app-extensions contained in the manifest file within a package have an Application ID assigned, which you find in the manifest file. The Application ID lets you enable or disable all extensions for a given application within a package. The Application ID must exist in the manifest file, or it gets ignored. -</UserConfiguration> +```XML + -<MachineConfiguration> + + + + + + + + + .. -</MachineConfiguration> + + +``` + +#### Subsystems + +AppExtensions and other subsystems arranged as subnodes. + +```XML + + + .. -</MachineConfiguration> + -</DeploymentConfiguration> +.. -**User Configuration** - use the previous **Dynamic User Configuration file** section for information on settings that are provided in the user configuration section of the Deployment Configuration file. + -Machine Configuration - the Machine configuration section of the Deployment Configuration File is used to configure information that can be set only for an entire machine, not for a specific user on the computer. For example, HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. There are four subsections allowed in under this element +``` -1. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under <Subsystems>: +You can enable or disable each subsystem using the **Enabled** attribute. - <MachineConfiguration> +**Extensions** -   <Subsystems> +Some subsystems (extension subsystems) control extensions. Those subsystems are Shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. -   .. 
+Extension subsystems can be enabled and disabled independently of the content. For example, if you enable Shortcuts, the client uses the Shortcuts contained within the manifest by default. Each extension subsystem can contain an \ node. If this child element is present, the client ignores the content in the manifest file for that subsystem and only use the content in the configuration file. -   </Subsystems> +_**Examples:**_ - .. +- If you define this in either the user or deployment config file, the content in the manifest gets ignored. - </MachineConfiguration> + ```XML - The following section displays the various subsystems and usage samples. + - **Extensions**: + - Some subsystems (Extension Subsystems) control Extensions which can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The same rules for controls and settings that apply to the Extensions in the User Configuration also apply to those in the MachineConfiguration section. + ... - **Application Capabilities**: Used by default programs in windows operating system Interface. Allows an application to register itself as capable of opening certain file extensions, as a contender for the start menu internet browser slot, as capable of opening certain windows MIME types.  This extension also makes the virtual application visible in the Set Default Programs UI.: + - <ApplicationCapabilities Enabled="true"> + -   <Extensions> + ``` +- If you define only the following, the content in the manifest gets integrated during publishing. + + ```XML -    <Extension Category="AppV.ApplicationCapabilities"> + -     <ApplicationCapabilities> + ``` -      <ApplicationId>\[{PackageRoot}\]\\LitView\\LitViewBrowser.exe</ApplicationId> +- If you define the following, all Shortcuts within the manifest still get ignored. 
In other words, no Shortcuts get integrated. -      <Reference> + ```XML -       <Name>LitView Browser</Name> + -       <Path>SOFTWARE\\LitView\\Browser\\Capabilities</Path> + -      </Reference> + -    <CapabilityGroup> + ``` -     <Capabilities> +_**Supported extension subsystems:**_ -      <Name>@\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12345</Name> +**Shortcuts** extension subsystem controls what shortcuts get integrated into the local system. -      <Description>@\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12346</Description> +```XML -      <Hidden>0</Hidden> + -      <EMailSoftwareClient>Lit View E-Mail Client</EMailSoftwareClient> + -      <FileAssociationList> + -       <FileAssociation Extension=".htm" ProgID="LitViewHTML" /> + -       <FileAssociation Extension=".html" ProgID="LitViewHTML" /> + -       <FileAssociation Extension=".shtml" ProgID="LitViewHTML" /> + [{Common Programs}]\Microsoft Contoso\Microsoft ContosoApp Filler 2010.lnk -      </FileAssociationList> + [{PackageRoot}]\Contoso\ContosoApp.EXE -      <MIMEAssociationList> + + [{Windows}]\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe -       <MIMEAssociation Type="audio/mp3" ProgID="LitViewHTML" /> + -       <MIMEAssociation Type="audio/mpeg" ProgID="LitViewHTML" /> + -      </MIMEAssociationList> + ContosoApp.Filler.3 -     <URLAssociationList> + Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft ContosoApp. 
-       <URLAssociation Scheme="http" ProgID="LitViewHTML.URL.http" /> + 0 -      </URLAssociationList> + 1 + + [{PackageRoot}]\Contoso\ContosoApp.EXE -      </Capabilities> + -   </CapabilityGroup> + -    </ApplicationCapabilities> + -   </Extension> + + + [{AppData}]\Microsoft\Contoso\Recent\Templates.LNK - </Extensions> + [{AppData}]\Microsoft\Templates - </ApplicationCapabilities> + - **Other Settings**: + - In addition to Extensions, other subsystems can be edited: + - **Machine Wide Virtual Registry**: Used when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine + - <Registry> + - <Include> + 0 -   <Key Path="\\REGISTRY\\Machine\\Software\\ABC"> + 1 -     <Value Type="REG\_SZ" Name="Bar" Data="Baz" /> + -    </Key> + -   <Key Path="\\REGISTRY\\Machine\\Software\\EmptyKey" /> + -  </Include> + - <Delete> + - </Registry> +``` - **Machine Wide Virtual Kernel Objects** +**File-Type Associates** extension subsystem associates file types with programs to open by default as well as set up the context menu. - <Objects> +>[!TIP] +>You can set up the subsystem with MIME types. - <NotIsolate> +```XML -    <Object Name="testObject" /> + -  </NotIsolate> + - </Objects> + -2. **ProductSourceURLOptOut**: Indicates whether the URL for the package can be modified globally through PackageSourceRoot (to support branch office scenarios). Default is false and the setting change takes effect on the next launch.   + - <MachineConfiguration> + -   ..  + .docm -   <ProductSourceURLOptOut Enabled="true" /> + contosowordpad.DocumentMacroEnabled.12 -   .. + document + + application/vnd.ms-contosowordpad.document.macroEnabled.12 - </MachineConfiguration> + -3. **MachineScripts** – Package can be configured to execute scripts at time of deployment, publishing or removal. Please reference a sample deployment configuration file that is generated by the sequencer to see a sample script. 
The Scripts section below provides more information on the various triggers that can be used + wincontosowordpad.exe -4. **TerminateChildProcess**:- An application executable can be specified, whose child processes will be terminated when the application exe process is terminated. + - <MachineConfiguration> + -   ..    + contosowordpad.8 -   <TerminateChildProcesses> + -     <Application Path="\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE" /> + -     <Application Path="\[{PackageRoot}\]\\LitView\\LitViewBrowser.exe" /> + -     <Application Path="\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE" /> + -   </TerminateChildProcesses> + -   .. + - </MachineConfiguration> + true -### Scripts + + + + + + + + + + + + + + + contosowordpad.DocumentMacroEnabled.12 + + [{Windows}]\Installer\{90140000-0011-0000-0000-000000FF1CE}\contosowordpadicon.exe,15 + + Blah Blah Blah + + [{FOLDERID_ProgramFilesX86}]\Microsoft Contoso 14\res.dll,9182 + + [{FOLDERID_ProgramFilesX86}]\Microsoft Contoso 14\res.dll,1424 + + 0 + + + + Open + + + + {e56fa627-c35f-4a01-9e79-7d36aed8225a} + + Edit + + &Edit + + "[{PackageRoot}]\Contoso\WINcontosowordpad.EXE" /vu "%1" + + + + + + {e56fa627-c35f-4a01-9e79-7d36aed8225a} + + Open + + &Open + + "[{PackageRoot}]\Contoso\WINcontosowordpad.EXE" /n "%1" + + + + + + mscontosowordpad + + ShellSystem + + [SHELLNOOP] + + [SetForeground][ShellNewDatabase"%1"] + + + + + + + + + + + + + + + + + +``` + +**URL Protocols** extension subsystem controls the URL protocols integrated into the local registry of the client machine, for example, _mailto:_. 
+ +```XML + + + + + + + + + + mailto + + + + [{ProgramFilesX86}]\MicrosoftContoso\Contoso\contosomail.EXE,-9403 + + 2 + + + + + + + + + + + + + + + + 2 + + + + + + open + + + + [{ProgramFilesX86}]\Microsoft Contoso\Contoso\contosomail.EXE + + open + + [{ProgramFilesX86}\Microsoft Contoso\Contoso\contosomail.EXE" -c OEP.Note /m "%1" + + + + + + 0 + + 0 + + 2 + + + + + + contosomail + + ShellSystem + + [SHELLNOOP] + + [SetForeground][ShellNewDatabase "%1"] + + + + + + + + + + + + + + + + + +``` + +**Software Clients** extension subsystem allows the app to register as an email client, news reader, media player and makes the app visible in the Set program access and Computer defaults UI. In most cases, you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. + +```XML + + + + + + + +``` + +**AppPaths** extension subsystem opens apps registered with an application path. For example, if contoso.exe has an apppath name of _myapp_, users can type _myapp_ from the run menu, opening contoso.exe. + +```XML + + + + + + + + + + [{ProgramFilesX86}]\Microsoft Contoso\Contoso\contosomail.EXE + + contosomail.exe + + [{ProgramFilesX86}]\Microsoft Contoso\Contoso\contosomail.EXE + + + + false + + + + + + + + + + + +``` + +**COM** extensions subsystem allows an application registered to local COM servers. The mode can be: + +- Integration +- Isolated +- Off + +```XML + + + +``` + +**Virtual Kernel Objects** + +```XML + + + +``` + +**Virtual Registry** sets a registry in the virtual registry within HKCU. 
+ +```XML + + + + + + + + + + + + + + + + + + + +``` + +**Virtual File System** + +```XML + + + +``` + +**Virtual Fonts** + +```XML + + + +``` + +**Virtual Environment Variables** + +```XML + + + + + + + + + + + + + + + + + + + +``` + +**Virtual services** + +```XML + + + +``` + +#### UserScripts + +Use UserScripts to set up or alter the virtual environment. You can also execute scripts at the time of deployment or to clean up the environment after the application terminates. To see a sample script, refer to the user configuration file generated by the sequencer. +The Scripts section below provides more information on the various triggers that can be used. + +#### ManagingAuthority + +Use ManagingAuthority when two versions of your package co-exist on the same machine, one deployed to App-V 4.6 and another deployed on App-V 5.0. To allow App-V vNext to take over App-V 4.6 extension points for the named package enter the following in the UserConfig file (where PackageName is the Package GUID in App-V 4.6: + +```XML + + + +``` + +## Deployment configuration file (DeploymentConfig.xml) + +The DeploymentConfig file provides configuration settings for machine context and user context, providing the same capabilities listed in the UserConfig file. The setting get applied when deploying the package to a computer running the App-V 5.1 client. + +Use the DeploymentConfig file to specify or modify custom settings for a package: + +- All UserConfig settings +- Extensions that can only be applied globally for all users +- Virtual subsystems for global machine locations, for example, registry +- Product source URL +- Scripts (machine context only) +- Controls to terminate child processes + +### Header + +The header of a dynamic deployment configuration file looks like: + +```XML + +``` + +The **PackageId** is the same value as exists in the manifest file. 
+ +### Body + +The body of the dynamic deployment configuration file includes two sections: + +- **UserConfiguration:** allows the same content as the user configuration file described in the previous section. When publishing the package to a user, any appextensions configuration settings in this section override corresponding settings in the manifest within the package, unless you provide a user configuration file. If also providing a UserConfig file, it gets used instead of the User settings in the deployment configuration file. If publishing the package globally, then only the contents of the deployment configuration file get used in combination with the manifest. For more details, see [User configuration file contents (UserConfig.xml)](#user-configuration-file-contents-userconfigxml). + +- **MachineConfiguration:** contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY_LOCAL_MACHINE registry keys in the VFS. + +```XML + + + + + +... + + + + + +... + + + +... + + + + + +``` + +### UserConfiguration + +Refer to [User configuration file contents (UserConfig.xml)](#user-configuration-file-contents-userconfigxml) for information on the settings provided for this section. + +### MachineConfiguration + +Use the MachineConfiguration section to configure information for an entire machine; not for a specific user on the computer. For example, HKEY_LOCAL_MACHINE registry keys in the virtual registry. There are four subsections allowed in under this element: + +1. **[Subsystems](#subsystems-1)** +2. **[ProductSourceURLOptOut](#productsourceurloptout)** +3. **[MachineScripts](#machinescripts)** +4. **[TerminateChildProcess](#terminatechildprocess)** + +#### Subsystems + +AppExtensions and other subsystems arranged as subnodes. + +```XML + + + + + + … + + + +… + + + +``` + +You can enable or disable each subsystem using the **Enabled** attribute. 
+ +**Extensions** + +Some subsystems (extension subsystems) control extensions. The subsystem is Application Capabilities that default programs use. For this type of extension, the package must be published globally for integration into the local system. The same rules for controls and settings that apply to the Extensions in the User Configuration also, apply to those in the MachineConfiguration section. + +**Application Capabilities**: Used by default programs that allow an application to register itself as: + +- Capable of opening specific file extensions +- A contender for the start menu internet browser slot +- Capable of opening specific windows MIME types + +This extension also makes the virtual application visible in the Set default programs UI. + +```XML + + + + + + + + + + + [{PackageRoot}]\LitView\LitViewBrowser.exe + + + + LitView Browser + + SOFTWARE\LitView\Browser\Capabilities + + + + + + + + + @[{ProgramFilesX86}]\LitView\LitViewBrowser.exe,-12345 + + + @[{ProgramFilesX86}]\LitView\LitViewBrowser.exe,-12346 + + 0 + + Lit View E-Mail Client + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +_**Supported extension subsystems:**_ + +**Machine Wide Virtual Registry** extension subsystem sets a registry key in the virtual registry within HKEY_Local_Machine. + +```XML + + + + + + + + + + + + + + + + + + + +``` + +**Machine Wide Virtual Kernel Objects** + +```XML + + + + + + + + + + + +``` + +#### ProductSourceURLOptOut + +Use ProductSourceURLOptOut to indicate that the URL for the package can be modified globally through _PackageSourceRoot_ (to support branch office scenarios). Changes take effect on the next launch. + +```XML + + + + ... + + + + ... + + + +``` + +#### MachineScripts + +The package can be configured to execute scripts at time of deployment, publishing or removal. To see a sample script, refer to the deployment configuration file generated by the sequencer. 
+ +The Scripts section below provides more information on the various triggers that can be used. + +#### TerminateChildProcess + +An application executable can be specified, whose child processes get terminated when the application exe process terminates. + +```XML + + + + ... + + + + + + + + + + + + ... + + + +``` + + + +## Scripts The following table describes the various script events and the context under which they can be run. - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Script Execution TimeCan be specified in Deployment ConfigurationCan be specified in User ConfigurationCan run in the Virtual Environment of the packageCan be run in the context of a specific applicationRuns in system/user context: (Deployment Configuration, User Configuration)

      AddPackage

      X

      (SYSTEM, N/A)

      PublishPackage

      X

      X

      (SYSTEM, User)

      UnpublishPackage

      X

      X

      (SYSTEM, User)

      RemovePackage

      X

      (SYSTEM, N/A)

      StartProcess

      X

      X

      X

      X

      (User, User)

      ExitProcess

      X

      X

      X

      (User, User)

      StartVirtualEnvironment

      X

      X

      X

      (User, User)

      TerminateVirtualEnvironment

      X

      X

      (User, User)

      - -  +| Script Execution Time | Can be specified in Deployment Configuration | Can be specified in User Configuration | Can run in the Virtual Environment of the package | Can be run in the context of a specific application | Runs in system/user context: (Deployment Configuration, User Configuration) | +|-----------------------------|----------------------------------------------|----------------------------------------|---------------------------------------------------|-----------------------------------------------------|-----------------------------------------------------------------------------| +| AddPackage | X | | | | (SYSTEM, N/A) | +| PublishPackage | X | X | | | (SYSTEM, User) | +| UnpublishPackage | X | X | | | (SYSTEM, User) | +| RemovePackage | X | | | | (SYSTEM, N/A) | +| StartProcess | X | X | X | X | (User, User) | +| ExitProcess | X | X | | X | (User, User) | +| StartVirtualEnvironment | X | X | X | | (User, User) | +| TerminateVirtualEnvironment | X | X | | | (User, User) | ### Using multiple scripts on a single event trigger -App-V 5.1 supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V 5.0 or later. To enable the use of multiple scripts, App-V 5.1 uses a script launcher application, named ScriptRunner.exe, which is installed as part of the App-V client installation. +App-V 5.1 supports the use of multiple scripts on a single event trigger for +App-V packages, including packages that you convert from App-V 4.6 to App-V 5.0 +or later. To enable the use of multiple scripts, App-V 5.1 uses a script +launcher application, named ScriptRunner.exe, which is installed as part of the +App-V client installation. -**How to use multiple scripts on a single event trigger:** +### How to use multiple scripts on a single event trigger -For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. 
The application then runs each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. +For each script that you want to run, pass that script as an argument to the +ScriptRunner.exe application. The application then runs each script separately, +along with the arguments that you specify for each script. Use only one script +(ScriptRunner.exe) per trigger. -**Note**   -We recommended that you run the multi-script line from a command prompt first to make sure that all arguments are built correctly before adding them to the deployment configuration file. +>[!NOTE] -  +>We recommended that you run the multi-script line from a command prompt +first to make sure that all arguments are built correctly before adding them to +the deployment configuration file. -**Example script and parameter descriptions** +### Example script and parameter descriptions -Using the following example file and table, modify the deployment or user configuration file to add the scripts that you want to run. +Using the following example file and table, modify the deployment or user +configuration file to add the scripts that you want to run. -``` syntax +```XML ScriptRunner.exe @@ -885,89 +913,64 @@ Using the following example file and table, modify the deployment or user config ``` - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
      Parameter in the example fileDescription

      <AddPackage>

      Name of the event trigger for which you are running a script, such as adding a package or publishing a package.

      <Path>ScriptRunner.exe</Path>

      The script launcher application that is installed as part of the App-V client installation.

      -
      -Note   -

      Although ScriptRunner.exe is installed as part of the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.

      -
      -
      -  -
      <Arguments>
      --appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10
       
      --appvscript script2.vbs arg1 arg2
      +**Parameters in the example file include:**
       
      --appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror
      -</Arguments>

      -appvscript - Token that represents the actual script that you want to run.

      -

      script1.exe – Name of the script that you want to run.

      -

      arg1 arg2 – Arguments for the script that you want to run.

      -

      -appvscriptrunnerparameters – Token that represents the execution options for script1.exe

      -

      -wait – Token that informs ScriptRunner to wait for execution of script1.exe to complete before proceeding to the next script.

      -

      -timeout=x – Token that informs ScriptRunner to stop running the current script after x number of seconds. All other specified scripts will still run.

      -

      -rollbackonerror – Token that informs ScriptRunner to stop running all scripts that haven't yet run and to roll back an error to the App-V client.

      <Wait timeout=”40” RollbackOnError=”true”/>

      Waits for overall completion of ScriptRunner.exe.

      -

      Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

      -

      If any individual script reported an error and rollbackonerror was set to true, then ScriptRunner would report the error to App-V client.

      +#### \ -  +Name of the event trigger for which you are running a script, such as adding a package or publishing a package. -ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type is not associated with any application on the computer, the script will not run. +#### \ScriptRunner.exe\ -### Create a Dynamic Configuration file using an App-V 5.1 Manifest file +The script launcher application that is installed as part of the App-V client installation. -You can create the Dynamic Configuration file using one of three methods: either manually, using the App-V 5.1 Management Console or sequencing a package, which will be generated with 2 sample files. +>[!NOTE] -For more information about how to create the file using the App-V 5.1 Management Console see, [How to Create a Custom Configuration File by Using the App-V 5.1 Management Console](how-to-create-a-custom-configuration-file-by-using-the-app-v-51-management-console.md). +>Although ScriptRunner.exe is installed as part of the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:FilesApplication Virtualizationfolder. + +#### \ + +`-appvscript` - Token that represents the actual script that you want to run. + +`script1.exe` – Name of the script that you want to run. + +`arg1 arg2` – Arguments for the script that you want to run. + +`-appvscriptrunnerparameters` – Token that represents the execution options for script1.exe. + +`-wait` – Token that informs ScriptRunner to wait for execution of script1.exe to complete before proceeding to the next script. + +`-timeout=x` – Token that informs ScriptRunner to stop running the current script after x number of seconds. All other specified scripts still runs. 
+ +`-rollbackonerror` – Token that informs ScriptRunner to stop running all scripts that haven't yet run and to roll back an error to the App-V client. + +#### \ + +Waits for overall completion of ScriptRunner.exe. + +Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts. + +If any individual script reported an error and rollbackonerror was set to true, then ScriptRunner would report the error to App-V client. + +ScriptRunner runs any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type is not associated with any application on the computer, the script does not run. + +### Create a dynamic configuration file using an App-V 5.1 manifest file + +You can create the dynamic configuration file using one of three methods: either manually, using the App-V 5.1 Management Console or sequencing a package, which generates two sample files. For more information about how to create the file using the App-V 5.1 Management Console see, [How to create a custom configuration File by using the App-V 5.1 Management Console](how-to-create-a-custom-configuration-file-by-using-the-app-v-51-management-console.md). To create the file manually, the information above in previous sections can be combined into a single file. We recommend you use files generated by the sequencer. ## Got a suggestion for App-V? - -Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +- Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). +- For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). 
## Related topics +- [How to Apply the Deployment Configuration File by Using PowerShell](how-to-apply-the-deployment-configuration-file-by-using-powershell51.md) -[How to Apply the Deployment Configuration File by Using PowerShell](how-to-apply-the-deployment-configuration-file-by-using-powershell51.md) - -[How to Apply the User Configuration File by Using PowerShell](how-to-apply-the-user-configuration-file-by-using-powershell51.md) - -[Operations for App-V 5.1](operations-for-app-v-51.md) - -  - -  - - - +- [How to Apply the User Configuration File by Using PowerShell](how-to-apply-the-user-configuration-file-by-using-powershell51.md) +- [Operations for App-V 5.1](operations-for-app-v-51.md) +--- \ No newline at end of file diff --git a/mdop/appv-v5/about-app-v-51.md b/mdop/appv-v5/about-app-v-51.md index 9f0cdd5170..700251df9c 100644 --- a/mdop/appv-v5/about-app-v-51.md +++ b/mdop/appv-v5/about-app-v-51.md @@ -96,7 +96,7 @@ Review the following information before you start the upgrade:
      Note   -

      Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](http://www.microsoft.com/download/details.aspx?id=41186).

      +

      Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186).

        diff --git a/mdop/appv-v5/app-v-50-prerequisites.md b/mdop/appv-v5/app-v-50-prerequisites.md
index 8d90940d1b..986a0450c7 100644
--- a/mdop/appv-v5/app-v-50-prerequisites.md
+++ b/mdop/appv-v5/app-v-50-prerequisites.md
@@ -60,7 +60,7 @@ The following table lists prerequisite information that pertains to specific ope
    • Windows Server 2008

    • You may want to download the following KB:

      -

      [Microsoft Security Advisory: Insecure library loading could allow remote code execution](http://support.microsoft.com/kb/2533623)

      +

      [Microsoft Security Advisory: Insecure library loading could allow remote code execution](https://support.microsoft.com/kb/2533623)

      Be sure to check for subsequent KBs that have superseded this one, and note that some KBs may require that you uninstall previous updates.

      @@ -97,8 +97,8 @@ The following table lists the installation prerequisites for the App-V 5.0 clien

      Software requirements

        -
      • [Microsoft .NET Framework 4 (Full Package)](http://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • -
      • [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595) (http://www.microsoft.com/download/details.aspx?id=34595)

        +
      • [Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • +
      • [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595) (http://www.microsoft.com/download/details.aspx?id=34595)

        Note   @@ -107,7 +107,7 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
         
      • -
      • Download and install [KB2533623](http://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)

        +
      • Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)

        Important   @@ -119,12 +119,12 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
      • The client installer (.exe) will detect if it is necessary to install the following prerequisites, and it will do so accordingly:

          -
        • [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784) (http://www.microsoft.com/download/details.aspx?id=40784)

          +
        • [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784) (http://www.microsoft.com/download/details.aspx?id=40784)

          This prerequisite is only required if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2 or later.

        • -
        • [The Microsoft Visual C++ 2010 Redistributable](http://www.microsoft.com/download/details.aspx?id=26999) (https://go.microsoft.com/fwlink/?LinkId=26999)

          +
        • [The Microsoft Visual C++ 2010 Redistributable](https://www.microsoft.com/download/details.aspx?id=26999) (https://go.microsoft.com/fwlink/?LinkId=26999)

        • -
        • [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](http://www.microsoft.com/download/details.aspx?id=5638) (http://www.microsoft.com/download/details.aspx?id=5638)

        • +
        • [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638) (http://www.microsoft.com/download/details.aspx?id=5638)

      @@ -157,8 +157,8 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot

      Software requirements

        -
      • [Microsoft.NET Framework 4 (Full Package)](http://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • -
      • [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595) (http://www.microsoft.com/download/details.aspx?id=34595)

        +
      • [Microsoft.NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • +
      • [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595) (http://www.microsoft.com/download/details.aspx?id=34595)

        Note   @@ -179,12 +179,12 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot
      • The client (.exe) installer will detect if it is necessary to install the following prerequisites, and it will do so accordingly:

          -
        • [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784) (http://www.microsoft.com/download/details.aspx?id=40784)

          +
        • [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784) (http://www.microsoft.com/download/details.aspx?id=40784)

          This prerequisite is required only if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2 or later.

        • -
        • [The Microsoft Visual C++ 2010 Redistributable](http://www.microsoft.com/download/details.aspx?id=26999) (https://go.microsoft.com/fwlink/?LinkId=26999)

          +
        • [The Microsoft Visual C++ 2010 Redistributable](https://www.microsoft.com/download/details.aspx?id=26999) (https://go.microsoft.com/fwlink/?LinkId=26999)

        • -
        • [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](http://www.microsoft.com/download/details.aspx?id=5638) (http://www.microsoft.com/download/details.aspx?id=5638)

        • +
        • [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638) (http://www.microsoft.com/download/details.aspx?id=5638)

      @@ -222,14 +222,14 @@ If the system requirements of a locally installed application exceed the require

      Software requirements

        -
      • [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784) (http://www.microsoft.com/download/details.aspx?id=40784)

        +
      • [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784) (http://www.microsoft.com/download/details.aspx?id=40784)

        This prerequisite is required only if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2.

      • -
      • [Microsoft .NET Framework 4 (Full Package)](http://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

        +
      • [Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • -
      • [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595) (http://www.microsoft.com/download/details.aspx?id=34595)

        +
      • [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595) (http://www.microsoft.com/download/details.aspx?id=34595)

      • -
      • Download and install [KB2533623](http://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)

        +
      • Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)

      • For computers running Microsoft Windows Server 2008 R2 SP1, download and install [KB2533623](https://go.microsoft.com/fwlink/?LinkId=286102 ) (https://go.microsoft.com/fwlink/?LinkId=286102)

        @@ -256,7 +256,7 @@ The following prerequisites are already installed for computers that run Windows
 - Windows PowerShell 3.0
-- Download and install [KB2533623](http://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)
+- Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)
 **Important**  
 You can still download install the previous KB. However, it may have been replaced with a more recent version.
@@ -294,8 +294,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

        Management Server

          -
        • [Microsoft .NET Framework 4 (Full Package)](http://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

        • -
        • [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595) (http://www.microsoft.com/download/details.aspx?id=34595)

          +
        • [Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

        • +
        • [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595) (http://www.microsoft.com/download/details.aspx?id=34595)

          Note  

          Installing PowerShell 3.0 requires a restart.

          @@ -304,7 +304,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve  
        • Windows Web Server with the IIS role enabled and the following features: Common HTTP Features (static content and default document), Application Development (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), Security (Windows Authentication, Request Filtering), Management Tools (IIS Management Console).

        • -
        • Download and install [KB2533623](http://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)

          +
        • Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)

          Important   @@ -313,7 +313,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
           
        • -
        • [Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)](http://www.microsoft.com/download/details.aspx?id=13523) (http://www.microsoft.com/download/details.aspx?id=13523)

        • +
        • [Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)](https://www.microsoft.com/download/details.aspx?id=13523) (http://www.microsoft.com/download/details.aspx?id=13523)

        • [Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110) (https://go.microsoft.com/fwlink/?LinkId=267110)

        • 64-bit ASP.NET registration

        @@ -345,7 +345,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve  
        -
      • [Microsoft .NET Framework 4 (Full Package)](http://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • +
      • [Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • [Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)(https://go.microsoft.com/fwlink/?LinkId=267110)

      The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 management database.

      @@ -361,7 +361,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

      Reporting Server

        -
      • [Microsoft .NET Framework 4 (Full Package)](http://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • +
      • [Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

      • [Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)(https://go.microsoft.com/fwlink/?LinkId=267110)

      • Note   @@ -388,7 +388,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve  
          -
        • [Microsoft .NET Framework 4 (Full Package)](http://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

        • +
        • [Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

        • [Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)(https://go.microsoft.com/fwlink/?LinkId=267110)

        The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 reporting database.

        @@ -404,7 +404,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

        Publishing Server

          -
        • [Microsoft .NET Framework 4 (Full Package)](http://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

        • +
        • [Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

        • [Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)(https://go.microsoft.com/fwlink/?LinkId=267110)

        • Windows Web Server with the IIS role with the following features: Common HTTP Features (static content and default document), Application Development (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), Security (Windows Authentication, Request Filtering), Security (Windows Authentication, Request Filtering), Management Tools (IIS Management Console)

        • 64-bit ASP.NET registration

        • 
diff --git a/mdop/appv-v5/app-v-50-sp3-prerequisites.md b/mdop/appv-v5/app-v-50-sp3-prerequisites.md
index c1277e22ab..da61af1bfa 100644
--- a/mdop/appv-v5/app-v-50-sp3-prerequisites.md
+++ b/mdop/appv-v5/app-v-50-sp3-prerequisites.md
@@ -135,19 +135,19 @@ Install the required prerequisite software for the App-V 5.0 SP3 Server componen

          For supported versions, see [App-V 5.0 SP3 Supported Configurations](app-v-50-sp3-supported-configurations.md).

          -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

          +

          [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

          Installing PowerShell 3.0 requires a restart.

          -

          Download and install [KB2533623](http://support.microsoft.com/kb/2533623)

          +

          Download and install [KB2533623](https://support.microsoft.com/kb/2533623)

          Applies to Windows 7 only.

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -232,11 +232,11 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -266,7 +266,7 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana

          Microsoft SQL Server Service Agent

          -

          Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to Restart Services Automatically](http://technet.microsoft.com/magazine/gg313742.aspx).

          +

          Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to Restart Services Automatically](https://technet.microsoft.com/magazine/gg313742.aspx).

          @@ -288,11 +288,11 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -395,11 +395,11 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana

          For supported versions, see [App-V 5.0 SP3 Supported Configurations](app-v-50-sp3-supported-configurations.md).

          -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -473,11 +473,11 @@ The Reporting database is required only if you are using the App-V 5.0 SP3 Repor -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -532,20 +532,20 @@ Install the following prerequisite software for the App-V client. -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

          +

          [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

          Installing PowerShell 3.0 requires a restart.

          -

          [KB2533623](http://support.microsoft.com/kb/2533623)

          +

          [KB2533623](https://support.microsoft.com/kb/2533623)

          Applies to Windows 7 only: Download and install the KB.

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -571,20 +571,20 @@ Install the following prerequisite software for the App-V Remote Desktop Service -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

          +

          [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

          Installing PowerShell 3.0 requires a restart.

          -

          [KB2533623](http://support.microsoft.com/kb/2533623)

          +

          [KB2533623](https://support.microsoft.com/kb/2533623)

          Applies to Windows 7 only: Download and install the KB.

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -614,20 +614,20 @@ Install the following prerequisite software for the App-V Remote Desktop Service -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

          +

          [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

          Installing PowerShell 3.0 requires a restart.

          -

          [KB2533623](http://support.microsoft.com/kb/2533623)

          +

          [KB2533623](https://support.microsoft.com/kb/2533623)

          Applies to Windows 7 only: Download and install the KB.

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          diff --git a/mdop/appv-v5/app-v-50-sp3-supported-configurations.md b/mdop/appv-v5/app-v-50-sp3-supported-configurations.md
index fb07569e2a..fdd9c0c8ac 100644
--- a/mdop/appv-v5/app-v-50-sp3-supported-configurations.md
+++ b/mdop/appv-v5/app-v-50-sp3-supported-configurations.md
@@ -440,7 +440,7 @@ The App-V client supports the following versions of System Center Configuration
 - System Center 2012 R2 Configuration Manager SP1
-For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](http://technet.microsoft.com/library/jj822982.aspx).
+For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx).
 ## Got a suggestion for App-V?
diff --git a/mdop/appv-v5/app-v-50-supported-configurations.md b/mdop/appv-v5/app-v-50-supported-configurations.md
index ea0cd97733..c45a8eda10 100644
--- a/mdop/appv-v5/app-v-50-supported-configurations.md
+++ b/mdop/appv-v5/app-v-50-supported-configurations.md
@@ -508,7 +508,7 @@ You can use Microsoft System Center 2012 Configuration Manager or System Cen  
-For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](http://technet.microsoft.com/library/jj822982.aspx).
+For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx).
 ## Got a suggestion for App-V?
diff --git a/mdop/appv-v5/app-v-51-prerequisites.md b/mdop/appv-v5/app-v-51-prerequisites.md
index 5289f56ed3..f8078582a5 100644
--- a/mdop/appv-v5/app-v-51-prerequisites.md
+++ b/mdop/appv-v5/app-v-51-prerequisites.md
@@ -145,19 +145,19 @@ Install the required prerequisite software for the App-V 5.1 Server components.

          For supported versions, see [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md).

          -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

          +

          [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

          Installing PowerShell 3.0 requires a restart.

          -

          Download and install [KB2533623](http://support.microsoft.com/kb/2533623)

          +

          Download and install [KB2533623](https://support.microsoft.com/kb/2533623)

          Applies to Windows 7 only.

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -243,11 +243,11 @@ The Management database is required only if you are using the App-V 5.1 Manageme -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -277,7 +277,7 @@ The Management database is required only if you are using the App-V 5.1 Manageme

          Microsoft SQL Server Service Agent

          -

          Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to Restart Services Automatically](http://technet.microsoft.com/magazine/gg313742.aspx).

          +

          Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to Restart Services Automatically](https://technet.microsoft.com/magazine/gg313742.aspx).

          @@ -299,11 +299,11 @@ The Management database is required only if you are using the App-V 5.1 Manageme -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -406,11 +406,11 @@ The Management database is required only if you are using the App-V 5.1 Manageme

          For supported versions, see [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md).

          -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -484,11 +484,11 @@ The Reporting database is required only if you are using the App-V 5.1 Reporting -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -543,20 +543,20 @@ Install the following prerequisite software for the App-V client. -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

          +

          [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

          Installing PowerShell 3.0 requires a restart.

          -

          [KB2533623](http://support.microsoft.com/kb/2533623)

          +

          [KB2533623](https://support.microsoft.com/kb/2533623)

          Applies to Windows 7 only: Download and install the KB.

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -582,20 +582,20 @@ Install the following prerequisite software for the App-V Remote Desktop Service -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

          +

          [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

          Installing PowerShell 3.0 requires a restart.

          -

          [KB2533623](http://support.microsoft.com/kb/2533623)

          +

          [KB2533623](https://support.microsoft.com/kb/2533623)

          Applies to Windows 7 only: Download and install the KB.

          -

          [Visual C++ Redistributable Packages for Visual Studio 2013](http://www.microsoft.com/download/details.aspx?id=40784)

          +

          [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

          @@ -625,16 +625,16 @@ Install the following prerequisite software for the App-V Remote Desktop Service -

          [Microsoft .NET Framework 4.5.1 (Web Installer)](http://www.microsoft.com//download/details.aspx?id=40773)

          +

          [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

          -

          [Windows PowerShell 3.0](http://www.microsoft.com/download/details.aspx?id=34595)

          +

          [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

          Installing PowerShell 3.0 requires a restart.

          -

          [KB2533623](http://support.microsoft.com/kb/2533623)

          +

          [KB2533623](https://support.microsoft.com/kb/2533623)

          Applies to Windows 7 only: Download and install the KB.

          diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md
index 715eccb830..b60c43d593 100644
--- a/mdop/appv-v5/app-v-51-supported-configurations.md
+++ b/mdop/appv-v5/app-v-51-supported-configurations.md
@@ -467,7 +467,7 @@ The App-V client supports the following versions of System Center Configuration The following App-V and System Center Configuration Manager version matrix shows all officially supported combinations of App-V and Configuration Manager.
-**Note:** Both App-V 4.5 and 4.6 have exited Mainstream support.
+**Note:** Both App-V 4.5 and 4.6 have exited Mainstream support.
@@ -518,7 +518,7 @@ The following App-V and System Center Configuration Manager version matrix shows  
-For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](http://technet.microsoft.com/library/jj822982.aspx).
+For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx). ## Got a suggestion for App-V?
diff --git a/mdop/appv-v5/application-publishing-and-client-interaction.md b/mdop/appv-v5/application-publishing-and-client-interaction.md
index 48a137c6bb..b3bd9b1dbb 100644
--- a/mdop/appv-v5/application-publishing-and-client-interaction.md
+++ b/mdop/appv-v5/application-publishing-and-client-interaction.md
@@ -38,7 +38,7 @@ This article provides technical information about common App-V client operations - [Client logging](#bkmk-client-logging)
-For additional reference information, see [Microsoft Application Virtualization (App-V) Documentation Resources Download Page](http://www.microsoft.com/download/details.aspx?id=27760).
+For additional reference information, see [Microsoft Application Virtualization (App-V) Documentation Resources Download Page](https://www.microsoft.com/download/details.aspx?id=27760). ## App-V package files created by the Sequencer
@@ -93,7 +93,7 @@ The Sequencer creates App-V packages and produces a virtualized application. The  
-For information about sequencing, see [Application Virtualization 5.0 Sequencing Guide](http://www.microsoft.com/download/details.aspx?id=27760).
+For information about sequencing, see [Application Virtualization 5.0 Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760). ## What’s in the appv file?
@@ -241,7 +241,7 @@ The App-V Client manages the applications assets mounted in the package store. T Example of a path to a specific application: ``` syntax
-C:\ProgramData\App-V\PackGUID\VersionGUID
+C:\ProgramData\App-V\PackGUID\VersionGUID ``` To change the default location of the package store during setup, see [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md).
diff --git a/mdop/appv-v5/application-publishing-and-client-interaction51.md b/mdop/appv-v5/application-publishing-and-client-interaction51.md
index 59628e39ad..dfaa56d9c0 100644
--- a/mdop/appv-v5/application-publishing-and-client-interaction51.md
+++ b/mdop/appv-v5/application-publishing-and-client-interaction51.md
@@ -38,7 +38,7 @@ This article provides technical information about common App-V client operations - [Client logging](#bkmk-client-logging)
-For additional reference information, see [Microsoft Application Virtualization (App-V) Documentation Resources Download Page](http://www.microsoft.com/download/details.aspx?id=27760).
+For additional reference information, see [Microsoft Application Virtualization (App-V) Documentation Resources Download Page](https://www.microsoft.com/download/details.aspx?id=27760). ## App-V package files created by the Sequencer
@@ -241,7 +241,7 @@ The App-V Client manages the applications assets mounted in the package store. T Example of a path to a specific application: ``` syntax
-C:\ProgramData\App-V\PackGUID\VersionGUID
+C:\ProgramData\App-V\PackGUID\VersionGUID ``` To change the default location of the package store during setup, see [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-51gb18030.md).
diff --git a/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md
index 0b805161f8..69af0d0e77 100644
--- a/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md
+++ b/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md
@@ -17,7 +17,7 @@ ms.date: 06/16/2016 After you have properly deployed the Microsoft Application Virtualization (App-V) 5.0 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. **Note**  
-For more information about configuring the Microsoft Application Virtualization (App-V) 5.0 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx) (http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
+For more information about configuring the Microsoft Application Virtualization (App-V) 5.0 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx) (http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).  
diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
index 4b78b20309..4062dd1379 100644
--- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
+++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md
@@ -17,9 +17,9 @@ ms.date: 06/16/2016 After you have properly deployed the Microsoft Application Virtualization (App-V) 5.1 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. **Note**  
-For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
+For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
-**Note**
+**Note** The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. ## Sequencing an application
diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
index b2a242e96e..6a30148ca3 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md
@@ -102,7 +102,7 @@ Before you deploy Office by using App-V, review the following requirements.
        • Visio Pro for Office 365

        • Project Pro for Office 365

        • -
@@ -204,7 +204,7 @@ Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V Packages are created using the Office Deployment Tool, which generates an Office 2013 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
-1. Download the [Office Deployment Tool for Click-to-Run](http://www.microsoft.com/download/details.aspx?id=36778).
+1. Download the [Office Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=36778). 2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
@@ -233,7 +233,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc - + ```
@@ -418,7 +418,7 @@ After you download the Office 2013 applications through the Office Deployment To <Product ID="VisioProRetail"> <Language ID="en-us" /> </Product> - </Add> + </Add> </Configuration>

          In this example, the following changes were made to create a package with Subscription licensing:

          You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).

          +

          You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).

          You don’t use shared computer activation if you’re deploying a volume licensed product, such as:

          • Office Professional Plus 2013

          • @@ -135,7 +135,7 @@ The following table describes the recommended methods for excluding specific Off

          Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

          • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

          • -
          • For more information, see [ExcludeApp element](http://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

          • +
          • For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

          @@ -452,7 +452,7 @@ After you download the Office 2013 applications through the Office Deployment To <Product ID="VisioProVolume"> <Language ID="en-us" /> </Product> - </Add> + </Add> </Configuration>

          In this example, the following changes were made to create a package with Volume licensing:

          @@ -668,7 +668,7 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. **Note**  
-To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](http://technet.microsoft.com/library/jj219426.aspx).
+To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](https://technet.microsoft.com/library/jj219426.aspx).  
@@ -721,7 +721,7 @@ You may want to disable shortcuts for certain Office applications instead of unp 2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut. ``` syntax - Shortcuts + Shortcuts -->
@@ -836,7 +836,7 @@ The following table describes the requirements and options for deploying Visio 2
          1. Create a package that contains Office, Visio, and Project.

          2. Deploy the package to all users.

          3. -
          4. Use [Microsoft AppLocker](http://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

          5. +
          6. Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

          diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
index 91c0f3ed75..8b3ad7e937 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md
@@ -101,7 +101,7 @@ Before you deploy Office by using App-V, review the following requirements.
        • Visio Pro for Office 365

        • Project Pro for Office 365

        • -
          @@ -206,7 +206,7 @@ Create Office 2013 App-V packages on 64-bit Windows computers. Once created, the Office 2013 App-V Packages are created using the Office Deployment Tool, which generates an Office 2013 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation:
-1. Download the [Office Deployment Tool for Click-to-Run](http://www.microsoft.com/download/details.aspx?id=36778).
+1. Download the [Office Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=36778). 2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved.
@@ -235,7 +235,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc - + ```
@@ -424,7 +424,7 @@ After you download the Office 2013 applications through the Office Deployment To <Product ID="VisioProRetail"> <Language ID="en-us" /> </Product> - </Add> + </Add> </Configuration>

          In this example, the following changes were made to create a package with Subscription licensing:

          You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).

          +

          You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).

          You don’t use shared computer activation if you’re deploying a volume licensed product, such as:

          • Office Professional Plus 2013

          • @@ -134,7 +134,7 @@ The following table describes the recommended methods for excluding specific Off

          Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

          • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

          • -
          • For more information, see [ExcludeApp element](http://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

          • +
          • For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

          @@ -458,7 +458,7 @@ After you download the Office 2013 applications through the Office Deployment To <Product ID="VisioProVolume"> <Language ID="en-us" /> </Product> - </Add> + </Add> </Configuration>

          In this example, the following changes were made to create a package with Volume licensing:

          @@ -674,7 +674,7 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. **Note**  
-To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](http://technet.microsoft.com/library/jj219426.aspx).
+To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](https://technet.microsoft.com/library/jj219426.aspx).  
@@ -727,7 +727,7 @@ You may want to disable shortcuts for certain Office applications instead of unp 2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut. ``` syntax - Shortcuts + Shortcuts -->
@@ -842,7 +842,7 @@ The following table describes the requirements and options for deploying Visio 2
          1. Create a package that contains Office, Visio, and Project.

          2. Deploy the package to all users.

          3. -
          4. Use [Microsoft AppLocker](http://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

          5. +
          6. Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

          diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
index d397429c2f..ceacdbb6dc 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md
@@ -103,7 +103,7 @@ Before you deploy Office by using App-V, review the following requirements.
        • Visio Pro for Office 365

        • Project Pro for Office 365

        • -
          @@ -131,7 +131,7 @@ The following table describes the recommended methods for excluding specific Off
@@ -228,7 +228,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc - + ```
@@ -410,7 +410,7 @@ After you download the Office 2016 applications through the Office Deployment To <Product ID="VisioProRetail"> <Language ID="en-us" /> </Product> - </Add> + </Add> </Configuration>

          In this example, the following changes were made to create a package with Subscription licensing:

          You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).

          +

          You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).

          Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

          • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

          • -
          • For more information, see [ExcludeApp element](http://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

          • +
          • For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

          @@ -658,7 +658,7 @@ You may want to disable shortcuts for certain Office applications instead of unp 2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut. ``` syntax - Shortcuts + Shortcuts -->
@@ -754,7 +754,7 @@ The following table describes the requirements and options for deploying Visio 2
          1. Create a package that contains Office, Visio, and Project.

          2. Deploy the package to all users.

          3. -
          4. Use [Microsoft AppLocker](http://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

          5. +
          6. Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

          diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
index 2439d3d384..d2b4fb5e5e 100644
--- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
+++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md
@@ -103,7 +103,7 @@ Before you deploy Office by using App-V, review the following requirements.
        • Visio Pro for Office 365

        • Project Pro for Office 365

        • -
          @@ -131,7 +131,7 @@ The following table describes the recommended methods for excluding specific Off
@@ -228,7 +228,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc - + ```
@@ -410,7 +410,7 @@ After you download the Office 2016 applications through the Office Deployment To <Product ID="VisioProRetail"> <Language ID="en-us" /> </Product> - </Add> + </Add> </Configuration>

          In this example, the following changes were made to create a package with Subscription licensing:

          You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).

          +

          You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).

          Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

          • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

          • -
          • For more information, see [ExcludeApp element](http://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

          • +
          • For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

          @@ -442,7 +442,7 @@ After you download the Office 2016 applications through the Office Deployment To
@@ -658,7 +658,7 @@ You may want to disable shortcuts for certain Office applications instead of unp 2. To disable certain shortcuts, delete or comment out the specific shortcuts you don’t want. You must keep the subsystem present and enabled. For example, in the example below, delete the Microsoft Access shortcuts, while keeping the subsystems <shortcut> </shortcut> intact to disable the Microsoft Access shortcut. ``` syntax - Shortcuts + Shortcuts -->
@@ -754,7 +754,7 @@ The following table describes the requirements and options for deploying Visio 2
          1. Create a package that contains Office, Visio, and Project.

          2. Deploy the package to all users.

          3. -
          4. Use [Microsoft AppLocker](http://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

          5. +
          6. Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

          diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-46-and-the-app-v--50-client-on-the-same-computer.md b/mdop/appv-v5/how-to-deploy-the-app-v-46-and-the-app-v--50-client-on-the-same-computer.md
index 521ad09c45..b9dfd5d542 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-46-and-the-app-v--50-client-on-the-same-computer.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-46-and-the-app-v--50-client-on-the-same-computer.md
@@ -34,7 +34,7 @@ Use the following information to install the App-V 5.0 client (preferably, with - [How to Convert a Package Created in a Previous Version of App-V](how-to-convert-a-package-created-in-a-previous-version-of-app-v.md)
-5. Test that your App-V 5.0 packages are successful, and then remove the 4.6 packages. To check the user state of your client computers, we recommend that you use [User Experience Virtualization](http://technet.microsoft.com/library/dn458947.aspx) or another user environment management tool.
+5. Test that your App-V 5.0 packages are successful, and then remove the 4.6 packages. To check the user state of your client computers, we recommend that you use [User Experience Virtualization](https://technet.microsoft.com/library/dn458947.aspx) or another user environment management tool. **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-46-and-the-app-v--51-client-on-the-same-computer.md b/mdop/appv-v5/how-to-deploy-the-app-v-46-and-the-app-v--51-client-on-the-same-computer.md
index 65546d80c5..e617718801 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-46-and-the-app-v--51-client-on-the-same-computer.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-46-and-the-app-v--51-client-on-the-same-computer.md
@@ -20,7 +20,7 @@ Use the following information to install the Microsoft Application Virtualizatio 1. Install the following version of the App-V client on the computer that is running App-V 4.6.
- - [Microsoft Application Virtualization 4.6 Service Pack 3](http://www.microsoft.com/download/details.aspx?id=41187)
+ - [Microsoft Application Virtualization 4.6 Service Pack 3](https://www.microsoft.com/download/details.aspx?id=41187) 2. Install the App-V 5.1 client on the computer that is running the App-V 4.6 SP3 version of the client. For best results, we recommend that you install all available updates to the App-V 5.1 client.
@@ -42,7 +42,7 @@ Use the following information to install the Microsoft Application Virtualizatio - [How to Convert a Package Created in a Previous Version of App-V](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md)
-6. Test that your App-V 5.1 packages are successful, and then remove the 4.6 packages. To check the user state of your client computers, we recommend that you use [User Experience Virtualization](http://technet.microsoft.com/library/dn458947.aspx) or another user environment management tool.
+6. Test that your App-V 5.1 packages are successful, and then remove the 4.6 packages. To check the user state of your client computers, we recommend that you use [User Experience Virtualization](https://technet.microsoft.com/library/dn458947.aspx) or another user environment management tool. **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts.md b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts.md
index 0a450eda33..cfd6725e5d 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts.md
@@ -49,7 +49,7 @@ Use the following instructions to use SQL scripts, rather than the Windows Insta - +

          PACKAGEGUID (optional)

          By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

          An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

          - + >**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

          ManagementDatabase subfolder

          Important   -

          If you are upgrading to or installing the App-V 5.0 SP3 Management database, see [SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail](http://support.microsoft.com/kb/3031340).

          +

          If you are upgrading to or installing the App-V 5.0 SP3 Management database, see [SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail](https://support.microsoft.com/kb/3031340).

            diff --git a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
index a3898dfd1d..c552e9a3a8 100644
--- a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
+++ b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md
@@ -193,7 +193,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:

          On TechNet as web pages

          See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](http://technet.microsoft.com/library/dn520245.aspx).

          See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx).

          diff --git a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
index 6e024f6302..253c7dc664 100644
--- a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
+++ b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md
@@ -192,7 +192,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:

          On TechNet as web pages

          -

          See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](http://technet.microsoft.com/library/dn520245.aspx).

          +

          See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx).

          diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
index 0a5aa62dcf..bbc5378d44 100644
--- a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
+++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md
@@ -265,9 +265,9 @@ The following table displays the required steps to prepare the base image and th We recommend using Microsoft User Experience Virtualization (UE-V) to capture and centralize application settings and Windows operating system settings for a specific user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. UE-V is optimized for RDS and VDI scenarios. -For more information see [Getting Started With User Experience Virtualization 2.0](http://technet.microsoft.com/library/dn458936.aspx) +For more information see [Getting Started With User Experience Virtualization 2.0](https://technet.microsoft.com/library/dn458936.aspx) -In essence all that is required is to install the UE-V client and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](http://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information around UE-V templates see [The UE-V specific resource for acquiring and registering the template](http://technet.microsoft.com/library/dn458936.aspx). +In essence all that is required is to install the UE-V client and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information around UE-V templates see [The UE-V specific resource for acquiring and registering the template](https://technet.microsoft.com/library/dn458936.aspx). **Note**   Without performing an additional configuration step, the Microsoft User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. 
@@ -341,7 +341,7 @@ Registry – HKEY\_CURRENT\_USER Additionally, we recommend using Microsoft User Experience Virtualization (UE-V) to capture and centralize application settings and Windows operating system settings for a specific user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. -For more information see [Getting Started With User Experience Virtualization 1.0](http://technet.microsoft.com/library/jj680015.aspx) and [Sharing Settings Location Templates with the UE-V Template Gallery](http://technet.microsoft.com/library/jj679972.aspx). +For more information see [Getting Started With User Experience Virtualization 1.0](https://technet.microsoft.com/library/jj680015.aspx) and [Sharing Settings Location Templates with the UE-V Template Gallery](https://technet.microsoft.com/library/jj679972.aspx). ### User Experience Walk-through 
@@ -445,37 +445,37 @@ The following section contains lists with information about Microsoft documentat About NGEN technology -- [How to speed up NGEN optimaztion](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) +- [How to speed up NGEN optimaztion](https://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) -- [Script](http://aka.ms/DrainNGenQueue) +- [Script](https://aka.ms/DrainNGenQueue) **Windows Server and Server Roles** Server Performance Tuning Guidelines for -- [Microsoft Windows Server 2012 R2](http://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) +- [Microsoft Windows Server 2012 R2](https://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) -- [Microsoft Windows Server 2012](http://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) +- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) -- [Microsoft Windows Server 2008 R2](http://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) +- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) **Server Roles** -- [Remote Desktop Virtualization Host](http://msdn.microsoft.com/library/windows/hardware/dn567643.aspx) +- [Remote Desktop Virtualization Host](https://msdn.microsoft.com/library/windows/hardware/dn567643.aspx) -- [Remote Desktop Session Host](http://msdn.microsoft.com/library/windows/hardware/dn567648.aspx) +- [Remote Desktop Session Host](https://msdn.microsoft.com/library/windows/hardware/dn567648.aspx) -- [IIS Relevance: App-V Management, Publishing, Reporting Web 
Services](http://msdn.microsoft.com/library/windows/hardware/dn567678.aspx) +- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](https://msdn.microsoft.com/library/windows/hardware/dn567678.aspx) -- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](http://technet.microsoft.com/library/jj134210.aspx) +- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](https://technet.microsoft.com/library/jj134210.aspx) **Windows Client (Guest OS) Performance Tuning Guidance** -- [Microsoft Windows 7](http://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) +- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) - [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx) -- [Microsoft Windows 8](http://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) +- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) - [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx) diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md index f97427ff85..2f09ab6f22 100644 --- a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md +++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md 
@@ -267,7 +267,7 @@ We recommend using Microsoft User Experience Virtualization (UE-V) to capture an For more information see [Getting Started With User Experience Virtualization 2.0](https://technet.microsoft.com/library/dn458926.aspx) -In essence all that is required is to install the UE-V client and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](http://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information around UE-V templates see [The UE-V specific resource for acquiring and registering the template](https://technet.microsoft.com/library/dn458926.aspx). +In essence all that is required is to install the UE-V client and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information around UE-V templates see [The UE-V specific resource for acquiring and registering the template](https://technet.microsoft.com/library/dn458926.aspx). **Note**   Without performing an additional configuration step, the Microsoft User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. 
@@ -348,7 +348,7 @@ Registry – HKEY\_CURRENT\_USER Additionally, we recommend using Microsoft User Experience Virtualization (UE-V) to capture and centralize application settings and Windows operating system settings for a specific user. These settings are then applied to the different computers that are accessed by the user, including desktop computers, laptop computers, and virtual desktop infrastructure (VDI) sessions. -For more information see [Getting Started With User Experience Virtualization 1.0](http://technet.microsoft.com/library/jj680015.aspx) and [Sharing Settings Location Templates with the UE-V Template Gallery](http://technet.microsoft.com/library/jj679972.aspx). +For more information see [Getting Started With User Experience Virtualization 1.0](https://technet.microsoft.com/library/jj680015.aspx) and [Sharing Settings Location Templates with the UE-V Template Gallery](https://technet.microsoft.com/library/jj679972.aspx). ### User Experience Walk-through 
@@ -452,37 +452,37 @@ The following section contains lists with information about Microsoft documentat About NGEN technology -- [How to speed up NGEN optimaztion](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) +- [How to speed up NGEN optimaztion](https://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx) -- [Script](http://aka.ms/DrainNGenQueue) +- [Script](https://aka.ms/DrainNGenQueue) **Windows Server and Server Roles** Server Performance Tuning Guidelines for -- [Microsoft Windows Server 2012 R2](http://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) +- [Microsoft Windows Server 2012 R2](https://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) -- [Microsoft Windows Server 2012](http://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) +- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) -- [Microsoft Windows Server 2008 R2](http://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) +- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) **Server Roles** -- [Remote Desktop Virtualization Host](http://msdn.microsoft.com/library/windows/hardware/dn567643.aspx) +- [Remote Desktop Virtualization Host](https://msdn.microsoft.com/library/windows/hardware/dn567643.aspx) -- [Remote Desktop Session Host](http://msdn.microsoft.com/library/windows/hardware/dn567648.aspx) +- [Remote Desktop Session Host](https://msdn.microsoft.com/library/windows/hardware/dn567648.aspx) -- [IIS Relevance: App-V Management, Publishing, Reporting Web 
Services](http://msdn.microsoft.com/library/windows/hardware/dn567678.aspx) +- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](https://msdn.microsoft.com/library/windows/hardware/dn567678.aspx) -- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](http://technet.microsoft.com/library/jj134210.aspx) +- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](https://technet.microsoft.com/library/jj134210.aspx) **Windows Client (Guest OS) Performance Tuning Guidance** -- [Microsoft Windows 7](http://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) +- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) - [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx) -- [Microsoft Windows 8](http://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) +- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) - [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx) diff --git a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md index 5cf5ae27cc..111265456f 100644 --- a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md +++ b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md 
@@ -21,7 +21,7 @@ Use the following information to plan how to migrate to App-V 5.0 from previous Before you start any upgrades, review the following requirements: -- If you are upgrading from a version earlier than App-V 4.6 SP2, upgrade to version App-V 4.6 SP3 first before upgrading to App-V 5.0 or later. In this scenario, upgrade the App-V clients first, and then upgrade the server components. +- If you are upgrading from a version earlier than App-V 4.6 SP2, upgrade to version App-V 4.6 SP3 first before upgrading to App-V 5.0 or later. In this scenario, upgrade the App-V clients first, and then upgrade the server components. **Note:** App-V 4.6 has exited Mainstream support. - App-V 5.0 supports only packages that are created using App-V 5.0, or packages that have been converted to the App-V 5.0 (**.appv**) format. @@ -74,7 +74,7 @@ To run coexisting clients, you must: - Install the App-V 4.6 client before you install the App-V 5.0 client. -- Enable the **Enable Migration Mode** Group Policy setting, which is in the **App-V** > **Client Coexistence** node. To get the deploy the .admx template, see [How to Download and Deploy MDOP Group Policy (.admx) Templates](http://technet.microsoft.com/library/dn659707.aspx). +- Enable the **Enable Migration Mode** Group Policy setting, which is in the **App-V** > **Client Coexistence** node. To get the deploy the .admx template, see [How to Download and Deploy MDOP Group Policy (.admx) Templates](https://technet.microsoft.com/library/dn659707.aspx). ### Client downloads and documentation @@ -94,7 +94,7 @@ The following table provides link to the TechNet documentation about the release

          App-V 4.6 SP3

          -

          [About Microsoft Application Virtualization 4.6 SP3](http://technet.microsoft.com/library/dn511019.aspx)

          +

          [About Microsoft Application Virtualization 4.6 SP3](https://technet.microsoft.com/library/dn511019.aspx)

          App-V 5.0 SP3

          @@ -109,7 +109,7 @@ For more information about how to configure App-V 5.0 client coexistence, see: - [How to Deploy the App-V 4.6 and the App-V 5.0 Client on the Same Computer](how-to-deploy-the-app-v-46-and-the-app-v--50-client-on-the-same-computer.md) -- [App-V 5.0 Coexistence and Migration](http://technet.microsoft.com/windows/jj835811.aspx) +- [App-V 5.0 Coexistence and Migration](https://technet.microsoft.com/windows/jj835811.aspx) ## Converting “previous-version” packages using the package converter diff --git a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md index 935ab2548a..ccdd275962 100644 --- a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md +++ b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md @@ -21,7 +21,7 @@ Use the following information to plan how to migrate to Microsoft Application Vi Before you start any upgrades, review the following requirements: -- If you are upgrading from a version earlier than App-V 4.6 SP2, upgrade to version App-V 4.6 SP3 first before upgrading to App-V 5.1 or later. In this scenario, upgrade the App-V clients first, and then upgrade the server components. +- If you are upgrading from a version earlier than App-V 4.6 SP2, upgrade to version App-V 4.6 SP3 first before upgrading to App-V 5.1 or later. In this scenario, upgrade the App-V clients first, and then upgrade the server components. **Note:** App-V 4.6 has exited Mainstream support. - App-V 5.1 supports only packages that are created using App-V 5.0 or App-V 5.1, or packages that have been converted to the **.appv** format. 
@@ -74,7 +74,7 @@ To run coexisting clients, you must: - Install the App-V 4.6 client before you install the App-V 5.1 client. -- Enable the **Enable Migration Mode** Group Policy setting, which is in the **App-V** > **Client Coexistence** node. To deploy the .admx template, see [How to Download and Deploy MDOP Group Policy (.admx) Templates](http://technet.microsoft.com/library/dn659707.aspx). +- Enable the **Enable Migration Mode** Group Policy setting, which is in the **App-V** > **Client Coexistence** node. To deploy the .admx template, see [How to Download and Deploy MDOP Group Policy (.admx) Templates](https://technet.microsoft.com/library/dn659707.aspx). **Note**   App-V 5.1 packages can run side by side with App-V 4.6 packages if you have coexisting installations of App-V 5.1 and 4.6. However, App-V 5.1 packages cannot interact with App-V 4.6 packages in the same virtual environment. @@ -99,7 +99,7 @@ The following table provides links to the App-V 4.6 client downloads and to the

          App-V 4.6 SP3

          -

          [About Microsoft Application Virtualization 4.6 SP3](http://technet.microsoft.com/library/dn511019.aspx)

          +

          [About Microsoft Application Virtualization 4.6 SP3](https://technet.microsoft.com/library/dn511019.aspx)

          App-V 4.6 SP3

          @@ -114,7 +114,7 @@ For more information about how to configure App-V 5.1 client coexistence, see: - [How to Deploy the App-V 4.6 and the App-V 5.1 Client on the Same Computer](how-to-deploy-the-app-v-46-and-the-app-v--51-client-on-the-same-computer.md) -- [App-V 5.0 Coexistence and Migration](http://technet.microsoft.com/windows/jj835811.aspx) +- [App-V 5.0 Coexistence and Migration](https://technet.microsoft.com/windows/jj835811.aspx) ## Converting “previous-version” packages using the package converter diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office.md b/mdop/appv-v5/planning-for-using-app-v-with-office.md index bc10c246f9..83ae379e97 100644 --- a/mdop/appv-v5/planning-for-using-app-v-with-office.md +++ b/mdop/appv-v5/planning-for-using-app-v-with-office.md @@ -129,11 +129,11 @@ Before implementing Office coexistence, review the following Office documentatio

          Office 2013

          -

          [Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](http://support.microsoft.com/kb/2784668)

          +

          [Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](https://support.microsoft.com/kb/2784668)

          Office 2010

          -

          [Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](http://support.microsoft.com/kb/2121447)

          +

          [Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](https://support.microsoft.com/kb/2121447)

          @@ -184,7 +184,7 @@ The Windows Installer-based and Click-to-Run Office installation methods integra   -Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://support.microsoft.com/kb/2830069). +Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069). ### Known limitations of Office coexistence scenarios diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office51.md b/mdop/appv-v5/planning-for-using-app-v-with-office51.md index 0413034d8b..12a63c2e9c 100644 --- a/mdop/appv-v5/planning-for-using-app-v-with-office51.md +++ b/mdop/appv-v5/planning-for-using-app-v-with-office51.md @@ -66,11 +66,11 @@ Before implementing Office coexistence, review the following Office documentatio

          Office 2013

          -

          [Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](http://support.microsoft.com/kb/2784668)

          +

          [Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](https://support.microsoft.com/kb/2784668)

          Office 2010

          -

          [Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](http://support.microsoft.com/kb/2121447)

          +

          [Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](https://support.microsoft.com/kb/2121447)

          @@ -121,7 +121,7 @@ The Windows Installer-based and Click-to-Run Office installation methods integra   -Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](http://support.microsoft.com/kb/2830069). +Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069). ### Known limitations of Office coexistence scenarios diff --git a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md index cfabb0ba9f..a1f34fddf2 100644 --- a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md +++ b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md @@ -49,7 +49,7 @@ This topic contains the following sections:
      • Ensure that the following folders are available to each user who logs into the computer that is running the App-V 5.0 SP2 or later client:

          -
        • %AppData% is configured to the desired network location (with or without [Offline Files](http://technet.microsoft.com/library/cc780552.aspx) support).

        • +
        • %AppData% is configured to the desired network location (with or without [Offline Files](https://technet.microsoft.com/library/cc780552.aspx) support).

        • %LocalAppData% is configured to the desired local folder.

      @@ -169,7 +169,7 @@ The following table describes how folder redirection works when %AppData% is red

      More resources

      -

      [Folder redirection overview](http://technet.microsoft.com/library/cc778976.aspx)

      +

      [Folder redirection overview](https://technet.microsoft.com/library/cc778976.aspx)

      diff --git a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md
index be01b37844..83456b984c 100644
--- a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md
+++ b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md
@@ -49,7 +49,7 @@ This topic contains the following sections:
    • Ensure that the following folders are available to each user who logs into the computer that is running the App-V 5.0 SP2 or later client:

        -
      • %AppData% is configured to the desired network location (with or without [Offline Files](http://technet.microsoft.com/library/cc780552.aspx) support).

      • +
      • %AppData% is configured to the desired network location (with or without [Offline Files](https://technet.microsoft.com/library/cc780552.aspx) support).

      • %LocalAppData% is configured to the desired local folder.

    • @@ -169,7 +169,7 @@ The following table describes how folder redirection works when %AppData% is red

      More resources

      -

      [Folder redirection overview](http://technet.microsoft.com/library/cc778976.aspx)

      +

      [Folder redirection overview](https://technet.microsoft.com/library/cc778976.aspx)

      diff --git a/mdop/appv-v5/release-notes-for-app-v-50-sp3.md b/mdop/appv-v5/release-notes-for-app-v-50-sp3.md index 8f37aafe6b..2fcfd69810 100644 --- a/mdop/appv-v5/release-notes-for-app-v-50-sp3.md +++ b/mdop/appv-v5/release-notes-for-app-v-50-sp3.md @@ -32,9 +32,9 @@ The issue occurs because the Server files are not being deleted when you uninsta ## Querying AD DS can cause some applications to work incorrectly -When you receive updated packages by querying Active Directory Domain Services for updated group memberships, it can cause some applications to work incorrectly if the applications depend on the user’s access token. In addition, frequent group membership queries can cause the domain controller to overload. For more information about user access tokens, see [Access Tokens](http://msdn.microsoft.com/library/windows/desktop/aa374909.aspx). +When you receive updated packages by querying Active Directory Domain Services for updated group memberships, it can cause some applications to work incorrectly if the applications depend on the user’s access token. In addition, frequent group membership queries can cause the domain controller to overload. For more information about user access tokens, see [Access Tokens](https://msdn.microsoft.com/library/windows/desktop/aa374909.aspx). -**Workaround**: Wait until the user logs off and then logs back on before you query for updated group memberships. Do not use the registry key, described in [Hotfix Package 2 for Microsoft Application Virtualization 5.0 Service Pack 1](http://support.microsoft.com/kb/2897087), to query for updated group memberships. +**Workaround**: Wait until the user logs off and then logs back on before you query for updated group memberships. Do not use the registry key, described in [Hotfix Package 2 for Microsoft Application Virtualization 5.0 Service Pack 1](https://support.microsoft.com/kb/2897087), to query for updated group memberships. ## Got a suggestion for App-V? 
diff --git a/mdop/dart-v8/about-dart-81.md b/mdop/dart-v8/about-dart-81.md index 6c1d8eeaca..ba9aa61695 100644 --- a/mdop/dart-v8/about-dart-81.md +++ b/mdop/dart-v8/about-dart-81.md @@ -58,7 +58,7 @@ Microsoft Diagnostics and Recovery Toolset (DaRT) 8.1 provides the following enh   - To download Windows ADK 8.1, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1](http://www.microsoft.com/download/details.aspx?id=39982) in the Microsoft Download Center. + To download Windows ADK 8.1, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1](https://www.microsoft.com/download/details.aspx?id=39982) in the Microsoft Download Center. - **Microsoft .NET Framework 4.5.1** @@ -68,7 +68,7 @@ Microsoft Diagnostics and Recovery Toolset (DaRT) 8.1 provides the following enh To use the Crash Analyzer tool in DaRT 8.1, you need the required debugging tools, which are available in the Software Development Kit for Windows 8.1. - To download, see [Windows Software Development Kit (SDK) for Windows 8.1](http://msdn.microsoft.com/library/windows/desktop/bg162891.aspx) in the Microsoft Download Center. + To download, see [Windows Software Development Kit (SDK) for Windows 8.1](https://msdn.microsoft.com/library/windows/desktop/bg162891.aspx) in the Microsoft Download Center. ## Language availability diff --git a/mdop/index.md b/mdop/index.md index ef4167770e..757a88fd9a 100644 --- a/mdop/index.md +++ b/mdop/index.md 
@@ -163,11 +163,11 @@ In addition to the product documentation available online, supplemental product MDOP is a suite of products that can help streamline desktop deployment, management, and support across the enterprise. MDOP is available as an additional subscription for Software Assurance customers. -**Download MDOP** +**Download MDOP** MDOP subscribers can download the software at the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331). -**Purchase MDOP** -Visit the enterprise [Purchase Windows Enterprise Licensing](http://www.microsoft.com/windows/enterprise/how-to-buy.aspx) website to find out how to purchase MDOP for your business. +**Purchase MDOP** +Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/windows/enterprise/how-to-buy.aspx) website to find out how to purchase MDOP for your business.   diff --git a/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md b/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md index 8b32b75d9e..23cbf71a1e 100644 --- a/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md +++ b/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md @@ -38,7 +38,7 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o   -5. For specific steps about how and where to install the templates, see [How to Download and Deploy MDOP Group Policy (.admx) Templates](http://technet.microsoft.com/library/dn659707.aspx). +5. For specific steps about how and where to install the templates, see [How to Download and Deploy MDOP Group Policy (.admx) Templates](https://technet.microsoft.com/library/dn659707.aspx). 6. After the Microsoft BitLocker Administration and Monitoring Setup wizard displays installation pages for the selected features, click **Finish** to close MBAM Setup. 
diff --git a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md index 735cf97bab..113fd20178 100644 --- a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md @@ -87,9 +87,9 @@ Microsoft Error Reporting is not turned on or off by MBAM. MBAM will utilize wha Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the PC. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied. -Important Information: Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their PCs. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available on [TechNet](http://technet.microsoft.com/library/cc709644.aspx). +Important Information: Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their PCs. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available on [TechNet](https://technet.microsoft.com/library/cc709644.aspx). -Additional information on how to modify enable and disable error reporting is available at this support article: [(http://support.microsoft.com/kb/188296)](http://support.microsoft.com/kb/188296). +Additional information on how to modify enable and disable error reporting is available at this support article: [(http://support.microsoft.com/kb/188296)](https://support.microsoft.com/kb/188296). ### Microsoft Update 
diff --git a/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md b/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md index 4854c11fbb..098ae2f798 100644 --- a/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md @@ -59,9 +59,9 @@ END EXEC dbo.sp_add_job @job_name = N'CreateCache', @enabled = 1; - + EXEC dbo.sp_add_jobstep - @job_name = N'CreateCache', + @job_name = N'CreateCache', @step_name = N'Copy Data', @subsystem = N'TSQL', @command = N'EXEC [ComplianceCore].UpdateCache', @@ -69,52 +69,52 @@ EXEC dbo.sp_add_jobstep @retry_attempts = 5, @retry_interval = 5; - + EXEC dbo.sp_add_jobschedule - @job_name = N'CreateCache', + @job_name = N'CreateCache', @name = N'ReportCacheSchedule1am', @freq_type = 4, @freq_interval = 1, @active_start_time = 010000, @active_end_time = 020000; -EXEC dbo.sp_attach_schedule +EXEC dbo.sp_attach_schedule @job_name = N'CreateCache', @schedule_name = N'ReportCacheSchedule1am'; EXEC dbo.sp_add_jobschedule - @job_name = N'CreateCache', + @job_name = N'CreateCache', @name = N'ReportCacheSchedule7am', @freq_type = 4, @freq_interval = 1, @active_start_time = 070000, @active_end_time = 080000; -EXEC dbo.sp_attach_schedule +EXEC dbo.sp_attach_schedule @job_name = N'CreateCache', @schedule_name = N'ReportCacheSchedule7am'; EXEC dbo.sp_add_jobschedule - @job_name = N'CreateCache', + @job_name = N'CreateCache', @name = N'ReportCacheSchedule1pm', @freq_type = 4, @freq_interval = 1, @active_start_time = 130000, @active_end_time = 140000; -EXEC dbo.sp_attach_schedule +EXEC dbo.sp_attach_schedule @job_name = N'CreateCache', @schedule_name = N'ReportCacheSchedule1pm'; EXEC dbo.sp_add_jobschedule - @job_name = N'CreateCache', + @job_name = N'CreateCache', @name = N'ReportCacheSchedule7pm', @freq_type = 4, @freq_interval = 1, @active_start_time = 190000, @active_end_time = 200000; -EXEC dbo.sp_attach_schedule +EXEC dbo.sp_attach_schedule @job_name = N'CreateCache', @schedule_name = N'ReportCacheSchedule7pm'; 
@@ -196,82 +196,82 @@ This section contains hotfixes and KB articles for MBAM 2.0.

      2831166

      Installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 fails with "System Center CM Objects Already Installed"

      -

      [support.microsoft.com/kb/2831166/EN-US](http://support.microsoft.com/kb/2831166/EN-US)

      +

      [support.microsoft.com/kb/2831166/EN-US](https://support.microsoft.com/kb/2831166/EN-US)

      2870849

      Users cannot retrieve BitLocker Recovery key using MBAM 2.0 Self Service Portal

      -

      [support.microsoft.com/kb/2870849/EN-US](http://support.microsoft.com/kb/2870849/EN-US)

      +

      [support.microsoft.com/kb/2870849/EN-US](https://support.microsoft.com/kb/2870849/EN-US)

      2756402

      MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description

      -

      [support.microsoft.com/kb/2756402/EN-US](http://support.microsoft.com/kb/2756402/EN-US)

      +

      [support.microsoft.com/kb/2756402/EN-US](https://support.microsoft.com/kb/2756402/EN-US)

      2620287

      Error Message “Server Error in ‘/Reports’ Application” When You Click Reports Tab in MBAM

      -

      [support.microsoft.com/kb/2620287/EN-US](http://support.microsoft.com/kb/2620287/EN-US)

      +

      [support.microsoft.com/kb/2620287/EN-US](https://support.microsoft.com/kb/2620287/EN-US)

      2639518

      Error opening Enterprise or Computer Compliance Reports in MBAM

      -

      [support.microsoft.com/kb/2639518/EN-US](http://support.microsoft.com/kb/2639518/EN-US)

      +

      [support.microsoft.com/kb/2639518/EN-US](https://support.microsoft.com/kb/2639518/EN-US)

      2620269

      MBAM Enterprise Reporting Not Getting Updated

      -

      [support.microsoft.com/kb/2620269/EN-US](http://support.microsoft.com/kb/2620269/EN-US)

      +

      [support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)

      2712461

      Installing MBAM on a Domain Controller is not supported

      -

      [support.microsoft.com/kb/2712461/EN-US](http://support.microsoft.com/kb/2712461/EN-US)

      +

      [support.microsoft.com/kb/2712461/EN-US](https://support.microsoft.com/kb/2712461/EN-US)

      2876732

      You receive error code 0x80071a90 during Standalone or Configuration Manager Integration setup of MBAM 2.0

      -

      [support.microsoft.com/kb/2876732/EN-US](http://support.microsoft.com/kb/2876732/EN-US)

      +

      [support.microsoft.com/kb/2876732/EN-US](https://support.microsoft.com/kb/2876732/EN-US)

      2754259

      MBAM and Secure Network Communication

      -

      [support.microsoft.com/kb/2754259/EN-US](http://support.microsoft.com/kb/2754259/EN-US)

      +

      [support.microsoft.com/kb/2754259/EN-US](https://support.microsoft.com/kb/2754259/EN-US)

      2870842

      MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008

      -

      [support.microsoft.com/kb/2870842/EN-US](http://support.microsoft.com/kb/2870842/EN-US)

      +

      [support.microsoft.com/kb/2870842/EN-US](https://support.microsoft.com/kb/2870842/EN-US)

      2668533

      MBAM Setup fails if SQL SSRS is not configured properly

      -

      [support.microsoft.com/kb/2668533/EN-US](http://support.microsoft.com/kb/2668533/EN-US)

      +

      [support.microsoft.com/kb/2668533/EN-US](https://support.microsoft.com/kb/2668533/EN-US)

      2870847

      MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"

      -

      [support.microsoft.com/kb/2870847/EN-US](http://support.microsoft.com/kb/2870847/EN-US)

      +

      [support.microsoft.com/kb/2870847/EN-US](https://support.microsoft.com/kb/2870847/EN-US)

      2870839

      MBAM 2.0 Enterprise Reports are not refreshed in MBAM 2.0 Standalone topology due to SQL job CreateCache failure

      -

      [support.microsoft.com/kb/2870839/EN-US](http://support.microsoft.com/kb/2870839/EN-US)

      +

      [support.microsoft.com/kb/2870839/EN-US](https://support.microsoft.com/kb/2870839/EN-US)

      2620269

      MBAM Enterprise Reporting Not Getting Updated

      -

      [support.microsoft.com/kb/2620269/EN-US](http://support.microsoft.com/kb/2620269/EN-US)

      +

      [support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)

      2935997

      MBAM Supported Computers compliance reporting incorrectly includes unsupported products

      -

      [support.microsoft.com/kb/2935997/EN-US](http://support.microsoft.com/kb/2935997/EN-US)

      +

      [support.microsoft.com/kb/2935997/EN-US](https://support.microsoft.com/kb/2935997/EN-US)

      2612822

      Computer Record is Rejected in MBAM

      -

      [support.microsoft.com/kb/2612822/EN-US](http://support.microsoft.com/kb/2612822/EN-US)

      +

      [support.microsoft.com/kb/2612822/EN-US](https://support.microsoft.com/kb/2612822/EN-US)

      diff --git a/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md b/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md index 9308bed407..2dd39e48fb 100644 --- a/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md +++ b/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md @@ -144,82 +144,82 @@ This section contains hotfixes and KB articles for MBAM 2.0 SP1.

      2831166

      Installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 fails with "System Center CM Objects Already Installed"

      -

      [support.microsoft.com/kb/2831166/EN-US](http://support.microsoft.com/kb/2831166/EN-US)

      +

      [support.microsoft.com/kb/2831166/EN-US](https://support.microsoft.com/kb/2831166/EN-US)

      2870849

      Users cannot retrieve BitLocker Recovery key using MBAM 2.0 Self Service Portal

      -

      [support.microsoft.com/kb/2870849/EN-US](http://support.microsoft.com/kb/2870849/EN-US)

      +

      [support.microsoft.com/kb/2870849/EN-US](https://support.microsoft.com/kb/2870849/EN-US)

      2756402

      MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description

      -

      [support.microsoft.com/kb/2756402/EN-US](http://support.microsoft.com/kb/2756402/EN-US)

      +

      [support.microsoft.com/kb/2756402/EN-US](https://support.microsoft.com/kb/2756402/EN-US)

      2620287

      Error Message “Server Error in ‘/Reports’ Application” When You Click Reports Tab in MBAM

      -

      [support.microsoft.com/kb/2620287/EN-US](http://support.microsoft.com/kb/2620287/EN-US)

      +

      [support.microsoft.com/kb/2620287/EN-US](https://support.microsoft.com/kb/2620287/EN-US)

      2639518

      Error opening Enterprise or Computer Compliance Reports in MBAM

      -

      [support.microsoft.com/kb/2639518/EN-US](http://support.microsoft.com/kb/2639518/EN-US)

      +

      [support.microsoft.com/kb/2639518/EN-US](https://support.microsoft.com/kb/2639518/EN-US)

      2620269

      MBAM Enterprise Reporting Not Getting Updated

      -

      [support.microsoft.com/kb/2620269/EN-US](http://support.microsoft.com/kb/2620269/EN-US)

      +

      [support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)

      2712461

      Installing MBAM on a Domain Controller is not supported

      -

      [support.microsoft.com/kb/2712461/EN-US](http://support.microsoft.com/kb/2712461/EN-US)

      +

      [support.microsoft.com/kb/2712461/EN-US](https://support.microsoft.com/kb/2712461/EN-US)

      2876732

      You receive error code 0x80071a90 during Standalone or Configuration Manager Integration setup of MBAM 2.0

      -

      [support.microsoft.com/kb/2876732/EN-US](http://support.microsoft.com/kb/2876732/EN-US)

      +

      [support.microsoft.com/kb/2876732/EN-US](https://support.microsoft.com/kb/2876732/EN-US)

      2754259

      MBAM and Secure Network Communication

      -

      [support.microsoft.com/kb/2754259/EN-US](http://support.microsoft.com/kb/2754259/EN-US)

      +

      [support.microsoft.com/kb/2754259/EN-US](https://support.microsoft.com/kb/2754259/EN-US)

      2870842

      MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008

      -

      [support.microsoft.com/kb/2870842/EN-US](http://support.microsoft.com/kb/2870842/EN-US)

      +

      [support.microsoft.com/kb/2870842/EN-US](https://support.microsoft.com/kb/2870842/EN-US)

      2668533

      MBAM Setup fails if SQL SSRS is not configured properly

      -

      [support.microsoft.com/kb/2668533/EN-US](http://support.microsoft.com/kb/2668533/EN-US)

      +

      [support.microsoft.com/kb/2668533/EN-US](https://support.microsoft.com/kb/2668533/EN-US)

      2870847

      MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"

      -

      [support.microsoft.com/kb/2870847/EN-US](http://support.microsoft.com/kb/2870847/EN-US)

      +

      [support.microsoft.com/kb/2870847/EN-US](https://support.microsoft.com/kb/2870847/EN-US)

      2870839

      MBAM 2.0 Enterprise Reports are not refreshed in MBAM 2.0 Standalone topology due to SQL job CreateCache failure

      -

      [support.microsoft.com/kb/2870839/EN-US](http://support.microsoft.com/kb/2870839/EN-US)

      +

      [support.microsoft.com/kb/2870839/EN-US](https://support.microsoft.com/kb/2870839/EN-US)

      2620269

      MBAM Enterprise Reporting Not Getting Updated

      -

      [support.microsoft.com/kb/2620269/EN-US](http://support.microsoft.com/kb/2620269/EN-US)

      +

      [support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)

      2935997

      MBAM Supported Computers compliance reporting incorrectly includes unsupported products

      -

      [support.microsoft.com/kb/2935997/EN-US](http://support.microsoft.com/kb/2935997/EN-US)

      +

      [support.microsoft.com/kb/2935997/EN-US](https://support.microsoft.com/kb/2935997/EN-US)

      2612822

      Computer Record is Rejected in MBAM

      -

      [support.microsoft.com/kb/2612822/EN-US](http://support.microsoft.com/kb/2612822/EN-US)

      +

      [support.microsoft.com/kb/2612822/EN-US](https://support.microsoft.com/kb/2612822/EN-US)

      diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index 0fdf152e67..7ca9dcb801 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -8,14 +8,16 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 5/30/2018 +ms.date: 8/30/2018 +ms.author: pashort +author: shortpatti --- # Applying hotfixes on MBAM 2.5 SP1 This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 -[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126) +[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=57157) #### Steps to update the MBAM Server for existing MBAM environment 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features). diff --git a/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md b/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md index cd19e01e59..b44f1f559e 100644 --- a/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md +++ b/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md @@ -104,7 +104,7 @@ To evaluate MBAM by using the Stand-alone topology, use the information in the f ``` ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] "NoStartupDelay"=dword:00000001 ``` @@ -177,7 +177,7 @@ To evaluate MBAM by using the Configuration Manager Integration topology, use th

      Install the MBAM Server software on each server where you want to configure an MBAM Server feature.

      Note   -

      You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](http://technet.microsoft.com/library/ee210546.aspx).

      +

      You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](https://technet.microsoft.com/library/ee210546.aspx).

        @@ -220,7 +220,7 @@ To evaluate MBAM by using the Configuration Manager Integration topology, use th ``` ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] "NoStartupDelay"=dword:00000001 ``` @@ -315,7 +315,7 @@ To evaluate MBAM by using the Configuration Manager Integration topology, follow

      Install the MBAM Server software on each server where you want to configure an MBAM Server feature.

      Note   -

      You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](http://technet.microsoft.com/library/ee210546.aspx).

      +

      You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](https://technet.microsoft.com/library/ee210546.aspx).

        @@ -358,7 +358,7 @@ To evaluate MBAM by using the Configuration Manager Integration topology, follow ``` ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] "NoStartupDelay"=dword:00000001 ``` @@ -401,7 +401,7 @@ To evaluate MBAM by using the Configuration Manager Integration topology, follow   ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). +- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/getting-started-with-mbam-25.md b/mdop/mbam-v25/getting-started-with-mbam-25.md index 3513df82f6..a7ba39d226 100644 --- a/mdop/mbam-v25/getting-started-with-mbam-25.md +++ b/mdop/mbam-v25/getting-started-with-mbam-25.md @@ -20,8 +20,6 @@ See the following resources for additional MBAM documentation: - [Microsoft BitLocker Administration and Monitoring Deployment Guide](https://go.microsoft.com/fwlink/?LinkId=396653) -- [Microsoft Training Overview](https://go.microsoft.com/fwlink/p/?LinkId=80347) - Before you deploy MBAM to a production environment, we recommend that you validate your deployment plan in a test environment. ## Getting started with MBAM 2.5 diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md index 41afc5d8a5..3e9aff0890 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md 
@@ -7,12 +7,12 @@ ms.pagetype: mdop, security ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 -ms.date: 07/18/2017 +ms.date: 08/23/2018 +ms.author: pashort --- -# High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology - +# High-level architecture of MBAM 2.5 with Configuration Manager Integration topology This topic describes the recommended architecture for deploying Microsoft BitLocker Administration and Monitoring (MBAM) with the Configuration Manager Integration topology. This topology integrates MBAM with System Center Configuration Manager. To deploy MBAM with the Stand-alone topology, see [High-Level Architecture of MBAM 2.5 with Stand-alone Topology](high-level-architecture-of-mbam-25-with-stand-alone-topology.md). @@ -54,7 +54,7 @@ The recommended number of servers and supported number of clients in a productio   -## Differences between Configuration Manager Integration and Stand-alone topologies +## Differences between Configuration Manager Integration and stand-alone topologies The main differences between the topologies are: @@ -70,15 +70,15 @@ The following diagram and table describe the recommended high-level architecture ![mbam2\-5](images/mbam2-5-cmserver.png) -### Database Server +### Database server -#### Recovery Database +#### Recovery database This feature is configured on a computer running Windows Server and supported SQL Server instance. The **Recovery Database** stores recovery data that is collected from MBAM Client computers. -#### Audit Database +#### Audit database This feature is configured on a computer running Windows Server and supported SQL Server instance. 
@@ -90,7 +90,7 @@ This feature is configured on a computer running Windows Server and supported SQ The **Reports** provide recovery audit data for the client computers in your enterprise. You can view reports from the Configuration Manager console or directly from SQL Server Reporting Services. -### Configuration Manager Primary Site Server +### Configuration Manager primary site server System Center Configuration Manager Integration feature @@ -102,19 +102,19 @@ System Center Configuration Manager Integration feature - The **Configuration Manager console** must be installed on the same computer on which you install the MBAM Server software. -### Administration and Monitoring Server +### Administration and monitoring server -#### Administration and Monitoring Website +#### Administration and monitoring website This feature is configured on a computer running Windows Server. -The **Administration and Monitoring Website** is used to: +The **Administration and monitoring website** is used to: - Help end users regain access to their computers when they are locked out. (This area of the Website is commonly called the Help Desk.) - View the Recovery Audit Report, which shows recovery activity for client computers. Other reports are viewed from the Configuration Manager console. -#### Self-Service Portal +#### Self-service portal This feature is configured on a computer running Windows Server. @@ -126,21 +126,19 @@ This feature is installed on a computer running Windows Server. The **monitoring web services** are used by the MBAM Client and the websites to communicate to the database. -**Important**   -The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. +**Important**
      The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database.   -### Management Workstation +### Management workstation -#### MBAM Group Policy Templates +#### MBAM group policy templates - The **MBAM Group Policy Templates** are Group Policy settings that define implementation settings for MBAM, which enable you to manage BitLocker drive encryption. - Before you run MBAM, you must download the Group Policy Templates from [How to Get MDOP Group Policy (.admx) Templates](https://go.microsoft.com/fwlink/p/?LinkId=393941) and copy them to a server or workstation that is running a supported Windows Server or Windows operating system. - **Note**   - The workstation does not have to be a dedicated computer. + **NOTE**
      The workstation does not have to be a dedicated computer.   diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md index c494392cfe..1287ee6b02 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md @@ -109,7 +109,7 @@ This feature is configured on a computer running Windows Server. The **monitoring web services** are used by the MBAM Client and the websites to communicate to the database. **Important**   -The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. +The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database.   diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md index af16424434..151b5e2b55 100644 --- a/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md +++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md @@ -55,7 +55,7 @@ The instructions are based on the recommended architecture in [High-Level Archit

      Install the MBAM Server software on each server where you plan to configure an MBAM Server feature.

      Note   -

      You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](http://technet.microsoft.com/library/ee210546.aspx).

      +

      You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](https://technet.microsoft.com/library/ee210546.aspx).

        @@ -230,7 +230,7 @@ The instructions are based on the recommended architecture in [High-Level Archit   ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). +- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index 79cc189aaa..9cbd497eb0 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md 
@@ -44,10 +44,10 @@ This topic explains how to enable BitLocker on an end user's computer by using M - Optionally encrypt FDDs - - Escrow TPM OwnerAuth - For Windows 7, MBAM must own the TPM for escrow to occur. - For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported. - For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. + - Escrow TPM OwnerAuth + For Windows 7, MBAM must own the TPM for escrow to occur. + For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported. + For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. - Escrow recovery keys and recovery key packages 
@@ -63,10 +63,10 @@ This topic explains how to enable BitLocker on an end user's computer by using M **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. - **MBAM\_Machine WMI Class** + **MBAM\_Machine WMI Class** **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. - **Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. + **Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. | Parameter | Description | | -------- | ----------- | 
@@ -91,13 +91,13 @@ Here are a list of common error messages: | **WS_E_INVALID_ENDPOINT_URL** 2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | **ReportStatus:** Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting. - + | Parameter | Description | | --------- | ----------- | | ReportingServiceEndPoint | A string specifying the MBAM status reporting service endpoint. | - + Here are a list of common error messages: - + | Common return values | Error message | | -------------------- | ------------- | | **S_OK**
      0 (0x0) | The method was successful | @@ -108,20 +108,20 @@ Here are a list of common error messages: | **WS_E_ENDPOINT_FAULT_RECEIVED**
      2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | | **WS_E_INVALID_ENDPOINT_URL**
      2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | - **MBAM\_Volume WMI Class** + **MBAM\_Volume WMI Class** **EscrowRecoveryKey:** Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting. - + | Parameter | Description | | --------- | ----------- | | RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | - + Here are a list of common error messages: - + | Common return values | Error message | | -------------------- | ------------- | | **S_OK**
      0 (0x0) | The method was successful | | **FVE_E_LOCKED_VOLUME**
      2150694912 (0x80310000) | The volume is locked. | - | **FVE_E_PROTECTOR_NOT_FOUND**
      2150694963 (0x80310033) | A Numerical Password protector was not found for the volume. | + | **FVE_E_PROTECTOR_NOT_FOUND**
      2150694963 (0x80310033) | A Numerical Password protector was not found for the volume. | | **WS_E_ENDPOINT_ACCESS_DENIED**
      2151481349 (0x803D0005) | Access was denied by the remote endpoint. | | **WS_E_ENDPOINT_NOT_FOUND**
      2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | | **WS_E_ENDPOINT_FAILURE**
      2151481357 (0x803D000F) | The remote endpoint could not process the request. | @@ -139,7 +139,7 @@ Here are a list of common error messages: **Caution**   If you are using BitLocker pre-provisioning (WinPE) and want to maintain the TPM owner authorization value, you must add the `SaveWinPETpmOwnerAuth.wsf` script in WinPE immediately before the installation reboots into the full operating system. **If you do not use this script, you will lose the TPM owner authorization value on reboot.** - + 2. Copy `Invoke-MbamClientDeployment.ps1` to **<DeploymentShare>\\Scripts**. If you are using pre-provisioning, copy the `SaveWinPETpmOwnerAuth.wsf` file into **<DeploymentShare>\\Scripts**. 3. Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share. @@ -178,8 +178,8 @@ Here are a list of common error messages: 3. Name the step **Persist TPM OwnerAuth** - 4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"` - **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. + 4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"` + **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. 3. In the **State Restore** folder, delete the **Enable BitLocker** task. 
@@ -279,7 +279,7 @@ Here are a list of common error messages: **Note**   You can set Group Policy settings or registry values related to MBAM here. These settings will override previously set values. - + Registry entry Configuration settings @@ -329,5 +329,5 @@ Here are a list of common error messages: [Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md) ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). +- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). \ No newline at end of file diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md index 2a97dc6cbb..518233e7db 100644 --- a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md +++ b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md @@ -38,7 +38,7 @@ Restore the databases FIRST, then run the MBAM Configuration Wizard, choose the 5. Self-Service Portal >[!Note] ->To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions. +>To run the example Windows PowerShell scripts provided in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](https://technet.microsoft.com/library/ee176949.aspx) for instructions. ## Move the Recovery Database 
@@ -69,7 +69,7 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring" ``` ->[!NOTE] +>[!NOTE] >To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. ### Back up the Recovery Database on Server A @@ -80,47 +80,47 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring" ``` USE master; - + GO - + ALTER DATABASE "MBAM Recovery and Hardware" - + SET RECOVERY FULL; - + GO - + -- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices. - + USE master - + GO - + EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device', - + 'Z:\MBAM Recovery Database Data.bak'; - + GO - + -- Back up the full MBAM Recovery Database. - + BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device]; - + GO - + BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate] - + TO FILE = 'Z:\SQLServerInstanceCertificateFile' - + WITH PRIVATE KEY - + ( - + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - + ENCRYPTION BY PASSWORD = '$PASSWORD$' - + ); - + GO ``` @@ -235,7 +235,7 @@ Use the information in the following table to replace the values in the code exa 2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites. -3. Edit the following registry key: +3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString** 
@@ -293,11 +293,11 @@ On the server that is running the Administration and Monitoring Website, use the To automate this procedure, you can use Windows PowerShell to run a command that is similar to the following: -```powershell +```powershell Start-Website "Microsoft BitLocker Administration and Monitoring" ``` ->[!NOTE] +>[!NOTE] >To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. ## Move the Compliance and Audit Database @@ -330,7 +330,7 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring" ``` ->[!NOTE] +>[!NOTE] >To run this command, you must add the Internet Information Services (IIS) module for Windows PowerShell to the current instance of Windows PowerShell. ### Back up the Compliance and Audit Database on Server A @@ -398,7 +398,7 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring" |----------------------|---------------------------------------------------------------| | $SERVERNAME$ | Name of the server to which the files will be copied. | | $DESTINATIONSHARE$ | Name of the share and path to which the files will be copied. | - + ### Restore the Compliance and Audit Database on Server B @@ -447,7 +447,7 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring" 2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website. -3. Edit the following registry key: +3. Edit the following registry key: **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString** @@ -463,7 +463,7 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring" Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f ``` - >[!NOTE] + >[!NOTE] >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. 
@@ -476,7 +476,7 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring"
 ### Install MBAM Server software and run the MBAM Server Configuration wizard on Server B
-1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software).
+1. Install the MBAM 2.5 Server software on Server B. For details, see [Installing the MBAM 2.5 Server Software](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/installing-the-mbam-25-server-software).
 2. On Server B, start the MBAM Server Configuration wizard, click **Add New Features**, and then select only the **Compliance and Audit Database** feature. For details on how to configure the databases, see [How to Configure the MBAM 2.5 Databases](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-configure-the-mbam-25-databases).
@@ -495,5 +495,5 @@ Start-Website "Microsoft BitLocker Administration and Monitoring"
 ```
->[!NOTE]
+>[!NOTE]
 >To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell.
diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md b/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md
index bc5fa5a455..980c43f797 100644
--- a/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md
+++ b/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md
@@ -27,7 +27,7 @@ The high-level steps for moving the Reports feature are: 4. Resume the instance of the MBAM Administration and Monitoring Website. **Note**   
-To run the example Windows PowerShell scripts in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](http://technet.microsoft.com/library/ee176949.aspx) for instructions.
+To run the example Windows PowerShell scripts in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](https://technet.microsoft.com/library/ee176949.aspx) for instructions.   
@@ -130,7 +130,7 @@ To run the example Windows PowerShell scripts in this topic, you must update the   
 ## Got a suggestion for MBAM?
-- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
 - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).   
diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md
index 84fc7c8df0..9e5c96e03d 100644
--- a/mdop/mbam-v25/index.md
+++ b/mdop/mbam-v25/index.md
@@ -18,25 +18,25 @@ Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplifi To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). -[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) +[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) [About MBAM 2.5](about-mbam-25.md)**|**[Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)**|**[About MBAM 2.5 SP1](about-mbam-25-sp1.md)**|**[Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md)**|**[Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)**|**[High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)**|**[Accessibility for MBAM 2.5](accessibility-for-mbam-25.md) -[Planning for MBAM 2.5](planning-for-mbam-25.md) +[Planning for MBAM 2.5](planning-for-mbam-25.md) [Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md)**|**[MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)**|**[Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)**|**[Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)**|**[Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)**|**[Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)**|**[MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)**|**[Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)**|**[MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)**|**[MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md) -[Deploying MBAM 2.5](deploying-mbam-25.md) +[Deploying MBAM 2.5](deploying-mbam-25.md) [Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)**|**[Deploying MBAM 2.5 Group Policy 
Objects](deploying-mbam-25-group-policy-objects.md)**|**[Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)**|**[MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)**|**[Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)**|**[Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md) -[Operations for MBAM 2.5](operations-for-mbam-25.md) +[Operations for MBAM 2.5](operations-for-mbam-25.md) [Administering MBAM 2.5 Features](administering-mbam-25-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md)**|**[Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)**|**[Maintaining MBAM 2.5](maintaining-mbam-25.md)**|**[Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md) -[Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md) +[Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md) -[Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md) +[Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md) [Client Event Logs](client-event-logs.md)**|**[Server Event Logs](server-event-logs.md) 
@@ -54,16 +54,16 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin
 Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447).
-- [MBAM Deployment Guide](http://www.microsoft.com/download/details.aspx?id=38398)
+- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398)
 Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method.
 - [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md)
 Guide of how to apply MBAM 2.5 SP1 Server hotfixes
-
+
 ## Got a suggestion for MBAM?
-- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
 - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).   
diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md
index 3f10ae0da3..bf45fa3815 100644
--- a/mdop/mbam-v25/mbam-25-security-considerations.md
+++ b/mdop/mbam-v25/mbam-25-security-considerations.md
@@ -32,7 +32,7 @@ This topic contains the following information about how to secure Microsoft BitL
 ## Configure MBAM to escrow the TPM and store OwnerAuth passwords
-**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
+**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addition, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
 Depending on its configuration, the Trusted Platform Module (TPM) will lock itself in certain situations ─ such as when too many incorrect passwords are entered ─ and can remain locked for a period of time. During TPM lockout, BitLocker cannot access the encryption keys to perform unlock or decryption operations, requiring the user to enter their BitLocker recovery key to access the operating system drive. To reset TPM lockout, you must provide the TPM OwnerAuth password.
@@ -40,7 +40,7 @@ MBAM can store the TPM OwnerAuth password in the MBAM database if it owns the TP
 ### Escrowing TPM OwnerAuth in Windows 8 and higher
-**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
+**Note** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.
 In Windows 8 or higher, MBAM no longer must own the TPM to store the OwnerAuth password, as long as the OwnerAuth is available on the local machine.
@@ -229,7 +229,7 @@ TPM lockout auto reset is only supported on computers running TPM version 1.2. T
 ## Secure connections to SQL Server
-In MBAM, SQL Server communicates with SQL Server Reporting Services and with the web services for the Administration and Monitoring Website and Self-Service Portal. We recommend that you secure the communication with SQL Server. For more information, see [Encrypting Connections to SQL Server](http://technet.microsoft.com/library/ms189067.aspx).
+In MBAM, SQL Server communicates with SQL Server Reporting Services and with the web services for the Administration and Monitoring Website and Self-Service Portal. We recommend that you secure the communication with SQL Server. For more information, see [Encrypting Connections to SQL Server](https://technet.microsoft.com/library/ms189067.aspx).
 For more information about securing the MBAM websites, see [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md).
@@ -282,7 +282,7 @@ When TDE is enabled on a database, all backups are encrypted. Thus, special care
 Back up the certificate with the database. Each certificate backup should have two files. Both of these files should be archived. Ideally for security, they should be backed up separately from the database backup file. You can alternatively consider using the extensible key management (EKM) feature (see Extensible Key Management) for storage and maintenance of keys that are used for TDE.
-For an example of how to enable TDE for MBAM database instances, see [Understanding Transparent Data Encryption (TDE)](http://technet.microsoft.com/library/bb934049.aspx).
+For an example of how to enable TDE for MBAM database instances, see [Understanding Transparent Data Encryption (TDE)](https://technet.microsoft.com/library/bb934049.aspx).
 ## Understand general security considerations
@@ -293,7 +293,7 @@ For an example of how to enable TDE for MBAM database instances, see [Understand
 **Apply the most recent security updates to all computers**. Stay informed about new updates for Windows operating systems, SQL Server, and MBAM by subscribing to the Security Notification service at the [Security TechCenter](https://go.microsoft.com/fwlink/?LinkId=28819).
-**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all MBAM administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](http://technet.microsoft.com/library/hh994572.aspx).
+**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all MBAM administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](https://technet.microsoft.com/library/hh994572.aspx).
@@ -304,7 +304,7 @@ For an example of how to enable TDE for MBAM database instances, see [Understand   
 ## Got a suggestion for MBAM?
-- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
 - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).   
diff --git a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
index 5d73f5edf1..0dc592b269 100644
--- a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
+++ b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
@@ -292,7 +292,7 @@ The following table lists the installation prerequisites for the MBAM Administra

      Service Principal Name (SPN)

      The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

      -

      If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](http://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs.

      +

      If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](https://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs.

      If you do not have administrative rights to create SPNs, you must ask the Active Directory administrators in your organization to create the SPN for you by using the following command.

      Setspn -s http/mbamvirtual contoso\mbamapppooluser
       Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser
      @@ -341,7 +341,7 @@ Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

      Service Principal Name (SPN)

      The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

      -

      If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](http://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs.

      +

      If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](https://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs.

      If you do not have administrative rights to create SPNs, you must ask the Active Directory administrators in your organization administrators in your organization to create the SPN for you by using the following command.

      Setspn -s http/mbamvirtual contoso\mbamapppooluser
       Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser
      @@ -422,7 +422,7 @@ Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser   ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). +- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 4eb36ebf32..db4b4232a6 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -365,7 +365,7 @@ https://www.microsoft.com/en-us/download/details.aspx?id=54967< **Note** -In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 . In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features. +In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.   ### SQL Server processor, RAM, and disk space requirements – Stand-alone topology diff --git a/mdop/mbam-v25/planning-for-mbam-25-high-availability.md b/mdop/mbam-v25/planning-for-mbam-25-high-availability.md index fcf168b878..801ea71276 100644 --- a/mdop/mbam-v25/planning-for-mbam-25-high-availability.md +++ b/mdop/mbam-v25/planning-for-mbam-25-high-availability.md 
@@ -75,7 +75,7 @@ Complete the following tasks:
 3. If you are configuring the websites in a web farm with a load balancer, you must configure the websites to use the same machine key.
- For more information, see the following sections in [machineKey Element (ASP.NET Settings Schema)](http://msdn.microsoft.com/library/vstudio/w8h3skw9.aspx):
+ For more information, see the following sections in [machineKey Element (ASP.NET Settings Schema)](https://msdn.microsoft.com/library/vstudio/w8h3skw9.aspx):
 - Machine Key Explained
@@ -134,7 +134,7 @@ The VSS writer is registered on every server where you enable an MBAM web applic   
 ## Got a suggestion for MBAM?
-- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
 - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
diff --git a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
index b59cdf6226..500b84672e 100644
--- a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
+++ b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
@@ -52,7 +52,7 @@ We recommend that you use a certificate to secure the communication between the:
 - Browser and the Administration and Monitoring Website and the Self-Service Portal websites
-For information about requesting and installing a certificate, see [Configuring Internet Server Certificates](http://technet.microsoft.com/library/cc731977.aspx).
+For information about requesting and installing a certificate, see [Configuring Internet Server Certificates](https://technet.microsoft.com/library/cc731977.aspx).
 **Note**   You can configure the websites and web services on different servers only if you are using Windows PowerShell. If you use the MBAM Server Configuration wizard to configure the websites, you must configure the websites and the web services on the same server.
@@ -326,7 +326,7 @@ If you already registered SPNs on the machine account rather than in an applicat   
 ## Got a suggestion for MBAM?
-- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
 - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
diff --git a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
index f151a12f21..13d5e28e78 100644
--- a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
+++ b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
@@ -49,7 +49,7 @@ Before you install the MBAM Client software on end users' computers, ensure that

      For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM.

      In MBAM 2.5 SP1, you must turn on auto-provisioning.

      -

      See [TPM owner password](http://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +

      See [TPM owner password](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details.

      @@ -94,7 +94,7 @@ If BitLocker was used without MBAM, MBAM can be installed and utilize the existi   ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). +- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).   diff --git a/mdop/mbam-v25/release-notes-for-mbam-25.md b/mdop/mbam-v25/release-notes-for-mbam-25.md index 91c710e6ee..5ed4366556 100644 --- a/mdop/mbam-v25/release-notes-for-mbam-25.md +++ b/mdop/mbam-v25/release-notes-for-mbam-25.md @@ -128,7 +128,7 @@ This table lists the hotfixes and KB articles for MBAM 2.5.

      2975636

      Hotfix Package 1 for Microsoft BitLocker Administration and Monitoring 2.5

      -

      [support.microsoft.com/kb/2975636/EN-US](http://support.microsoft.com/kb/2975636/EN-US)

      +

      [support.microsoft.com/kb/2975636/EN-US](https://support.microsoft.com/kb/2975636/EN-US)

      3015477

      @@ -138,27 +138,27 @@ This table lists the hotfixes and KB articles for MBAM 2.5.

      3011022

      MBAM 2.5 installation or Configuration Manager reporting fails if the name of SSRS instance contains an underscore

      -

      [support.microsoft.com/kb/3011022/EN-US](http://support.microsoft.com/kb/3011022/EN-US)

      +

      [support.microsoft.com/kb/3011022/EN-US](https://support.microsoft.com/kb/3011022/EN-US)

      2756402

      MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description

      -

      [support.microsoft.com/kb/2756402/EN-US](http://support.microsoft.com/kb/2756402/EN-US)

      +

      [support.microsoft.com/kb/2756402/EN-US](https://support.microsoft.com/kb/2756402/EN-US)

      2639518

      Error opening Enterprise or Computer Compliance Reports in MBAM

      -

      [support.microsoft.com/kb/2639518/EN-US](http://support.microsoft.com/kb/2639518/EN-US)

      +

      [support.microsoft.com/kb/2639518/EN-US](https://support.microsoft.com/kb/2639518/EN-US)

      2870842

      MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008

      -

      [support.microsoft.com/kb/2870842/EN-US](http://support.microsoft.com/kb/2870842/EN-US)

      +

      [support.microsoft.com/kb/2870842/EN-US](https://support.microsoft.com/kb/2870842/EN-US)

      2975472

      SQL deadlocks when many MBAM clients connect to the MBAM recovery database

      -

      [support.microsoft.com/kb/2975472/EN-US](http://support.microsoft.com/kb/2975472/EN-US)

      +

      [support.microsoft.com/kb/2975472/EN-US](https://support.microsoft.com/kb/2975472/EN-US)

      @@ -174,7 +174,7 @@ This table lists the hotfixes and KB articles for MBAM 2.5.   ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). +- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  diff --git a/mdop/mbam-v25/server-event-logs.md b/mdop/mbam-v25/server-event-logs.md index 637ae371f3..c2d73ac15e 100644 --- a/mdop/mbam-v25/server-event-logs.md +++ b/mdop/mbam-v25/server-event-logs.md @@ -510,7 +510,7 @@ The following table contains messages and troubleshooting information for event

      QueryRecoveryKeyIdsForUser: An error occurred while getting recovery key Ids from the database. Message:{message} -or-

      QueryVolumeUsers: An error occurred while getting user information from the database.

      This message is logged whenever there is an exception while communicating with the MBAM recovery database. Read through the information contained in the trace to get specific details about the exception.

      -

      For detailed troubleshooting steps, see the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).

      +

      For detailed troubleshooting steps, see the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).

      101

      @@ -522,7 +522,7 @@ The following table contains messages and troubleshooting information for event

      QueryRecoveryKeyIdsForUser: An error occurred while logging an audit event to the compliance database. Message:{message} -or-

      QueryDriveRecoveryData: An error occurred while logging an audit event to the compliance database. Message:{message}

      This message is logged whenever there is an exception while communicating the MBAM compliance database. Read through the information contained in the trace to get specific details about the exception.

      -

      For detailed troubleshooting steps, see the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).

      +

      For detailed troubleshooting steps, see the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).

      102

      @@ -530,7 +530,7 @@ The following table contains messages and troubleshooting information for event

      AgentServiceRecoveryDbError

      This message indicates an exception when MBAM Agent service tries to communicate with the recovery database. Read through the message contained in the event to get specific information about the exception.

      -

      See the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether the MBAM app pool account has required permissions in place to connect or execute on MBAM recovery database.

      +

      See the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether the MBAM app pool account has required permissions in place to connect or execute on MBAM recovery database.

      103

      @@ -555,7 +555,7 @@ The following table contains messages and troubleshooting information for event

      StatusServiceComplianceDbError

      This error indicates that MBAM websites/web services were unable to connect to the MBAMCompliance database.

      -

      See the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify that the IIS app pool account could connect to the MBAM compliance database.

      +

      See the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify that the IIS app pool account could connect to the MBAM compliance database.

      106

      @@ -598,7 +598,7 @@ The following table contains messages and troubleshooting information for event

      QueryRecoveryKeyIdsForUser: an error occurred while getting recovery key Ids for a user. Message:{message} -or-

      An error occurred while getting TPM password hash from the Recovery database. EventDetails:{ExceptionMessage}

      This message indicates that recovery database connection string information at "HKLM\Software\Microsoft\MBAM Server\Web\RecoveryDBConnectionString" is invalid. Verify the given registry key value. –or-

      -

      If any of the remaining messages are logged, refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether a connection could be made to the MBAM Recovery database from IIS server using app pool credentials.

      +

      If any of the remaining messages are logged, refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether a connection could be made to the MBAM Recovery database from IIS server using app pool credentials.

      110

      @@ -609,7 +609,7 @@ The following table contains messages and troubleshooting information for event

      QueryRecoveryKeyIdsForUser: an error occurred while logging an audit event to the Compliance database. Message:{message} -or-

      QueryRecoveryKeyIdsForUser: an error occurred while logging an audit event to the compliance database. Message:{message}

      This message indicates that compliance db connection string information at "HKLM\Software\Microsoft\MBAM Server\Web\ComplianceDBConnectionString" is invalid. Verify the value corresponding to above registry key. –or-

      -

      If any of the remaining messages are logged, refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether a connection could be made to the MBAM Compliance database from IIS server using app pool credentials.

      +

      If any of the remaining messages are logged, refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether a connection could be made to the MBAM Compliance database from IIS server using app pool credentials.

      111

      @@ -622,7 +622,7 @@ The following table contains messages and troubleshooting information for event
    • MBAM websites/webservices execution account(app pool account) could not run the GetVersion stored procedure on MBAMCompliance OR MBAMRecovery database

    • The message contained in the event will provide more details about the exception.

      -

      Refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](http://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify that the MBAM execution account (app pool account) could connect to MBAM compliance/recovery database and it has permissions in place to execute GetVersion stored procedure.

      +

      Refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify that the MBAM execution account (app pool account) could connect to MBAM compliance/recovery database and it has permissions in place to execute GetVersion stored procedure.

      112

      @@ -670,7 +670,7 @@ The following table contains messages and troubleshooting information for event  
 ## Got a suggestion for MBAM?
-- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
 - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  
diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md b/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
index 3d7c288953..14bf916364 100644
--- a/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
+++ b/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
@@ -105,7 +105,7 @@ Use the steps in the following sections to upgrade MBAM for the Stand-alone topo
 4. Install and configure the MBAM 2.5 or 2.5 SP1 databases, reports, and web applications, in that order. The databases are upgraded in place.
-5. Update the Group Policy Objects (GPOs) using the MBAM 2.5 Templates to leverage the new features in MBAM, such as enforced encryption. If you do not update the GPOs and the MBAM client to MBAM 2.5, earlier versions of MBAM clients will continue to report against your current GPOs with reduced functionality. See [How to Get MDOP Group Policy (.admx) Templates](http://www.microsoft.com/download/details.aspx?id=41183) to download the latest ADMX templates.
+5. Update the Group Policy Objects (GPOs) using the MBAM 2.5 Templates to leverage the new features in MBAM, such as enforced encryption. If you do not update the GPOs and the MBAM client to MBAM 2.5, earlier versions of MBAM clients will continue to report against your current GPOs with reduced functionality. See [How to Get MDOP Group Policy (.admx) Templates](https://www.microsoft.com/download/details.aspx?id=41183) to download the latest ADMX templates.
 After you upgrade the MBAM Server infrastructure, the existing client computers continue to successfully report to the MBAM 2.5 or 2.5 SP1 Server, and recovery data continues to be stored.
@@ -161,7 +161,7 @@ MBAM supports upgrades to the MBAM 2.5 Client from any earlier version of the M  
 ## Got a suggestion for MBAM?
-- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
 - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  
diff --git a/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md b/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md
index 0e61567b46..8a48eb313c 100644
--- a/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md
+++ b/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md
@@ -92,7 +92,7 @@ The following server settings can be configured:
 - [How to: Configure a Port with an SSL Certificate](https://go.microsoft.com/fwlink/?LinkID=183315)
- - [How to: Configure a Port with an SSL Certificate](http://msdn.microsoft.com/library/ms733791.aspx)
+ - [How to: Configure a Port with an SSL Certificate](https://msdn.microsoft.com/library/ms733791.aspx)
 3. Click **OK**.
diff --git a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
index b845f8d421..5178ad8c46 100644
--- a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
+++ b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md
@@ -73,34 +73,34 @@ UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/Set These are the data types for the UE-V application template schema. -**GUID** +**GUID** GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. -**FilenameString** +**FilenameString** FilenameString refers to the file name of a process to be monitored. Its values are restricted by the regex \[^\\\\\\?\\\*\\|<>/:\]+, (that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon characters). -**IDString** +**IDString** IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It is restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). -**TemplateVersion** +**TemplateVersion** TemplateVersion is an integer value used to describe the revision of the settings location template. Its value may range from 0 to 2147483647. -**Empty** +**Empty** Empty refers to a null value. This is used in Process\\ShellProcess to indicate that there is no process to monitor. This value should not be used in any application templates. -**Author** +**Author** The Author data type is a complex type that identifies the author of a template. It contains two child elements: **Name** and **Email**. Within the Author data type, the Name element is mandatory while the Email element is optional. This type is described in more detail under the SettingsLocationTemplate element. -**Range** +**Range** Range defines an integer class consisting of two child elements: **Minimum** and **Maximum**. 
This data type is implemented in the ProcessVersion data type. If specified, both Minimum and Maximum values must be included. -**ProcessVersion** +**ProcessVersion** ProcessVersion defines a type with four child elements: **Major**, **Minor**, **Build**, and **Patch**. This data type is used by the Process element to populate its ProductVersion and FileVersion values. The data for this type is a Range value. The Major child element is mandatory and the others are optional. -**Architecture** +**Architecture** Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture. -**Process** +**Process** The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element’s respective data type: 
@@ -150,26 +150,26 @@ The Process data type is a container used to describe processes to be monitored   -**Processes** +**Processes** The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. -**Path** +**Path** Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default=”False”. Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. The DeleteIfNotFound attribute removes the setting from the user’s settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. -**FileMask** +**FileMask** FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files. -**RegistrySetting** +**RegistrySetting** RegistrySetting represents a container for registry keys and values and the associated desired behavior on the part of the UE-V Agent. 
Four child elements are defined within this type: **Path**, **Name**, **Exclude**, and a sequence of the values **Path** and **Name**. -**FileSetting** +**FileSetting** FileSetting contains parameters associated with files and files paths. Four child elements are defined: **Root**, **Path**, **FileMask**, and **Exclude**. Root is mandatory and the others are optional. -**Settings** +**Settings** Settings is a container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings described earlier. In addition, it can also contain the following child elements with behaviors described:
      @@ -266,7 +266,7 @@ This value is queried to determine if a new version of a template should be appl **Type: String** -Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). +Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). ### Processes and Process Element @@ -373,7 +373,7 @@ For example, in a suited application, it might be useful to provide reminders ab ``` syntax - + MyApplication.exe My Application Main Engine @@ -671,7 +671,7 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen - + @@ -708,7 +708,7 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen - + 
@@ -1011,34 +1011,34 @@ UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/Set These are the data types for the UE-V application template schema. -**GUID** +**GUID** GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. -**FilenameString** +**FilenameString** FilenameString refers to the file name of a process to be monitored. Its values are restricted by the regex \[^\\\\\\?\\\*\\|<>/:\]+, (that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon characters). -**IDString** +**IDString** IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It is restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). -**TemplateVersion** +**TemplateVersion** TemplateVersion is an integer value used to describe the revision of the settings location template. Its value may range from 0 to 2147483647. -**Empty** +**Empty** Empty refers to a null value. This is used in Process\\ShellProcess to indicate that there is no process to monitor. This value should not be used in any application templates. -**Author** +**Author** The Author data type is a complex type that identifies the author of a template. It contains two child elements: **Name** and **Email**. Within the Author data type, the Name element is mandatory while the Email element is optional. This type is described in more detail under the SettingsLocationTemplate element. -**Range** +**Range** Range defines an integer class consisting of two child elements: **Minimum** and **Maximum**. 
This data type is implemented in the ProcessVersion data type. If specified, both Minimum and Maximum values must be included. -**ProcessVersion** +**ProcessVersion** ProcessVersion defines a type with four child elements: **Major**, **Minor**, **Build**, and **Patch**. This data type is used by the Process element to populate its ProductVersion and FileVersion values. The data for this type is a Range value. The Major child element is mandatory and the others are optional. -**Architecture** +**Architecture** Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture. -**Process** +**Process** The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element’s respective data type:
      
@@ -1090,26 +1090,26 @@ The Process data type is a container used to describe processes to be monitored   -**Processes** +**Processes** The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. -**Path** +**Path** Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default=”False”. Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. The DeleteIfNotFound attribute removes the setting from the user’s settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. -**FileMask** +**FileMask** FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files. -**RegistrySetting** +**RegistrySetting** RegistrySetting represents a container for registry keys and values and the associated desired behavior on the part of the UE-V Agent. 
Four child elements are defined within this type: **Path**, **Name**, **Exclude**, and a sequence of the values **Path** and **Name**. -**FileSetting** +**FileSetting** FileSetting contains parameters associated with files and files paths. Four child elements are defined: **Root**, **Path**, **FileMask**, and **Exclude**. Root is mandatory and the others are optional. -**Settings** +**Settings** Settings is a container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings described earlier. In addition, it can also contain the following child elements with behaviors described:
      @@ -1203,7 +1203,7 @@ This value is queried to determine if a new version of a template should be appl **Type: String** -Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). +Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). ### Processes and Process Element @@ -1310,7 +1310,7 @@ For example, in a suited application, it might be useful to provide reminders ab ``` syntax - + MyApplication.exe My Application Main Engine diff --git a/mdop/uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md b/mdop/uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md index 391e491fa5..43c909ff82 100644 --- a/mdop/uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md +++ b/mdop/uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md 
@@ -14,7 +14,7 @@ ms.date: 06/16/2016
 # Configuring UE-V 2.x with Group Policy Objects
-Some Microsoft User Experience Virtualization (UE-V) 2.0, 2.1, and 2.1 SP1 Group Policy settings can be defined for computers, and other Group Policy settings can be defined for users. For information about how to install UE-V Group Policy ADMX files, see [Installing the UE-V 2 Group Policy ADMX Templates](http://technet.microsoft.com/library/dn458891.aspx#admx).
+Some Microsoft User Experience Virtualization (UE-V) 2.0, 2.1, and 2.1 SP1 Group Policy settings can be defined for computers, and other Group Policy settings can be defined for users. For information about how to install UE-V Group Policy ADMX files, see [Installing the UE-V 2 Group Policy ADMX Templates](https://technet.microsoft.com/library/dn458891.aspx#admx).
 The following policy settings can be configured for UE-V.
@@ -169,7 +169,7 @@ In addition, Group Policy settings are available for many desktop applications a  
-For more information about synchronizing Windows apps, see [Windows App List](http://technet.microsoft.com/library/dn458925.aspx#win8applist).
+For more information about synchronizing Windows apps, see [Windows App List](https://technet.microsoft.com/library/dn458925.aspx#win8applist).
 **To configure computer-targeted Group Policy settings**
diff --git a/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md b/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md
index 31551db716..80cd44d2e9 100644
--- a/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md
+++ b/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md
@@ -42,7 +42,7 @@ UE-V requires a location in which to store user settings in settings package fil
 If you don’t create a settings storage location, the UE-V Agent will use Active Directory (AD) by default.
 **Note**  
-As a matter of [performance and capacity planning](http://technet.microsoft.com/library/dn458932.aspx#capacity) and to reduce problems with network latency, create settings storage locations on the same local networks where the users’ computers reside. We recommend 20 MB of disk space per user for the settings storage location.
+As a matter of [performance and capacity planning](https://technet.microsoft.com/library/dn458932.aspx#capacity) and to reduce problems with network latency, create settings storage locations on the same local networks where the users’ computers reside. We recommend 20 MB of disk space per user for the settings storage location.   
@@ -54,11 +54,11 @@ The settings storage location is defined by setting the SettingsStoragePath conf
 - When you [Deploy the UE-V Agent](#agent) through a command-line parameter or in a batch script
-- Through [Group Policy](http://technet.microsoft.com/library/dn458893.aspx) settings
+- Through [Group Policy](https://technet.microsoft.com/library/dn458893.aspx) settings
-- With the [System Center Configuration Pack](http://technet.microsoft.com/library/dn458917.aspx) for UE-V
+- With the [System Center Configuration Pack](https://technet.microsoft.com/library/dn458917.aspx) for UE-V
-- After installation of the UE-V Agent, by using [Windows PowerShell or Windows Management Instrumentation (WMI)](http://technet.microsoft.com/library/dn458937.aspx)
+- After installation of the UE-V Agent, by using [Windows PowerShell or Windows Management Instrumentation (WMI)](https://technet.microsoft.com/library/dn458937.aspx)
 The path must be in a universal naming convention (UNC) path of the server and share. For example, **\\\\Server\\Settingsshare\\**. This configuration option supports the use of variables to enable specific synchronization scenarios. For example, you can use the `%username%\%computername%` variables to preserve the end user settings experience in these scenarios: 
@@ -158,7 +158,7 @@ You want to figure out which configuration method you'll use to manage UE-V afte
 You can configure UE-V before, during, or after UE-V Agent installation, depending on the configuration method that you use.
-- [Group Policy](http://technet.microsoft.com/library/dn458893.aspx)**:** You can use your existing Group Policy infrastructure to configure UE-V before or after UE-V Agent deployment. The UE-V Group Policy ADMX template enables the central management of common UE-V Agent configuration options, and it includes settings to configure UE-V synchronization.
+- [Group Policy](https://technet.microsoft.com/library/dn458893.aspx)**:** You can use your existing Group Policy infrastructure to configure UE-V before or after UE-V Agent deployment. The UE-V Group Policy ADMX template enables the central management of common UE-V Agent configuration options, and it includes settings to configure UE-V synchronization.
 **Installing the UE-V Group Policy ADMX Templates:** Group Policy ADMX templates for UE-V configure the synchronization settings for the UE-V Agent and enable the central management of common UE-V Agent configuration settings by using an existing Group Policy infrastructure. 
@@ -168,9 +168,9 @@ You can configure UE-V before, during, or after UE-V Agent installation, dependi
 Windows Server 2012 and Windows Server 2012 R2
-- [Configuration Manager](http://technet.microsoft.com/library/dn458917.aspx)**:** The UE-V Configuration Pack lets you use the Compliance Settings feature of System Center Configuration Manager 2012 SP1 or later to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
+- [Configuration Manager](https://technet.microsoft.com/library/dn458917.aspx)**:** The UE-V Configuration Pack lets you use the Compliance Settings feature of System Center Configuration Manager 2012 SP1 or later to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
-- [Windows PowerShell and WMI](http://technet.microsoft.com/library/dn458937.aspx)**:** You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify configurations after you install the UE-V Agent.
+- [Windows PowerShell and WMI](https://technet.microsoft.com/library/dn458937.aspx)**:** You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify configurations after you install the UE-V Agent.
 **Note**  
 Registry modification can result in data loss, or the computer becomes unresponsive. We recommend that you use other configuration methods.
diff --git a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md
index 65b8567965..6d433b417b 100644
--- a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md
+++ b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md
@@ -88,7 +88,7 @@ However, only changes to the HKEY\_CURRENT\_USER hive will be sync-ed.
 The UE-V Agent installs a default group of settings location templates for common Microsoft applications and Windows settings. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V Agent can be configured to use a settings template catalog to store the templates. In this case, you will need to include the default templates along with the custom templates in the settings template catalog.
-When you [Deploy a UE-V Agent](http://technet.microsoft.com/library/dn458891.aspx#agent), you can use the command-line parameter `RegisterMSTemplates` to disable the registration of the default Microsoft templates.
+When you [Deploy a UE-V Agent](https://technet.microsoft.com/library/dn458891.aspx#agent), you can use the command-line parameter `RegisterMSTemplates` to disable the registration of the default Microsoft templates.
 When you use Group Policy to configure the settings template catalog path, you can choose to replace the default Microsoft templates. If you configure the policy settings to replace the default Microsoft templates, all of the default Microsoft templates that are installed by the UE-V Agent are deleted and only the templates that are located in the settings template catalog are used. The UE-V Agent configuration setting parameter `RegisterMSTemplates` must be set to *true* in order to override the default Microsoft template. 
@@ -284,7 +284,7 @@ Use the UE-V Generator to create settings location templates for line-of-busines
 After you have created the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into production in the enterprise.
-[Application Template Schema Reference for UE-V](http://technet.microsoft.com/library/dn763947.aspx) details the XML structure of the UE-V settings location template and provides guidance for editing these files.
+[Application Template Schema Reference for UE-V](https://technet.microsoft.com/library/dn763947.aspx) details the XML structure of the UE-V settings location template and provides guidance for editing these files.
 ## Deploy the Custom Settings Location Templates
diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
index 28a058a570..70d85ed710 100644
--- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
+++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
@@ -122,7 +122,7 @@ Also…
 ## Step 2: Deploy the Settings Storage Location for UE-V 2
-You’ll need to deploy a settings storage location, a standard network share where user settings are stored in a settings package file. When you create the settings storage share, you should limit access to users that require it. [Deploy a Settings Storage Location](http://technet.microsoft.com/library/dn458891.aspx#ssl) provides more detailed information.
+You’ll need to deploy a settings storage location, a standard network share where user settings are stored in a settings package file. When you create the settings storage share, you should limit access to users that require it. [Deploy a Settings Storage Location](https://technet.microsoft.com/library/dn458891.aspx#ssl) provides more detailed information.
 **Create a network share** 
@@ -209,7 +209,7 @@ Run the AgentSetup.exe file from the command line to install the UE-V Agent. It AgentSetup.exe SettingsStoragePath=\\server\settingsshare\%username% ``` -You must specify the SettingsStoragePath command line parameter as the network share from Step 2. [Deploy a UE-V Agent](http://technet.microsoft.com/library/dn458891.aspx#agent) provides more detailed information. +You must specify the SettingsStoragePath command line parameter as the network share from Step 2. [Deploy a UE-V Agent](https://technet.microsoft.com/library/dn458891.aspx#agent) provides more detailed information. ## Step 4: Test Your UE-V 2 Evaluation Deployment diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md index 95edeaf0d2..8932147ff3 100644 --- a/mdop/uev-v2/index.md +++ b/mdop/uev-v2/index.md @@ -76,7 +76,7 @@ This diagram shows how deployed UE-V components work together to synchronize set +

      You can add or remove applications in the Windows app list by following the procedures shown [here](https://technet.microsoft.com/library/dn458925.aspx).

      Windows app list

      Settings for Windows apps are captured and applied dynamically. The app developer specifies the settings that are synchronized for each app. UE-V determines which Windows apps are enabled for settings synchronization using a managed list of apps. By default, this list includes most Windows apps.

      -

      You can add or remove applications in the Windows app list by following the procedures shown [here](http://technet.microsoft.com/library/dn458925.aspx).

      @@ -100,7 +100,7 @@ Use these UE-V components to create and manage custom templates for your third-p

      Settings template catalog

      The settings template catalog is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V Agent checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior.

      -

      If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Configure a UE-V settings template catalog](http://technet.microsoft.com/library/dn458942.aspx#deploycatalogue).

      +

      If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Configure a UE-V settings template catalog](https://technet.microsoft.com/library/dn458942.aspx#deploycatalogue).

      @@ -112,7 +112,7 @@ Use these UE-V components to create and manage custom templates for your third-p ## Settings Synchronized by Default -UE-V synchronizes settings for these applications by default. For a complete list and more detailed information, see [Settings that are automatically synchronized in a UE-V deployment](http://technet.microsoft.com/library/dn458932.aspx#autosyncsettings). +UE-V synchronizes settings for these applications by default. For a complete list and more detailed information, see [Settings that are automatically synchronized in a UE-V deployment](https://technet.microsoft.com/library/dn458932.aspx#autosyncsettings). Microsoft Office 2013 applications (UE-V 2.1 SP1 and 2.1) @@ -131,7 +131,7 @@ Many Windows desktop applications, such as Notepad Many Windows settings, such as desktop background or wallpaper **Note**   -You can also [customize UE-V to synchronize settings](http://technet.microsoft.com/library/dn458942.aspx) for applications other than those synchronized by default. +You can also [customize UE-V to synchronize settings](https://technet.microsoft.com/library/dn458942.aspx) for applications other than those synchronized by default.   
@@ -301,10 +301,10 @@ For more information, and for late-breaking news that did not make it into the d ### More information -[MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) +[MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) Learn about the latest MDOP information and resources. -[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) +[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). ## Got a suggestion for UE-V? diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md index 15e567ef80..681806fa2d 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md @@ -132,72 +132,72 @@ This section contains hotfixes and KB articles for UE-V 2.0.

      2927019

      Hotfix Package 1 for Microsoft User Experience Virtualization 2.0

      -

      [support.microsoft.com/kb/2927019](http://support.microsoft.com/kb/2927019)

      +

      [support.microsoft.com/kb/2927019](https://support.microsoft.com/kb/2927019)

      2903501

      UE-V: User Experience Virtualization (UE-V) compatibility with user profiles

      -

      [support.microsoft.com/kb/2903501/EN-US](http://support.microsoft.com/kb/2903501/EN-US)

      +

      [support.microsoft.com/kb/2903501/EN-US](https://support.microsoft.com/kb/2903501/EN-US)

      2770042

      UE-V Registry Settings

      -

      [support.microsoft.com/kb/2770042/EN-US](http://support.microsoft.com/kb/2770042/EN-US)

      +

      [support.microsoft.com/kb/2770042/EN-US](https://support.microsoft.com/kb/2770042/EN-US)

      2847017

      UE-V settings replicated by Internet Explorer

      -

      [support.microsoft.com/kb/2847017/EN-US](http://support.microsoft.com/kb/2847017/EN-US)

      +

      [support.microsoft.com/kb/2847017/EN-US](https://support.microsoft.com/kb/2847017/EN-US)

      2930271

      Understanding the limitations of roaming Outlook signatures in Microsoft UE-V

      -

      [support.microsoft.com/kb/2930271/EN-US](http://support.microsoft.com/kb/2930271/EN-US)

      +

      [support.microsoft.com/kb/2930271/EN-US](https://support.microsoft.com/kb/2930271/EN-US)

      2769631

      How to repair a corrupted UE-V install

      -

      [support.microsoft.com/kb/2769631/EN-US](http://support.microsoft.com/kb/2769631/EN-US)

      +

      [support.microsoft.com/kb/2769631/EN-US](https://support.microsoft.com/kb/2769631/EN-US)

      2850989

      Migrating MAPI profiles with Microsoft UE-V is not supported

      -

      [support.microsoft.com/kb/2850989/EN-US](http://support.microsoft.com/kb/2850989/EN-US)

      +

      [support.microsoft.com/kb/2850989/EN-US](https://support.microsoft.com/kb/2850989/EN-US)

      2769586

      UE-V roams empty folders and registry keys

      -

      [support.microsoft.com/kb/2769586/EN-US](http://support.microsoft.com/kb/2769586/EN-US)

      +

      [support.microsoft.com/kb/2769586/EN-US](https://support.microsoft.com/kb/2769586/EN-US)

      2782997

      How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V)

      -

      [support.microsoft.com/kb/2782997/EN-US](http://support.microsoft.com/kb/2782997/EN-US)

      +

      [support.microsoft.com/kb/2782997/EN-US](https://support.microsoft.com/kb/2782997/EN-US)

      2769570

      UE-V does not update the theme on RDS or VDI sessions

      -

      [support.microsoft.com/kb/2769570/EN-US](http://support.microsoft.com/kb/2769570/EN-US)

      +

      [support.microsoft.com/kb/2769570/EN-US](https://support.microsoft.com/kb/2769570/EN-US)

      2901856

      Application settings do not sync after you force a restart on a UE-V-enabled computer

      -

      [support.microsoft.com/kb/2901856/EN-US](http://support.microsoft.com/kb/2901856/EN-US)

      +

      [support.microsoft.com/kb/2901856/EN-US](https://support.microsoft.com/kb/2901856/EN-US)

      2850582

      How To Use Microsoft User Experience Virtualization With App-V Applications

      -

      [support.microsoft.com/kb/2850582/EN-US](http://support.microsoft.com/kb/2850582/EN-US)

      +

      [support.microsoft.com/kb/2850582/EN-US](https://support.microsoft.com/kb/2850582/EN-US)

      3041879

      Current file versions for Microsoft User Experience Virtualization

      -

      [support.microsoft.com/kb/3041879/EN-US](http://support.microsoft.com/kb/3041879/EN-US)

      +

      [support.microsoft.com/kb/3041879/EN-US](https://support.microsoft.com/kb/3041879/EN-US)

      2843592

      Information on User Experience Virtualization and High Availability

      -

      [support.microsoft.com/kb/2843592/EN-US](http://support.microsoft.com/kb/2843592/EN-US)

      +

      [support.microsoft.com/kb/2843592/EN-US](https://support.microsoft.com/kb/2843592/EN-US)

      diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md index 03144d5269..fda04bf393 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md @@ -153,62 +153,62 @@ This section contains hotfixes and KB articles for UE-V 2.1.

      3018608

      UE-V 2.1 - TemplateConsole.exe crashes when UE-V WMI classes are missing

      -

      [support.microsoft.com/kb/3018608/EN-US](http://support.microsoft.com/kb/3018608/EN-US)

      +

      [support.microsoft.com/kb/3018608/EN-US](https://support.microsoft.com/kb/3018608/EN-US)

      2903501

      UE-V: User Experience Virtualization (UE-V) compatibility with user profiles

      -

      [support.microsoft.com/kb/2903501/EN-US](http://support.microsoft.com/kb/2903501/EN-US)

      +

      [support.microsoft.com/kb/2903501/EN-US](https://support.microsoft.com/kb/2903501/EN-US)

      2770042

      UE-V Registry Settings

      -

      [support.microsoft.com/kb/2770042/EN-US](http://support.microsoft.com/kb/2770042/EN-US)

      +

      [support.microsoft.com/kb/2770042/EN-US](https://support.microsoft.com/kb/2770042/EN-US)

      2847017

      UE-V settings replicated by Internet Explorer

      -

      [support.microsoft.com/kb/2847017/EN-US](http://support.microsoft.com/kb/2847017/EN-US)

      +

      [support.microsoft.com/kb/2847017/EN-US](https://support.microsoft.com/kb/2847017/EN-US)

      2769631

      How to repair a corrupted UE-V install

      -

      [support.microsoft.com/kb/2769631/EN-US](http://support.microsoft.com/kb/2769631/EN-US)

      +

      [support.microsoft.com/kb/2769631/EN-US](https://support.microsoft.com/kb/2769631/EN-US)

      2850989

      Migrating MAPI profiles with Microsoft UE-V is not supported

      -

      [support.microsoft.com/kb/2850989/EN-US](http://support.microsoft.com/kb/2850989/EN-US)

      +

      [support.microsoft.com/kb/2850989/EN-US](https://support.microsoft.com/kb/2850989/EN-US)

      2769586

      UE-V roams empty folders and registry keys

      -

      [support.microsoft.com/kb/2769586/EN-US](http://support.microsoft.com/kb/2769586/EN-US)

      +

      [support.microsoft.com/kb/2769586/EN-US](https://support.microsoft.com/kb/2769586/EN-US)

      2782997

      How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V)

      -

      [support.microsoft.com/kb/2782997/EN-US](http://support.microsoft.com/kb/2782997/EN-US)

      +

      [support.microsoft.com/kb/2782997/EN-US](https://support.microsoft.com/kb/2782997/EN-US)

      2769570

      UE-V does not update the theme on RDS or VDI sessions

      -

      [support.microsoft.com/kb/2769570/EN-US](http://support.microsoft.com/kb/2769570/EN-US)

      +

      [support.microsoft.com/kb/2769570/EN-US](https://support.microsoft.com/kb/2769570/EN-US)

      2850582

      How To Use Microsoft User Experience Virtualization With App-V Applications

      -

      [support.microsoft.com/kb/2850582/EN-US](http://support.microsoft.com/kb/2850582/EN-US)

      +

      [support.microsoft.com/kb/2850582/EN-US](https://support.microsoft.com/kb/2850582/EN-US)

      3041879

      Current file versions for Microsoft User Experience Virtualization

      -

      [support.microsoft.com/kb/3041879/EN-US](http://support.microsoft.com/kb/3041879/EN-US)

      +

      [support.microsoft.com/kb/3041879/EN-US](https://support.microsoft.com/kb/3041879/EN-US)

      2843592

      Information on User Experience Virtualization and High Availability

      -

      [support.microsoft.com/kb/2843592/EN-US](http://support.microsoft.com/kb/2843592/EN-US)

      +

      [support.microsoft.com/kb/2843592/EN-US](https://support.microsoft.com/kb/2843592/EN-US)

      diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md index 1de783ee2e..7b0cb4d3e4 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md @@ -136,8 +136,8 @@ WORKAROUND: When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have Occassionally on logoff, UE-V takes a long time to sync settings. Typically, this is due to a high latency network or incorrect use of Distrubuted File System (DFS). For DFS support, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://support.microsoft.com/en-us/kb/2533009) for further details. -WORKAROUND: Starting with HF03, a new registry key has been introduced -The following registry key provides a mechanism by which the maximum logoff delay can be specified +WORKAROUND: Starting with HF03, a new registry key has been introduced +The following registry key provides a mechanism by which the maximum logoff delay can be specified \\Software\\Microsoft\\UEV\\Agent\\Configuration\\LogOffWaitInterval See [UE-V registry settings](https://support.microsoft.com/en-us/kb/2770042) for further details @@ -164,62 +164,62 @@ This section contains hotfixes and KB articles for UE-V 2.1 SP1.

      3018608

      UE-V 2.1 - TemplateConsole.exe crashes when UE-V WMI classes are missing

      -

      [support.microsoft.com/kb/3018608/EN-US](http://support.microsoft.com/kb/3018608/EN-US)

      +

      [support.microsoft.com/kb/3018608/EN-US](https://support.microsoft.com/kb/3018608/EN-US)

      2903501

      UE-V: User Experience Virtualization (UE-V) compatibility with user profiles

      -

      [support.microsoft.com/kb/2903501/EN-US](http://support.microsoft.com/kb/2903501/EN-US)

      +

      [support.microsoft.com/kb/2903501/EN-US](https://support.microsoft.com/kb/2903501/EN-US)

      2770042

      UE-V Registry Settings

      -

      [support.microsoft.com/kb/2770042/EN-US](http://support.microsoft.com/kb/2770042/EN-US)

      +

      [support.microsoft.com/kb/2770042/EN-US](https://support.microsoft.com/kb/2770042/EN-US)

      2847017

      UE-V settings replicated by Internet Explorer

      -

      [support.microsoft.com/kb/2847017/EN-US](http://support.microsoft.com/kb/2847017/EN-US)

      +

      [support.microsoft.com/kb/2847017/EN-US](https://support.microsoft.com/kb/2847017/EN-US)

      2769631

      How to repair a corrupted UE-V install

      -

      [support.microsoft.com/kb/2769631/EN-US](http://support.microsoft.com/kb/2769631/EN-US)

      +

      [support.microsoft.com/kb/2769631/EN-US](https://support.microsoft.com/kb/2769631/EN-US)

      2850989

      Migrating MAPI profiles with Microsoft UE-V is not supported

      -

      [support.microsoft.com/kb/2850989/EN-US](http://support.microsoft.com/kb/2850989/EN-US)

      +

      [support.microsoft.com/kb/2850989/EN-US](https://support.microsoft.com/kb/2850989/EN-US)

      2769586

      UE-V roams empty folders and registry keys

      -

      [support.microsoft.com/kb/2769586/EN-US](http://support.microsoft.com/kb/2769586/EN-US)

      +

      [support.microsoft.com/kb/2769586/EN-US](https://support.microsoft.com/kb/2769586/EN-US)

      2782997

      How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V)

      -

      [support.microsoft.com/kb/2782997/EN-US](http://support.microsoft.com/kb/2782997/EN-US)

      +

      [support.microsoft.com/kb/2782997/EN-US](https://support.microsoft.com/kb/2782997/EN-US)

      2769570

      UE-V does not update the theme on RDS or VDI sessions

      -

      [support.microsoft.com/kb/2769570/EN-US](http://support.microsoft.com/kb/2769570/EN-US)

      +

      [support.microsoft.com/kb/2769570/EN-US](https://support.microsoft.com/kb/2769570/EN-US)

      2850582

      How To Use Microsoft User Experience Virtualization With App-V Applications

      -

      [support.microsoft.com/kb/2850582/EN-US](http://support.microsoft.com/kb/2850582/EN-US)

      +

      [support.microsoft.com/kb/2850582/EN-US](https://support.microsoft.com/kb/2850582/EN-US)

      3041879

      Current file versions for Microsoft User Experience Virtualization

      -

      [support.microsoft.com/kb/3041879/EN-US](http://support.microsoft.com/kb/3041879/EN-US)

      +

      [support.microsoft.com/kb/3041879/EN-US](https://support.microsoft.com/kb/3041879/EN-US)

      2843592

      Information on User Experience Virtualization and High Availability

      -

      [support.microsoft.com/kb/2843592/EN-US](http://support.microsoft.com/kb/2843592/EN-US)

      +

      [support.microsoft.com/kb/2843592/EN-US](https://support.microsoft.com/kb/2843592/EN-US)

      diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md index 8aac3b863b..8c8ee9c750 100644 --- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md +++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md 
@@ -26,21 +26,21 @@ First, let’s look at the tasks you’ll do to deploy UE-V: Every UE-V deployment requires these activities: - - [Define a settings storage location](http://technet.microsoft.com/library/dn458891.aspx#ssl) + - [Define a settings storage location](https://technet.microsoft.com/library/dn458891.aspx#ssl) - - [Decide how to deploy the UE-V Agent and manage UE-V configurations](http://technet.microsoft.com/library/dn458891.aspx#config) + - [Decide how to deploy the UE-V Agent and manage UE-V configurations](https://technet.microsoft.com/library/dn458891.aspx#config) - - [Install the UE-V Agent](http://technet.microsoft.com/library/dn458891.aspx#agent) on every user computer that needs settings synchronized + - [Install the UE-V Agent](https://technet.microsoft.com/library/dn458891.aspx#agent) on every user computer that needs settings synchronized - Optionally, you can [Deploy UE-V 2.x for Custom Applications](deploy-ue-v-2x-for-custom-applications-new-uevv2.md) Planning will help you figure out whether you want UE-V to support the synchronization of settings for custom applications (third-party or line-of-business), which requires these UE-V features: - - [Install the UEV Generator](http://technet.microsoft.com/library/dn458942.aspx#uevgen) so you can create, edit, and validate the custom settings location templates required to synchronize custom application settings + - [Install the UEV Generator](https://technet.microsoft.com/library/dn458942.aspx#uevgen) so you can create, edit, and validate the custom settings location templates required to synchronize custom application settings - - [Create custom settings location templates](http://technet.microsoft.com/library/dn458942.aspx#createcustomtemplates) by using the UE-V Generator + - [Create custom settings location templates](https://technet.microsoft.com/library/dn458942.aspx#createcustomtemplates) by using the UE-V Generator - - [Deploy a UE-V settings template 
catalog](http://technet.microsoft.com/library/dn458942.aspx#deploycatalogue) that you use to store your custom settings location templates + - [Deploy a UE-V settings template catalog](https://technet.microsoft.com/library/dn458942.aspx#deploycatalogue) that you use to store your custom settings location templates This workflow diagram provides a high-level understanding of a UE-V deployment and the decisions that determine how you deploy UE-V in your enterprise. @@ -77,7 +77,7 @@ Windows desktop settings that are synchronized by default A statement of support for Windows app setting synchronization -See [User Experience Virtualization (UE-V) settings templates for Microsoft Office](http://www.microsoft.com/download/details.aspx?id=46367) to download a complete list of the specific Microsoft Office 2013, Microsoft Office 2010, and Microsoft Office 2007 settings that are synchronized by UE-V. +See [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367) to download a complete list of the specific Microsoft Office 2013, Microsoft Office 2010, and Microsoft Office 2007 settings that are synchronized by UE-V. ### Desktop applications synchronized by default in UE-V 2.1 and UE-V 2.1 SP1 @@ -102,7 +102,7 @@ When you install the UE-V 2.1 or 2.1 SP1 Agent, it registers a default group of

      Microsoft Office 2010 applications

      -

      ([Download a list of all settings synced](http://www.microsoft.com/download/details.aspx?id=46367))

      +

      ([Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367))

      Microsoft Word 2010

      Microsoft Excel 2010

      Microsoft Outlook 2010

      @@ -119,7 +119,7 @@ When you install the UE-V 2.1 or 2.1 SP1 Agent, it registers a default group of

      Microsoft Office 2013 applications

      -

      ([Download a list of all settings synced](http://www.microsoft.com/download/details.aspx?id=46367))

      +

      ([Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367))

      Microsoft Word 2013

      Microsoft Excel 2013

      Microsoft Outlook 2013

      @@ -191,7 +191,7 @@ When you install the UE-V 2.0 Agent, it registers a default group of settings lo

      Microsoft Office 2007 applications

      -

      ([Download a list of all settings synced](http://www.microsoft.com/download/details.aspx?id=46367))

      +

      ([Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367))

      Microsoft Access 2007

      Microsoft Communicator 2007

      Microsoft Excel 2007

      @@ -207,7 +207,7 @@ When you install the UE-V 2.0 Agent, it registers a default group of settings lo

      Microsoft Office 2010 applications

      -

      ([Download a list of all settings synced](http://www.microsoft.com/download/details.aspx?id=46367))

      +

      ([Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367))

      Microsoft Word 2010

      Microsoft Excel 2010

      Microsoft Outlook 2010

      @@ -504,9 +504,9 @@ Credentials are encrypted during synchronization.   -[Company Settings Center](http://technet.microsoft.com/library/dn458903.aspx)**:** Check the Roaming Credential Settings check box under Windows Settings to enable credential synchronization. Uncheck the box to disable it. This check box only appears in Company Settings Center if your account is not configured to synchronize settings using a Microsoft Account. +[Company Settings Center](https://technet.microsoft.com/library/dn458903.aspx)**:** Check the Roaming Credential Settings check box under Windows Settings to enable credential synchronization. Uncheck the box to disable it. This check box only appears in Company Settings Center if your account is not configured to synchronize settings using a Microsoft Account. -[PowerShell](http://technet.microsoft.com/library/dn458937.aspx)**:** This PowerShell cmdlet enables credential synchronization: +[PowerShell](https://technet.microsoft.com/library/dn458937.aspx)**:** This PowerShell cmdlet enables credential synchronization: ``` syntax Enable-UevTemplate RoamingCredentialSettings 
@@ -518,7 +518,7 @@ This PowerShell cmdlet disables credential synchronization: Disable-UevTemplate RoamingCredentialSettings ``` -[Group Policy](http://technet.microsoft.com/library/dn458893.aspx)**:** You must [deploy the latest MDOP ADMX template](https://go.microsoft.com/fwlink/p/?LinkId=393944) to enable credential synchronization through group policy. Credentials synchronization is managed with the Windows settings. To manage this feature with Group Policy, enable the Synchronize Windows settings policy. +[Group Policy](https://technet.microsoft.com/library/dn458893.aspx)**:** You must [deploy the latest MDOP ADMX template](https://go.microsoft.com/fwlink/p/?LinkId=393944) to enable credential synchronization through group policy. Credentials synchronization is managed with the Windows settings. To manage this feature with Group Policy, enable the Synchronize Windows settings policy. 1. Open Group Policy Editor and navigate to **User Configuration – Administrative Templates – Windows Components – Microsoft User Experience Virtualization**. @@ -552,7 +552,7 @@ UE-V manages Windows app settings synchronization in three ways: - **Unlisted Default Sync Behavior:** Determine the synchronization behavior of Windows apps that are not in the Windows app list. -For more information, see the [Windows App List](http://technet.microsoft.com/library/dn458925.aspx#win8applist). +For more information, see the [Windows App List](https://technet.microsoft.com/library/dn458925.aspx#win8applist). ### Custom UE-V settings location templates 
@@ -590,7 +590,7 @@ UE-V uses a Server Message Block (SMB) share for the storage of settings package To reduce problems with network latency, create settings storage locations on the same local networks where the users’ computers reside. We recommend 20 MB of disk space per user for the settings storage location. -By default, UE-V synchronization times out after 2 seconds to prevent excessive lag due to a large settings package. You can configure the SyncMethod=SyncProvider setting by using [Group Policy Objects](http://technet.microsoft.com/library/dn458893.aspx). +By default, UE-V synchronization times out after 2 seconds to prevent excessive lag due to a large settings package. You can configure the SyncMethod=SyncProvider setting by using [Group Policy Objects](https://technet.microsoft.com/library/dn458893.aspx). ### High Availability for UE-V 
@@ -598,15 +598,15 @@ The UE-V settings storage location and settings template catalog support storing - Format the storage volume with an NTFS file system. -- The share can use Distributed File System (DFS) but there are restrictions. -Specifically, Distributed File System Replication (DFS-R) single target configuration with or without a Distributed File System Namespace (DFS-N) is supported. +- The share can use Distributed File System (DFS) but there are restrictions. +Specifically, Distributed File System Replication (DFS-R) single target configuration with or without a Distributed File System Namespace (DFS-N) is supported. Likewise, only single target configuration is supported with DFS-N. For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://go.microsoft.com/fwlink/p/?LinkId=313991) and also [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](https://support.microsoft.com/kb/2533009). In addition, because SYSVOL uses DFS-R for replication, SYSVOL cannot be used for UE-V data file replication. -- Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the Settings Storage Location for UE-V 2.x](http://technet.microsoft.com/library/dn458891.aspx#ssl). +- Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the Settings Storage Location for UE-V 2.x](https://technet.microsoft.com/library/dn458891.aspx#ssl). - Use file server clustering along with the UE-V Agent to provide access to copies of user state data in the event of communications failures. 
@@ -742,7 +742,7 @@ The UE-V Agent synchronizes user settings for computers that are not always conn Enable this configuration through one of these methods: -- During UE-V installation, at the command prompt or in a batch file, set the AgentSetup.exe parameter *SyncMethod = None*. [Deploying the UE-V 2.x Agent](http://technet.microsoft.com/library/dn458891.aspx#agent) provides more information. +- During UE-V installation, at the command prompt or in a batch file, set the AgentSetup.exe parameter *SyncMethod = None*. [Deploying the UE-V 2.x Agent](https://technet.microsoft.com/library/dn458891.aspx#agent) provides more information. - After the UE-V installation, use the Settings Management feature in System Center 2012 Configuration Manager or the MDOP ADMX templates to push the *SyncMethod = None* configuration. @@ -765,7 +765,7 @@ If you set *SyncMethod = None*, any settings changes are saved directly to the s **Support for shared VDI sessions:** UE-V 2.1 and 2.1 SP1 provide support for VDI sessions that are shared among end users. You can register and configure a special VDI template, which ensures that UE-V keeps all of its functionality intact for non-persistent VDI sessions. **Note**   -If you do not enable VDI mode for non-persistent VDI sessions, certain features do not work, such as [back-up/restore and last known good (LKG)](http://technet.microsoft.com/library/dn878331.aspx). +If you do not enable VDI mode for non-persistent VDI sessions, certain features do not work, such as [back-up/restore and last known good (LKG)](https://technet.microsoft.com/library/dn878331.aspx).   diff --git a/mdop/uev-v2/sync-methods-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/sync-methods-for-ue-v-2x-both-uevv2.md index 3680c97240..752d0190eb 100644 --- a/mdop/uev-v2/sync-methods-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/sync-methods-for-ue-v-2x-both-uevv2.md 
@@ -79,13 +79,13 @@ This table explains the changes to SyncMethod from UE-V v1.0 to v2.0 to v2.1, as
 You can configure the sync method in these ways:
-- When you [Deploy the UE-V Agent](http://technet.microsoft.com/library/dn458891.aspx#agent) through a command-line parameter or in a batch script
+- When you [Deploy the UE-V Agent](https://technet.microsoft.com/library/dn458891.aspx#agent) through a command-line parameter or in a batch script
-- Through [Group Policy](http://technet.microsoft.com/library/dn458893.aspx) settings
+- Through [Group Policy](https://technet.microsoft.com/library/dn458893.aspx) settings
-- With the [System Center Configuration Pack](http://technet.microsoft.com/library/dn458917.aspx) for UE-V
+- With the [System Center Configuration Pack](https://technet.microsoft.com/library/dn458917.aspx) for UE-V
-- After installation of the UE-V Agent, by using [Windows PowerShell or Windows Management Instrumentation (WMI)](http://technet.microsoft.com/library/dn458937.aspx)
+- After installation of the UE-V Agent, by using [Windows PowerShell or Windows Management Instrumentation (WMI)](https://technet.microsoft.com/library/dn458937.aspx)
 ## Got a suggestion for UE-V?
diff --git a/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md
index bcff8113a3..349fdff40a 100644
--- a/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md
+++ b/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md
@@ -37,7 +37,7 @@ The following table explains the trigger events for classic applications and Win

      Windows Logon

      • Application and Windows settings are imported to the local cache from the settings storage location.

      • -
      • [Asynchronous Windows settings](http://technet.microsoft.com/library/dn458932.aspx#autosyncsettings2) are applied.

      • +
      • [Asynchronous Windows settings](https://technet.microsoft.com/library/dn458932.aspx#autosyncsettings2) are applied.

      • Synchronous Windows settings will be applied during the next Windows logon.

      • Application settings will be applied when the application starts.

      @@ -91,7 +91,7 @@ The following table explains the trigger events for classic applications and Win
    • Asynchronous Windows settings are applied directly.

    • Application settings are applied when the application starts.

    • Both asynchronous and synchronous Windows settings are applied during the next Windows logon.

    • -
    • Windows app (AppX) settings are applied during the next refresh. See [Monitor Application Settings](http://technet.microsoft.com/library/dn458944.aspx) for more information.

    • +
    • Windows app (AppX) settings are applied during the next refresh. See [Monitor Application Settings](https://technet.microsoft.com/library/dn458944.aspx) for more information.

    • NA

@@ -117,7 +117,7 @@ Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microso
 [Changing the Frequency of UE-V 2.x Scheduled Tasks](changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md)
-[Choose the Configuration Method for UE-V 2.x](http://technet.microsoft.com/library/dn458891.aspx#config)
+[Choose the Configuration Method for UE-V 2.x](https://technet.microsoft.com/library/dn458891.aspx#config)
diff --git a/mdop/uev-v2/synchronizing-office-2013-with-ue-v-20-both-uevv2.md b/mdop/uev-v2/synchronizing-office-2013-with-ue-v-20-both-uevv2.md
index 50221baf3c..f81fd70279 100644
--- a/mdop/uev-v2/synchronizing-office-2013-with-ue-v-20-both-uevv2.md
+++ b/mdop/uev-v2/synchronizing-office-2013-with-ue-v-20-both-uevv2.md
@@ -111,7 +111,7 @@ You can deploy UE-V settings location template with the following methods:
 For more information using UE-V and Windows PowerShell, see [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md).
-- **Registering template via Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users’ computers, copy the Office 2013 template into the folder defined in the UE-V Agent. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploying the Settings Template Catalog for UE-V 2](http://technet.microsoft.com/library/dn458942.aspx#deploycatalogue).
+- **Registering template via Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users’ computers, copy the Office 2013 template into the folder defined in the UE-V Agent. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploying the Settings Template Catalog for UE-V 2](https://technet.microsoft.com/library/dn458942.aspx#deploycatalogue).
 - **Registering template via Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, then recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to your clients. For more information, see the guidance provided in the documentation for the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2](https://go.microsoft.com/fwlink/?LinkId=317263).
diff --git a/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md b/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md
index ae5cac69a9..881a2d0c8b 100644
--- a/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md
+++ b/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md
@@ -34,7 +34,7 @@ To enable settings synchronization using UE-V 2.1, do one of the following:
 - Do not enable the Office 365 synchronization experience during Office 2013 installation
-UE-V 2.1 ships [Office 2013 and Office 2010 templates](http://technet.microsoft.com/library/dn458932.aspx#autosyncsettings). This release removes the Office 2007 templates. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get the templates from the UE-V template gallery located [here](https://go.microsoft.com/fwlink/p/?LinkID=246589).
+UE-V 2.1 ships [Office 2013 and Office 2010 templates](https://technet.microsoft.com/library/dn458932.aspx#autosyncsettings). This release removes the Office 2007 templates. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get the templates from the UE-V template gallery located [here](https://go.microsoft.com/fwlink/p/?LinkID=246589).
 ## Fix for Distributed File System Namespace Users
@@ -50,7 +50,7 @@ Set-UevConfiguration -DisableSyncProviderPing
 ## Synchronization for Credentials
-UE-V 2.1 gives customers the ability to synchronize credentials and certificates stored in the Windows Credential Manager. This component is disabled by default. Enabling this component lets users keep their domain credentials and certificates in sync. Users can sign in one time on a device, and these credentials will roam for that user across all of their UE-V enabled devices. [Manage Credentials with UE-V 2.1](http://technet.microsoft.com/library/dn458932.aspx#creds) provides more information.
+UE-V 2.1 gives customers the ability to synchronize credentials and certificates stored in the Windows Credential Manager. This component is disabled by default. Enabling this component lets users keep their domain credentials and certificates in sync. Users can sign in one time on a device, and these credentials will roam for that user across all of their UE-V enabled devices. [Manage Credentials with UE-V 2.1](https://technet.microsoft.com/library/dn458932.aspx#creds) provides more information.
 **Note**  
 In Windows 8 and later, Credential Manager contains web credentials. These credentials are not synchronized between users’ devices.
@@ -65,12 +65,12 @@ UE-V detects if “Sync settings with OneDrive”, also known as Microsoft Accou
 ## Support for the SyncMethod External
-A new [SyncMethod configuration](http://technet.microsoft.com/library/dn554321.aspx) called **External** specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different computers that users access.
+A new [SyncMethod configuration](https://technet.microsoft.com/library/dn554321.aspx) called **External** specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different computers that users access.
 ## Enhanced Support for VDI Mode
-UE-V 2.1 includes [support for VDI sessions](http://technet.microsoft.com/library/dn458932.aspx#vdi) that are shared among end users. As an administrator, you can register and configure a special VDI template, which ensures that UE-V keeps all of its functionality intact for non-persistent VDI sessions.
+UE-V 2.1 includes [support for VDI sessions](https://technet.microsoft.com/library/dn458932.aspx#vdi) that are shared among end users. As an administrator, you can register and configure a special VDI template, which ensures that UE-V keeps all of its functionality intact for non-persistent VDI sessions.
 **Note**  
 If you do not enable VDI mode for non-persistent VDI sessions, certain features do not work, such as back-up/restore and LKG.
diff --git a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md
index 6cb5d4878e..6677e1864c 100644
--- a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md
+++ b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md
@@ -73,7 +73,7 @@ To enable settings synchronization using UE-V 2.1, do one of the following:
 - Do not enable the Office 365 synchronization experience during Office 2013 installation
-UE-V 2.1 ships [Office 2013 and Office 2010 templates](http://technet.microsoft.com/library/dn458932.aspx#autosyncsettings). This release removes the Office 2007 templates. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get the templates from the UE-V template gallery located [here](https://go.microsoft.com/fwlink/p/?LinkID=246589).
+UE-V 2.1 ships [Office 2013 and Office 2010 templates](https://technet.microsoft.com/library/dn458932.aspx#autosyncsettings). This release removes the Office 2007 templates. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get the templates from the UE-V template gallery located [here](https://go.microsoft.com/fwlink/p/?LinkID=246589).
 ## Got a suggestion for UE-V?
diff --git a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md
index b08324cf77..1bfb3b6b04 100644
--- a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md
+++ b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md
@@ -108,7 +108,7 @@ If you edit a UE-V 1.0 template by using the UE-V 2 Generator, the template is a
 2. Open the settings location template file with an XML editor.
-3. Edit the settings location template file. All changes must conform to the UE-V schema file that is defined in [SettingsLocationTempate.xsd](http://technet.microsoft.com/library/dn763947.aspx). By default, a copy of the .xsd file is located in \\ProgramData\\Microsoft\\UEV\\Templates.
+3. Edit the settings location template file. All changes must conform to the UE-V schema file that is defined in [SettingsLocationTempate.xsd](https://technet.microsoft.com/library/dn763947.aspx). By default, a copy of the .xsd file is located in \\ProgramData\\Microsoft\\UEV\\Templates.
 4. Increment the **Version** number for the settings location template.
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 4815821e0a..0aa8fe3acc 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
-ms.date: 11/01/2017
+ms.date: 08/01/2017
 ms.topic: conceptual
 ms.localizationpriority: medium
 ---
@@ -43,22 +43,31 @@ There are a couple of things we need to know when you pay for apps. You can add
 **To manage Allow users to shop setting**
 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, and then click **Settings**.
-3. On **Shop**, turn on or turn off **Allow users to shop**.
+2. Select **Manage**, and then select **Settings**.
+3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**.
 ![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png)
+## Allow app requests
+
+People in your org can request license for apps that they need, or that others need. When **All app requests** is turned on, app requests are sent to org admins. Admins for your tenant will receive an email with the request, and can decide about making the purchase.
+
+**To manage All app requests**
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
+2. Select **Manage**, and then select **Settings**.
+3. On **Shop**, under **Shopping behavior** turn on or turn off **Allow app requests**.
+
 ## Acquire apps
 **To acquire an app**
 1. Sign in to http://businessstore.microsoft.com
-2. Click **Shop**, or use Search to find an app.
-3. Click the app you want to purchase.
+2. Select **Shop for my group**, or use Search to find an app.
+3. Select the app you want to purchase.
 4. On the product description page, choose your license type - either online or offline.
-5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**.
-6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one.
-7. Add your credit card or debit card info, and click **Next**.
Your card info is saved as a payment option on **Billing - Payment methods**.
+5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and select **Next**.
+6. If you don’t have a payment method saved in **Billing & payments**, we will prompt you for one.
+7. Add your credit card or debit card info, and select **Next**. Your card info is saved as a payment option on **Billing & payments - Payment methods**.
-You’ll also need to have your business address saved on **Billing - Account profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information).
+You’ll also need to have your business address saved on **My organization - Profile**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://docs.microsoft.com/microsoft-store/update-microsoft-store-for-business-account-settings#organization-tax-information).
 Microsoft Store adds the app to your inventory. From **Products & services**, you can:
 - Distribute the app: add to private store, or assign licenses
@@ -67,12 +76,4 @@ Microsoft Store adds the app to your inventory. From **Products & services**, yo
 For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md).
-For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
-
-## Request apps
-People in your org can request additional licenses for apps that are in your organization's private store. When **Allow app requests** is turned on, people in your org can respond to a notification about app license availability. Admins for your tenant will receive an email with the request, and can decide about making the purchase.
-
-**To manage Allow app requests**
-1. Sign in to http://businessstore.microsoft.com
-2. Click **Manage**, click **Settings**, and then click **Distribute**.
-3. Under **Private store** turn on, or turn off **Allow app requests**.
\ No newline at end of file
+For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
\ No newline at end of file
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index 8c447d9f6a..dbd5c9acfb 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -1,6 +1,6 @@
 ---
 title: Manage Windows device deployment with Windows Autopilot Deployment
-description: Add an Autopilot profile to devices. Autopilot profiles control what is included in Windows set up experience for your employees.
+description: Add an Autopilot profile to devices. Autopilot profiles control what is included in Windows set up experience for your employees.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@@ -24,44 +24,44 @@ Watch this video to learn more about Windows Autopilot in Micrsoft Store for Bus
 > [!video https://www.microsoft.com/en-us/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false]
 ## What is Windows Autopilot?
-In Microsoft Store for Business, you can manage devices for your organization and apply an *Autopilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device.
+In Microsoft Store for Business, you can manage devices for your organization and apply an *Autopilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device.
-You can create and apply Autopilot deployment profiles to these devices. The overall process looks like this.
+You can create and apply Autopilot deployment profiles to these devices. The overall process looks like this.
 ![Block diagram with main steps for using Autopilot in Microsoft Store for Business: upload device list; group devices (this step is optional); add profile; and apply profile.](images/autopilot-process.png)
 Figure 1 - Windows Autopilot Deployment Program process
-Autopilot deployment profiles have two main parts: default settings that can't be changed, and optional settings that you can include.
+Autopilot deployment profiles have two main parts: default settings that can't be changed, and optional settings that you can include.
### Autopilot deployment profiles - default settings
 These settings are configured with all Autopilot deployment profiles:
 - Skip Cortana, OneDrive, and OEM registration setup pages
 - Automatically setup for work or school
-- Sign in experience with company or school brand
+- Sign in experience with company or school brand
 ### Autopilot deployment profiles - optional settings
 These settings are off by default. You can turn them on for your Autopilot deployment profiles:
 - Skip privacy settings
 ### Support for Autopilot profile settings
-Autopilot profile settings are supported beginning with the version of Windows they were introduced in. This table summarizes the settings and what they are supported on.
+Autopilot profile settings are supported beginning with the version of Windows they were introduced in. This table summarizes the settings and what they are supported on.
 | Setting | Supported on |
 | ------- | ------------- |
 | Deployment default features| Windows 10, version 1703 or later |
 | Skip privacy settings | Windows 10, version 1703 or later |
-| Disable local admin account creation on the device | Windows 10, version 1703 or later |
+| Disable local admin account creation on the device | Windows 10, version 1703 or later |
 | Skip End User License Agreement (EULA) | Windows 10, version 1709 or later.
[Learn about Windows Autopilot EULA dismissal](https://docs.microsoft.com/windows/deployment/Windows-Autopilot-EULA-note) |
 ## Windows Autopilot deployment profiles in Microsoft Store for Business and Education
 You can manage new devices in Microsoft Store for Business or Microsoft Store for Education. Devices need to meet these requirements:
 - Windows 10, version 1703 or later
-- New devices that have not been through Windows out-of-box experience.
+- New devices that have not been through Windows out-of-box experience.
 ## Add devices and apply Autopilot deployment profile
-To manage devices through Microsoft Store for Business and Education, you'll need a .csv file that contains specific information about the devices. You should be able to get this from your Microsoft account contact, or the store where you purchased the devices. Upload the .csv file to Microsoft Store to add the devices.
+To manage devices through Microsoft Store for Business and Education, you'll need a .csv file that contains specific information about the devices. You should be able to get this from your Microsoft account contact, or the store where you purchased the devices. Upload the .csv file to Microsoft Store to add the devices.
 ### Device information file format
 Columns in the device information file need to use this naming and be in this order:
@@ -73,61 +73,61 @@ Here's a sample device information file:
 ![Notepad file showing example entries for Column A (Device Serial Number), Column B (Windows Product ID), and Column C (Hardware Hash).](images/msfb-autopilot-csv.png)
-When you add devices, you need to add them to an *Autopilot deployment group*. Use these groups to apply Autopilot deployment profiles to a group of devices. The first time you add devices to a group, you'll need to create an Autopilot deployment group.
+When you add devices, you need to add them to an *Autopilot deployment group*. Use these groups to apply Autopilot deployment profiles to a group of devices. The first time you add devices to a group, you'll need to create an Autopilot deployment group.
 > [!NOTE]
-> You can only add devices to a group when you add devices to **Microsoft Store for Business and Education**. If you decide to reorganize devices into different groups, you'll need to delete them from **Devices** in **Microsoft Store**, and add them again.
+> You can only add devices to a group when you add devices to **Microsoft Store for Business and Education**. If you decide to reorganize devices into different groups, you'll need to delete them from **Devices** in **Microsoft Store**, and add them again.
 **Add and group devices**
-1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
 2. Click **Manage**, and then click **Devices**.
-3. Click **Add devices**, navigate to the *.csv file and select it.
+3. Click **Add devices**, navigate to the *.csv file and select it.
 4. Type a name for a new Autopilot deployment group, or choose one from the list, and then click **Add**.
      -If you don't add devices to a group, you can select the individual devices to apply a profile to.
      +If you don't add devices to a group, you can select the individual devices to apply a profile to.
      ![Screenshot of Add devices to a group dialog. You can create a new group, or select a current group.](images/add-devices.png)
-
-5. Click the devices or Autopilot deployment group that you want to manage. You need to select devices before you can apply an Autopilot deployment profile. You can switch between seeing groups or devices by clicking **View groups** or **View devices**.
+
+5. Click the devices or Autopilot deployment group that you want to manage. You need to select devices before you can apply an Autopilot deployment profile. You can switch between seeing groups or devices by clicking **View groups** or **View devices**.
 **Apply Autopilot deployment profile**
-1. When you have devices selected, click **Autopilot deployment**.
+1. When you have devices selected, click **Autopilot deployment**.
 2. Choose the Autopilot deployment profile to apply to the selected devices.
-
+
 > [!NOTE]
 > The first time you use Autopilot deployment profiles, you'll need to create one. See [Create Autopilot profile](#create-autopilot-profile).
-
+
 3. Microsoft Store for Business applies the profile to your selected devices, and shows the profile name on **Devices**.
 ## Manage Autopilot deployment profiles
-You can manage the Autopilot deployment profiles created in Microsoft Store. You can create a new profile, edit, or delete a profile.
+You can manage the Autopilot deployment profiles created in Microsoft Store. You can create a new profile, edit, or delete a profile.
 ### Create Autopilot profile
-1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
 2. Click **Manage**, and then click **Devices**.
-3. Click **Autopilot deployment**, and then click **Create new profile**.
+3. Click **Autopilot deployment**, and then click **Create new profile**.
 4. Name the profile, choose the settings to include, and then click **Create**.
-The new profile is added to the **Autopilot deployment** list.
+The new profile is added to the **Autopilot deployment** list.
 ### Edit or delete Autopilot profile
-1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
 2. Click **Manage**, and then click **Devices**.
 3. Click **Autopilot deployment**, click **Edit your profiles**, and then choose the profile to edit. TBD: art
-4. Change settings for the profile, and then click **Save**.
      +4. Change settings for the profile, and then click **Save**.
      -or-
-Click **Delete profile** to delete the profile.
+Click **Delete profile** to delete the profile.
 ## Apply a different Autopilot deployment profile to devices
-After you've applied an Autopilot deployment profile to a device, if you decide to apply a different profile, you can remove the profile and apply a new profile.
+After you've applied an Autopilot deployment profile to a device, if you decide to apply a different profile, you can remove the profile and apply a new profile.
 > [!NOTE]
-> The new profile will only be applied if the device has not been started, and gone through the out-of-box experience. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
+> The new profile will only be applied if the device has not been started, and gone through the out-of-box experience. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
 ## Autopilot device information file error messages
-Here's info on some of the errors you might see while working with Autopilot deployment profiles in **Microsoft Store for Business and Education**.
+Here's info on some of the errors you might see while working with Autopilot deployment profiles in **Microsoft Store for Business and Education**.
-| Message Id | Message explanation |
+| Message Id | Message explanation |
 | ---------- | ------------------- |
 | wadp001 | Check your file, or ask your device partner for a complete .csv file. This file is missing Serial Number and Product Id info. |
 | wadp002 | Check your file, or ask your device partner for updated hardware hash info in the .csv file. Hardware hash info is invalid in the current .csv file. |
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index 247ff479fa..4ffb3b7e72 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -86,7 +86,7 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr
 **To sign a catalog file with Device Guard signing portal**
-1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
 2. Click **Settings**, click **Store settings**, and then click **Device Guard**.
 3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files).
 4. After the files are uploaded, click **Sign** to sign the catalog files.
@@ -94,7 +94,7 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr
 - signed catalog file
 - default policy
 - root certificate for your organization
-
+
 When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
 6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store.
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index b15ad00612..62db55062d 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -19,7 +19,7 @@ ms.date: 06/07/2018
 - Windows 10
 - Windows 10 Mobile
-You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
+You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
 All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
@@ -40,7 +40,7 @@ The last modified date tracks changes about the app as an item in your inventory - Reclaim license - Refund order (applies to purchased apps, not free apps) -The last modified date does not correspond to when an app was last updated in Microsoft Store. It tracks activity for that app, as an item in your inventory. +The last modified date does not correspond to when an app was last updated in Microsoft Store. It tracks activity for that app, as an item in your inventory. ## Find apps in your inventory @@ -51,8 +51,8 @@ There are a couple of ways to find specific apps, or groups of apps in your inve - **License type** - Online or offline licenses. For more info, see [Apps in Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model). - **Supported devices** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory. - **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps. -- **Product type** - Product categories, such as app, or game. -- **Private store** - Whether or not the app is in the private store, or status if the app is being added or removed from private store. +- **Product type** - Product categories, such as app, or game. +- **Private store** - Whether or not the app is in the private store, or status if the app is being added or removed from private store. ## Manage apps in your inventory Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table. 
@@ -99,17 +99,17 @@ Another way to distribute apps is by assigning them to people in your organizati If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store. **To remove an app from the private store** - -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). + +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Products & services**. 3. Find an app, click the ellipses, choose **Remove from private store**, and then click **Remove**. -4. Choose the private store collection, and then under **In collection**, switch to **Off**. +4. Choose the private store collection, and then under **In collection**, switch to **Off**. -The app will still be in your inventory, but your employees will not have access to the app from your private store. +The app will still be in your inventory, but your employees will not have access to the app from your private store. **To assign an app to an employee** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Inventory**. 3. Find an app, click the ellipses, and then choose **Assign to people**. 4. Type the email address for the employee that you're assigning the app to, and click **Confirm**. 
@@ -124,7 +124,7 @@ For each app in your inventory, you can view and manage license details. This gi 1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Apps & software**. -3. Click an app you want to manage. +3. Click an app you want to manage. 4. On the app page, you'll see the names of people in your organization who have installed the app and are using one of the licenses. From here, you can: - Assign the app to other people in your organization. @@ -147,16 +147,16 @@ Microsoft Store updates the list of assigned licenses. Microsoft Store updates the list of assigned licenses. ## Purchase additional licenses -You can purchase additional licenses for apps in your Inventory. +You can purchase additional licenses for apps in your Inventory. **To purchase additional app licenses** 1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com) 2. Click **Manage**, and then choose **Apps & software**. -3. From **Apps & software**, click an app. -4. On the app page, click **Buy more** for additional licenses, or click **Assign users** to manage your current licenses. +3. From **Apps & software**, click an app. +4. On the app page, click **Buy more** for additional licenses, or click **Assign users** to manage your current licenses. -You'll have a summary of current license availability. +You'll have a summary of current license availability. ## Download offline-licensed app Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store. 
@@ -171,9 +171,9 @@ For more information about online and offline licenses, see [Apps in the Microso For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md). -## Manage products programmatically +## Manage products programmatically -Microsoft Store for Business and Education provides a set of Admin management APIs. If you orgranization develops scripts or tools, these APIs allow Admins to programmatically manage items in **Apps & software**. For more information, see [REST API reference for Microsoft Store for Business](https://docs.microsoft.com/windows/client-management/mdm/rest-api-reference-windows-store-for-business). +Microsoft Store for Business and Education provides a set of Admin management APIs. If you orgranization develops scripts or tools, these APIs allow Admins to programmatically manage items in **Apps & software**. For more information, see [REST API reference for Microsoft Store for Business](https://docs.microsoft.com/windows/client-management/mdm/rest-api-reference-windows-store-for-business). You can download a preview PoweShell script that uses REST APIs. The script is available from PowerShell Gallery. You can use to the script to: - View items in inventory (**Apps & software**) @@ -181,4 +181,4 @@ You can download a preview PoweShell script that uses REST APIs. The script is a - Perform bulk options using .csv files - this automates license management for customers with large numbers of licenses > [!NOTE] -> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell. \ No newline at end of file +> The Microsoft Store for Business and Education Admin role is required to manage products and to use the MSStore module. This requires advanced knowledge of PowerShell. \ No newline at end of file 
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index de12fe9dbc..502bdc4c27 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -30,17 +30,17 @@ Your management tool needs to be installed and configured with Azure AD, in the 4. Click **Mobility (MDM and MAM)**.   3. Click **+Add Applications**, find the application, and add it to your directory. -After your management tool is added to your Azure AD directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure. +After your management tool is added to your Azure AD directory, you can configure it to work with Microsoft Store. You can configure multiple management tools - just repeat the following procedure. **To configure a management tool in Microsoft Store for Business** -1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com) -2. Click **Manage**, click **Settings**. +1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com) +2. Click **Manage**, click **Settings**. 3. Under **Distribute**, click **Management tools**. 3. From the list of MDM tools, select the one you want to synchronize with Microsoft Store, and then click **Activate.** Your MDM tool is ready to use with Microsoft Store. 
To learn how to configure synchronization and deploy apps, see these topics: - [Manage apps you purchased from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune-classic/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune) -- [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) For third-party MDM providers or management servers, check your product documentation. \ No newline at end of file diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 2f445c4301..eefb7fd379 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -45,13 +45,13 @@ You can't distribute offline-licensed apps directly from Microsoft Store. Once y - [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
      -For third-party MDM providers or management servers, check your product documentation. +For third-party MDM providers or management servers, check your product documentation. ## Download an offline-licensed app There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app. -- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. +- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. - **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. 
@@ -62,19 +62,19 @@ There are several items to download or create for offline-licensed apps. The app **To download an offline-licensed app** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then choose **Apps & software**. 3. Refine results by **License type** to show apps with offline licenses. 4. Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**. - - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. - - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. - - **To download an app license**: Choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. This is required. - - **To download an app framework**: Find the framework you need to support your app package, and click **Download**. This is optional. - + - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. + - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. + - **To download an app license**: Choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. This is required. 
+ - **To download an app framework**: Find the framework you need to support your app package, and click **Download**. This is optional. + > [!NOTE] > You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible. - +   diff --git a/store-for-business/manage-mpsa-software-microsoft-store-for-business.md b/store-for-business/manage-mpsa-software-microsoft-store-for-business.md index 37ab81c66d..4967eb20a1 100644 --- a/store-for-business/manage-mpsa-software-microsoft-store-for-business.md +++ b/store-for-business/manage-mpsa-software-microsoft-store-for-business.md 
@@ -19,23 +19,23 @@ ms.date: 3/20/2018 - Windows 10 - Windows 10 Mobile -Software purchased with the Microsoft Products and Services Agreement (MPSA) can now be managed in Microsoft Store for Business. This allows customers to manage online software purchases in one location. +Software purchased with the Microsoft Products and Services Agreement (MPSA) can now be managed in Microsoft Store for Business. This allows customers to manage online software purchases in one location. -There are a couple of things you might need to set up to manage MPSA software purchases in Store for Business. +There are a couple of things you might need to set up to manage MPSA software purchases in Store for Business. -**To manage MPSA software in Microsoft Store for Business** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com). +**To manage MPSA software in Microsoft Store for Business** +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com). 2. Click **Manage**, and then click **My Organization**. -3. Click **Connected tenants** to see purchasing accounts and the tenants that they are connected to. +3. Click **Connected tenants** to see purchasing accounts and the tenants that they are connected to. ## Add tenant -The tenant or tenants that are added to your purchasing account control how you can distribute software to people in your organization. If there isn't a tenant listed for your purchasing account, you'll need to add one before you can use or manage the software you've purchased. When we give you a list to choose from, tenants are grouped by domain. +The tenant or tenants that are added to your purchasing account control how you can distribute software to people in your organization. If there isn't a tenant listed for your purchasing account, you'll need to add one before you can use or manage the software you've purchased. When we give you a list to choose from, tenants are grouped by domain. 
-**To add a tenant to a purchasing account** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com). +**To add a tenant to a purchasing account** +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com). 2. Click **Manage**, and then click **My Organization**. 3. Click **Connected tenants**, and then click the ellipses for a purchasing account without a tenant listed. -4. Click **Choose a tenant**, and then click **Submit**. +4. Click **Choose a tenant**, and then click **Submit**. If you don't see your tenant in the list, you can add the name of your tenant 
@@ -43,19 +43,19 @@ If you don't see your tenant in the list, you can add the name of your tenant 1. On **Add a tenant**, click **Don't see your tenant?**. 2. Enter a domain name, and then click **Next**, and then click **Done**. -You'll need to get permissions for the admin that manages the domain you want to add. We'll take you to Business Center Portal where you can manage permissions and roles. The admin will need to be the **Account Manager**. +You'll need to get permissions for the admin that manages the domain you want to add. We'll take you to Business Center Portal where you can manage permissions and roles. The admin will need to be the **Account Manager**. ## Add global admin In some cases, we might not have info on who the global admin is for the tenant that you select. It might be that the tenant is unmanaged, and you'll need to identify a global admin. Or, you might only need to share account info for the global admin. If you need to nominate someone to be the global admin, they need sufficient permissions: - someone who can distribute sofware -- in Business Center Portal (BCP), it should be someone with **Agreement Admin** role +- in Business Center Portal (BCP), it should be someone with **Agreement Admin** role **To add a global admin to a tenant** -We'll ask for a global admin if we need that info when you add a tenant to a purchasing account. You'd see the request for a global admin before returning to **Store for Business**. +We'll ask for a global admin if we need that info when you add a tenant to a purchasing account. You'd see the request for a global admin before returning to **Store for Business**. - On **Add a Global Admin**, click **Make me the Global Admin**, and then click **Submit**. -or- -- On **Add a Global Admin**, type a name in **Invite someone else**, and then click **Submit**. \ No newline at end of file +- On **Add a Global Admin**, type a name in **Invite someone else**, and then click **Submit**. \ No newline at end of file 
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 12d927fce2..66650f1c89 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md @@ -1,6 +1,6 @@ --- title: Manage app orders in Microsoft Store for Business or Microsoft Store for Education (Windows 10) -description: You can view your order history with Micrsoft Store for Business or Micrsoft Store for Education. +description: You can view your order history with Micrsoft Store for Business or Micrsoft Store for Education. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -14,14 +14,14 @@ ms.date: 11/10/2017 # Manage app orders in Microsoft Store for Business and Education -After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds. +After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds. **Order history** lists orders in chronological order and shows: - Date ordered - Product name - Product publisher - Total cost -- Order status. +- Order status. Click to expand an order, and the following info is available: - Who purchased the app 
@@ -32,32 +32,32 @@ Click to expand an order, and the following info is available: ## Invoices -Invoices for orders are available approximately 24 hours after your purchase. The link opens a .pdf that you can save for your records. +Invoices for orders are available approximately 24 hours after your purchase. The link opens a .pdf that you can save for your records. ## Refund an order -Refunds work a little differently for free apps, and apps that have a price. In both cases, you must reclaim licenses before requesting a refund. +Refunds work a little differently for free apps, and apps that have a price. In both cases, you must reclaim licenses before requesting a refund. **Refunds for free apps** - - For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory. - + + For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory. + **Refunds for apps that have a price** - + There are a few requirements for apps that have a price: - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. - **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. - - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. 
For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. + - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. **To refund an order** -Reclaim licenses, and then request a refund. If you haven't assigned licenses, start on step 5. -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +Reclaim licenses, and then request a refund. If you haven't assigned licenses, start on step 5. +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then choose **Apps & software**. 3. Find the app you want to refund, click the ellipses under **Actions**, and then choose **View license details**. -4. Select the people who you want to reclaim license from, click the ellipses under **Actions**, and then choose **Reclaim licenses**. +4. Select the people who you want to reclaim license from, click the ellipses under **Actions**, and then choose **Reclaim licenses**. 5. Click **Order history**, click the order you want to refund, and click **Refund order**. -For free apps, the app will be removed from your inventory in **Apps & software**. +For free apps, the app will be removed from your inventory in **Apps & software**. 
-For apps with a price, your payment option will be refunded with the cost of the app, and the app will be removed from your inventory. +For apps with a price, your payment option will be refunded with the cost of the app, and the app will be removed from your inventory. diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index 1462bb3ee3..ee4baa3b88 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md @@ -31,7 +31,7 @@ You can change the name of your private store in Microsoft Store. ## Change private store name **To change the name of your private store** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Settings**, click **Distribute**. 3. In the **Private store** section, click **Change**. 4. Type a new display name for your private store, and click **Save**. 
@@ -39,14 +39,14 @@ You can change the name of your private store in Microsoft Store. ![Image showing Private store dialog used to change private store display name.](images/wsfb-renameprivatestore.png) ## Private store collections -You can create collections of apps within your private store. Collections allow you to group or categorize apps - you might want a group of apps for different job functions in your company, or classes in your school. +You can create collections of apps within your private store. Collections allow you to group or categorize apps - you might want a group of apps for different job functions in your company, or classes in your school. **To add a Collection to your private store** You can add a collection to your private store from the private store, or from the details page for an app. -**From private store** -1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +**From private store** +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click your private store.
      ![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png) @@ -55,16 +55,16 @@ You can add a collection to your private store from the private store, or from t ![Image showing Add a Collection.](images/msfb-add-collection.png) 4. Type a name for your collection, and then click **Next**. -5. Add at least one product to your collection, and then click **Done**. You can search for apps and refine results based on the source of the app, or the supported devices. +5. Add at least one product to your collection, and then click **Done**. You can search for apps and refine results based on the source of the app, or the supported devices. -> [!NOTE] -> New collections require at least one app, or they will not be created. +> [!NOTE] +> New collections require at least one app, or they will not be created. -**From app details page** -1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Products & services**. -3. Under **Apps & software**, choose an app you want to include in a new collection. -4. Under **Private Store Collections**, click **Add a collection**. +**From app details page** +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, and then click **Products & services**. +3. Under **Apps & software**, choose an app you want to include in a new collection. +4. Under **Private Store Collections**, click **Add a collection**. ![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png) 
@@ -74,34 +74,34 @@ You can add a collection to your private store from the private store, or from t Currently, changes to collections will generally show within minutes in the Microsoft Store app on Windows 10. In some cases, it may take up an hour. ## Edit Collections -If you've already added a Collection to your private store, you can easily add and remove products, or rename the collection. +If you've already added a Collection to your private store, you can easily add and remove products, or rename the collection. -**To add or remove products from a collection** -1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +**To add or remove products from a collection** +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click your private store.
      ![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png) -3. Click the ellipses next to the collection name, and click **Edit collection**. -4. Add or remove products from the collection, and then click **Done**. +3. Click the ellipses next to the collection name, and click **Edit collection**. +4. Add or remove products from the collection, and then click **Done**. -You can also add an app to a collection from the app details page. -1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Products & services**. -3. Under **Apps & software**, choose an app you want to include in a new collection. +You can also add an app to a collection from the app details page. +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, and then click **Products & services**. +3. Under **Apps & software**, choose an app you want to include in a new collection. 4. Under **Private Store Collections**, turn on the collection you want to add the app to. - ![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png) + ![Image showing app details page with Add a Collection.](images/msfb-ps-collection-idp.png) ## Private store performance -We've recently made performance improvements for changes in the private store. This table includes common actions, and the current estimate for amount of time required for the change. +We've recently made performance improvements for changes in the private store. This table includes common actions, and the current estimate for amount of time required for the change. | Action | Estimated time | | ------------------------------------------------------ | -------------- | | Add a product to the private store
      - Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
      - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
      - 36 hours: searchable in private store
      - 36 hours: searchable in private store tab | -| Remove a product from private store | - 15 minutes: private store tab
      - 36 hours: searchable in private store | +| Remove a product from private store | - 15 minutes: private store tab
      - 36 hours: searchable in private store | | Accept a new LOB app into your inventory (under **Products & services)**) | - 15 minutes: available on private store tab
      - 36 hours: searchable in private store | | Create a new collection | 15 minutes| | Edit or remove a collection | 15 minutes | | Create private store tab | 4-6 hours | -| Rename private store tab | 4-6 hours | +| Rename private store tab | 4-6 hours | diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index 889c27f140..4b53678c9c 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -1,6 +1,6 @@ --- title: Microsoft Store for Business and Education PowerShell module - preview -description: Preview version of PowerShell module +description: Preview version of PowerShell module ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -42,16 +42,16 @@ All of the **Microsoft Store for Business and Education** PowerShell cmdlets fol ## Install Microsoft Store for Business and Education PowerShell module > [!NOTE] -> Installing **Microsoft Store for Business and Education** PowerShell model using **PowerShellGet** requires [Windows Management Framework 5.0](http://www.microsoft.com/download/details.aspx?id=48729). The framework is included with Windows 10 by default). +> Installing **Microsoft Store for Business and Education** PowerShell model using **PowerShellGet** requires [Windows Management Framework 5.0](https://www.microsoft.com/download/details.aspx?id=48729). The framework is included with Windows 10 by default). To install **Microsoft Store for Business and Education PowerShell** with PowerShellGet, run this command: ```powershell # Install the Microsoft Store for Business and Education PowerShell module from PowerShell Gallery -Install-Module -Name MSStore +Install-Module -Name MSStore -``` +``` ## Import Microsoft Store for Business and Education PowerShell module into the PowerShell session Once you install the module on your Windows 10 device, you will need to then import it into each PowerShell session you start. @@ -63,7 +63,7 @@ Import-Module -Name MSStore ``` -Next, authorize the module to call **Microsoft Store for Business and Education** on your behalf. This step is required once, per user of the PowerShell module. +Next, authorize the module to call **Microsoft Store for Business and Education** on your behalf. This step is required once, per user of the PowerShell module. To authorize the PowerShell module, run this command. You'll need to sign-in with your work or school account, and authorize the module to access your tenant. 
@@ -76,7 +76,7 @@ Grant-MSStoreClientAppAccess You will be promted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used. ## View items in Products and Services -Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview. +Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview. ```powershell # View items in inventory (Apps & software) 
@@ -105,17 +105,17 @@ Get-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 > [!Important] > Microsoft Store for Business and Education identifies Minecraft: Education Edition license types using a combination of Product ID and SKU ID. To manage license assignments for your Minecraft: Education Edition, you need to specify Product and SKU IDs for the licenses you want to manage in the cmdlet. The following table lists the Product and SKU IDs. - + | License Type | Product ID | SKU ID | | ------------ | -----------| -------| | Purchased through Microsoft Store for Business and Education with a credit card | CFQ7TTC0K5DR | 0001 | | Purchased through Microsoft Store for Business and Education with an invoice | CFQ7TTC0K5DR | 0004 | | Purchased through Microsoft Volume Licensing Agreement | CFQ7TTC0K5DR | 0002 | -| Acquired through Windows 10 device promotion | CFQ7TTC0K5DR | 0005 | +| Acquired through Windows 10 device promotion | CFQ7TTC0K5DR | 0005 | ## Assign or reclaim products -Once you have enumerated items in **Products and Service**, you can assign or reclaim licenses to and from people in your org. +Once you have enumerated items in **Products and Service**, you can assign or reclaim licenses to and from people in your org. These commands assign a product to a user and then reclaim it. 
@@ -131,7 +131,7 @@ Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user ``` ## Assign or reclaim a product with a .csv file -You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module. +You can also use the PowerShell module to perform bulk operations on items in **Product and Services**. You'll need a .CSV file with at least one column for “Principal Names” (for example, user@host.com). You can create such a CSV using the AzureAD PowerShell Module. **To assign or reclaim seats in bulk:** @@ -147,7 +147,7 @@ Remove-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C: ``` ## Uninstall Microsoft Store for Business and Education PowerShell module -You can remove **Microsoft Store for Business and Education PowerShell** from your computer by running the following PowerShell Command. +You can remove **Microsoft Store for Business and Education PowerShell** from your computer by running the following PowerShell Command. ```powershell # Uninstall the MSStore Module diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index f9d2591ffe..67c65aeebb 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 6/28/2018 +ms.date: 08/29/2018 --- # Microsoft Store for Business and Education release history 
@@ -17,6 +17,13 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## July 2018 +- Bug fixes and permformance improvements. + +## June 2018 +- **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection. +- **Performance improvements in private store** - We continue to work on performance improvements in the private store. Now, most products new to your inventory are available in your private store within 15 minutes of adding them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) + ## May 2018 - **Immersive Reader app available in Microsoft Store for Education** - This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. 
@@ -40,15 +47,12 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. ## December 2017 - - Bug fixes and permformance improvements. ## November 2017 - - **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file. ## October 2017 - - Bug fixes and permformance improvements. ## September 2017 diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index 6dad7ccd03..22e03ceda8 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -10,7 +10,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 3/30/2018 +ms.date: 8/7/2018 --- # Roles and permissions in Microsoft Store for Business and Education 
@@ -31,10 +31,11 @@ This table lists the global user accounts and the permissions they have in Micro | | Global Administrator | Billing Administrator | | ------------------------------ | --------------------- | --------------------- | -| Sign up for Microsoft Store for Business and Education | X | | +| Sign up for Microsoft Store for Business and Education | X | | Modify company profile settings | X | | | Acquire apps | X | X | | Distribute apps | X | X | +| Purchase subscription-based software | X | X |   - **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. @@ -43,7 +44,7 @@ This table lists the global user accounts and the permissions they have in Micro ## Microsoft Store roles and permissions -Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. +Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store. This table lists the roles and their permissions. diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index 29c8a0abe7..f9feb738d7 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md 
@@ -32,7 +32,7 @@ Before you get started, be sure to review these best practices: **To sign a code integrity policy** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, click **Store settings**, and then click **Device Guard**. 3. Click **Upload** to upload your code integrity policy. 4. After the files are uploaded, click **Sign** to sign the code integrity policy. diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md index 9b5502382f..3ac104dedf 100644 --- a/store-for-business/update-microsoft-store-for-business-account-settings.md +++ b/store-for-business/update-microsoft-store-for-business-account-settings.md 
@@ -22,22 +22,22 @@ ms.date: 10/17/2017 The **Payments & billing** page in Microsoft Store for Business allows you to manage organization information, billing information, and payment options. The organization information and payment options are required before you can acquire apps that have a price. ## Organization information - + We need your business address, email contact, and tax-exemption certificates that apply to your country or locale. - + ### Business address and email contact -Before purchasing apps that have a fee, you need to add or update your organization's business address, and contact email address. +Before purchasing apps that have a fee, you need to add or update your organization's business address, and contact email address. -We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase. +We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase. -We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store. +We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. 
This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store. **To update Organization information** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com) 2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**. -## Organization tax information +## Organization tax information Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: - Austria - Belgium @@ -72,7 +72,7 @@ Taxes for Microsoft Store for Business purchases are determined by your business - Switzerland - United Kingdom -These countries can provide their VAT number or local equivalent in **Payments & billing**. +These countries can provide their VAT number or local equivalent in **Payments & billing**. |Market| Tax identifier | |------|----------------| @@ -84,9 +84,9 @@ These countries can provide their VAT number or local equivalent in **Payments & | Monaco | VAT ID (optional) | | Taiwan | VAT ID (optional) | -### Tax-exempt status +### Tax-exempt status -If you qualify for tax-exempt status in your market, start a service request to establish tax exempt status for your organization. +If you qualify for tax-exempt status in your market, start a service request to establish tax exempt status for your organization. **To start a service request** 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com). 
@@ -98,14 +98,14 @@ You’ll need this documentation: |------------------|----------------| | United States | Sales Tax Exemption Certificate | | Canada | Certificate of Exemption (or equivalent letter of authorization) | -| Ireland | 13B/56A Tax Exemption Certificate| +| Ireland | 13B/56A Tax Exemption Certificate| | International organizations that hold tax exaemption | Certification / letter confirmation from local tax authorities | ### Calculating tax -Sales taxes are calculated against the unit price, and then aggregated. - +Sales taxes are calculated against the unit price, and then aggregated. + For example:
      (unit price X tax rate) X quantity = total sales tax @@ -114,36 +114,36 @@ For example:
      ($1.29 X .095) X 100 = $12.25 ## Payment options -You can purchase apps from Microsoft Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards: -1. VISA -2. MasterCard -3. Discover -4. American Express +You can purchase apps from Microsoft Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards: +1. VISA +2. MasterCard +3. Discover +4. American Express 5. Japan Commercial Bureau (JCB) > [!NOTE] > Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region. -**To add a new payment option** +**To add a new payment option** -1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, click **Billing**, and then click **Payments methods**. -3. Click **Add a payment options**, and then select the type of credit card that you want to add. -4. Add information to required fields, and then click **Next**. +1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, click **Billing**, and then click **Payments methods**. +3. Click **Add a payment options**, and then select the type of credit card that you want to add. +4. Add information to required fields, and then click **Next**. -Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. 
+Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. > [!NOTE] -> When adding credit or debit cards, you may be prompted to enter a CVV. The CVV is only used for verification purposes and is not stored in our systems after validation. +> When adding credit or debit cards, you may be prompted to enter a CVV. The CVV is only used for verification purposes and is not stored in our systems after validation. -**To update a payment option** +**To update a payment option** + +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, click **Billing**, and then click **Payments methods**. +3. Select the payment option that you want to update, and then click **Update**. +4. Enter any updated information in the appropriate fields, and then click **Next**. +Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, click **Billing**, and then click **Payments methods**. -3. Select the payment option that you want to update, and then click **Update**. -4. Enter any updated information in the appropriate fields, and then click **Next**. 
-Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. - > [!NOTE] > Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. 
@@ -151,15 +151,15 @@ Once you click **Next**, the information you provided will be validated with a Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on Microsoft Store for Business licensing model, see [licensing model](https://docs.microsoft.com/microsoft-store/apps-in-microsoft-store-for-business#licensing-model). -Admins can decide whether or not offline licenses are shown for apps in Microsoft Store. +Admins can decide whether or not offline licenses are shown for apps in Microsoft Store. **To set offline license visibility** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Settings - Shop**. +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, and then click **Settings - Shop**. 3. Under **Shopping experience** turn on or turn off **Show offline apps**,to show availability for offline-licensed apps. You have the following distribution options for offline-licensed apps: - Include the app in a provisioning package, and then use it as part of imaging a device. -- Distribute the app through a management tool. +- Distribute the app through a management tool. For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md). 
\ No newline at end of file diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index ecb95fbfa9..efce0d7fd7 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 6/28/2018 +ms.date: 08/29/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,14 +17,10 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**June 2018** - +**August 2018** | | | -|--------------------------------------|---------------------------------| -| ![Private store icon](images/private-store-icon.png) |**Change order within private store collection**

      Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection.

      **Applies to**:
      Microsoft Store for Business
      Microsoft Store for Education | -| ![performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**

      We continue to work on performance improvements in the private store. Now, most products new to your inventory are available in your private store within 15 minutes of adding them.

      [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)

      **Applies to**:
      Microsoft Store for Business
      Microsoft Store for Education | - - +|-----------------------|---------------------------------| +| ![Private store performance icon](images/perf-improvement-icon.png) |**App requests**

      People in your organization can make requests for apps that they need. They can also request them on behalf of other people. Admins review requests and can decide on purchases.

      [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests)

      **Applies to**:
      Microsoft Store for Business
      Microsoft Store for Education | @@ -120,9 +94,9 @@ The **PackageId** is the same value as exists in the Manifest file. ``` -**Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the : +**Subsystems**: AppExtensions and other subsystems are arranged as subnodes under ``, as shown in the following example. -``` +```xml .. 
@@ -131,19 +105,21 @@ The **PackageId** is the same value as exists in the Manifest file. ``` -Each subsystem can be enabled/disabled using the “**Enabled**” attribute. Below are the various subsystems and usage samples. +Each subsystem can be enabled/disabled using the **Enabled** attribute. The following sections describe the various subsystems and usage samples. -**Extensions:** +### Dynamic User Configuration file extensions -Some subsystems (Extension Subsystems) control Extensions. Those subsystems are:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM +Extension Subsystems control extensions. These subsystems are Shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. -Extension Subsystems can be enabled and disabled independently of the content.  Thus if Shortcuts are enabled, The client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. +Extension Subsystems can be enabled and disabled independently of the content.  Therefore, if Shortcuts are enabled, the client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an `` node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. -Example using the shortcuts subsystem: +### Examples of the shortcuts subsystem -**Example 1**
      If the user defined this in either the dynamic or deployment config file: +#### Example 1 -``` +Content will be ignored if the user defined the following in either the dynamic or deployment config file: + +```xml                                                                         ``` -Content in the manifest will be ignored.    +#### Example 2 -**Example 2**
      If the user defined only the following: +Content in the manifest will be integrated during publishing if the user defined only the following: + +```xml                             `` - -Then the content in the Manifest will be integrated during publishing. - -**Example 3**
      If the user defines the following - ``` + +#### Example 3 + +All shortcuts in the manifest will be ignored and no shortcuts will be integrated if the user defines the following: + +```xml                                                                                                     ``` -Then all the shortcuts within the manifest will still be ignored. There will be no shortcuts integrated. +### Supported Extension Subsystems -The supported Extension Subsystems are: +**Shortcuts**: This controls shortcuts that will be integrated into the local system. The following example has two shortcuts: -**Shortcuts:** This controls shortcuts that will be integrated into the local system. Below is a sample with 2 shortcuts: - -``` +```xml   @@ -209,9 +186,9 @@ The supported Extension Subsystems are: ``` -**File-Type Associations:** Associates File-types with programs to open by default as well as setup the context menu. (MIME types can also be setup using this susbsystem). Sample File-type Association is below: +**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this susbsystem). The following is an example of a FileType association: -``` +```xml @@ -275,9 +252,9 @@ The supported Extension Subsystems are: ``` -**URL Protocols**: This controls the URL Protocols that are integrated into the local registry of the client machine e.g. “mailto:”. +**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” ptrotocol. -``` +```xml 
@@ -322,17 +299,17 @@ The supported Extension Subsystems are:   ``` -**Software Clients**: Allows the app to register as an Email client, news reader, media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. +**Software Clients**: Allows the app to register as an email client, news reader, or media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases, you only need to enable and disable it. There's also a control that lets you enable or disable the email client only in case you want all the other clients to remain as they are. -``` +```xml   ``` -**AppPaths**: If an application for example contoso.exe is registered with an apppath name of “myapp”, it allows you type “myapp” under the run menu and it will open contoso.exe. +**AppPaths**: If an application, such as contoso.exe, is registered with an apppath name of “myapp”, this subsystem lets you open the app by entering “myapp” into the run menu. -``` +```xml 
@@ -349,21 +326,25 @@ The supported Extension Subsystems are: ``` -**COM**: Allows an Application register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. - -` ` - -**Other Settings**: - -In addition to Extensions, other subsystems can be enabled/disabled and edited: - -**Virtual Kernel Objects**: - -` ` - -**Virtual Registry**: Used if you want to set a registry in the Virtual Registry within HKCU +**COM**: Allows an Application to register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. +```xml + ``` + +### Other settings for Dynamic User Configuration file + +In addition to Extensions, the following other subsystems can be enabled/disabled and edited. + +#### Virtual Kernel Objects + +```xml + +```xml + +**Virtual Registry**: use this if you want to set a registry in the Virtual Registry within HKCU. + +```xml @@ -375,17 +356,21 @@ In addition to Extensions, other subsystems can be enabled/disabled and edited:   ``` -**Virtual File System** - -`       ` - -**Virtual Fonts** - -`       ` - -**Virtual Environment Variables** +#### Virtual File System +```xml +       ``` + +#### Virtual Fonts + +```xml +       +``` + +#### Virtual Environment Variables + +```xml         
@@ -397,32 +382,39 @@ In addition to Extensions, other subsystems can be enabled/disabled and edited:          ``` -**Virtual services** - -`       ` - -**UserScripts** – Scripts can be used to setup or alter the virtual environment as well as execute scripts at time of deployment or removal, before an application executes, or they can be used to “clean up” the environment after the application terminates. Please reference a sample User configuration file that is output by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used. - -### Dynamic Deployment Configuration file - -**Header** - The header of a Deployment Configuration file is as follows: +#### Virtual services +```xml +       ``` + +#### UserScripts + +Scripts can be used to set up or alter the virtual environment and execute scripts on deployment or removal, before an application executes, or they can clean up the environment after the application terminates. Please refer to a sample User Configuration file output by the sequencer to see a sample script. See the [Scripts](appv-dynamic-configuration.md#scripts) section for more information about the various triggers you can use to set up scripts. + +## Dynamic Deployment Configuration file + +### Dynamic Deployment Configuration file header + +The header of a Deployment Configuration file should look something like this: + +```xml ``` -The **PackageId** is the same value as exists in the manifest file. +The **PackageId** is the same value as the one that exists in the Manifest file. -**Body** - The body of the deployment configuration file includes two sections: +### Dynamic Deployment Configuration file body -- User Configuration section –allows the same content as the User Configuration file described in the previous section. 
When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. +The body of the deployment configuration file includes two sections: -- Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. +- The User Configuration section allows the same content as the User Configuration file described in the previous section. When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. +- The Machine Configuration section contains information that can only be configured for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. -``` +```xml -  .. +.. .. 
@@ -432,13 +424,15 @@ The **PackageId** is the same value as exists in the manifest file. ``` -**User Configuration** - use the previous **Dynamic User Configuration file** section for information on settings that are provided in the user configuration section of the Deployment Configuration file. +User Configuration: see [Dynamic User Configuration](appv-dynamic-configuration.md#dynamic-user-configuration) for more information about this section. -Machine Configuration - the Machine configuration section of the Deployment Configuration File is used to configure information that can be set only for an entire machine, not for a specific user on the computer. For example, HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. There are four subsections allowed in under this element +Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections. -1. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under : +#### Subsystems -``` +AppExtensions and other subsystems are arranged as subnodes under ``: + +```xml     .. 
@@ -447,15 +441,17 @@ Machine Configuration - the Machine configuration section of the Deployment Conf ``` -The following section displays the various subsystems and usage samples. +The following section describes the various subsystems and usage samples. -**Extensions**: +#### Extensions -Some subsystems (Extension Subsystems) control Extensions which can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The same rules for controls and settings that apply to the Extensions in the User Configuration also apply to those in the MachineConfiguration section. +Some subsystems (Extension Subsystems) control extensions that can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The rules for User Configuration extension controls and settings also apply to the ones in Machine Configuration. -**Application Capabilities**: Used by default programs in windows operating system Interface. Allows an application to register itself as capable of opening certain file extensions, as a contender for the start menu internet browser slot, as capable of opening certain windows MIME types.  This extension also makes the virtual application visible in the Set Default Programs UI.: +#### Application Capabilities -``` +Used by default programs in the Windows OS interface, the Application Capabilities extension allows an application to register itself as capable of opening certain file extensions, as a contender for the Start menu's internet browser slot, and as capable of opening certain Windows MIME types. This extension also makes the virtual application visible in the Set Default Programs UI. + +```xml       
@@ -491,13 +487,13 @@ Some subsystems (Extension Subsystems) control Extensions which can only apply t ``` -**Other Settings**: +#### Other settings for Dynamic Deployment Configuration file -In addition to Extensions, other subsystems can be edited: +You can edit other subsystems in addition to extensions: -**Machine Wide Virtual Registry**: Used when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine +- Machine-wide Virtual Registry: use this when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine. -``` +```xml   @@ -509,9 +505,9 @@ In addition to Extensions, other subsystems can be edited: ``` -**Machine Wide Virtual Kernel Objects** +- Machine-wide Virtual Kernel Objects -``` +```xml     
@@ -519,23 +515,23 @@ In addition to Extensions, other subsystems can be edited: ``` -**ProductSourceURLOptOut**: Indicates whether the URL for the package can be modified globally through PackageSourceRoot (to support branch office scenarios). Default is false and the setting change takes effect on the next launch. +- ProductSourceURLOptOut: Indicates whether the URL for the package can be modified globally through PackageSourceRoot to support branch office scenarios. It's set to False by default. Changes to the value take effect on the next launch. -``` +```xml -   ..  +   ..      .. ``` -**MachineScripts** – Package can be configured to execute scripts at time of deployment, publishing or removal. Please reference a sample deployment configuration file that is generated by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used +- MachineScripts: The package can be configured to execute scripts upon deployment, publishing, or removal. To see an example script, please see a sample deployment configuration file generated by the sequencer. The following section provides more information about the various triggers you can use to set up scripts. -**TerminateChildProcess**:- An application executable can be specified, whose child processes will be terminated when the application exe process is terminated. +- TerminateChildProcess: you can use this to specify that an application executable's child processes will be terminated when the application.exe process is terminated. -``` +```xml -   ..    +   ..              @@ -549,113 +545,33 @@ In addition to Extensions, other subsystems can be edited: The following table describes the various script events and the context under which they can be run. - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Script Execution TimeCan be specified in Deployment ConfigurationCan be specified in User ConfigurationCan run in the Virtual Environment of the packageCan be run in the context of a specific applicationRuns in system/user context: (Deployment Configuration, User Configuration)

      AddPackage

      X

      (SYSTEM, N/A)

      PublishPackage

      X

      X

      (SYSTEM, User)

      UnpublishPackage

      X

      X

      (SYSTEM, User)

      RemovePackage

      X

      (SYSTEM, N/A)

      StartProcess

      X

      X

      X

      X

      (User, User)

      ExitProcess

      X

      X

      X

      (User, User)

      StartVirtualEnvironment

      X

      X

      X

      (User, User)

      TerminateVirtualEnvironment

      X

      X

      (User, User)

      - -  +|Script execution time|Can be specified in Deployment Configuration|Can be specified in User Configuration|Can run in the package's virtual environment|Can be run in the context of a specific application|Runs in system/user context: (Deployment Configuration, User Configuration)| +|---|:---:|:---:|:---:|:---:|:---:| +|AddPackage|X||||(SYSTEM, N/A)| +|PublishPackage|X|X|||(SYSTEM, User)| +|UnpublishPackage|X|X|||(SYSTEM, User)| +|RemovePackage|X||||(SYSTEM, N/A)| +|StartProcess|X|X|X|X|(User, User)| +|ExitProcess|X|X||X|(User, User)| +|StartVirtualEnvironment|X|X|X||(User, User)| +|TerminateVirtualEnvironment|X|X|||(User, User)| ### Using multiple scripts on a single event trigger App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows 10. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. -**How to use multiple scripts on a single event trigger:** +#### How to use multiple scripts on a single event trigger -For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application then runs each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. +For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application will run each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. -**Note**   -We recommended that you run the multi-script line from a command prompt first to make sure that all arguments are built correctly before adding them to the deployment configuration file. 
+>[!NOTE] +>We recommended you first run the multi-script line from a command prompt to make sure all arguments are built correctly before adding them to the deployment configuration file. -  - -**Example script and parameter descriptions** +#### Example script and parameter descriptions Using the following example file and table, modify the deployment or user configuration file to add the scripts that you want to run. -``` syntax +```xml ScriptRunner.exe @@ -669,78 +585,29 @@ Using the following example file and table, modify the deployment or user config ``` - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
      Parameter in the example fileDescription

      Name of the event trigger for which you are running a script, such as adding a package or publishing a package.

      ScriptRunner.exe

      The script launcher application that is included in the App-V client.

      -
      -Note   -

      Although ScriptRunner.exe is included in the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.

      -
      -
      -  -
      
      --appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10
      +|Parameter in the example file|Description|
      +|---|---|
      +|``|Name of the event trigger you're running a script for, such as when adding or publishing a package.|
      +|`ScriptRunner.exe`|The script launcher application included in the App-V client.

      Although ScriptRunner.exe is included in the App-V client, the App-V client's location must be in %path% or ScriptRunner won't run. `ScriptRunner.exe` is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.| +|`-appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10`

      `-appvscript script2.vbs arg1 arg2`

      `-appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror`|`-appvscript`—token that represents the actual script you want to run.
      `script1.exe`—name of the script you want to run.
      `arg1 arg2`—arguments for the script you want to run.
      `-appvscriptrunnerparameters`—token that represents the execution options for script1.exe.
      `-wait`—token that tells ScriptRunner to wait for execution of script1.exe to finish before proceeding to the next script.
      `-timeout=x`—token that informs ScriptRunner to stop running the current script after *x* number of seconds. All other specified scripts will still run.
      `-rollbackonerror`—token that tells ScriptRunner to stop running all scripts that haven't yet run and roll back an error to the App-V client.| +|``|Waits for overall completion of ScriptRunner.exe.

      Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

      If any individual script reported an error and rollbackonerror was set to True, then ScriptRunner should report the error to App-V client.| --appvscript script2.vbs arg1 arg2 - --appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror -

      -appvscript - Token that represents the actual script that you want to run.

      -

      script1.exe – Name of the script that you want to run.

      -

      arg1 arg2 – Arguments for the script that you want to run.

      -

      -appvscriptrunnerparameters – Token that represents the execution options for script1.exe

      -

      -wait – Token that informs ScriptRunner to wait for execution of script1.exe to complete before proceeding to the next script.

      -

      -timeout=x – Token that informs ScriptRunner to stop running the current script after x number of seconds. All other specified scripts will still run.

      -

      -rollbackonerror – Token that informs ScriptRunner to stop running all scripts that haven't yet run and to roll back an error to the App-V client.

      Waits for overall completion of ScriptRunner.exe.

      -

      Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

      -

      If any individual script reported an error and rollbackonerror was set to true, then ScriptRunner would report the error to App-V client.

      - -  - -ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type is not associated with any application on the computer, the script will not run. +ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type isn't associated with any of the computer's applications, the script won't run. ### Create a Dynamic Configuration file using an App-V Manifest file -You can create the Dynamic Configuration file using one of three methods: either manually, using the App-V Management Console or sequencing a package, which will be generated with 2 sample files. +You can create the Dynamic Configuration file using one of three methods: manually, using the App-V Management Console, or by sequencing a package, which will generate a package with two sample files. -For more information about how to create the file using the App-V Management Console see, [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md). +For more information about how to create the file using the App-V Management Console, see [How to create a Custom Configuration file by using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md). -To create the file manually, the information above in previous sections can be combined into a single file. We recommend you use files generated by the sequencer. +To create the file manually, you can combine the components listed in the previous sections into a single file. However, we recommend you use files generated by the sequencer instead of manually created ones. ## Have a suggestion for App-V? 
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 ## Related topics
-[How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)
-
-[How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)
-
-[Operations for App-V](appv-operations.md)
+- [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md)
+- [How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md)
+- [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index 3ae3740c77..803d11d76e 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -8,25 +8,22 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 04/19/2017
 ---
+# How to enable only administrators to publish packages by using an ESD
-
-# How to Enable Only Administrators to Publish Packages by Using an ESD
-
-**Applies to**
-- Windows 10, version 1607
+>Applies to: Windows 10, version 1607
 Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks.
-**To enable only administrators to publish or unpublish packages**
+Here's how to enable only administrators to publish or unpublish packages:
-1. Navigate to the following Group Policy Object node:
+1. Navigate to the following Group Policy Object node:
- **Computer Configuration > Administrative Templates > System > App-V > Publishing**.
+ **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**.
-2. Enable the **Require publish as administrator** Group Policy setting.
+2. Enable the **Require publish as administrator** Group Policy setting.
- To instead use Windows PowerShell to set this item, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).
+ To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending).
 ## Have a suggestion for App-V?
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index c21abca90a..b6df634063 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -8,8 +8,6 @@ ms.sitesec: library
 ms.prod: w10
 ms.date: 04/19/2017
 ---
-
-
 # How to Enable Reporting on the App-V Client by Using Windows PowerShell
 **Applies to**
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index ff0ad45667..0696778b9f 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -35,7 +35,7 @@ Check out these articles for more information about how to configure the App-V c
 * [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)
 * [How to modify client configuration by using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)
 * [Using the client management console](appv-using-the-client-management-console.md)
-* [How to configure the client to receive package and connection group updates From the Publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
+* [How to configure the client to receive package and connection group updates from the Publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
 ## Have a suggestion for App-V?
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index 857938e467..3642e254c5 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -6,64 +6,61 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # Application Virtualization (App-V) for Windows 10 overview -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 -The topics in this section provide information and step-by-step procedures to help you administer App-V and its components. This information will be valuable for system administrators who manage large installations with many servers and clients and for support personnel who interact directly with the computers or the end users. +The topics in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users. -[Getting Started with App-V](appv-getting-started.md) +[Getting started with App-V](appv-getting-started.md) - [What's new in App-V](appv-about-appv.md) - [Evaluating App-V](appv-evaluating-appv.md) -- [High Level Architecture for App-V](appv-high-level-architecture.md) +- [High-level architecture for App-V](appv-high-level-architecture.md) [Planning for App-V](appv-planning-for-appv.md) -- [Preparing Your Environment for App-V](appv-preparing-your-environment.md) -- [App-V Prerequisites](appv-prerequisites.md) -- [Planning to Deploy App-V](appv-planning-to-deploy-appv.md) -- [App-V Supported Configurations](appv-supported-configurations.md) -- [App-V Planning Checklist](appv-planning-checklist.md) +- [Preparing your environment for App-V](appv-preparing-your-environment.md) +- [App-V prerequisites](appv-prerequisites.md) +- [Planning to deploy App-V](appv-planning-to-deploy-appv.md) +- [App-V supported configurations](appv-supported-configurations.md) +- [App-V planning checklist](appv-planning-checklist.md) [Deploying 
App-V](appv-deploying-appv.md) -- [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md) +- [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md) - [Deploying the App-V Server](appv-deploying-the-appv-server.md) -- [App-V Deployment Checklist](appv-deployment-checklist.md) -- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md) -- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md) -- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) +- [App-V deployment checklist](appv-deployment-checklist.md) +- [Deploying Microsoft Office 2016 by using App-V](appv-deploying-microsoft-office-2016-with-appv.md) +- [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md) +- [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) [Operations for App-V](appv-operations.md) -- [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md) +- [Creating and managing App-V virtualized applications](appv-creating-and-managing-virtualized-applications.md) - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) -- [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) -- [Managing Connection 
Groups](appv-managing-connection-groups.md) -- [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) +- [Administering App-V Virtual Applications by using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) +- [Managing connection groups](appv-managing-connection-groups.md) +- [Deploying App-V packages by using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) -- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) -- [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) +- [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) +- [Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md) - [Maintaining App-V](appv-maintaining-appv.md) -- [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) [Troubleshooting App-V](appv-troubleshooting.md) -[Technical Reference for App-V](appv-technical-reference.md) +[Technical reference for App-V](appv-technical-reference.md) -- [Performance Guidance for Application Virtualization](appv-performance-guidance.md) -- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) -- [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) -- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) +- [Performance guidance for 
Application Virtualization](appv-performance-guidance.md) +- [Application publishing and client interaction](appv-application-publishing-and-client-interaction.md) +- [Viewing App-V Server publishing metadata](appv-viewing-appv-server-publishing-metadata.md) +- [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 2a510d8f89..f914466f82 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -6,172 +6,90 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to load the Windows PowerShell cmdlets for App-V and get cmdlet help +>Applies to: Windows 10, version 1607 -# How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help +## Requirements for using Windows PowerShell cmdlets -**Applies to** -- Windows 10, version 1607 +This section will tell you what you'll need to use the PowerShell cmdlets. -What this topic covers: +### How to let users access PowerShell cmdlets -- [Requirements for using Windows PowerShell cmdlets](#bkmk-reqs-using-posh) +You can grant your users access to PowerShell cmdlets through one of the following methods: -- [Loading the Windows PowerShell cmdlets](#bkmk-load-cmdlets) +* While you're deploying and configuring the App-V server, specify an Active Directory group or individual user with permissions to manage the App-V environment. For more information, see [How to deploy the App-V Server](appv-deploy-the-appv-server.md). +* After you've deployed the App-V server, you can use the App-V Management console to add an additional Active Directory group or user. For more information, see [How to add or remove an administrator by using the Management console](appv-add-or-remove-an-administrator-with-the-management-console.md). 
-- [Getting help for the Windows PowerShell cmdlets](#bkmk-get-cmdlet-help) +### Elevated command prompt -- [Displaying the help for a Windows PowerShell cmdlet](#bkmk-display-help-cmdlet) +You'll need an elevated command prompt to run the following cmdlets: -## Requirements for using Windows PowerShell cmdlets +* **Add-AppvClientPackage** +* **Remove-AppvClientPackage** +* **Set-AppvClientConfiguration** +* **Add-AppvClientConnectionGroup** +* **Remove-AppvClientConnectionGroup** +* **Add-AppvPublishingServer** +* **Remove-AppvPublishingServer** +* **Send-AppvClientReport** +* **Set-AppvClientMode** +* **Set-AppvClientPackage** +* **Set-AppvPublishingServer** +### Other cmdlets -Review the following requirements for using the Windows PowerShell cmdlets: +The following cmdlets are ones that end-users can run unless you configure them to require an elevated command prompt. - ---- - - - - - - - - - - - - - - - - - - - - -
      RequirementDetails

      Users can run App-V Server cmdlets only if you grant them access by using one of the following methods:

        -
      • When you are deploying and configuring the App-V Server:

        -

        Specify an Active Directory group or individual user that has permissions to manage the App-V environment. See [How to Deploy the App-V Server](appv-deploy-the-appv-server.md).

      • -
      • After you’ve deployed the App-V Server:

        -

        Use the App-V Management console to add an additional Active Directory group or user. See [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md).

      • -

      Cmdlets that require an elevated command prompt

        -
      • Add-AppvClientPackage

      • -
      • Remove-AppvClientPackage

      • -
      • Set-AppvClientConfiguration

      • -
      • Add-AppvClientConnectionGroup

      • -
      • Remove-AppvClientConnectionGroup

      • -
      • Add-AppvPublishingServer

      • -
      • Remove-AppvPublishingServer

      • -
      • Send-AppvClientReport

      • -
      • Set-AppvClientMode

      • -
      • Set-AppvClientPackage

      • -
      • Set-AppvPublishingServer

      • -

      Cmdlets that end users can run, unless you configure them to require an elevated command prompt

        -
      • Publish-AppvClientPackage

      • -
      • Unpublish-AppvClientPackage

      • -
      -

      To configure these cmdlets to require an elevated command prompt, use one of the following methods:

      -
        -
      • Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.

        -

        For more information, see:
        [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
        [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).

      • -
      • Enable the “Require publish as administrator” Group Policy setting for App-V Clients.

        -

        For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md)

      • -
      -
      +* **Publish-AppvClientPackage** +* **Unpublish-AppvClientPackage** -  +To configure these cmdlets to require an elevated command prompt, use one of the following methods: -## Loading the Windows PowerShell cmdlets +* Run the **Set-AppvClientConfiguration** cmdlet with the *-RequirePublishAsAdmin* parameter. For more information, see the following resources: + * [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md) + * [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending) +* Enable the **Require publish as administrator** Group Policy setting for App-V Clients. For more information, see [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md). +## Loading the Windows PowerShell cmdlets To load the Windows PowerShell cmdlet modules: -1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +2. Enter one of the following cmdlets to load a list of usable cmdlets for the module you want: -2. Type one of the following commands to load the cmdlets for the module you want: +|App-v component|Cmdlet to enter| +|---|---| +|App-V Server|**Import-Module AppvServer**| +|App-V Sequencer|**Import-Module AppvSequencer**| +|App-V Client|**Import-Module AppvClient**| - ---- - - - - - - - - - - - - - - - - - - - - -
      App-V componentCommand to type

      App-V Server

      Import-Module AppvServer

      App-V Sequencer

      Import-Module AppvSequencer

      App-V Client

      Import-Module AppvClient

      - -  - -## Getting help for the Windows PowerShell cmdlets +## Getting help for the Windows PowerShell cmdlets Starting in App-V 5.0 SP3, cmdlet help is available in two formats: -- **As a downloadable module**: To download the latest help after downloading the cmdlet module, open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE), and type one of the following commands: +* As a downloadable module in PowerShell. To access the module, open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE) and enter one of the cmdlets from the following table. - ---- - - - - - - - - - - - - - - - - - - - - -
      App-V componentCommand to type

      App-V Server

      Update-Help -Module AppvServer

      App-V Sequencer

      Update-Help -Module AppvSequencer

      App-V Client

      Update-Help -Module AppvClient

      +|App-v component|Cmdlet to enter| +|---|---| +|App-V Server|**Update-Help -Module AppvServer**| +|App-V Sequencer|**Update-Help -Module AppvSequencer**| +|App-V Client|**Update-Help -Module AppvClient**| -
      - -- **On TechNet as web pages**: See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx). - -## Displaying the help for a Windows PowerShell cmdlet +* Online in the [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/en-us/powershell/mdop/get-started?view=win-mdop2-ps). +## Displaying the help for a Windows PowerShell cmdlet To display help for a specific Windows PowerShell cmdlet: -1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). - -2. Type **Get-Help** <*cmdlet*>, for example, **Get-Help Publish-AppvClientPackage**. - +1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +2. Enter **Get-Help** followed by the cmdlet you need help with. For example: + ```PowerShell + Get-Help Publish-AppvClientPackage + ``` ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 3db885c191..f98668cea5 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -6,45 +6,30 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # Maintaining App-V -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. ## Moving the App-V server -The App-V server connects to the App-V database. Therefore you can install the management component on any computer on the network and then connect it to the App-V database. +The App-V server connects to the App-V database, which means you can install the management component and connect it to the App-V database on any computer on the network. For more information, see [How to move the App-V server to another computer](appv-move-the-appv-server-to-another-computer.md). -[How to Move the App-V Server to Another Computer](appv-move-the-appv-server-to-another-computer.md) +## Determine if an App-V application is running virtualized -## Determine if an App-V Application is Running Virtualized +Independent software vendors (ISV) who want to determine if an application is running virtualized with App-V should open a named object called **AppVVirtual-<PID>** in the default namespace (PID stands for process ID). To find the process ID of the process you're currently using, enter the Windows API **GetCurrentProcessId()**. +For example, let's say the process ID is 4052. If you can successfully open a named Event object called **AppVVirtual-4052** with the **OpenEvent()** API in the default read access namespace, then the application is virtual. If the **OpenEvent()** call fails, the application isn't virtual. -Independent software vendors (ISV) who want to determine if an application is running virtualized with App-V should open a named object called **AppVVirtual-<PID>** in the default namespace. 
For example, Windows API **GetCurrentProcessId()** can be used to obtain the current process's ID, for example 4052, and then if a named Event object called **AppVVirtual-4052** can be successfully opened using **OpenEvent()** in the default namespace for read access, then the application is virtual. If the **OpenEvent()** call fails, the application is not virtual. - -Additionally, ISV’s who want to explicitly virtualize or not virtualize calls on specific API’s with App-V 5.1 and later, can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module. These provide a way of hinting at a downstream component that the call should or should not be virtualized. +Additionally, ISVs who want to explicitly virtualize or not virtualize calls on specific APIs with App-V 5.1 and later can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module to hint to a downstream component whether the call should be virtualized or not. ## Have a suggestion for App-V? - -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Other resources for maintaining App-V - -[Operations for App-V](appv-operations.md) - -  - -  - - - - - +* [Operations for App-V](appv-operations.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index e3c9eca586..dc187289aa 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md 
@@ -1,283 +1,171 @@ --- -title: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell (Windows 10) -description: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell +title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) +description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/24/2018 --- +# How to manage App-V packages running on a stand-alone computer by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell +The following sections explain how to perform various management tasks on a stand-alone client computer with Windows PowerShell cmdlets. -**Applies to** -- Windows 10, version 1607 +## Return a list of packages +Enter the **Get-AppvClientPackage** cmdlet to return a list of packages entitled to a specific user. Its parameters are *-Name*, *-Version*, *-PackageID*, and *-VersionID*. -The following sections explain how to perform various management tasks on a stand-alone client computer by using Windows PowerShell: +For example: -- [To return a list of packages](#bkmk-return-pkgs-standalone-posh) +```PowerShell +Get-AppvClientPackage –Name “ContosoApplication” -Version 2 +``` -- [To add a package](#bkmk-add-pkgs-standalone-posh) +## Add a package -- [To publish a package](#bkmk-pub-pkg-standalone-posh) +Use the **Add-AppvClientPackage** cmdlet to add a package to a computer. -- [To publish a package to a specific user](#bkmk-pub-pkg-a-user-standalone-posh) +>[!IMPORTANT] +>This example only adds a package. It does not publish the package to the user or the computer. 
-- [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh) +For example: -- [To unpublish an existing package](#bkmk-unpub-pkg-standalone-posh) +```PowerShell +$Contoso = Add-AppvClientPackage \\\\path\\to\\appv\\package.appv +``` -- [To unpublish a package for a specific user](#bkmk-unpub-pkg-specfc-use) +## Publish a package -- [To remove an existing package](#bkmk-remove-pkg-standalone-posh) +Use the **Publish-AppvClientPackage** cmdlet to publish a package that has been added to either a specific user or globally to any user on the computer. -- [To enable only administrators to publish or unpublish packages](#bkmk-admins-pub-pkgs) +Enter the cmdlet with the application name to publish it to the user. -- [Understanding pending packages (UserPending and GlobalPending)](#bkmk-understd-pend-pkgs) +```PowerShell +Publish-AppvClientPackage “ContosoApplication” +``` -## To return a list of packages +To publish the application globally, just add the *-Global* parameter. +```Powershell +Publish-AppvClientPackage “ContosoApplication” -Global +``` -Use the following information to return a list of packages that are entitled to a specific user: +## Publish a package to a specific user -**Cmdlet**: Get-AppvClientPackage +>[!NOTE]   +>You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -**Parameters**: -Name -Version -PackageID -VersionID - -**Example**: Get-AppvClientPackage –Name “ContosoApplication” -Version 2 - -## To add a package - - -Use the following information to add a package to a computer. - -**Important**   -This example only adds a package. It does not publish the package to the user or the computer. - -  - -**Cmdlet**: Add-AppvClientPackage - -**Example**: $Contoso = Add-AppvClientPackage \\\\path\\to\\appv\\package.appv - -## To publish a package - - -Use the following information to publish a package that has been added to a specific user or globally to any user on the computer. - - ---- - - - - - - - - - - - - - - - - -
      Publishing methodCmdlet and example

      Publishing to the user

      Cmdlet: Publish-AppvClientPackage

      -

      Example: Publish-AppvClientPackage “ContosoApplication”

      Publishing globally

      Cmdlet: Publish-AppvClientPackage

      -

      Example: Publish-AppvClientPackage “ContosoApplication” -Global

      - -  - -## To publish a package to a specific user - - -**Note**   -You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - -  - -An administrator can publish a package to a specific user by specifying the optional **–UserSID** parameter with the **Publish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). +An administrator can publish a package to a specific user by specifying the optional *–UserSID* parameter with the **Publish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID). To use this parameter: -- You can run this cmdlet from the user or administrator session. +- You can run this cmdlet from the user or administrator session. +- You must be logged in with administrative credentials to use the parameter. +- The end user must be signed in. +- You must provide the end user’s security identifier (SID). -- You must be logged in with administrative credentials to use the parameter. +For example: -- The end user must be logged in. +```PowerShell +Publish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +``` -- You must provide the end user’s security identifier (SID). +## Add and publish a package -**Cmdlet**: Publish-AppvClientPackage +Use the **Add-AppvClientPackage** cmdlet to add a package to a computer and publish it to the user. -**Example**: Publish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +For example: -## To add and publish a package +```PowerShell +Add-AppvClientPackage | Publish-AppvClientPackage +``` +## Unpublish an existing package -Use the following information to add a package to a computer and publish it to the user. +Use the **Unpublish-AppvClientPackage** cmdlet to unpublish a package which has been entitled to a user but not remove the package from the computer. 
-**Cmdlet**: Add-AppvClientPackage +For example: -**Example**: Add-AppvClientPackage \\\\path\\to\\appv\\package.appv | Publish-AppvClientPackage +```PowerShell +Unpublish-AppvClientPackage “ContosoApplication” +``` -## To unpublish an existing package +## Unpublish a package for a specific user +>[!NOTE] +>You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -Use the following information to unpublish a package which has been entitled to a user but not remove the package from the computer. - -**Cmdlet**: Unpublish-AppvClientPackage - -**Example**: Unpublish-AppvClientPackage “ContosoApplication” - -## To unpublish a package for a specific user - - -**Note**   -You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - -  - -An administrator can unpublish a package for a specific user by using the optional **–UserSID** parameter with the **Unpublish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). +An administrator can unpublish a package for a specific user by using the optional *-UserSID* parameter with the **Unpublish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID). To use this parameter: -- You can run this cmdlet from the user or administrator session. +- You can run this cmdlet from the user or administrator session. +- You must sign in with administrative credentials to use the parameter. +- The end user must be signed in. +- You must provide the end user’s security identifier (SID). -- You must be logged in with administrative credentials to use the parameter. +For example: -- The end user must be logged in. +```PowerShell +Unpublish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +``` -- You must provide the end user’s security identifier (SID). 
+## Remove an existing package -**Cmdlet**: Unpublish-AppvClientPackage +Use the **Remove-AppvClientPackage** cmdlet to remove a package from the computer. -**Example**: Unpublish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +For example: -## To remove an existing package +```PowerShell +Remove-AppvClientPackage “ContosoApplication” +``` +>[!NOTE] +>App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [Add and publish a package](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#add-and-publish-a-package). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/). -Use the following information to remove a package from the computer. +## Enable only administrators to publish or unpublish packages -**Cmdlet**: Remove-AppvClientPackage +Starting in App-V 5.0 SP3, you can use the **Set-AppvClientConfiguration** cmdlet and *-RequirePublishAsAdmin* parameter to enable only administrators (not end users) to publish or unpublish packages. -**Example**: Remove-AppvClientPackage “ContosoApplication” +You can set the *-RequirePublishAsAdmin* parameter to the following values: -**Note**   -App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/). 
+- 0: False +- 1: True -  +For example: -## To enable only administrators to publish or unpublish packages +```PowerShell +Set-AppvClientConfiguration –RequirePublishAsAdmin1 +``` -Starting in App-V 5.0 SP3, you can use the following cmdlet and parameter to enable only administrators (not end users) to publish or unpublish packages: +To use the App-V Management console to set this configuration, see [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md). - ---- - - - - - - - - - - -

      Cmdlet

      Set-AppvClientConfiguration

      Parameter

      -RequirePublishAsAdmin

      -

      Parameter values:

      -
        -
      • 0 - False

      • -
      • 1 - True

      • -
      -

      Example:: Set-AppvClientConfiguration –RequirePublishAsAdmin1

      +## About pending packages: UserPending and GlobalPending -  +Starting in App-V 5.0 SP2, if you run a Windows PowerShell cmdlet that affects a package currently in use, the task you're trying to perform is placed in a pending state. For example, if you try to publish a package when an application in that package is being used, and then run **Get-AppvClientPackage**, the pending status appears in the cmdlet output as follows: -To use the App-V Management console to set this configuration, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md). - -## Understanding pending packages (UserPending and GlobalPending) - - -**Starting in App-V 5.0 SP2**: If you run a Windows PowerShell cmdlet that affects a package that is currently in use, the task that you are trying to perform is placed in a pending state. For example, if you try to publish a package when an application in that package is being used, and then run **Get-AppvClientPackage**, the pending status appears in the cmdlet output as follows: - - ---- - - - - - - - - - - - - - - - - -
      Cmdlet output itemDescription

      UserPending

      Indicates whether the listed package has a pending task that is being applied to the user:

      -
        -
      • True

      • -
      • False

      • -

      GlobalPending

      Indicates whether the listed package has a pending task that is being applied globally to the computer:

      -
        -
      • True

      • -
      • False

      • -
      - -  +|Cmdlet output item|Description| +|---|---| +|UserPending|Indicates whether the listed package has a pending task that is being applied to the user:
      - True
      - False| +|GlobalPending|Indicates whether the listed package has a pending task that is being applied globally to the computer:
      - True
      - False| The pending task will run later, according to the following rules: - ---- - - - - - - - - - - - - - - - - -
      Task typeApplicable rule

      User-based task, e.g., publishing a package to a user

      The pending task will be performed after the user logs off and then logs back on.

      Globally based task, e.g., enabling a connection group globally

      The pending task will be performed when the computer is shut down and then restarted.

      +|Task type|Applicable rule| +|---|---| +|User-based
      (for example, publishing a package to a user)|The pending task will be performed after the user logs off and then logs back on.| +|Globally based
      (for example, enabling a connection group globally)|The pending task will be performed when the computer is shut down and then restarted.| For more information about pending tasks, see [Upgrading an in-use App-V package](appv-application-publishing-and-client-interaction.md#upgrading-an-in-use-app-v-package). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) - +- [Operations for App-V](appv-operations.md) +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 739de9f0a3..cebbaac7ad 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -6,29 +6,25 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # How to Publish a Connection Group -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 After you create a connection group, you must publish it to computers that run the App-V client. -**To publish a connection group** +## Publish a connection group -1. Open the App-V Management Console, and select **CONNECTION GROUPS**. +1. Open the App-V Management Console and select **CONNECTION GROUPS**. -2. Right-click the connection group to be published, and select **publish**. +2. Right-click the connection group to be published, and select **publish**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
 ## Related topics
-[Operations for App-V](appv-operations.md)
-
-[Managing Connection Groups](appv-managing-connection-groups.md)
+* [Operations for App-V](appv-operations.md)
+* [Managing connection groups](appv-managing-connection-groups.md)
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index fb9ad9b19f..8451509577 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -1,51 +1,45 @@ --- -title: How to Publish a Package by Using the Management Console (Windows 10) -description: How to Publish a Package by Using the Management Console +title: How to publish a package by using the Management console (Windows 10) +description: How to publish a package by using the Management console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to publish a package by using the Management console +>Applies to: Windows 10, version 1607 -# How to Publish a Package by Using the Management Console +Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package. -**Applies to** -- Windows 10, version 1607 +>[!NOTE]   +>The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. -Use the following procedure to publish an App-V package. Once you publish a package, computers that are running the App-V client can access and run the applications in that package. +## Publish an App-V package -**Note**   -The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. +1. In the App-V Management console. Select or right-click the name of the package to be published. Select **Publish**. -  - -**To publish an App-V package** - -1. In the App-V Management console. Click or right-click the name of the package to be published. Select **Publish**. - -2. Review the **Status** column to verify that the package has been published and is now available. If the package is available, the status **published** is displayed. +2. Review the **Status** column to verify that the package has been published and is now available. If the package is available, the status **published** is displayed. 
If the package is not published successfully, the status **unpublished** is displayed, along with error text that explains why the package is not available. -**To enable only administrators to publish or unpublish packages** +## Enable only administrators to publish or unpublish packages -1. Navigate to the following Group Policy Object node: +1. Navigate to the following Group Policy Object node: - **Computer Configuration > Administrative Templates > System > App-V > Publishing**. + **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**. -2. Enable the **Require publish as administrator** Group Policy setting. +2. Enable the **Require publish as administrator** Group Policy setting. - To instead use Windows PowerShell to set this item, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs). + To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[How to Configure Access to Packages by Using the Management Console](appv-configure-access-to-packages-with-the-management-console.md) +* [Operations for App-V](appv-operations.md) +* [How to configure access to packages by using the Management console](appv-configure-access-to-packages-with-the-management-console.md) \ No newline at end of file diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index f29b02af29..b6515bbde1 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -8,19 +8,19 @@ ms.pagetype: mobile ms.author: elizapo author: lizap ms.localizationpriority: medium -ms.date: 07/10/2018 +ms.date: 08/23/2018 --- # Understand the different apps included in Windows 10 The following types of apps run on Windows 10: - Windows apps - introduced in Windows 8, primarily installed from the Store app. - Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. -- "Win32" apps - traditional Windows applications, built for 32-bit systems. +- "Win32" apps - traditional Windows applications. Digging into the Windows apps, there are two categories: - System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. - Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps: - - Provisioned: Installed the first time you sign into Windows. You'll see a tile or Start menu item for these apps, but they aren't installed until the first sign-in. + - Provisioned: Installed in user account the first time you sign in with a new user account. - Installed: Installed as part of the OS. The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. 
@@ -30,7 +30,7 @@ Some of the apps show up in multiple tables - that's because their status change > [!TIP] > Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet: > ```powershell -> Get-AppxPackage |Select Name,PackageFamilyName +> Get-AppxPackage | select Name,PackageFamilyName > Get-AppxProvisionedPackage -Online | select DisplayName,PackageName > ``` @@ -74,7 +74,7 @@ System apps are integral to the operating system. Here are the typical system ap | Start | Microsoft.Windows. ShellExperienceHost | x | x | x |No | | Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | | | Microsoft.XboxGameCallableUI | x | x | x |No | -| Contact Support* | Windows.ContactSupport | x | * | |Through the Optional Features app | +| Contact Support* | Windows.ContactSupport | x | * | |Via Optional Features app | | Settings | Windows.ImmersiveControlPanel | x | x | |No | | Connect | Windows.MiracastView | x | | |No | | Print 3D | Windows.Print3D | | x | |Yes | @@ -94,10 +94,11 @@ System apps are integral to the operating system. Here are the typical system ap > - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). ## Installed Windows apps + Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. | Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | -|--------------------|------------------------------------------|:----:|:----:|:----:|----------------------| +|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:| | Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | | PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | | Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | 
@@ -106,7 +107,7 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a | Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | | Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | | Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| News | Microsoft.BingNews | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | | Flipboard | | | | | Yes | | | Microsoft.Advertising.Xaml | x | x | x | Yes | | | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | @@ -126,13 +127,14 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a | | Microsoft.VCLibs.120.00.Universal | | x | | Yes | | | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | | | Microsoft.WinJS.2.0 | x | | | Yes | +--- ## Provisioned Windows apps Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. | Name | Full name | 1703 | 1709 | 1803 | Uninstall through UI? | -|---------------------------------|----------------------------------------|:------:|:------:|:------:|---------------------------| +|---------------------------------|----------------------------------------|:------:|:------:|:------:|:---------------------------:| | 3D Builder | Microsoft.3DBuilder | x | | | Yes | | Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | | App Installer | Microsoft.DesktopAppInstaller | x | x | x | Via Settings App | 
@@ -172,6 +174,10 @@ Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, | | Microsoft.XboxGamingOverlay | | | x | No | | | Microsoft.XboxIdentityProvider | x | x | x | No | | | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No | +--- >[!NOTE] ->The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. \ No newline at end of file +>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. + + +--- diff --git a/windows/application-management/images/Createpackage.PNG b/windows/application-management/images/Createpackage.PNG new file mode 100644 index 0000000000..4ae246a743 Binary files /dev/null and b/windows/application-management/images/Createpackage.PNG differ diff --git a/windows/application-management/images/Installation.PNG b/windows/application-management/images/Installation.PNG new file mode 100644 index 0000000000..9c3197ada5 Binary files /dev/null and b/windows/application-management/images/Installation.PNG differ diff --git a/windows/application-management/images/Managefirstlaunchtasks.PNG b/windows/application-management/images/Managefirstlaunchtasks.PNG new file mode 100644 index 0000000000..edcf1a23e8 Binary files /dev/null and b/windows/application-management/images/Managefirstlaunchtasks.PNG differ diff --git a/windows/application-management/images/PackageSupport.PNG b/windows/application-management/images/PackageSupport.PNG new file mode 100644 index 0000000000..1bbca6865a Binary files /dev/null and b/windows/application-management/images/PackageSupport.PNG differ 
diff --git a/windows/application-management/images/Packageinfo.PNG b/windows/application-management/images/Packageinfo.PNG
new file mode 100644
index 0000000000..be3b9b98dd
Binary files /dev/null and b/windows/application-management/images/Packageinfo.PNG differ
diff --git a/windows/application-management/images/Selectinstaller.PNG b/windows/application-management/images/Selectinstaller.PNG
new file mode 100644
index 0000000000..7ffd984bed
Binary files /dev/null and b/windows/application-management/images/Selectinstaller.PNG differ
diff --git a/windows/application-management/images/donemonitoring..PNG b/windows/application-management/images/donemonitoring..PNG
new file mode 100644
index 0000000000..d39102b961
Binary files /dev/null and b/windows/application-management/images/donemonitoring..PNG differ
diff --git a/windows/application-management/images/preparecomputer.PNG b/windows/application-management/images/preparecomputer.PNG
new file mode 100644
index 0000000000..43b2e3e965
Binary files /dev/null and b/windows/application-management/images/preparecomputer.PNG differ
diff --git a/windows/application-management/images/preparingpackagestep.PNG b/windows/application-management/images/preparingpackagestep.PNG
new file mode 100644
index 0000000000..5b06e11d0d
Binary files /dev/null and b/windows/application-management/images/preparingpackagestep.PNG differ
diff --git a/windows/application-management/images/selectEnvironmentThiscomputer.PNG b/windows/application-management/images/selectEnvironmentThiscomputer.PNG
new file mode 100644
index 0000000000..bf6f3b4bf0
Binary files /dev/null and b/windows/application-management/images/selectEnvironmentThiscomputer.PNG differ
diff --git a/windows/application-management/images/selectEnvironmentVM.PNG b/windows/application-management/images/selectEnvironmentVM.PNG
new file mode 100644
index 0000000000..dd6e1f9168
Binary files /dev/null and b/windows/application-management/images/selectEnvironmentVM.PNG differ
diff --git a/windows/application-management/images/welcomescreen.PNG b/windows/application-management/images/welcomescreen.PNG
new file mode 100644
index 0000000000..cd551740a8
Binary files /dev/null and b/windows/application-management/images/welcomescreen.PNG differ
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index f6af0d88a5..20b71d39e8 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -9,7 +9,7 @@ ms.localizationpriority: medium
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 05/16/2018
+ms.date: 10/02/2018
 ---
 # Enable or block Windows Mixed Reality apps in the enterprise
@@ -34,8 +34,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download [the FOD .cab file for Windows 10, version 1803](http://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) or [the FOD .cab file for Windows 10, version 1709] - (http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. @@ -53,7 +52,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to IT admins can also create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) to allow access to the Windows Mixed Reality FOD. - + ## Block the Mixed Reality Portal You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. 
@@ -73,7 +72,7 @@ In the following example, the **Id** can be any generated GUID and the **Name** chr text/plain - + <RuleCollection Type="Appx" EnforcementMode="Enabled"> <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> @@ -97,7 +96,7 @@ In the following example, the **Id** can be any generated GUID and the **Name** -``` +``` ## Related topics diff --git a/windows/application-management/media/icon_hyperlink.png b/windows/application-management/media/icon_hyperlink.png new file mode 100644 index 0000000000..847e8f62ad Binary files /dev/null and b/windows/application-management/media/icon_hyperlink.png differ diff --git a/windows/application-management/msix-app-packaging-tool-walkthrough.md b/windows/application-management/msix-app-packaging-tool-walkthrough.md new file mode 100644 index 0000000000..b85a15753e --- /dev/null +++ b/windows/application-management/msix-app-packaging-tool-walkthrough.md 
@@ -0,0 +1,160 @@
+---
+title: Learn how to repackage your existing win32 applications to the MSIX format. This walkthrough provides in-depth detail on how the MSIX app packaging tool can be used.
+description: Learn how to use the MSIX packaging tool with this in-depth walkthrough.
+keywords: ["MSIX", "application", "app", "win32", "packaging tool"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: mikeblodge
+ms.topic: article
+ms.date: 08/027/2018
+---
+
+# MSIX Packaging tool walkthrough
+
+Learn how to repackage your legacy win32 application installers to MSIX, without the need for making code changes to your apps. The MSIX Packaging Tool allows you to modernize your app to take adavantage of Microsoft Store or Microsoft Store for Business to deploy apps on Windows 10 in S mode.
+
+## Terminology
+
+
+|Term |Definition |
+|---------|---------|
+|MPT | MSIX Packaging Tool. An enterprise grade tool that allows to package apps in the enterprise easily as MSIX without app code changes. |
+|PSF | Package Support Framework. An open source framework to allow the packaging tool and the IT Admin to apply targeted fixes to the app in order to bypass some of the modern environment constrains. Some fixes will be added automatically by the tool and some will be added manually. |
+|Modification Package | MSIX package to stores app preferences/settings and add-ins, decoupled from the main package. |
+|Installer | Application installer can be an MSI, EXE, App-V , ClickOnce. |
+|Project template file | Template file that saves the settings and parameters used for a certain package conversion.
Information captured in the template includes general Tooling packaging options, settings in the options menus like exclusion lists, package deployment settings, application install location, package manifest information like Package Family Name, publisher, version and package properties like capabilities and advanced enterprise features. | + +## Creating an Application package + +![Create a package](images/welcomescreen.png) + +When the tool is first launched, you will be prompted to provide consent to sending telemtry data. It's important to note that the diagnostic data you share only comes from the app and is never used to identify or contact you. This just helps us fix things faster for you. + +![creating an application package](images/Selectinstaller.png) + +Creating an Application package is the most commonly used option. This is where you will create an MSIX package from an installer, or by manual installation of application payload. +- If an installer is being used, browse to and select the desired application installer and click **Next**. + - This field accepts a valid existing file path. + - The field can be empty if you are manually packaging. +- If there is no installer (manual packaging) click **Next**. + +*Optionally* +- Check the box under "Use Existing MSIX Package", browse, and select an existing MSIX package you'd like to update. +- Check the box under "Use installer Preferences" and enter the desired argument in the provided field. This field accepts any string. + +### Packaging method +![selecting the package environment](images/selectenvironmentthiscomputer.png) +- Select the packaging environment by selecting one of the radio buttons: + - "Create package on an existing virtual machine" if you plan to do the package creation on a VM. Click **Next**. (You will be presented with user and password fields to provide credentials for the VM if there are any). 
+ - "Create package on this computer" if you plan to package the application on the current machine where the tool is installed. Click **Next**. + +### Create package on this computer + +![Create a package on this computer](images/packageinfo.png) + +You've selected to package your application on the current machine where the tool is installed. Nice job! Provide the information pertaining to the app. The tool will try to auto-fill these fields based on the information available from the installer. You will always have a choice to update the entries as needed. If the field as an asterisk*, it's required, but you already knew that. Inline help is provided if the entry is not valid. + +- Package name: + - Required and corresponds to package identity Name in the manifest to describe the contents of the package. + - Must match the Name subject information of the certificate used to sign a package. + - Is not shown to the end user. + - Is case-sensitive and cannot have a space. + - Can accept string between 3 and 50 characters in length that consists of alpha-numeric, period, and dash characters. + - Cannot end with a period and be one of these: "CON", "PRN", "AUX", "NUL", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", and "LPT9." +- Package display name: + - Required and corresponds to package in the manifest to display a friendly package name to the user, in start menu and settings pages. + - Field accepts A string between 1 and 256 characters in length and is localizable. +- Publisher name + - Required and corresponds to package that describes the publisher information. + - The Publisher attribute must match the publisher subject information of the certificate used to sign a package. 
+ - This field accepts a string between 1 and 8192 characters in length that fits the regular expression of a distinguished name : "(CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")(, ((CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")))*". +- Publisher display name + - Reuqired and corresponds to package in the manifest to display a friendly publisher name to the user, in App installer and settings pages. + - Field accepts A string between 1 and 256 characters in length and is localizable. +- Version + - Required and corresponds to package in the manifest to describe the The version number of the package. + - This field accepts a version string in quad notation, "Major.Minor.Build.Revision". +- Install location + - This is the location that the installer is going to copy the application payload to (usually Programs Files folder). + - This field is optional but recommended. + - Browse to and select a folder path. + - Make sure this filed matches Installers Install location while you go through the application install operation. + +### Prepare computer + +![prepare your computer](images/preparecomputer.png) + +- You are provided with options to prepare the computer for packaging. +- MSIX Packaging Tool Driver is required and the tool will automatically try to enable it if it is not enabled. + > [!NOTE] + > MSIX Packaging tool driver monitors the system to capture the changes that an installer is making on the system which allows MSIX Packaging Tool to create a package based on those changes. + - The tool will first check with DISM to see if the driver is installed. 
+- [Optional] Check the box for “Windows Search is Active” and select “disable selected” if you choose to disable the search service. + - This is not required, only recommended. + - Once disabled, the tool will update the status field to “disabled” +- [Optional] Check the box for “Windows Update is Active” and select “disable selected” if you choose to disable the Update service. + - This is not required, only recommended. + - Once disabled, the tool will update the status field to “disabled” +- “Pending reboot” checkbox is disabled by default. You'll need to manually restart the machine and then launch the tool again if you are prompted that pending operations need a reboot. + - This not required, only recommended. +When you're done preparing the machine, click **Next**. + +### Installation + +![Installation phase for capturing the install operations](images/installation.png) + +- This is installation phase where the tool is monitoring and capturing the application install operations. +- If you've provided an installer, the tool will launch the installer and you'll need to go through the installer wizard to install the application. + - Make sure the installation path matches what was defined earlier in the package information page. + - You'll need to create a shortcut in desktop for the newly installed application. + - Once you're done with the application installation wizard, make sure you finish or close on the installation wizard. + - If you need to run multiple installers you can do that manually at this point. + - If the app needs other pre-reqs, you need to install them now. + - If the application needs .Net 3.5/20, add the optional feature to Windows. +- If installer was not provided, manually copy the application binaries to the install location that you've defined earlier in package information. +- When you've completed installing the application, click **Next**. 
+ +### Manage first launch tasks + +![Managing first launch tasks](images/managefirstlaunchtasks.png) + +- This page shows application executables that the tool captured. +- We recommended launching the application at least once to capture any first launch tasks. +- If there are multiple applications, check the box that corresponds to the main entry point. +- If you don't see the application .exe here, manually browse to and run it. +- Click **Next** + +![pop up asking for confirmation you are done monitoring](images/donemonitoring..png) + +You'll be prompted with a pop up asking for confirmation that you're finished with application installation and managing first launch tasks. +- If you're done, click **Yes, move on**. +- If you're not done, click **No, I'm not done**. You'll be taken back to the last page to where you can launch applications, install or copy other files, and dlls/executables. + +### Package support report + +![Package support, runtime fixes that might be appliciable to the app](images/packagesupport.png) + +- Here you'll have a chance to add PSF runtime fixes that might be applicable to the application. *(not supported in preview)* + - The tool will make some suggestions and apply fixes that it thinks are applicable. + - You'll have the opportunity to add, remove or edit PSF runtime fixes + - You can see a list of PSFs provided by the community from Github. + - You'll also see a packaging report on this page. The report will call out noteworthy items for example: + - If certain restricted capabilities like allowElevation is added + - If certain files were excluded from the package. + - Etc +Once done, click **Next**. + +## Create package + +![Creating the new package](images/createpackage.png) + +- Provide a location to save the MSIX package. +- By default, packages are saved in local app data folder. +- You can define the default save location in Settings menu. 
+- If you'd like to continue to edit the content and properties of the package before saving the MSIX package, you can select “Package editor” and be taken to package editor. +- If you prefer to sign the package with a pre-made certificate for testing, browse to and select the certificate. +- Click **Create** to create the MSIX package. + +You'll be presented with the pop up when the package is created. This pop up will include the name, publisher, and save location of the newly created package. You can close this pop up and get redirected to the welcome page. You can also select package editor to see and modify the package content and properties. diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md new file mode 100644 index 0000000000..c4e31dc19c --- /dev/null +++ b/windows/application-management/msix-app-packaging-tool.md 
@@ -0,0 +1,257 @@ +--- +title: Repackage your existing win32 applications to the MSIX format. +description: Learn how to install and use the MSIX packaging tool. +keywords: ["MSIX", "application", "app", "win32", "packaging tool"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +ms.author: mikeblodge +ms.topic: article +ms.date: 09/21/2018 +--- + +# Repackage existing win32 applications to the MSIX format + +The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). + +> Prerequisites: + +- Participation in the Windows Insider Program +- Minimum Windows 10 build 17701 +- Admin privileges on your PC account +- A valid MSA alias (to access the app from the Store) + +## What's new +v1.2018.915.0 +- Updated UI to improve clarity and experience +- Ability to generate a template file for use with a command line +- Ability to add/remove entry points +- Ability to sign your package from package editor +- File extension handling + +v1.2018.821.0 +- Command Line Support +- Ability to use existing local virtual machines for packaging environment. +- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues. +- Minor updates to the UI for added clarity. + +v1.2018.807.0 +- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. +- Fixed an issue where signing with password protected certificates would fail in the tool. +- Fixed an issue where the tool was crashing when editing an existing MSIX package. 
+- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. +- Minor UI tweaks to add clarity. +- Minor updates to the logs to add clarity. + + +## Installing the MSIX Packaging Tool + +1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF). +2. Open the product description page. +3. Click the install icon to begin installation. + +This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview: + +- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. +- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. +- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. + +## Creating an application package using the Command line interface +To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window. + +Here are the parameters that can be passed as command line arguments: + + +|Parameter |Description | +|---------|---------| +|-?
      --help | Show help information | +|--template | [required] path to the conversion template XML file containing package information and settings for this conversion | +|--virtualMachinePassword | [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true. | + +Examples: + +- MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml +- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword pswd112893 + +## Creating an application package using virtual machines + +You can select to perform the packaging steps on a virtual machine. To do this: +- Click on Application package and select “Create package on an existing virtual machine” in the select environment page. +- The tool will then query for existing Virtual machines and allows you to select one form a drop down menu. +- Once a VM is selected the tool will ask for user and password. The username field accepts domain\user entries as well. + +When using local virtual machines as conversion environment, the tool leverages an authenticated remote PowerShell connection to configure the virtual machine. A lightweight WCF server then provides bidirectional communication between the host and target environment. + +Requirements: +- Virtual Machine need to have PSRemoting enabled. (Enable-PSRemoting command should be run on the VM) +- Virtual Machine needs to be configured for Windows Insider Program similar to the host machine. 
Minimum Windows 10 build 17701 + + +## Conversion template file + + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Conversion template parameter reference +Here is the complete list of parameters that you can use in the Conversion template file. When a virtual machine is conversion environment, all file paths(installer, savelocation, etc) should be declared relative to the host, where the tool is running) + + +|ConversionSettings entries |Description | +|---------|---------| +|Settings:: AllowTelemetry |[optional] Enables telemetry logging for this invocation of the tool. | +|Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. | +|Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. | +|Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. | +|ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. | +|ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. | +|ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. | +|ExclusionItems::RegistryExclusion |[optional] A registry key to exclude for packaging. | +|ExclusionItems::RegistryExclusion:: ExcludePath |Path to registry to exclude for packaging. | +|PrepareComputer::DisableDefragService |[optional] Disables Windows Defragmenter while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | +|PrepareComputer:: DisableWindowsSearchService |[optional] Disables Windows Search while the app is being converted. 
If set to false, overrides ApplyAllPrepareComputerFixes. | +|PrepareComputer:: DisableSmsHostService |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | +|PrepareComputer:: DisableWindowsUpdateService |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | +|SaveLocation |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder. | +|SaveLocation::PackagePath |[optional] The path to the file or folder where the resulting MSIX package is saved. | +|SaveLocation::TemplatePath |[optional] The path to the file or folder where the resulting CLI template is saved. | +|Installer::Path |The path to the application installer. | +|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. If the installer is an msi or appv, pass an empty argument ie Installer=””. | +|Installer::InstallLocation |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation"). | +|VirtualMachine |[optional] An element to specify that the conversion will be run on a local Virtual Machine. | +|VrtualMachine::Name |The name of the Virtual Machine to be used for the conversion environment. | +|VirtualMachine::Username |[optional] The user name for the Virtual Machine to be used for the conversion environment. | +|PackageInformation::PackageName |The Package Name for your MSIX package. | +|PackageInformation::PackageDisplayName |The Package Display Name for your MSIX package. | +|PackageInformation::PublisherName |The Publisher for your MSIX package. | +|PackageInformation::PublisherDisplayName |The Publisher Display Name for your MSIX package. 
| +|PackageInformation::Version |The version number for your MSIX package. | +|PackageInformation:: MainPackageNameForModificationPackage |[optional] The Package identity name of the main package name. This is used when creating a modification package that takes a dependency on a main (parent) application. | +|Applications |[optional] 0 or more Application elements to configure the Application entries in your MSIX package. | +|Application::Id |The App ID for your MSIX application. This ID will be used for the Application entry detected that matches the specified ExecutableName. You can have multiple Application ID for executables in the package | +|Application::ExecutableName |The executable name for the MSIX application that will be added to the package manifest. The corresponding application entry will be ignored if no application with this name is detected. | +|Application::Description |[optional] The App Description for your MSIX application. If not used, the Application DisplayName will be used. This description will be used for the application entry detected that matches the specified ExecutableName | +|Application::DisplayName |The App Display Name for your MSIX package. This Display Name will be used for the application entry detected that matches the specified ExecutableName | +|Capabilities |[optional] 0 or more Capability elements to add custom capabilities to your MSIX package. “runFullTrust” capability is added by default during conversion. | +|Capability::Name |The capability to add to your MSIX package. | + +## Delete temporary conversion files using Command line interface +To delete all the temporary package files, logs, and artifacts created by the tool, run the MsixPackagingTool.exe cleanup command in the Command line window. + +Example: +- MsixPackagingTool.exe cleanup + +## How to file feedback + +Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. 
Here you can file feedback for suggestions, problems, and see other feedback items. + +## Best practices + +- When Packaging ClickOnce installers, it is necessary to send a shortcut to the desktop if the installer is not doing so already. In general, it's a good practice to always send a shortcut to your desktop for the main app executable. +- When creating modification packages, you need to declare the **Package Name** (Identity Name) of the parent application in the tool UI so that the tool sets the correct package dependency in the manifest of the modification package. +- Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer. +- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. + +## Known issues +1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. +2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. +3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. + + 
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index a4a44b1265..1aa38eb7ba 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -9,7 +9,7 @@ ms.pagetype: devices author: jdeckerms ms.localizationpriority: medium ms.author: jdecker -ms.date: 11/28/2017 +ms.date: 08/02/2018 --- # Connect to remote Azure Active Directory-joined PC @@ -33,11 +33,11 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ![Allow remote connections to this computer](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. >[!NOTE] >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet: > - >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"` + >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD. > >In Windows 10, version 1709, the user does not have to sign in to the remote device first. 
> @@ -45,6 +45,9 @@ From its release, Windows 10 has supported remote connections to PCs that are jo 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. + >[!TIP] + >When you connect to the remote PC, enter your account name in this format: `AzureADName\YourAccountName`. + ## Supported configurations diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index b51971615e..231682d2b9 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md 
@@ -8,9 +8,20 @@ author: brianlic-msft ms.date: 04/19/2017 --- +**Applies to** + +- Windows 10, Windows Server 2016 + + # Manage the Settings app with Group Policy -Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. + +>[!Note] +>Each server that you want to manage access to the Settings App must be patched. + +To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management. This policy is available at **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 86eb568add..ec81e086de 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -21,7 +21,7 @@ Your organization can support various operating systems across a wide range of d This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. -> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA] +> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA] >[!NOTE] >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](https://docs.microsoft.com/information-protection/deploy-use/migrate-portal) 
@@ -113,7 +113,7 @@ MDM with Intune provide tools for applying Windows updates to client computers i There are a variety of steps you can take to begin the process of modernizing device management in your organization: -**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies. +**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies. **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. 
Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 675af55231..3225ed9730 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 10/16/2017 +ms.date: 10/02/2018 --- # Create mandatory user profiles @@ -39,7 +39,7 @@ The name of the folder in which you store the mandatory profile must use the cor | Windows 8 | Windows Server 2012 | v3 | | Windows 8.1 | Windows Server 2012 R2 | v4 | | Windows 10, versions 1507 and 1511 | N/A | v5 | -| Windows 10, version 1607 (Anniversary Update) and version 1703 (Creators Update) | Windows Server 2016 | v6 | +| Windows 10, versions 1607, 1703, 1709, 1803, and 1809 | Windows Server 2016 | v6 | For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 21553dfee9..10bf5bf5c8 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -295,6 +295,8 @@ #### [SUPL DDF file](supl-ddf-file.md) ### [SurfaceHub CSP](surfacehub-csp.md) #### [SurfaceHub DDF file](surfacehub-ddf-file.md) +### [TenantLockdown CSP](tenantlockdown-csp.md) +#### [TenantLockdown DDF file](tenantlockdown-ddf.md) ### [TPMPolicy CSP](tpmpolicy-csp.md) #### [TPMPolicy DDF file](tpmpolicy-ddf-file.md) ### [UEFI CSP](uefi-csp.md) 
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 8745e5a972..2362bb66f0 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -22,7 +22,7 @@ This CSP was added in Windows 10, version 1511.   -For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](http://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](http://go.microsoft.com/fwlink/p/?LinkId=615877). +For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). The following diagram shows the AllJoynManagement configuration service provider in tree format 
@@ -30,47 +30,47 @@ The following diagram shows the AllJoynManagement configuration service provider The following list describes the characteristics and parameters. -**./Vendor/MSFT/AllJoynManagement** +**./Vendor/MSFT/AllJoynManagement** The root node for the AllJoynManagement configuration service provider. -**Services** +**Services** List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included. -**Services/****_Node name_** +**Services/****_Node name_** The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects. -**Services/*Node name*/Port** +**Services/*Node name*/Port** The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports. -**Services/*Node name*/Port/****_Node name_** +**Services/*Node name*/Port/****_Node name_** Port number used for communication. This is specified by the configurable AllJoyn object and reflected here. -**Services/*Node name*/Port/*Node name*/CfgObject** +**Services/*Node name*/Port/*Node name*/CfgObject** The set of configurable interfaces that are available on the port of the AllJoyn object. -**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_** +**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_** The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum. For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig. -**Credentials** +**Credentials** This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node. 
When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. -**Credentials/****_Node name_** +**Credentials/****_Node name_** This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID. -**Credentials/*Node name*/Key** +**Credentials/*Node name*/Key** An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard. -**Firewall** +**Firewall** Firewall setting for the AllJoyn service. -**Firewall/PublicProfile** +**Firewall/PublicProfile** Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for public network profile. -**Firewall/PrivateProfile** +**Firewall/PrivateProfile** Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for private network profile. ## Examples @@ -123,7 +123,7 @@ Get the firewall PrivateProfile ``` syntax - + 1 @@ -131,7 +131,7 @@ Get the firewall PrivateProfile ./Vendor/MSFT/AllJoynManagement/Firewall/PrivateProfile - + diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index f1f1e0aaaa..8d960a68db 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -19,7 +19,7 @@ The AppLocker configuration service provider is used to specify which applicatio > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > > In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. -> +> > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. 
@@ -27,15 +27,15 @@ The following diagram shows the AppLocker configuration service provider in tree ![applocker csp](images/provisioning-csp-applocker.png) -**./Vendor/MSFT/AppLocker** +**./Vendor/MSFT/AppLocker** Defines the root node for the AppLocker configuration service provider. -**ApplicationLaunchRestrictions** +**ApplicationLaunchRestrictions** Defines restrictions for applications. > [!NOTE]   > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. -> +> > In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. Additional information: 
@@ -43,10 +43,10 @@ Additional information: - [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps. - [Whitelist example](#whitelist-example) - example for Windows 10 Mobile that denies all apps except the ones listed. -**EnterpriseDataProtection** +**EnterpriseDataProtection** Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). -In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. +In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy @@ -155,7 +155,7 @@ Each of the previous nodes contains one or more of the following leaf nodes:

      Policy

      Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

      Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.

      -

      For CodeIntegrity/Policy, you can use the [certutil -encode](http://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.

      +

      For CodeIntegrity/Policy, you can use the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.

      Here is a sample certutil invocation:

      ``` @@ -164,7 +164,7 @@ certutil -encode WinSiPolicy.p7b WinSiPolicy.cer

      An alternative to using certutil would be to use the following PowerShell invocation:

      -``` +``` [Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) ``` @@ -259,7 +259,7 @@ Here is an example AppLocker publisher rule: ``` syntax FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*"> - + ``` @@ -889,14 +889,14 @@ The following example blocks the usage of the map application. <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /> </Conditions> </FilePublisherRule> - + </RuleCollection>
      - + ``` The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. @@ -914,7 +914,7 @@ The following example disables the Mixed Reality Portal. In the example, the **I chr text/plain - + <RuleCollection Type="Appx" EnforcementMode="Enabled"> <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> @@ -937,7 +937,7 @@ The following example disables the Mixed Reality Portal. In the example, the **I -``` +``` The following example for Windows 10 Mobile denies all apps and allows the following apps: @@ -1215,7 +1215,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Getstarted" BinaryName="*" /> </Conditions> </FilePublisherRule> - + <FilePublisherRule Id="4546BD28-69B6-4175-A44C-33197D48F658" Name="Whitelist Outlook Calendar" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*" /> 
@@ -1281,7 +1281,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.XboxIdentityProvider" BinaryName="*" /> </Conditions> </FilePublisherRule> - + <FilePublisherRule Id="7565A8BB-D50B-4237-A9E9-B0997B36BDF9" Name="Whitelist Voice recorder" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsSoundRecorder" BinaryName="*" /> @@ -1317,7 +1317,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Cortana" BinaryName="*" /> </Conditions> </FilePublisherRule> - + <FilePublisherRule Id="01CD8E68-666B-4DE6-8849-7CE4F0C37CA8" Name="Whitelist Storage" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA564D" BinaryName="*" /> @@ -1383,7 +1383,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSFacebook" BinaryName="*" /> </Conditions> </FilePublisherRule> - + <FilePublisherRule Id="5168A5C3-5DC9-46C1-87C0-65A9DE1B4D18" Name="Whitelist Advanced Info" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="B6E3E590-9FA5-40C0-86AC-EF475DE98E88" BinaryName="*" /> 
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 9ee6c9171a..3ea9a42360 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 04/25/2018
+ms.date: 09/18/2018
 ---
 # AssignedAccess CSP
@@ -15,10 +15,13 @@ ms.date: 04/25/2018
 The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
-For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
+For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211)
 In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
+> [!Warning]
+> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
+
 > [!Note]
 > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
@@ -26,19 +29,19 @@ The following diagram shows the AssignedAccess configuration service provider in ![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png) -**./Device/Vendor/MSFT/AssignedAccess** +**./Device/Vendor/MSFT/AssignedAccess** Root node for the CSP. -**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** +**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). -For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211) +For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211) -> [!Note] -> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> [!Note] +> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. > > Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. 
That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. - + > [!Note] > You cannot set both KioskModeApp and ShellLauncher at the same time on the device. @@ -50,14 +53,14 @@ Here's an example: {"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"} ``` -> [!Tip] +> [!Tip] > In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\. > > This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string.  When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. -> [!Note] +> [!Note] > The domain name can be optional if the user name is unique across the system. For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output. 
@@ -65,33 +68,32 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. -**./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +**./Device/Vendor/MSFT/AssignedAccess/Configuration** +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). -> [!Note] -> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. +> [!Note] +> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. 
KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. > > Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. -Enterprises can use this to easily configure and manage the curated lockdown experience. +Enterprises can use this to easily configure and manage the curated lockdown experience. Supported operations are Add, Get, Delete, and Replace. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout). -**./Device/Vendor/MSFT/AssignedAccess/Status** +**./Device/Vendor/MSFT/AssignedAccess/Status** Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload. - -In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode. - + +In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode. 
+ |Status |Description | |---------|---------|---------| | KioskModeAppRunning | This means the kiosk app is running normally. | | KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. | | KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. | -Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. - +Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. |Status code | KioskModeAppRuntimeStatus | |---------|---------| 
@@ -99,38 +101,60 @@ Note that status codes available in the Status payload correspond to a specific | 2 | KioskModeAppNotFound | | 3 | KioskModeAppActivationFailure | +Additionally, the status payload includes a profileId that can be used by the MDM server to correlate which kiosk app caused the error. -Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error. +In Windows 10, version 1810, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes. + +|Status|Description| +|---|---| +|Running|The AssignedAccess account (kiosk or multi-app) is running normally.| +|AppNotFound|The kiosk app isn't deployed to the machine.| +|ActivationFailed|The AssignedAccess account (kiosk or multi-app) failed to sign in.| +|AppNoResponse|The kiosk app launched successfully but is now unresponsive.| + +Note that status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus. + +|Status code|AssignedAccessRuntimeStatus| +|---|---| +|1|Running| +|2|AppNotFound| +|3|ActivationFailed| +|4|AppNoResponse| + +Additionally, the Status payload includes the following fields: + +- profileId: can be used by the MDM server to correlate which account caused the error. +- OperationList: list of failed operations that occurred while applying the assigned access CSP, if any exist. Supported operation is Get. -**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** +**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. For more information, see [Shell Launcher](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher). -> [!Note] +> [!Note] > You cannot set both ShellLauncher and KioskModeApp at the same time on the device. 
> -> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. -> +> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. +> >The ShellLauncher node is not supported in Windows 10 Pro. -**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration** +**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration** Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema. - -By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. - -Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. - -This MDM alert header is defined as follows: -- MDMAlertMark: Critical -- MDMAlertType: "com.microsoft.mdm.assignedaccess.status" -- MDMAlertDataType: String -- Source: "./Vendor/MSFT/AssignedAccess" -- Target: N/A - -> [!Note] -> MDM alert will only be sent for errors. +By default the StatusConfiguration node does not exist, and it implies this feature is off. 
Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. + +Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. + +This MDM alert header is defined as follows: + +- MDMAlertMark: Critical +- MDMAlertType: "com.microsoft.mdm.assignedaccess.status" +- MDMAlertDataType: String +- Source: "./Vendor/MSFT/AssignedAccess" +- Target: N/A + +> [!Note] +> MDM alert will only be sent for errors. ## KioskModeApp examples @@ -146,9 +170,9 @@ KioskModeApp Add ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - chr - + + chr + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} @@ -204,9 +228,9 @@ KioskModeApp Replace ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - chr - + + chr + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} @@ -232,7 +256,7 @@ KioskModeApp Replace - + 
@@ -362,61 +386,61 @@ KioskModeApp Replace ## Example AssignedAccessConfiguration XML ``` syntax - - -    -      -        -          -          -          -          -          -          -          -        -      -      -        -                      -                      -                        -                          -                            -                              -                              -                              -                              -                              -                            -                            -                              -                              -                            -                          -                        -                      -                    -                ]]> -      -      -    -    -      MultiAppKioskUser -      -    - + + +    +      +        +          +          +          +          +          +          +          +        +      +      +        +                      +                      +                        +                          +                            +                              +                              +                              +                              +                              +                            +                            +                              +                              +                            +                          +                        +                      +                    +                ]]> +      +      +    +    +      MultiAppKioskUser +      +    + ``` ## Configuration examples -XML encoding (escaped) and CDATA of the XML in the Data node both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. 
+XML encoding (escaped) and CDATA of the XML in the Data node both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle. -Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you’ll have nested CDATA so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA. +Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, you’ll have nested CDATA so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA. Escape and CDATA are mechanisms when handling xml in xml. Consider it’s a transportation channel to send the configuration xml as payload from server to client. It’s transparent to both end user who configures the CSP and transparent to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML. 
@@ -451,26 +475,26 @@ This example shows escaped XML of the Data node. </AllowedApps> </AllAppsList> <StartLayout> - <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> + <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> + <LayoutOptions StartTileGroupCellWidth="6" /> + <DefaultLayoutOverride> + <StartLayoutCollection> + <defaultlayout:StartLayout GroupCellWidth="6"> + 
<start:Group Name="Group1"> + <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + </start:Group> + <start:Group Name="Group2"> + <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> + <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> + </start:Group> + </defaultlayout:StartLayout> + </StartLayoutCollection> + </DefaultLayoutOverride> + </LayoutModificationTemplate> ]]> </StartLayout> <Taskbar ShowTaskbar="true"/> 
@@ -521,26 +545,26 @@ This example shows escaped XML of the Data node. </AllowedApps> </AllAppsList> <StartLayout> - <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> + <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> + <LayoutOptions StartTileGroupCellWidth="6" /> + <DefaultLayoutOverride> + <StartLayoutCollection> + <defaultlayout:StartLayout GroupCellWidth="6"> + 
<start:Group Name="Group1"> + <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + </start:Group> + <start:Group Name="Group2"> + <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" /> + <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" /> + </start:Group> + </defaultlayout:StartLayout> + </StartLayoutCollection> + </DefaultLayoutOverride> + </LayoutModificationTemplate> ]]> </StartLayout> <Taskbar ShowTaskbar="true"/> @@ -576,53 +600,53 @@ This example uses CData for the XML. chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]]]> - - - - - - - MultiAppKioskUser - - - + + + + + + + MultiAppKioskUser + + + ]]> 
@@ -700,117 +724,117 @@ Example of the Delete command. ## StatusConfiguration example -StatusConfiguration Add OnWithAlerts +StatusConfiguration Add OnWithAlerts ``` syntax - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - OnWithAlerts - - ]]> - - - - - - -``` - - -StatusConfiguration Delete -``` syntax - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - - - -``` - -StatusConfiguration Get - -``` syntax - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - - + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + OnWithAlerts + + ]]> + + + + + ``` - -StatusConfiguration Replace On - + + +StatusConfiguration Delete +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + +``` + +StatusConfiguration Get + +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + +``` + +StatusConfiguration Replace On + ```syntax - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - On - - ]]> - - - - - - + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + On + + ]]> + + + + + + ``` ## Status example -Status Get +Status Get ``` syntax - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Status - - - - - - + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Status + + + + + + ``` ## ShellLauncherConfiguration XSD @@ -1113,10 +1137,11 @@ ShellLauncherConfiguration Get - - - - + + + + + 
@@ -1126,35 +1151,51 @@ ShellLauncherConfiguration Get + + + + + + + + + + + + + + + + - + - + - + ``` -## Windows Holographic for Business edition example +## Windows Holographic for Business edition example This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/en-us/hololens/hololens-provisioning). ``` syntax - @@ -1193,8 +1234,8 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C - AzureAD\multiusertest@analogfre.onmicrosoft.com diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index a76545fe53..e68f76f543 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -17,8 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **Assigne You can download the DDF files from the links below: -- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) -- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) +- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) The XML below is for Windows 10, version 1803. 
@@ -62,7 +62,7 @@ The XML below is for Windows 10, version 1803.
 This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
-Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
+Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
 When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index e5d61253aa..f8e1ed6025 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -58,7 +58,7 @@ In both scenarios, the enrollment flow provides an opportunity for the MDM servi In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic. -For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](http://go.microsoft.com/fwlink/?LinkId=690246). +For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246). Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar. 
@@ -79,31 +79,31 @@ Azure AD MDM enrollment is a two-step process: To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint. -**Terms of Use endpoint** +**Terms of Use endpoint** Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins. It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies). The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. -**MDM enrollment endpoint** +**MDM enrollment endpoint** After the users accepts the Terms of Use, the device is registered in Azure AD and the automatic MDM enrollment begins. The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. 
This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint. ![azure ad enrollment flow](images/azure-ad-enrollment-flow.png) -The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic. +The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic. ## Make the MDM a reliable party of Azure AD -To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). +To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). ### Add a cloud-based MDM A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It is a multi-tenant application. 
This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer. -The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613661). +The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661). > **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. @@ -115,7 +115,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD. 1. Login to the Azure Management Portal using an admin account in your home tenant. 2. In the left navigation, click on the **Active Directory**. 3. Click the directory tenant where you want to register the application. - + Ensure that you are logged into your home tenant. 4. Click the **Applications** tab. 5. In the drawer, click **Add**. 
@@ -132,7 +132,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD. You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section. -For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667) +For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667) ### Add an on-premises MDM 
@@ -142,13 +142,13 @@ The customer experience for adding an on-premises MDM to their tenant is similar Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance. -For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=613671). +For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](https://go.microsoft.com/fwlink/p/?LinkId=613671). ### Key management and security guidelines The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Azure AD Graph API are bearer tokens and should be protected to avoid unauthorized disclosure. -For security best practices, see [Windows Azure Security Essentials](http://go.microsoft.com/fwlink/p/?LinkId=613715). +For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715). You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There is a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. @@ -167,7 +167,7 @@ The following image illustrates how MDM applications will show up in the Azure a You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery. - +
      @@ -211,7 +211,7 @@ However, key management is different for on-premises MDM. You must obtain the cl ## Themes -The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers. +The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers. There are 3 distinct scenarios: 
@@ -221,7 +221,7 @@ There are 3 distinct scenarios: Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511. -The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip). +The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip). ### Using themes @@ -348,7 +348,7 @@ The following claims are expected in the access token passed by Windows to the T > **Note**  There is no device ID claim in the access token because the device may not yet be enrolled at this time.   -To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). +To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). Here's an example URL. @@ -399,7 +399,7 @@ Location: Example: -HTTP/1.1 302 +HTTP/1.1 302 Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E ``` 
@@ -594,13 +594,13 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov There are two different MDM enrollment types that take advantage of integration with Azure AD and therefore make use of Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. -**Multiple user management for Azure AD joined devices** +**Multiple user management for Azure AD joined devices** In this scenario the MDM enrollment applies to every Azure AD user who logs on to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, conclude what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token is not sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user logs on to the machine, Azure AD user token is not available to OMA-DM process. Typically MDM enrollment completes before Azure AD user logs on to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. 
-**Adding a work account and MDM enrollment to a device** +**Adding a work account and MDM enrollment to a device** In this scenario, the MDM enrollment applies to a single user who initially added his work account and enrolled the device. In this enrollment type the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device. -**Evaluating Azure AD user tokens** +**Evaluating Azure AD user tokens** The Azure AD token is in the HTTP Authorization header in the following format: ``` syntax @@ -616,8 +616,8 @@ Additional claims may be present in the Azure AD token, such as: Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens: -- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](http://go.microsoft.com/fwlink/p/?LinkId=613820). -- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667). +- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](https://go.microsoft.com/fwlink/p/?LinkId=613820). +- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). ## Device Alert 1224 for Azure AD user token 
@@ -625,21 +625,21 @@ An alert is sent when the DM session starts and there is an Azure AD user logged ``` syntax Alert Type: com.microsoft/MDM/AADUserToken - -Alert sample: - - - 1 - 1224 - - - com.microsoft/MDM/AADUserToken - - UserToken inserted here - - - … other xml tags … - + +Alert sample: + + + 1 + 1224 + + + com.microsoft/MDM/AADUserToken + + UserToken inserted here + + + … other xml tags … + ``` ## Determine when a user is logged in through polling @@ -656,18 +656,18 @@ An alert is send to the MDM server in DM package\#1. Here's an example. ``` syntax - - - 1 - 1224 - - - com.microsoft/MDM/LoginStatus - - user - - - … other xml tags … + + + 1 + 1224 + + + com.microsoft/MDM/LoginStatus + + user + + + … other xml tags … ``` 
@@ -675,7 +675,7 @@ Here's an example. Once a device is enrolled with the MDM for management, corporate policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD. -For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613822). +For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822). - **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. Use this key to authenticate the MDM service with Azure AD, in order to obtain authorization. - **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This is because each on-premises instance of your MDM product has a different tenant-specific key. For this purpose, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD. 
@@ -687,15 +687,15 @@ The following sample REST API call illustrates how an MDM can use the Azure AD G > **Note**  This is only applicable for approved MDM apps on Windows 10 devices. ``` syntax -Sample Graph API Request: +Sample Graph API Request: -PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 -Authorization: Bearer eyJ0eXAiO……… -Accept: application/json -Content-Type: application/json -{ “isManaged”:true, - “isCompliant”:true -} +PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 +Authorization: Bearer eyJ0eXAiO……… +Accept: application/json +Content-Type: application/json +{ “isManaged”:true, + “isCompliant”:true +} ``` Where: diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 622256b740..5925f48358 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/16/2018 +ms.date: 08/31/2018 --- # BitLocker CSP @@ -14,7 +14,7 @@ ms.date: 07/16/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. +The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro. > [!Note] > Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. 
@@ -257,7 +257,7 @@ The following diagram shows the BitLocker configuration service provider in tree

      On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

      > [!Note] -> In Windows 10, version 1709, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits. +> In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.

      If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

      @@ -347,7 +347,7 @@ The following diagram shows the BitLocker configuration service provider in tree

      This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

      > [!Note] -> In Windows 10, version 1709, you can use a minimum PIN length of 4 digits. +> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits. > >In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2. diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index df0326e929..9d1fd9bf4d 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -18,7 +18,7 @@ This topic shows the OMA DM device description framework (DDF) for the **BitLock Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version Windows 10, next major version. +The XML below is the current version Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index bf01d38374..128a41801d 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -27,18 +27,18 @@ The following image shows the ClientCertificateInstall configuration service pro ![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png) -**Device or User** +**Device or User**

      For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path. -**ClientCertificateInstall** +**ClientCertificateInstall**

      The root node for the ClientCertificateInstaller configuration service provider. -**ClientCertificateInstall/PFXCertInstall** +**ClientCertificateInstall/PFXCertInstall**

      Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.

      Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/****_UniqueID_** +**ClientCertificateInstall/PFXCertInstall/****_UniqueID_**

      Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.

      The data type format is node. @@ -47,7 +47,7 @@ The following image shows the ClientCertificateInstall configuration service pro

      Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**

      Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.

      Supported operations are Get, Add, and Replace. @@ -62,14 +62,14 @@ The following image shows the ClientCertificateInstall configuration service pro | 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**

      Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.

      Date type is string.

      Supported operations are Get, Add, Delete, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**

      CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.

      The data type format is binary. @@ -80,16 +80,16 @@ The following image shows the ClientCertificateInstall configuration service pro

      If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. -

      In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](http://go.microsoft.com/fwlink/p/?LinkId=523871). +

      In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](https://go.microsoft.com/fwlink/p/?LinkId=523871). -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**

      Password that protects the PFX blob. This is required if the PFX is password protected.

      Data Type is a string.

      Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**

      Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever.

      The data type is int. Valid values: @@ -102,7 +102,7 @@ The following image shows the ClientCertificateInstall configuration service pro

      Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**

      Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. > **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. @@ -112,38 +112,38 @@ The following image shows the ClientCertificateInstall configuration service pro

      Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**

      Returns the thumbprint of the installed PFX certificate.

      The datatype is a string.

      Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**

      Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.

      Data type is an integer.

      Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**

      Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.

      Data type is string.

      Supported operations are Add, Get, and Replace. -**ClientCertificateInstall/SCEP** +**ClientCertificateInstall/SCEP**

      Node for SCEP. > **Note**  An alert is sent after the SCEP certificate is installed.   -**ClientCertificateInstall/SCEP/****_UniqueID_** +**ClientCertificateInstall/SCEP/****_UniqueID_**

      A unique ID to differentiate different certificate installation requests. -**ClientCertificateInstall/SCEP/*UniqueID*/Install** +**ClientCertificateInstall/SCEP/*UniqueID*/Install**

      A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.

      Supported operations are Get, Add, Replace, and Delete. @@ -151,21 +151,21 @@ The following image shows the ClientCertificateInstall configuration service pro > **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.   -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**

      Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.

      Data type is string.

      Supported operations are Get, Add, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** +**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**

      Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.

      Data type is string.

      Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** +**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**

      Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*. Data type is string. @@ -175,14 +175,14 @@ Data type is string.

      Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** +**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**

      Required. Specifies the subject name.

      Data type is string.

      Supported operations are Add, Get, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**

      Optional. Specifies where to keep the private key. > **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN. @@ -200,12 +200,12 @@ Data type is string.  

      Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**

      Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail.

      Supported operations are Add, Get, Delete, and Replace. Value type is integer. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** +**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**

      Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.

      Data type format is an integer. @@ -216,7 +216,7 @@ Data type is string.

      Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** +**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**

      Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.

      Data type is integer.
@@ -229,7 +229,7 @@ Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**

      Optional. OID of certificate template name.
 > **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it.
@@ -239,7 +239,7 @@ Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**

      Required for enrollment. Specify private key length (RSA).

      Data type is integer.
@@ -250,7 +250,7 @@ Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**

      Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**.

      For Windows Hello for Business, only SHA256 is the supported algorithm.
@@ -259,14 +259,14 @@ Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**

      Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.

      Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**

      Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.

      Each pair is separated by semicolon. For example, multiple SANs are presented in the format of *\[name format1\]*+*\[actual name1\]*;*\[name format 2\]*+*\[actual name2\]*.
@@ -275,7 +275,7 @@ Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**

      Optional. Specifies the units for the valid certificate period.

      Data type is string.
@@ -291,7 +291,7 @@ Data type is string.  

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**

      Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.

      Data type is string.
@@ -301,35 +301,35 @@ Data type is string.  

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**

      Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.

      Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**

      Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.

      Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**

      Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.

      The date type format is Null, meaning this node doesn’t contain a value.

      The only supported operation is Execute.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**

      Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.

      Data type is string.

      Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
+**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**

      Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.

      If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
@@ -338,7 +338,7 @@ Data type is string.

      The only supported operation is Get.
-**ClientCertificateInstall/SCEP/*UniqueID*/Status**
+**ClientCertificateInstall/SCEP/*UniqueID*/Status**

      Required. Specifies latest status of the certificated during the enrollment request.

      Data type is string. Valid values:
@@ -353,12 +353,12 @@ Data type is string. | 32 | Unknown |   
-**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
+**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**

      Optional. An integer value that indicates the HRESULT of the last enrollment error code.

      The only supported operation is Get.
-**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**
+**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**

      Required. Returns the URL of the SCEP server that responded to the enrollment request.

      Data type is string. @@ -561,7 +561,7 @@ Enroll a client certificate through SCEP. - + @@ -617,7 +617,7 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c Base64Encoded_Encrypted_Password_Blog - + $CmdID$ @@ -629,7 +629,7 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c 2 - + $CmdID$ @@ -641,7 +641,7 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c My - + $CmdID$ diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 441c14e310..350ea6ad5e 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/24/2018 +ms.date: 08/27/2018 --- # Configuration service provider reference @@ -22,23 +22,22 @@ Additional lists: - [List of CSPs supported in Windows Holographic](#hololens) - [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) - [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport) -- [List of CSPs supported in Windows 10 S](#windows10s) -The following tables show the configuration service providers support in Windows 10. -Footnotes: +The following tables show the configuration service providers support in Windows 10. +Footnotes: - 1 - Added in Windows 10, version 1607 - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 -- 5 - Added in Windows 10, next major version +- 5 - Added in Windows 10, version 1809


      -## CSP support
+## CSP support
-[AccountManagement CSP](accountmanagement-csp.md)
+[AccountManagement CSP](accountmanagement-csp.md)
      @@ -66,7 +65,7 @@ Footnotes:
-[Accounts CSP](accounts-csp.md)
+[Accounts CSP](accounts-csp.md)
      @@ -94,7 +93,7 @@ Footnotes:
-[ActiveSync CSP](activesync-csp.md)
+[ActiveSync CSP](activesync-csp.md)
      @@ -122,7 +121,7 @@ Footnotes:
-[AllJoynManagement CSP](alljoynmanagement-csp.md)
+[AllJoynManagement CSP](alljoynmanagement-csp.md)
      @@ -150,7 +149,7 @@ Footnotes:
-[APPLICATION CSP](application-csp.md)
+[APPLICATION CSP](application-csp.md)
      @@ -178,7 +177,7 @@ Footnotes:
-[AppLocker CSP](applocker-csp.md)
+[AppLocker CSP](applocker-csp.md)
      @@ -206,7 +205,7 @@ Footnotes:
-[AssignedAccess CSP](assignedaccess-csp.md)
+[AssignedAccess CSP](assignedaccess-csp.md)
      @@ -234,7 +233,7 @@ Footnotes:
-[BOOTSTRAP CSP](bootstrap-csp.md)
+[BOOTSTRAP CSP](bootstrap-csp.md)
      @@ -262,7 +261,7 @@ Footnotes:
-[BitLocker CSP](bitlocker-csp.md)
+[BitLocker CSP](bitlocker-csp.md)
      @@ -277,7 +276,7 @@ Footnotes: - + @@ -290,7 +289,7 @@ Footnotes: -[BrowserFavorite CSP](browserfavorite-csp.md) +[BrowserFavorite CSP](browserfavorite-csp.md)
      cross markcross markcheck mark5 check mark2 check mark2 check mark2
      @@ -318,7 +317,7 @@ Footnotes:
-[CMPolicy CSP](cmpolicy-csp.md)
+[CMPolicy CSP](cmpolicy-csp.md)
      @@ -346,7 +345,7 @@ Footnotes:
-[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
+[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
      @@ -374,7 +373,7 @@ Footnotes:
-[CM_CellularEntries CSP](cm-cellularentries-csp.md)
+[CM_CellularEntries CSP](cm-cellularentries-csp.md)
      @@ -402,7 +401,7 @@ Footnotes:
-[CM_ProxyEntries CSP](cm-proxyentries-csp.md)
+[CM_ProxyEntries CSP](cm-proxyentries-csp.md)
      @@ -430,7 +429,7 @@ Footnotes:
-[CellularSettings CSP](cellularsettings-csp.md)
+[CellularSettings CSP](cellularsettings-csp.md)
      @@ -458,7 +457,7 @@ Footnotes:
-[CertificateStore CSP](certificatestore-csp.md)
+[CertificateStore CSP](certificatestore-csp.md)
      @@ -486,7 +485,7 @@ Footnotes:
-[CleanPC CSP](cleanpc-csp.md)
+[CleanPC CSP](cleanpc-csp.md)
      @@ -514,7 +513,7 @@ Footnotes:
-[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
+[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
      @@ -542,7 +541,7 @@ Footnotes:
-[CustomDeviceUI CSP](customdeviceui-csp.md)
+[CustomDeviceUI CSP](customdeviceui-csp.md)
      @@ -570,7 +569,7 @@ Footnotes:
-[DMAcc CSP](dmacc-csp.md)
+[DMAcc CSP](dmacc-csp.md)
      @@ -598,7 +597,7 @@ Footnotes:
-[DMClient CSP](dmclient-csp.md)
+[DMClient CSP](dmclient-csp.md)
      @@ -626,7 +625,7 @@ Footnotes:
-[Defender CSP](defender-csp.md)
+[Defender CSP](defender-csp.md)
      @@ -654,7 +653,7 @@ Footnotes:
-[DevDetail CSP](devdetail-csp.md)
+[DevDetail CSP](devdetail-csp.md)
      @@ -682,7 +681,7 @@ Footnotes:
-[DevInfo CSP](devinfo-csp.md)
+[DevInfo CSP](devinfo-csp.md)
      @@ -710,7 +709,7 @@ Footnotes:
-[DeveloperSetup CSP](developersetup-csp.md)
+[DeveloperSetup CSP](developersetup-csp.md)
      @@ -738,7 +737,7 @@ Footnotes:
-[DeviceInstanceService CSP](deviceinstanceservice-csp.md)
+[DeviceInstanceService CSP](deviceinstanceservice-csp.md)
      @@ -766,7 +765,7 @@ Footnotes:
-[DeviceLock CSP](devicelock-csp.md)
+[DeviceLock CSP](devicelock-csp.md)
      @@ -794,7 +793,7 @@ Footnotes:
-[DeviceManageability CSP](devicemanageability-csp.md)
+[DeviceManageability CSP](devicemanageability-csp.md)
      @@ -822,7 +821,7 @@ Footnotes:
-[DeviceStatus CSP](devicestatus-csp.md)
+[DeviceStatus CSP](devicestatus-csp.md)
      @@ -850,7 +849,7 @@ Footnotes:
-[DiagnosticLog CSP](diagnosticlog-csp.md)
+[DiagnosticLog CSP](diagnosticlog-csp.md)
      @@ -878,7 +877,7 @@ Footnotes:
-[DynamicManagement CSP](dynamicmanagement-csp.md)
+[DynamicManagement CSP](dynamicmanagement-csp.md)
      @@ -906,7 +905,7 @@ Footnotes:
-[EMAIL2 CSP](email2-csp.md)
+[EMAIL2 CSP](email2-csp.md)
      @@ -934,7 +933,7 @@ Footnotes:
-[EnterpriseAPN CSP](enterpriseapn-csp.md)
+[EnterpriseAPN CSP](enterpriseapn-csp.md)
      @@ -962,7 +961,7 @@ Footnotes:
-[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
+[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
      @@ -990,7 +989,7 @@ Footnotes:
-[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
+[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
      @@ -1018,7 +1017,7 @@ Footnotes:
-[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
+[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
      @@ -1046,7 +1045,7 @@ Footnotes:
-[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
+[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
      @@ -1074,7 +1073,7 @@ Footnotes:
-[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
+[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
      @@ -1102,7 +1101,7 @@ Footnotes:
-[EnterpriseExt CSP](enterpriseext-csp.md)
+[EnterpriseExt CSP](enterpriseext-csp.md)
      @@ -1130,7 +1129,7 @@ Footnotes:
-[EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
+[EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
      @@ -1158,7 +1157,7 @@ Footnotes:
-[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
+[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
      @@ -1186,7 +1185,7 @@ Footnotes:
-[eUICCs CSP](euiccs-csp.md)
+[eUICCs CSP](euiccs-csp.md)
      @@ -1214,7 +1213,7 @@ Footnotes:
-[FileSystem CSP](filesystem-csp.md)
+[FileSystem CSP](filesystem-csp.md)
      @@ -1242,7 +1241,7 @@ Footnotes:
-[Firewall CSP](firewall-csp.md)
+[Firewall CSP](firewall-csp.md)
      @@ -1270,7 +1269,7 @@ Footnotes:
-[HealthAttestation CSP](healthattestation-csp.md)
+[HealthAttestation CSP](healthattestation-csp.md)
      @@ -1298,7 +1297,7 @@ Footnotes:
-[HotSpot CSP](hotspot-csp.md)
+[HotSpot CSP](hotspot-csp.md)
      @@ -1326,7 +1325,7 @@ Footnotes:
-[Maps CSP](maps-csp.md)
+[Maps CSP](maps-csp.md)
      @@ -1354,7 +1353,7 @@ Footnotes:
-[Messaging CSP](messaging-csp.md)
+[Messaging CSP](messaging-csp.md)
      @@ -1382,7 +1381,7 @@ Footnotes:
-[MultiSIM CSP](multisim-csp.md)
+[MultiSIM CSP](multisim-csp.md)
      @@ -1410,7 +1409,7 @@ Footnotes:
-[NAP CSP](nap-csp.md)
+[NAP CSP](nap-csp.md)
      @@ -1438,7 +1437,7 @@ Footnotes:
-[NAPDEF CSP](napdef-csp.md)
+[NAPDEF CSP](napdef-csp.md)
      @@ -1466,7 +1465,7 @@ Footnotes:
-[NetworkProxy CSP](networkproxy-csp.md)
+[NetworkProxy CSP](networkproxy-csp.md)
      @@ -1494,7 +1493,7 @@ Footnotes:
-[NetworkQoSPolicy CSP](networkqospolicy-csp.md)
+[NetworkQoSPolicy CSP](networkqospolicy-csp.md)
      @@ -1522,7 +1521,7 @@ Footnotes:
-[NodeCache CSP](nodecache-csp.md)
+[NodeCache CSP](nodecache-csp.md)
      @@ -1550,7 +1549,7 @@ Footnotes:
-[Office CSP](office-csp.md)
+[Office CSP](office-csp.md)
      @@ -1578,7 +1577,7 @@ Footnotes:
-[PROXY CSP](proxy-csp.md)
+[PROXY CSP](proxy-csp.md)
      @@ -1606,7 +1605,7 @@ Footnotes:
-[PXLOGICAL CSP](pxlogical-csp.md)
+[PXLOGICAL CSP](pxlogical-csp.md)
      @@ -1634,7 +1633,7 @@ Footnotes:
-[PassportForWork CSP](passportforwork-csp.md)
+[PassportForWork CSP](passportforwork-csp.md)
      @@ -1662,7 +1661,7 @@ Footnotes:
-[Personalization CSP](personalization-csp.md)
+[Personalization CSP](personalization-csp.md)
      @@ -1690,7 +1689,7 @@ Footnotes:
-[Policy CSP](policy-configuration-service-provider.md)
+[Policy CSP](policy-configuration-service-provider.md)
      @@ -1718,7 +1717,7 @@ Footnotes:
-[PolicyManager CSP](policymanager-csp.md)
+[PolicyManager CSP](policymanager-csp.md)
      @@ -1746,7 +1745,7 @@ Footnotes:
-[Provisioning CSP](provisioning-csp.md)
+[Provisioning CSP](provisioning-csp.md)
      @@ -1774,7 +1773,7 @@ Footnotes:
-[Reboot CSP](reboot-csp.md)
+[Reboot CSP](reboot-csp.md)
      @@ -1802,7 +1801,7 @@ Footnotes:
-[Registry CSP](registry-csp.md)
+[Registry CSP](registry-csp.md)
      @@ -1830,7 +1829,7 @@ Footnotes:
-[RemoteFind CSP](remotefind-csp.md)
+[RemoteFind CSP](remotefind-csp.md)
      @@ -1858,7 +1857,7 @@ Footnotes:
-[RemoteLock](remotelock-csp.md)
+[RemoteLock](remotelock-csp.md)
      @@ -1886,7 +1885,7 @@ Footnotes:
-[RemoteRing CSP](remotering-csp.md)
+[RemoteRing CSP](remotering-csp.md)
      @@ -1914,7 +1913,7 @@ Footnotes:
-[RemoteWipe CSP](remotewipe-csp.md)
+[RemoteWipe CSP](remotewipe-csp.md)
      @@ -1942,7 +1941,7 @@ Footnotes:
-[Reporting CSP](reporting-csp.md)
+[Reporting CSP](reporting-csp.md)
      @@ -1970,7 +1969,7 @@ Footnotes:
-[RootCATrustedCertificates CSP](rootcacertificates-csp.md)
+[RootCATrustedCertificates CSP](rootcacertificates-csp.md)
      @@ -1998,7 +1997,7 @@ Footnotes:
-[SUPL CSP](supl-csp.md)
+[SUPL CSP](supl-csp.md)
      @@ -2026,7 +2025,7 @@ Footnotes:
-[SecureAssessment CSP](secureassessment-csp.md)
+[SecureAssessment CSP](secureassessment-csp.md)
      @@ -2054,7 +2053,7 @@ Footnotes:
-[SecurityPolicy CSP](securitypolicy-csp.md)
+[SecurityPolicy CSP](securitypolicy-csp.md)
      @@ -2082,7 +2081,7 @@ Footnotes:
-[SharedPC CSP](sharedpc-csp.md)
+[SharedPC CSP](sharedpc-csp.md)
      @@ -2110,7 +2109,7 @@ Footnotes:
-[Storage CSP](storage-csp.md)
+[Storage CSP](storage-csp.md)
      @@ -2138,7 +2137,7 @@ Footnotes:
-[SurfaceHub](surfacehub-csp.md)
+[SurfaceHub](surfacehub-csp.md)
      @@ -2166,259 +2165,7 @@ Footnotes: -[TPMPolicy CSP](tpmpolicy-csp.md) - - -
      - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - - - -[UEFI CSP](uefi-csp.md) - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcross markcheck mark4check mark4check mark4cross markcross mark
      - - - - - -[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcross markcheck markcheck markcross markcross mark
      - - - - - -[Update CSP](update-csp.md) - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check markcheck markcheck markcheck markcheck markcheck mark
      - - - - - -[VPN CSP](vpn-csp.md) - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcross markcross markcross markcheck markcheck mark
      - - - - - -[VPNv2 CSP](vpnv2-csp.md) - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check markcheck markcheck markcheck markcheck markcheck mark
      - - - - - -[W4 APPLICATION CSP](w4-application-csp.md) - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark
      - - - - - -[WiFi CSP](wifi-csp.md) - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check markcheck markcheck markcheck markcheck markcheck mark
      - - - - - -[Win32AppInventory CSP](win32appinventory-csp.md) - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark1check mark1check mark1cross markcross mark
      - - - - - -[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) +[TenantLockdown CSP](tenantlockdown-csp.md) @@ -2446,7 +2193,287 @@ Footnotes: -[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) +[TPMPolicy CSP](tpmpolicy-csp.md) + + +
      + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + + + +[UEFI CSP](uefi-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcross markcheck mark4check mark4check mark4cross markcross mark
      + + + + + +[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcross markcheck markcheck markcross markcross mark
      + + + + + +[Update CSP](update-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check markcheck markcheck markcheck markcheck markcheck mark
      + + + + + +[VPN CSP](vpn-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcross markcross markcross markcheck markcheck mark
      + + + + + +[VPNv2 CSP](vpnv2-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check markcheck markcheck markcheck markcheck markcheck mark
      + + + + + +[W4 APPLICATION CSP](w4-application-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark
      + + + + + +[WiFi CSP](wifi-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check markcheck markcheck markcheck markcheck markcheck mark
      + + + + + +[Win32AppInventory CSP](win32appinventory-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark1check mark1check mark1cross markcross mark
      + + + + + +[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5cross markcross mark
      + + + + + +[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) @@ -2476,7 +2503,7 @@ Footnotes: -[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) +[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
      @@ -2505,7 +2532,7 @@ Footnotes:
-[WindowsLicensing CSP](windowslicensing-csp.md)
+[WindowsLicensing CSP](windowslicensing-csp.md)
      @@ -2533,7 +2560,7 @@ Footnotes:
-[WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
+[WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
      @@ -2561,7 +2588,7 @@ Footnotes:
-[WiredNetwork CSP](wirednetwork-csp.md)
+[WiredNetwork CSP](wirednetwork-csp.md)
      @@ -2589,7 +2616,7 @@ Footnotes:
-[w7 APPLICATION CSP](w7-application-csp.md)
+[w7 APPLICATION CSP](w7-application-csp.md)
      @@ -2620,21 +2647,21 @@ Footnotes:
- Footnotes:
+ Footnotes:
 - 1 - Added in Windows 10, version 1607
-- 2 - Added in Windows 10, version 1703
+- 2 - Added in Windows 10, version 1703
 - 3 - Added in Windows 10, version 1709
 - 4 - Added in Windows 10, version 1803
-- 5 - Added in Windows 10, next major version
+- 5 - Added in Windows 10, version 1809
 ## CSP DDF files download
 You can download the DDF files for various CSPs from the links below:
-- [Download all the DDF files for Windows 10, version 1803](http://download.microsoft.com/download/6/2/7/6276FE19-E3FD-4254-9C16-3C31CAA2DE50/Windows10_1803_DDF_download.zip)
-- [Download all the DDF files for Windows 10, version 1709](http://download.microsoft.com/download/9/7/C/97C6CF99-F75C-475E-AF18-845F8CECCFA4/Windows10_1709_DDF_download.zip)
-- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
-- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
+- [Download all the DDF files for Windows 10, version 1803](https://download.microsoft.com/download/6/2/7/6276FE19-E3FD-4254-9C16-3C31CAA2DE50/Windows10_1803_DDF_download.zip)
+- [Download all the DDF files for Windows 10, version 1709](https://download.microsoft.com/download/9/7/C/97C6CF99-F75C-475E-AF18-845F8CECCFA4/Windows10_1709_DDF_download.zip)
+- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
+- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
 ## CSPs supported in Windows Holographic 
@@ -2660,6 +2687,7 @@ The following list shows the configuration service providers supported in Window
 | [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
+| [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 |
 | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
@@ -2667,12 +2695,12 @@ The following list shows the configuration service providers supported in Window
 | [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
- Footnotes:
+ Footnotes:
 - 1 - Added in Windows 10, version 1607
-- 2 - Added in Windows 10, version 1703
+- 2 - Added in Windows 10, version 1703
 - 3 - Added in Windows 10, version 1709
 - 4 - Added in Windows 10, version 1803
-- 5 - Added in Windows 10, next major version
+- 5 - Added in Windows 10, version 1809
 ## CSPs supported in Microsoft Surface Hub 
@@ -2699,7 +2727,7 @@ The following list shows the configuration service providers supported in Window
 - [Reporting CSP](reporting-csp.md)
 - [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
 - [SurfaceHub CSP](surfacehub-csp.md)
-- [UEFI CSP](uefi-csp.md)
+- [UEFI CSP](uefi-csp.md)
 - [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) 
@@ -2723,59 +2751,4 @@ The following list shows the configuration service providers supported in Window
 - [VPNv2 CSP](vpnv2-csp.md)
 - [WiFi CSP](wifi-csp.md)
-## CSPs supported in Windows 10 S
-The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that Office CSP and EnterpriseDesktop CSP are not available in Windows 10 S. Here is the list:
-
-- [ActiveSync CSP](activesync-csp.md)
-- [APPLICATION CSP](application-csp.md)
-- [AppLocker CSP](applocker-csp.md)
-- [AssignedAccess CSP](assignedaccess-csp.md)
-- [BOOTSTRAP CSP](bootstrap-csp.md)
-- [CellularSettings CSP](cellularsettings-csp.md)
-- [CertificateStore CSP](certificatestore-csp.md)
-- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
-- [CMPolicy CSP](cmpolicy-csp.md)
-- [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
-- [CM_CellularEntries CSP](cm-cellularentries-csp.md)
-- [Defender CSP](defender-csp.md)
-- [DevDetail CSP](devdetail-csp.md)
-- [DeviceManageability CSP](devicemanageability-csp.md)
-- [DeviceStatus CSP](devicestatus-csp.md)
-- [DevInfo CSP](devinfo-csp.md)
-- [DiagnosticLog CSP](diagnosticlog-csp.md)
-- [DMAcc CSP](dmacc-csp.md)
-- [DMClient CSP](dmclient-csp.md)
-- [eUICCs CSP](euiccs-csp.md)
-- [Firewall CSP](firewall-csp.md)
-- [EMAIL2 CSP](email2-csp.md)
-- [EnterpriseAPN CSP](enterpriseapn-csp.md)
-- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
-- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
-- [HealthAttestation CSP](healthattestation-csp.md)
-- [NAP CSP](nap-csp.md)
-- [NAPDEF CSP](napdef-csp.md)
-- [NetworkProxy CSP](networkproxy-csp.md)
-- [NodeCache CSP](nodecache-csp.md)
-- [PassportForWork CSP](passportforwork-csp.md)
-- [Policy CSP](policy-configuration-service-provider.md)
-- [Provisioning CSP](provisioning-csp.md)
-- [PROXY CSP](proxy-csp.md)
-- [PXLOGICAL CSP](pxlogical-csp.md)
-- [Reboot CSP](reboot-csp.md)
-- [RemoteFind CSP](remotefind-csp.md)
-- [RemoteWipe CSP](remotewipe-csp.md)
-- 
[Reporting CSP](reporting-csp.md)
-- [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
-- [SecureAssessment CSP](secureassessment-csp.md)
-- [SecurityPolicy CSP](securitypolicy-csp.md)
-- [SharedPC CSP](sharedpc-csp.md)
-- [Storage CSP](storage-csp.md)
-- [SUPL CSP](supl-csp.md)
-- [Update CSP](update-csp.md)
-- [VPNv2 CSP](vpnv2-csp.md)
-- [WiFi CSP](wifi-csp.md)
-- [Win32AppInventory CSP](win32appinventory-csp.md)
-- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
-- [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
-- [WindowsLicensing CSP](windowslicensing-csp.md)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index eb6af19adc..9782ed9ad1 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -179,7 +179,7 @@ An interior node to group information about Windows Defender health status.
 Supported operation is Get.
 **Health/ProductStatus**
-Added in Windows 10, next major version. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
+Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
 Data type is integer.
 Supported operation is Get. 
@@ -365,7 +365,7 @@ Node that can be used to perform signature updates for Windows Defender.
 Supported operations are Get and Execute.
 **OfflineScan**
-Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. This command causes the computer reboot and start in Windows Defender offline mode to begin the scan.
+Added in Windows 10, version 1803. OfflineScan action starts a Windows Defender offline scan on the computer where you run the command. After the next OS reboot, the device will start in Windows Defender offline mode to begin the scan.
 Supported operations are Get and Execute.
@@ -374,12 +374,3 @@ Supported operations are Get and Execute.
 [Configuration service provider reference](configuration-service-provider-reference.md)
- 
-
- 
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index afd02d79f2..7d4f147be9 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Defende
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, next major version.
+The XML below is for Windows 10, version 1809.
 ``` syntax
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 27dd7bead4..5f9609bccf 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md 
@@ -146,7 +146,7 @@ The following diagram shows the DevDetail configuration service provider managem Supported operation is Get. **Ext/Microsoft/SMBIOSSerialNumber** -Added in Windows 10, next major version. SMBIOS Serial Number of the device. +Added in Windows 10, version 1809. SMBIOS Serial Number of the device. Value type is string. Supported operation is Get. diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 737bb65143..e84b804e6c 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **DevDeta Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 2e48c36d75..84e3a07225 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -2,6 +2,7 @@ title: Device update management description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777 +keywords: mdm,management,administrator ms.author: maricia ms.topic: article ms.prod: w10 
@@ -13,15 +14,18 @@ ms.date: 11/15/2017 # Device update management -In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft Updates. +>[!TIP] +>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). -In particular, Windows 10 provides additional APIs to enable MDMs to: +In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft updates. + +In particular, Windows 10 provides APIs to enable MDMs to: - Ensure machines stay up-to-date by configuring Automatic Update policies. - Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device. - Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up-to-date is a particular machine. -This topic provides MDM ISVs with the information they need to implement update management in Windows 10. +This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10. In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. 
In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to: @@ -30,7 +34,8 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to - Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested. - Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs. -The OMA DM APIs for specifying update approvals and getting compliance status reference updates using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526707). +The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526707). + For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md). The following diagram provides a conceptual overview of how this works: 
@@ -53,12 +58,12 @@ This section describes how this is done. The following diagram shows the server- MSDN provides much information about the Server-Server sync protocol. In particular: -- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. +- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](https://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. +- You can find code samples in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. Some important highlights: -- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. 
Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. +- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. - The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](https://msdn.microsoft.com/library/dd304816.aspx) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. - For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). 
@@ -67,7 +72,7 @@ Some important highlights: ## Examples of update metadata XML structure and element descriptions -The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). Some of the key elements are described below: +The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). Some of the key elements are described below: - **UpdateID** – The unique identifier for an update - **RevisionNumber** – Revision number for the update in case the update was modified. 
@@ -101,8 +106,8 @@ The following procedure describes a basic algorithm for a metadata sync service: - Initialization, composed of the following: 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative). - Sync periodically (we recommend once every 2 hours - no more than once/hour). - 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). - 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720)), and: + 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). + 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720)), and: - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB. - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - Remove updates from the "needed update IDs to fault in" list once they have been brought in. 
@@ -134,7 +139,7 @@ The following diagram shows the Update policies in a tree format. ![update csp diagram](images/update-policies.png) -**Update/ActiveHoursEnd** +**Update/ActiveHoursEnd** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -148,7 +153,7 @@ The following diagram shows the Update policies in a tree format.

      The default is 17 (5 PM). -**Update/ActiveHoursMaxRange** +**Update/ActiveHoursMaxRange** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -159,7 +164,7 @@ The following diagram shows the Update policies in a tree format.

      The default value is 18 (hours). -**Update/ActiveHoursStart** +**Update/ActiveHoursStart** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -173,7 +178,7 @@ The following diagram shows the Update policies in a tree format.

      The default value is 8 (8 AM). -**Update/AllowAutoUpdate** +**Update/AllowAutoUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -197,7 +202,7 @@ The following diagram shows the Update policies in a tree format.

      If the policy is not configured, end-users get the default behavior (Auto install and restart). -**Update/AllowMUUpdateService** +**Update/AllowMUUpdateService** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education @@ -209,7 +214,7 @@ The following diagram shows the Update policies in a tree format. - 0 – Not allowed or not configured. - 1 – Allowed. Accepts updates received through Microsoft Update. -**Update/AllowNonMicrosoftSignedUpdate** +**Update/AllowNonMicrosoftSignedUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -225,7 +230,7 @@ The following diagram shows the Update policies in a tree format.

      This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. -**Update/AllowUpdateService** +**Update/AllowUpdateService** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -245,7 +250,7 @@ The following diagram shows the Update policies in a tree format. > This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. -**Update/AutoRestartNotificationSchedule** +**Update/AutoRestartNotificationSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -256,7 +261,7 @@ The following diagram shows the Update policies in a tree format.

      The default value is 15 (minutes). -**Update/AutoRestartRequiredNotificationDismissal** +**Update/AutoRestartRequiredNotificationDismissal** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -268,7 +273,7 @@ The following diagram shows the Update policies in a tree format. - 1 (default) – Auto Dismissal. - 2 – User Dismissal. -**Update/BranchReadinessLevel** +**Update/BranchReadinessLevel** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -280,7 +285,7 @@ The following diagram shows the Update policies in a tree format. - 16 (default) – User gets all applicable upgrades from Current Branch (CB). - 32 – User gets upgrades from Current Branch for Business (CBB). -**Update/DeferFeatureUpdatesPeriodInDays** +**Update/DeferFeatureUpdatesPeriodInDays** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.

      Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -290,7 +295,7 @@ The following diagram shows the Update policies in a tree format.

      Supported values are 0-180. -**Update/DeferQualityUpdatesPeriodInDays** +**Update/DeferQualityUpdatesPeriodInDays** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -299,7 +304,7 @@ The following diagram shows the Update policies in a tree format.

      Supported values are 0-30. -**Update/DeferUpdatePeriod** +**Update/DeferUpdatePeriod** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise > @@ -371,7 +376,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      -**Update/DeferUpgradePeriod** +**Update/DeferUpgradePeriod** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > @@ -388,7 +393,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -**Update/EngagedRestartDeadline** +**Update/EngagedRestartDeadline** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -399,7 +404,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      The default value is 0 days (not specified). -**Update/EngagedRestartSnoozeSchedule** +**Update/EngagedRestartSnoozeSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -410,7 +415,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      The default value is 3 days. -**Update/EngagedRestartTransitionSchedule** +**Update/EngagedRestartTransitionSchedule** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -421,7 +426,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      The default value is 7 days. -**Update/ExcludeWUDriversInQualityUpdate** +**Update/ExcludeWUDriversInQualityUpdate** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. > Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -433,8 +438,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Allow Windows Update drivers. - 1 – Exclude Windows Update drivers. -**Update/IgnoreMOAppDownloadLimit** -

      Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +**Update/IgnoreMOAppDownloadLimit** +

      Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. @@ -447,7 +452,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      To validate this policy: 1. Enable the policy ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` @@ -455,8 +460,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego 3. Verify that any downloads that are above the download size limit will complete without being paused. -**Update/IgnoreMOUpdateDownloadLimit** -

      Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. +**Update/IgnoreMOUpdateDownloadLimit** +

      Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. > [!WARNING] > Setting this policy might cause devices to incur costs from MO operators. @@ -469,13 +474,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      To validate this policy: 1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: +2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` 3. Verify that any downloads that are above the download size limit will complete without being paused. -**Update/PauseDeferrals** +**Update/PauseDeferrals** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise > @@ -493,7 +498,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -**Update/PauseFeatureUpdates** +**Update/PauseFeatureUpdates** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.

      Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. @@ -506,7 +511,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Feature Updates are not paused. - 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. -**Update/PauseQualityUpdates** +**Update/PauseQualityUpdates** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -518,7 +523,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Quality Updates are not paused. - 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. -**Update/RequireDeferUpgrade** +**Update/RequireDeferUpgrade** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise > @@ -532,7 +537,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – User gets upgrades from Current Branch. - 1 – User gets upgrades from Current Branch for Business. -**Update/RequireUpdateApproval** +**Update/RequireUpdateApproval** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise 
@@ -552,7 +557,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 – Not configured. The device installs all applicable updates. - 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. -**Update/ScheduleImminentRestartWarning** +**Update/ScheduleImminentRestartWarning** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -563,7 +568,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      The default value is 15 (minutes). -**Update/ScheduledInstallDay** +**Update/ScheduledInstallDay** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -585,7 +590,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 6 – Friday - 7 – Saturday -**Update/ScheduledInstallTime** +**Update/ScheduledInstallTime** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -600,7 +605,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      The default value is 3. -**Update/ScheduleRestartWarning** +**Update/ScheduleRestartWarning** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -611,7 +616,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

      The default value is 4 (hours). -**Update/SetAutoRestartNotificationDisable** +**Update/SetAutoRestartNotificationDisable** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise @@ -623,11 +628,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Enabled - 1 – Disabled -**Update/UpdateServiceUrl** +**Update/UpdateServiceUrl** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -> [!Important] +> [!Important] > Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise.

      Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. @@ -657,7 +662,7 @@ Example ``` -**Update/UpdateServiceUrlAlternate** +**Update/UpdateServiceUrlAlternate** > **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. @@ -669,9 +674,9 @@ Example

      Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. -> [!Note] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. +> [!Note] +> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. +> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. > This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. ### Update management @@ -680,12 +685,12 @@ The enterprise IT can configure the set of approved updates and get compliance s ![update csp diagram](images/provisioning-csp-update.png) -**Update** +**Update** The root node. Supported operation is Get. -**ApprovedUpdates** +**ApprovedUpdates** Node for update approvals and EULA acceptance on behalf of the end-user. > **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. 
@@ -700,10 +705,10 @@ The update approval list enables IT to approve individual updates and update cla Supported operations are Get and Add. -**ApprovedUpdates/****_Approved Update Guid_** +**ApprovedUpdates/****_Approved Update Guid_** Specifies the update GUID. -To auto-approve a class of updates, you can specify the [Update Classifications](http://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +To auto-approve a class of updates, you can specify the [Update Classifications](https://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. Supported operations are Get and Add. 
@@ -713,52 +718,52 @@ Sample syncml: ./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d ``` -**ApprovedUpdates/*Approved Update Guid*/ApprovedTime** +**ApprovedUpdates/*Approved Update Guid*/ApprovedTime** Specifies the time the update gets approved. Supported operations are Get and Add. -**FailedUpdates** +**FailedUpdates** Specifies the approved updates that failed to install on a device. Supported operation is Get. -**FailedUpdates/****_Failed Update Guid_** +**FailedUpdates/****_Failed Update Guid_** Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install. Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/HResult** +**FailedUpdates/*Failed Update Guid*/HResult** The update failure error code. Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** +**FailedUpdates/*Failed Update Guid*/Status** Specifies the failed update status (for example, download, install). Supported operation is Get. -**InstalledUpdates** +**InstalledUpdates** The updates that are installed on the device. Supported operation is Get. -**InstalledUpdates/****_Installed Update Guid_** +**InstalledUpdates/****_Installed Update Guid_** UpdateIDs that represent the updates installed on a device. Supported operation is Get. -**InstallableUpdates** +**InstallableUpdates** The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved. Supported operation is Get. -**InstallableUpdates/****_Installable Update Guid_** +**InstallableUpdates/****_Installable Update Guid_** Update identifiers that represent the updates applicable and not installed on a device. Supported operation is Get. -**InstallableUpdates/*Installable Update Guid*/Type** +**InstallableUpdates/*Installable Update Guid*/Type** The UpdateClassification value of the update. Valid values are: - 0 - None 
@@ -767,32 +772,32 @@ The UpdateClassification value of the update. Valid values are: Supported operation is Get. -**InstallableUpdates/*Installable Update Guid*/RevisionNumber** +**InstallableUpdates/*Installable Update Guid*/RevisionNumber** The revision number for the update that must be passed in server to server sync to get the metadata for the update. Supported operation is Get. -**PendingRebootUpdates** +**PendingRebootUpdates** The updates that require a reboot to complete the update session. Supported operation is Get. -**PendingRebootUpdates/****_Pending Reboot Update Guid_** +**PendingRebootUpdates/****_Pending Reboot Update Guid_** Update identifiers for the pending reboot state. Supported operation is Get. -**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** +**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** The time the update is installed. Supported operation is Get. -**LastSuccessfulScanTime** +**LastSuccessfulScanTime** The last successful scan time. Supported operation is Get. -**DeferUpgrade** +**DeferUpgrade** Upgrades deferred until the next period. Supported operation is Get. diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 89a798ab13..a20317c21f 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/26/2018 --- # DeviceStatus CSP 
@@ -178,11 +178,24 @@ Supported operation is Get.
 **DeviceStatus/Antispyware/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
+Valid values:
+
+- 0 - The security software reports that it is not the most recent version.
+- 1 - The security software reports that it is the most recent version.
+- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
+
 Supported operation is Get.
 **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware.
+Valid values:
+
+- 0 - The status of the security provider category is good and does not need user attention.
+- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC).
+- 2 - The status of the security provider category is poor and the computer may be at risk.
+- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer.
+
 Supported operation is Get.
 **DeviceStatus/Firewall**
diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
index 13878c6f74..4d3c1904a5 100644
--- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
@@ -42,7 +42,7 @@ In Windows, after the user confirms the account deletion command and before the
 This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
-> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).
+> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).
   The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index 4d50badd48..710e19855a 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -93,8 +93,8 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me text/plain chr - <SyncML> - <SyncBody><Replace><CmdID>1001</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace><Final/></SyncBody></SyncML> + + 1001./Vendor/MSFT/Policy/Config/Experience/AllowCortanaint0 @@ -108,15 +108,15 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me chr - <rule schemaVersion="1.0"> + - <and> - <signal type="geoloc" latitude="47.6375" longitude="-122.1402" radiusInMeters="100"/> - <signal type="time"> - <daily startTime="09:00:00" endTime="17:00:00"/> - </signal> - </and> - </rule> + + + + + + + @@ -147,31 +147,31 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew text/plain chr - <SyncML> - <SyncBody><Replace><CmdID>1002</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace> <Final/></SyncBody></SyncML> + + 1002./Vendor/MSFT/Policy/Config/Camera/AllowCameraint0 301 - ./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /SignalDefinition + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/SignalDefinition text/plain chr - <rule schemaVersion="1.0"> - <and> - <signal type="ipConfig"> - <ipv4Gateway>192.168.0.1</ipv4Gateway> - </signal> - <signal type="time"> - <daily startTime="09:00:00" endTime="17:00:00"/> - </signal> - </and> - </rule> + + + + 192.168.0.1 + + + + + + @@ -179,7 +179,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew 302 - ./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /Altitude + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/Altitude int 
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index a17fca7628..d5e7c87b9c 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -23,33 +23,33 @@ The following diagram shows the EnterpriseAppManagement configuration service pr ![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png) -***EnterpriseID*** +***EnterpriseID*** Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. Supported operations are Add, Delete, and Get. -***EnterpriseID*/EnrollmentToken** +***EnterpriseID*/EnrollmentToken** Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic. Supported operations are Get, Add, and Replace. -***EnterpriseID*/StoreProductID** +***EnterpriseID*/StoreProductID** Required. The node to host the ProductId node. Scope is dynamic. Supported operation is Get. -**/StoreProductID/ProductId** +**/StoreProductID/ProductId** The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic. Supported operations are Get and Add. -***EnterpriseID*/StoreUri** +***EnterpriseID*/StoreUri** Optional. The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic. Supported operations are Get and Add. -***EnterpriseID*/CertificateSearchCriteria** -Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. 
The X.500 name must conform to the format required by the [CertStrToName](http://go.microsoft.com/fwlink/p/?LinkId=523869) function. This search parameter is case sensitive. Scope is dynamic. +***EnterpriseID*/CertificateSearchCriteria** +Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](https://go.microsoft.com/fwlink/p/?LinkId=523869) function. This search parameter is case sensitive. Scope is dynamic. Supported operations are Get and Add. 
@@ -57,77 +57,77 @@ Supported operations are Get and Add.   -***EnterpriseID*/Status** +***EnterpriseID*/Status** Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic. Supported operation is Get. -***EnterpriseID*/CRLCheck** +***EnterpriseID*/CRLCheck** Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic. Supported operations are Get, Add, and Replace. -***EnterpriseID*/EnterpriseApps** +***EnterpriseID*/EnterpriseApps** Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider). Supported operation is Get. -**/EnterpriseApps/Inventory** +**/EnterpriseApps/Inventory** Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider). Supported operation is Get. -**/Inventory/****_ProductID_** +**/Inventory/****_ProductID_** Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic. Supported operation is Get. -**/Inventory/*ProductID*/Version** +**/Inventory/*ProductID*/Version** Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic. Supported operation is Get. -**/Inventory/*ProductID*/Title** +**/Inventory/*ProductID*/Title** Required. The character string that contains the name of the installed enterprise application. Scope is dynamic. Supported operation is Get. -**/Inventory/*ProductID*/Publisher** +**/Inventory/*ProductID*/Publisher** Required. 
The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic. Supported operation is Get. -**/Inventory/*ProductID*/InstallDate** +**/Inventory/*ProductID*/InstallDate** Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic. Supported operation is Get. -**/EnterpriseApps/Download** +**/EnterpriseApps/Download** Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic. Supported operation is Get. -**/Download/****_ProductID_** +**/Download/****_ProductID_** Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic. Supported operations are Get, Add, and Replace. -**/Download/*ProductID*/Version** +**/Download/*ProductID*/Version** Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic. Supported operations are Get, Add, and Replace. -**/Download/*ProductID*/Name** +**/Download/*ProductID*/Name** Required. The character string that contains the name of the installed application. Scope is dynamic. Supported operation is Get. -**/Download/*ProductID*/URL** +**/Download/*ProductID*/URL** Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic. Supported operations are Get, Add, and Replace. -**/Download/*ProductID*/Status** +**/Download/*ProductID*/Status** Required. The integer value that indicates the status of the current download process. The following table shows the possible values. 
@@ -175,15 +175,15 @@ Required. The integer value that indicates the status of the current download pr Scope is dynamic. Supported operations are Get, Add, and Replace. -**/Download/*ProductID*/LastError** +**/Download/*ProductID*/LastError** Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic. Supported operation is Get. -**/Download/*ProductID*/LastErrorDesc** +**/Download/*ProductID*/LastErrorDesc** Required. The character string that contains the human readable description of the last error code. -**/Download/*ProductID*/DownloadInstall** +**/Download/*ProductID*/DownloadInstall** Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic. Supported operation is Exec. @@ -342,7 +342,7 @@ Response from the device (that contains two installed applications): -./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index e5f202eacb..58bdfc9908 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md 
@@ -18,7 +18,7 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. -To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). +To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. @@ -26,13 +26,13 @@ The following diagram shows the EnterpriseAssignedAccess configuration service p The following list shows the characteristics and parameters. -**./Vendor/MSFT/EnterpriseAssignedAccess/** +**./Vendor/MSFT/EnterpriseAssignedAccess/** The root node for the EnterpriseAssignedAccess configuration service provider. Supported operations are Add, Delete, Get and Replace. -**AssignedAccess/** +**AssignedAccess/** The parent node of assigned access XML. -**AssignedAccess/AssignedAccessXml** +**AssignedAccess/AssignedAccessXml** The XML code that controls the assigned access settings that will be applied to the device. Supported operations are Add, Delete, Get and Replace. @@ -79,7 +79,7 @@ Application example: ``` syntax - Large 
@@ -90,7 +90,7 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.c - Large @@ -262,11 +262,11 @@ Here is an example for Windows 10, version 1703. ``` -**Quick action settings** +**Quick action settings** Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page). -> [!Note] +> [!Note] > Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
        @@ -323,27 +323,27 @@ Starting in Windows 10, version 1703, Quick action settings no longer require an - SystemSettings_System_Display_QuickAction_Brightness -In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. +In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. ``` syntax ``` -In this example for Windows 10, version 1511, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. +In this example for Windows 10, version 1511, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. ``` syntax - - - + + + - - + + - - - + + + ``` Here is an example for Windows 10, version 1703. @@ -363,7 +363,7 @@ Here is an example for Windows 10, version 1703. Entry | Description ----------- | ------------ Buttons | The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen. - +
        • Start

        • Back

        • @@ -374,12 +374,12 @@ Buttons | The following list identifies the hardware buttons on the device that
        • Custom3

        -> [!Note] -> Lock down of the Start button only prevents the press and hold event. +> [!Note] +> Lock down of the Start button only prevents the press and hold event. > > Custom buttons are hardware buttons that can be added to devices by OEMs. -Buttons example: +Buttons example: ``` syntax @@ -398,8 +398,8 @@ Buttons example: ``` The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users. -> [!Note] -> The lockdown settings for a button, per user role, will apply regardless of the button mapping. +> [!Note] +> The lockdown settings for a button, per user role, will apply regardless of the button mapping. > > Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role. @@ -415,7 +415,7 @@ To remap a button in lockdown XML, you supply the button name, the button event ``` -**Disabling navigation buttons** +**Disabling navigation buttons** To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press"). The following section contains a sample lockdown XML file that shows how to disable navigation buttons. @@ -496,7 +496,7 @@ Entry | Description ----------- | ------------ MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create. -> [!Important] +> [!Important] > If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps. MenuItems example: 
@@ -511,12 +511,12 @@ Entry | Description ----------- | ------------ Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. -> [!Important] +> [!Important] > If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. The following sample file contains configuration for enabling tile manipulation. -> [!Note] +> [!Note] > Tile manipulation is disabled when you don’t have a `` node in lockdown XML, or if you have a `` node but don’t have the `` node. ``` syntax 
@@ -596,25 +596,25 @@ Entry | Description CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.   -**LockscreenWallpaper/** +**LockscreenWallpaper/** The parent node of the lock screen-related parameters that let administrators query and manage the lock screen image on devices. Supported operations are Add, Delete, Get and Replace. -**LockscreenWallpaper/BGFileName** +**LockscreenWallpaper/BGFileName** The file name of the lock screen. The image file for the lock screen can be in .jpg or .png format and must not exceed 2 MB. The file name can also be in the Universal Naming Convention (UNC) format, in which case the device downloads it from the shared network and then sets it as the lock screen wallpaper. Supported operations are Add, Get, and Replace. -**Theme/** +**Theme/** The parent node of theme-related parameters. Supported operations are Add, Delete, Get and Replace. -**Theme/ThemeBackground** +**Theme/ThemeBackground** Indicates whether the background color is light or dark. Set to **0** for light; set to **1** for dark. Supported operations are Get and Replace. -**Theme/ThemeAccentColorID** +**Theme/ThemeAccentColorID** The accent color to apply as the foreground color for tiles, controls, and other visual elements on the device. The following table shows the possible values.
      @@ -724,22 +724,22 @@ The accent color to apply as the foreground color for tiles, controls, and other Supported operations are Get and Replace. -**Theme/ThemeAccentColorValue** +**Theme/ThemeAccentColorValue** A 6-character string for the accent color to apply to controls and other visual elements. To use a custom accent color for Enterprise, enter **151** for *ThemeAccentColorID* before *ThemeAccentColorValue* in lockdown XML. *ThemeAccentColorValue* configures the custom accent color using hex values for red, green, and blue, in RRGGBB format. For example, enter FF0000 for red. Supported operations are Get and Replace. -**PersistData** +**PersistData** Not supported in Windows 10. The parent node of whether to persist data that has been provisioned on the device. -**PersistData/PersistProvisionedData** +**PersistData/PersistProvisionedData** Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CSP](remotewipe-csp.md) instead. -**Clock/TimeZone/** +**Clock/TimeZone/** An integer that specifies the time zone of the device. The following table shows the possible values. Supported operations are Get and Replace. @@ -1172,8 +1172,8 @@ Supported operations are Get and Replace.
      -**Locale/Language/** -The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567). +**Locale/Language/** +The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](https://go.microsoft.com/fwlink/p/?LinkID=189567). The language setting is configured in the Default User profile only. @@ -1195,14 +1195,14 @@ The XML examples in this section show how to perform various tasks by using OMA The following example shows how to add a new policy. ``` syntax - -    -      -    - + +    +      +    + ``` ### Language @@ -1210,13 +1210,13 @@ The following example shows how to add a new policy. The following example shows how to specify the language to display on the device. ``` syntax - -    -      +    +      -    - +    + ``` ## OMA DM examples 
@@ -1229,20 +1229,20 @@ These XML examples show how to perform various tasks using OMA DM. The following example shows how to lock down a device. ``` syntax - - - - 2 - - - ./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml - - <?xml version="1.0" encoding="utf-8"?><HandheldLockdown version="1.0"><Default><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="2"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /><Button name="Search" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Default><RoleList><Role guid="{76C01983-A872-4C4E-B4C6-321EAC709CEA}" name="Associate"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role><Role guid="{8ABB8A10-4418-4467-9E18-99D11FA54E30}" name="Manager"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role></RoleList></HandheldLockdown> - - - - - + + + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml + + <?xml version="1.0" encoding="utf-8"?><HandheldLockdown version="1.0"><Default><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="2"/></Apps><Settings><System name="Microsoft.Themes" /><System 
name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /><Button name="Search" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Default><RoleList><Role guid="{76C01983-A872-4C4E-B4C6-321EAC709CEA}" name="Associate"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role><Role guid="{8ABB8A10-4418-4467-9E18-99D11FA54E30}" name="Manager"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role></RoleList></HandheldLockdown> + + + + + ``` ### Theme 
@@ -1250,66 +1250,66 @@ The following example shows how to lock down a device. The following example shows how to change the accent color to one of the standard colors. ``` syntax - -    -       -         1 -          -             -             ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID -             -             -               int -             -             -            7 -          -       -       -    + +    +       +         1 +          +             +             ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID +             +             +               int +             +             +            7 +          +       +       +    ``` The following example shows how to change the theme. ``` syntax - -    -       -           1 -           -               -                   ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground -               -               -                   int -               -               -               1 -           -       -       -    - + +    +       +           1 +           +               +                   ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground +               +               +                   int +               +               +               1 +           +       +       +    + ``` The following example shows how to set a custom theme accent color for the enterprise environment. ``` syntax - -    -      1 -       -          -             ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID -          -          -            int -          -          -         151 -       -    + +    +      1 +       +          +             ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID +          +          +            int +          +          +         151 +       +    2 @@ -1323,8 +1323,8 @@ The following example shows how to set a custom theme accent color for the enter FF0000 - - + + ``` ### Lock screen 
@@ -1332,55 +1332,55 @@ The following example shows how to set a custom theme accent color for the enter Use the examples in this section to set a new lock screen and manage the lock screen features. If using a UNC path, format the LocURI as \\\\host\\share\\image.jpg. ``` syntax -2 -    -      ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName -    -      chr -      text/plain -    -    c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg -    - +2 +    +      ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName +    +      chr +      text/plain +    +    c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg +    + ``` The following example shows how to query the device for the file being used as the lock screen. ``` syntax -2 -    -      ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName -    - +2 +    +      ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName +    + ``` The following example shows how to change the existing lock screen image to one of your choosing. ``` syntax - -    -       -         2 -          -             -               ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName -             -             -               chr -               text/plain -             -            c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg -          -       -       -    - + +    +       +         2 +          +             +               ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName +             +             +               chr +               text/plain +             +            c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg +          +       +       +    + ``` ### Time zone 
@@ -1388,45 +1388,45 @@ The following example shows how to change the existing lock screen image to one The following example shows how to set the time zone to UTC-07 Mountain Time (US & Canada). ``` syntax - -    -       -         2 -          -             -               ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone -             -             -               int -             -            500 -          -       -       -    - + +    +       +         2 +          +             +               ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone +             +             +               int +             +            500 +          +       +       +    + ``` The following example shows how to set the time zone to Pacific Standard Time (UTC-08:00) without observing daylight savings time (UTC+01:00). ``` syntax - -    -       -         2 -          -             -               ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone -             -             -               int -             -            400  -          -       -       -    - + +    +       +         2 +          +             +               ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone +             +             +               int +             +            400  +          +       +       +    + ``` ### Language 
@@ -1434,23 +1434,23 @@ The following example shows how to set the time zone to Pacific Standard Time (U The following example shows how to set the language. ``` syntax - -    -       -         1 -          -             -               ./Vendor/MSFT/EnterpriseAssignedAccess/Locale/Language -             -             -               int -             -            1033 -          -       -       -    - + +    +       +         1 +          +             +               ./Vendor/MSFT/EnterpriseAssignedAccess/Locale/Language +             +             +               int +             +            1033 +          +       +       +    + ``` ## Product IDs in Windows 10 Mobile diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index 2c036e00e7..221d222f22 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md 
@@ -21,34 +21,34 @@ The following diagram shows the EnterpriseDesktopAppManagement CSP in tree forma ![enterprisedesktopappmanagement csp](images/provisioning-csp-enterprisedesktopappmanagement.png) -**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** +**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** The root node for the EnterpriseDesktopAppManagement configuration service provider. -**MSI** +**MSI** Node for all settings. -**MSI/****_ProductID_** +**MSI/****_ProductID_** The MSI product code for the application. -**MSI/*ProductID*/Version** +**MSI/*ProductID*/Version** Version number. Value type is string. Supported operation is Get. -**MSI/*ProductID*/Name** +**MSI/*ProductID*/Name** Name of the application. Value type is string. Supported operation is Get. -**MSI/*ProductID*/Publisher** +**MSI/*ProductID*/Publisher** Publisher of application. Value type is string. Supported operation is Get. -**MSI/*ProductID*/InstallPath** +**MSI/*ProductID*/InstallPath** Installation path of the application. Value type is string. Supported operation is Get. -**MSI/*ProductID*/InstallDate** +**MSI/*ProductID*/InstallDate** Installation date of the application. Value type is string. Supported operation is Get. -**MSI/*ProductID*/DownloadInstall** +**MSI/*ProductID*/DownloadInstall** Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get. -In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. +In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. Here is an example: 
@@ -68,7 +68,7 @@ Here is an example: ``` -**MSI/*ProductID*/Status** +**MSI/*ProductID*/Status** Status of the application. Value type is string. Supported operation is Get. | Status | Value | @@ -86,23 +86,23 @@ Status of the application. Value type is string. Supported operation is Get.   -**MSI/*ProductID*/LastError** +**MSI/*ProductID*/LastError** The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. Value type is string. Supported operation is Get. -**MSI/*ProductID*/LastErrorDesc** +**MSI/*ProductID*/LastErrorDesc** Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned. Value type is string. Supported operation is Get. -**MSI/UpgradeCode** +**MSI/UpgradeCode** Added in the March service release of Windows 10, version 1607. -**MSI/UpgradeCode/_Guid_** +**MSI/UpgradeCode/_Guid_** Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed. -Value type is string. Supported operation is Get. +Value type is string. Supported operation is Get. ## Examples @@ -226,7 +226,7 @@ The following table describes the fields in the previous sample: https://dp2.com/packages/myApp.msi - + 134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3 
@@ -532,7 +532,7 @@ Properties can be specified in the package, passed through the command line, mod Here's a list of references: - [Using Windows Installer](https://technet.microsoft.com/library/cc782896.aspx) -- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](http://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx) +- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx) - SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D) ## Alert example diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index e600fe9c9e..febb95a255 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/24/2018 +ms.date: 08/27/2018 --- # EnterpriseModernAppManagement CSP @@ -127,8 +127,7 @@ Parameters:

    • User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed.
    • - - + Supported operation is Execute. 
@@ -164,6 +163,39 @@ Required. Used for managing apps from the Microsoft Store. Supported operations are Get and Delete. +**AppManagement/AppStore/ReleaseManagement** +Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. + +> [!Note] +> ReleaseManagement settings only apply to updates through the Microsoft Store. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** +Added in Windows 10, version 1809. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. + + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId** +Added in Windows 10, version 1809. Specifies the app channel ID. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId** +Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release they would like the user or device to be on. + +Value type is string. Supported operations are Add, Get, Replace, and Delete. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease** +Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. + +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId** +Added in Windows 10, version 1809. Returns the last user channel ID on the device. + +Value type is string. Supported operation is Get. 
+ +**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId** +Added in Windows 10, version 1809. Returns the last user release ID on the device. + +Value type is string. Supported operation is Get. + **.../****_PackageFamilyName_** Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. @@ -222,8 +254,6 @@ Required. Architecture of installed package. Value type is string. > [!Note] > Not applicable to XAP files. -  - Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/InstallLocation** @@ -231,7 +261,6 @@ Required. Install location of the app on the device. Value type is string. > [!Note] > Not applicable to XAP files. -   Supported operation is Get. 
@@ -360,13 +389,13 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M |False (not set) |Not configured |X64 flavor is picked | **.../_PackageFamilyName_/NonRemovable** -Added in Windows 10, next major version. Specifies if an app is nonremovable by the user. +Added in Windows 10, version 1809. Specifies if an app is nonremovable by the user. This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. -This setting requires admin permission. This can only be set per device, not per user. You can query the setting using AppInvetoryQuery or AppInventoryResults. +NonRemovable requires admin permission. This can only be set per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +Value type is integer. Supported operations are Add, Get, and Replace. Valid values: - 0 – app is not in the nonremovable app policy list @@ -382,12 +411,12 @@ Add an app to the nonremovable app policy list 1 - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable int - 0 + 1 @@ -395,24 +424,7 @@ Add an app to the nonremovable app policy list
      ``` -Delete an app from the nonremovable app policy list -``` - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable - - - - - - -``` - -Get list of apps in the nonremovable app policy list +Get the status for a particular app ``` @@ -420,7 +432,7 @@ Get list of apps in the nonremovable app policy list 1 - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable @@ -429,9 +441,9 @@ Get list of apps in the nonremovable app policy list ``` -Replace an app in the nonremovable app policy list -Data 0 = app is not in the app policy list -Data 1 = app is in the app policy list +Replace an app in the nonremovable app policy list +Data 0 = app is not in the app policy list +Data 1 = app is in the app policy list ``` @@ -439,7 +451,7 @@ Data 1 = app is in the app policy list 1 - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/Test123/NonRemovable + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable int diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 3bbc3d3401..10a37ce63c 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/23/2018 +ms.date: 07/27/2018 --- # EnterpriseModernAppManagement DDF 
@@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Enterpr Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax @@ -495,7 +495,6 @@ The XML below is for Windows 10, next major version. - @@ -581,7 +580,7 @@ The XML below is for Windows 10, next major version. - ReleaseId + ReleaseManagementId @@ -643,7 +642,7 @@ The XML below is for Windows 10, next major version. - ReleaseId + ReleaseManagementId diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 2a75d65c24..4d654c47d2 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -266,9 +266,9 @@ Sample syncxml to provision the firewall settings to evaluate
    • "DNS"
    • "WINS"
    • "Intranet"
    • -
    • "RemoteCorpNetwork"
    • +
    • "RmtIntranet"
    • "Internet"
    • -
    • "PlayToRenderers"
    • +
    • "Ply2Renders"
    • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
    • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
    • A valid IPv6 address.
    • diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 87aa4a054e..65c36b6e0d 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -27,7 +27,7 @@ The following diagram shows the HotSpot configuration service provider managemen ![hotspot csp (cp)](images/provisioning-csp-hotspot-cp.png) -**Enabled** +**Enabled** Required. Specifies whether to enable Internet sharing on the device. The default is false. If this is initially set to false, the feature is turned off and the Internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible. @@ -36,7 +36,7 @@ When this is set to true, the Internet sharing screen is added to Settings, thou This setting can be provisioned over the air, but it may require a reboot if Settings was open when this was enabled for the first time. -**DedicatedConnections** +**DedicatedConnections** Optional. Specifies the semicolon separated list of Connection Manager cellular connections that Internet sharing will use as the public connections. By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections. 
@@ -51,7 +51,7 @@ If the specified connections do not exist, Internet sharing will not start becau If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted. -**TetheringNAIConnection** +**TetheringNAIConnection** Optional. Specifies the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection. If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must use the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) to provision a TetheringNAI connection and then specify the provisioned connection in this node. 
@@ -66,63 +66,63 @@ If the specified connections do not exist, Internet sharing will not start becau If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted. -**MaxUsers** +**MaxUsers** Optional. Specifies the maximum number of simultaneous users that can be connected to a device while in a sharing state. The value must be between 1 and 8 inclusive. The default value is 5. If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted. -**MaxBluetoothUsers** +**MaxBluetoothUsers** Optional. Specifies the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. The value must be between 1 and 7 inclusive. The default value is 7. -**MOHelpNumber** +**MOHelpNumber** Optional. A mobile operator–specified device number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help. -**MOInfoLink** +**MOInfoLink** Optional. A mobile operator–specified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature. -**MOAppLink** +**MOAppLink** Optional. A Windows device application link that points to a preinstalled application, provided by the mobile operator, that will help a user to subscribe to the mobile operator’s Internet sharing service when Internet sharing is not provisioned or entitlement fails. The general format for the link is `app://MOapp`. -**MOHelpMessage** +**MOHelpMessage** Optional. Reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. 
The node takes a language-neutral registry value string, which has the following form: `@,-` -Where `` is the path to the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](http://msdn.microsoft.com/library/windows/desktop/dd374120.aspx) on MSDN. +Where `` is the path to the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx) on MSDN. > **Note**  MOAppLink is required to use the MOHelpMessage setting.   -**EntitlementRequired** +**EntitlementRequired** Optional. Specifies whether the device requires an entitlement check to determine if Internet sharing should be enabled. This node is set to a Boolean value. The default value is **True**. By default the Internet sharing service will check entitlement every time an attempt is made to enable Internet sharing. Internet sharing should be set to **False** for carrier-unlocked devices. -**EntitlementDll** +**EntitlementDll** Required if `EntitlementRequired` is set to true. The path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operator’s network. The value is a string that represents a valid file system path to the entitlement DLL. By default, the Internet sharing service fails entitlement checks if this setting is missing or empty. For more information, see [Creating an Entitlement DLL](#creating-entitlement-dll) later in this topic. -**EntitlementInterval** +**EntitlementInterval** Optional. The time interval, in seconds, between entitlement checks. The default value is 86,400 seconds (24 hours). If a periodic entitlement check fails, Internet sharing is automatically disabled. 
-**PeerlessTimeout** +**PeerlessTimeout** Optional. The time-out period, in minutes, after which Internet sharing should automatically turn off if there are no longer any active clients. This node can be set to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes. A reboot may be required before changes to this node take effect. -**PublicConnectionTimeout** +**PublicConnectionTimeout** Optional. The time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available. This node can be set to any value between 1 and 60 inclusive. The default value is 20 minutes. A time-out is required, so a value of 0 is not supported. Changes to this node require a reboot. -**MinWifiKeyLength** +**MinWifiKeyLength** > **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.   -**MinWifiSSIDLength** +**MinWifiSSIDLength** > **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.   diff --git a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png index cc7920f7f5..d3d33ff9f6 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png and b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png index fa27e9baf2..c4a743deeb 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ 
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
index f5cf62ff0f..6926801241 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
index 95d2fcf840..018354545f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-office.png b/windows/client-management/mdm/images/provisioning-csp-office.png
index c361494236..c6bf90a18a 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-office.png and b/windows/client-management/mdm/images/provisioning-csp-office.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png
index af267f4f6d..8f804b9185 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png and b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
index 69effac5fd..73494217f8 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png
index a066d9261e..6c4c961a58 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-tenantlockdown.png b/windows/client-management/mdm/images/provisioning-csp-tenantlockdown.png
new file mode 100644
index 0000000000..e788aebb52
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-tenantlockdown.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-uefi.png b/windows/client-management/mdm/images/provisioning-csp-uefi.png
index 6900dd0c83..42adcc7895 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-uefi.png and b/windows/client-management/mdm/images/provisioning-csp-uefi.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-wifi.png b/windows/client-management/mdm/images/provisioning-csp-wifi.png
index f5891084ea..28f5080466 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-wifi.png and b/windows/client-management/mdm/images/provisioning-csp-wifi.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
index c8f2721143..5d8eaab42f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png and b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png index 3345eb730c..07ca4f9982 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png and b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png differ diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 350fa8e7f2..a5e489976e 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -5,12 +5,12 @@ MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b -ms.author: maricia +ms.author: jdecker ms.topic: article ms.prod: w10 ms.technology: windows -author: MariciaAlforque -ms.date: 06/26/2017 +author: jdeckerms +ms.date: 09/12/2018 --- # Mobile device management 
@@ -23,7 +23,30 @@ There are two parts to the Windows 10 management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). + +## MDM security baseline + +With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. 
You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices. + +The MDM security baseline includes policies that cover the following areas: + +- Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall +- Restricting remote access to devices +- Setting credential requirements for passwords and PINs +- Restricting use of legacy technology +- Legacy technology policies that offer alternative solutions with modern technology +- And much more + +For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/). + + + + +## Learn about migrating to MDM + +When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy settings in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf). + ## Learn about device enrollment diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 933ae47c17..22cbf8519f 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
@@ -72,14 +72,14 @@ The Store for Business services rely on Azure Active Directory for authenticatio To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started: - Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) -- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021) -- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623023) +- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021) +- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623023) -For code samples, see [Microsoft Azure Active Directory Samples and Documentation](http://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=623026). +For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026). ## Configure your Azure AD application -Here are the steps to configure your Azure AD app. 
For additional information, see [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021): +Here are the steps to configure your Azure AD app. For additional information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021): 1. Log into Microsoft Azure Management Portal (https:manage.windowsazure.com) 2. Go to the Active Directory module. @@ -104,7 +104,7 @@ Here are the steps to configure your Azure AD app. For additional information, s ![business store management tool](images/businessstoreportalservices12.png) -9. Specify whether your app is multi-tenant or single tenant. For more information, see [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021). +9. Specify whether your app is multi-tenant or single tenant. For more information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021). ![business store management tool](images/businessstoreportalservices13.png) diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 7b07a5a2d0..75b369db78 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md 
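Review bot: The procedure in this hunk still tells readers to sign in at `https:manage.windowsazure.com`, which is missing the `//` after the scheme and so is not a usable URL; since the hunk is already converting the surrounding references to https, fix it in the same pass: `1. Log into Microsoft Azure Management Portal (https://manage.windowsazure.com)`. It also still routes app registration through the classic management portal; if that is no longer the supported place to register an app and grant API permissions, a one-line pointer to the current portal would keep those security-relevant steps from being done in the wrong place — I cannot confirm the portal status from this diff. The numbered procedure continues past the end of the hunk.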
@@ -32,20 +32,20 @@ The enrollment process includes the following steps: ## Enrollment protocol -There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: -**Discovery request** +**Discovery request** The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type. -**Certificate enrollment policy** -The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). 
For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619345) +**Certificate enrollment policy** +The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619345) -**Certificate enrollment** +**Certificate enrollment** The certificate enrollment is an implementation of the MS-WSTEP protocol. -**Management configuration** +**Management configuration** The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. The following topics describe the end-to-end enrollment process using various authentication methods: diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 9b846e226a..563f13334a 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/12/2018 +ms.date: 08/29/2018 --- # NetworkProxy CSP 
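Review bot: The `[MS-MDE2]` link on the new side of the first changed line still uses `http://` and keeps a stray space after the opening parenthesis, while the `[MS-MDM]` link in the same sentence was moved to `https://`; a plaintext link to the enrollment protocol specification is exactly what this commit is cleaning up, so change it to `[\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347)`. The reworded **Discovery request** paragraph still describes the exchange as "a simple HTTP post call that returns XML over HTTP"; because that response carries the authentication and management-service URLs the device will trust, it is worth stating the transport the protocol actually requires (TLS or not) so readers do not assume plaintext is acceptable — I cannot verify the requirement from this diff alone. The enrollment-steps list continues beyond the end of the hunk.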
@@ -31,41 +31,53 @@ The following diagram shows the NetworkProxy configuration service provider in t ![networkproxy csp](images/provisioning-csp-networkproxy.png) **./Vendor/MSFT/NetworkProxy** -The root node for the NetworkProxy configuration service provider..

      +The root node for the NetworkProxy configuration service provider.. **ProxySettingsPerUser** -Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide; set to 1 for proxy configuratio per user. +Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide. + +Supported operations are Add, Get, Replace, and Delete. + +> [!Note] +> Per user proxy configuration setting is not supported. **AutoDetect** -Automatically detect settings. If enabled, the system tries to find the path to a PAC script.

      -Valid values:

      +Automatically detect settings. If enabled, the system tries to find the path to a PAC script. + +Valid values:
      • 0 - Disabled
      • 1 (default) - Enabled
      -The data type is int. Supported operations are Get and Replace.

      + +The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. **SetupScriptUrl** -Address to the PAC script you want to use.

      -The data type is string. Supported operations are Get and Replace.

      +Address to the PAC script you want to use. + +The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. **ProxyServer** -Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.

      -Supported operation is Get.

      +Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. + +Supported operation is Get. **ProxyAddress** -Address to the proxy server. Specify an address in the format <server>[“:”<port>]. 

      -The data type is string. Supported operations are Get and Replace.

      +Address to the proxy server. Specify an address in the format <server>[“:”<port>].  + +The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. **Exceptions** -Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. 

      -The data type is string. Supported operations are Get and Replace.

      +Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries.  + +The data type is string. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. **UseProxyForLocalAddresses** -Specifies whether the proxy server should be used for local (intranet) addresses. 

      -Valid values:

      +Specifies whether the proxy server should be used for local (intranet) addresses.  +Valid values:
      • 0 (default) - Do not use proxy server for local addresses
      • 1 - Use proxy server for local addresses
      -The data type is int. Supported operations are Get and Replace.

      + +The data type is int. Supported operations are Get and Replace. Starting in Window 10, version 1803, the Delete operation is also supported. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 80cdf791b0..432c713588 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/23/2018 +ms.date: 09/20/2018 --- # What's new in MDM enrollment and management @@ -18,7 +18,7 @@ ms.date: 07/23/2018 This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. -For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). ## In this section 
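Review bot: The five added sentences of the form "Starting in Window 10, version 1803, the Delete operation is also supported." (under AutoDetect, SetupScriptUrl, ProxyAddress, Exceptions and UseProxyForLocalAddresses) all misspell the product name and should read `Starting in Windows 10, version 1803, the Delete operation is also supported.` The rewritten **ProxySettingsPerUser** text now documents only the value 0 and then adds a note that per-user configuration is not supported, which leaves an MDM author unsure whether 1 is ignored or rejected; if 0 is the only supported value, say so, e.g. `Set to 0 for global, machine-wide proxy configuration; this is the only supported value.` — please confirm against the CSP behavior. The new root-node line also still ends with a doubled period (`provider..`).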
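Review bot: The `[MS-MDE2]` link in the replaced "For details about Microsoft mobile device management protocols" line is still `http://go.microsoft.com/fwlink/p/?LinkId=619347` with a leading space inside the parentheses, while the `[MS-MDM]` link beside it was upgraded to https; change it to `[\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347)` so both protocol references resolve over TLS. The same `http://` form of this link is also left behind in mobile-device-enrollment.md in this commit, so whatever sweep produced the other https changes apparently skipped links with a space after the opening parenthesis — worth re-running it with that pattern in mind.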
@@ -27,6 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What's new in Windows 10, version 1703](#whatsnew10) - [What's new in Windows 10, version 1709](#whatsnew1709) - [What's new in Windows 10, version 1803](#whatsnew1803) +- [What's new in Windows 10, version 1809](#whatsnew1809) - [Change history in MDM documentation](#change-history-in-mdm-documentation) - [Breaking changes and known issues](#breaking-changes-and-known-issues) - [Get command inside an atomic command is not supported](#getcommand) @@ -107,7 +108,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s

      Custom header for generic alert

      The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format:

      MDM-GenericAlert: <AlertType1><AlertType2> -

      If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).

      +

      If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).

      Alert message for slow client response

      @@ -845,7 +846,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +[Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)

      Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.

      @@ -1024,7 +1025,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s [Policy CSP](policy-configuration-service-provider.md) -

      Added the following new policies for Windows 10, version 1709:

      +

      Added the following new policies for Windows 10, version 1709:

      • Authentication/AllowAadPasswordReset
      • Authentication/AllowFidoDeviceSignon
      • @@ -1046,26 +1047,26 @@ For details about Microsoft mobile device management protocols for Windows 10 s
      • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
      • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
      • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
      • -
      • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
      • -
      • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
      • -
      • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      • -
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
      • -
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
      • -
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
      • -
      • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
      • -
      • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
      • -
      • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
      • -
      • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
      • -
      • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
      • -
      • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
      • +
      • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
      • +
      • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
      • +
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
      • +
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
      • +
      • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
      • +
      • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
      • +
      • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
      • +
      • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
      • Power/DisplayOffTimeoutOnBattery
      • Power/DisplayOffTimeoutPluggedIn
      • Power/HibernateTimeoutOnBattery
      • @@ -1168,38 +1169,39 @@ For details about Microsoft mobile device management protocols for Windows 10 s
      • KioskBrowser/EnableNavigationButtons
      • KioskBrowser/RestartOnIdleTime
      • LanmanWorkstation/EnableInsecureGuestLogons
      • -
      • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
      • -
      • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
      • -
      • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
      • +
      • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
      • +
      • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
      • +
      • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
      • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
      • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
      • LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
      • -
      • LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
      • -
      • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
      • -
      • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
      • -
      • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
      • -
      • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
      • -
      • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
      • -
      • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
      • -
      • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
      • -
      • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
      • -
      • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
      • -
      • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
      • -
      • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
      • +
      • LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges
      • +
      • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
      • +
      • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
      • +
      • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
      • +
      • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
      • +
      • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
      • +
      • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
      • +
      • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
      • +
      • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
      • +
      • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
      • +
      • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
      • +
      • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
      • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
      • -
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
      • -
      • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
      • -
      • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
      • -
      • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
      • +
      • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
      • +
      • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
      • +
      • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
      • +
      • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
      • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
      • -
      • Notifications/DisallowCloudNotification
      • +
      • Notifications/DisallowCloudNotification
      • RestrictedGroups/ConfigureGroupMembership
      • Search/AllowCortanaInAAD
      • Search/DoNotUseWebResults
      • Security/ConfigureWindowsPasswords
      • +
      • Start/DisableContextMenus
      • System/FeedbackHubAlwaysSaveDiagnosticsLocally
      • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
      • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
      • @@ -1220,38 +1222,38 @@ For details about Microsoft mobile device management protocols for Windows 10 s
      • Update/ConfigureFeatureUpdateUninstallPeriod
      • UserRights/AccessCredentialManagerAsTrustedCaller
      • UserRights/AccessFromNetwork
      • -
      • UserRights/ActAsPartOfTheOperatingSystem
      • -
      • UserRights/AllowLocalLogOn
      • -
      • UserRights/BackupFilesAndDirectories
      • -
      • UserRights/ChangeSystemTime
      • -
      • UserRights/CreateGlobalObjects
      • -
      • UserRights/CreatePageFile
      • -
      • UserRights/CreatePermanentSharedObjects
      • -
      • UserRights/CreateSymbolicLinks
      • -
      • UserRights/CreateToken
      • -
      • UserRights/DebugPrograms
      • -
      • UserRights/DenyAccessFromNetwork
      • -
      • UserRights/DenyLocalLogOn
      • -
      • UserRights/DenyRemoteDesktopServicesLogOn
      • -
      • UserRights/EnableDelegation
      • -
      • UserRights/GenerateSecurityAudits
      • -
      • UserRights/ImpersonateClient
      • -
      • UserRights/IncreaseSchedulingPriority
      • -
      • UserRights/LoadUnloadDeviceDrivers
      • -
      • UserRights/LockMemory
      • -
      • UserRights/ManageAuditingAndSecurityLog
      • -
      • UserRights/ManageVolume
      • -
      • UserRights/ModifyFirmwareEnvironment
      • -
      • UserRights/ModifyObjectLabel
      • -
      • UserRights/ProfileSingleProcess
      • -
      • UserRights/RemoteShutdown
      • -
      • UserRights/RestoreFilesAndDirectories
      • +
      • UserRights/ActAsPartOfTheOperatingSystem
      • +
      • UserRights/AllowLocalLogOn
      • +
      • UserRights/BackupFilesAndDirectories
      • +
      • UserRights/ChangeSystemTime
      • +
      • UserRights/CreateGlobalObjects
      • +
      • UserRights/CreatePageFile
      • +
      • UserRights/CreatePermanentSharedObjects
      • +
      • UserRights/CreateSymbolicLinks
      • +
      • UserRights/CreateToken
      • +
      • UserRights/DebugPrograms
      • +
      • UserRights/DenyAccessFromNetwork
      • +
      • UserRights/DenyLocalLogOn
      • +
      • UserRights/DenyRemoteDesktopServicesLogOn
      • +
      • UserRights/EnableDelegation
      • +
      • UserRights/GenerateSecurityAudits
      • +
      • UserRights/ImpersonateClient
      • +
      • UserRights/IncreaseSchedulingPriority
      • +
      • UserRights/LoadUnloadDeviceDrivers
      • +
      • UserRights/LockMemory
      • +
      • UserRights/ManageAuditingAndSecurityLog
      • +
      • UserRights/ManageVolume
      • +
      • UserRights/ModifyFirmwareEnvironment
      • +
      • UserRights/ModifyObjectLabel
      • +
      • UserRights/ProfileSingleProcess
      • +
      • UserRights/RemoteShutdown
      • +
      • UserRights/RestoreFilesAndDirectories
      • UserRights/TakeOwnership
      • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
      • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
      • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
      • WindowsDefenderSecurityCenter/HideSecureBoot
      • -
      • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
      • +
      • WindowsDefenderSecurityCenter/HideTPMTroubleshooting

      Security/RequireDeviceEncrption - updated to show it is supported in desktop.

      @@ -1347,7 +1349,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s

      Added a new CSP in Windows 10, version 1803.

      -[MDM Migration Analysis Too (MMAT)](http://aka.ms/mmat) +[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat)

      Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

      @@ -1357,6 +1359,139 @@ For details about Microsoft mobile device management protocols for Windows 10 s +## What's new in Windows 10, version 1809 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      New or updated topicDescription
      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies in Windows 10, version 1809:

      +
        +
      • ApplicationManagement/LaunchAppAfterLogOn
      • +
      • ApplicationManagement/ScheduleForceRestartForUpdateFailures
      • +
      • Authentication/EnableFastFirstSignIn
      • +
      • Authentication/EnableWebSignIn
      • +
      • Authentication/PreferredAadTenantDomainName
      • +
      • Browser/AllowFullScreenMode
      • +
      • Browser/AllowPrelaunch
      • +
      • Browser/AllowPrinting
      • +
      • Browser/AllowSavingHistory
      • +
      • Browser/AllowSideloadingOfExtensions
      • +
      • Browser/AllowTabPreloading
      • +
      • Browser/AllowWebContentOnNewTabPage
      • +
      • Browser/ConfigureFavoritesBar
      • +
      • Browser/ConfigureHomeButton
      • +
      • Browser/ConfigureKioskMode
      • +
      • Browser/ConfigureKioskResetAfterIdleTimeout
      • +
      • Browser/ConfigureOpenMicrosoftEdgeWith
      • +
      • Browser/ConfigureTelemetryForMicrosoft365Analytics
      • +
      • Browser/PreventCertErrorOverrides
      • +
      • Browser/SetHomeButtonURL
      • +
      • Browser/SetNewTabPageURL
      • +
      • Browser/UnlockHomeButton
      • +
      • Defender/CheckForSignaturesBeforeRunningScan
      • +
      • Defender/DisableCatchupFullScan
      • +
      • Defender/DisableCatchupQuickScan
      • +
      • Defender/EnableLowCPUPriority
      • +
      • Defender/SignatureUpdateFallbackOrder
      • +
      • Defender/SignatureUpdateFileSharesSources
      • +
      • DeviceGuard/ConfigureSystemGuardLaunch
      • +
      • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
      • +
      • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
      • +
      • DeviceInstallation/PreventDeviceMetadataFromNetwork
      • +
      • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
      • +
      • DmaGuard/DeviceEnumerationPolicy
      • +
      • Experience/AllowClipboardHistory
      • +
      • Experience/DoNotSyncBrowserSettings
      • +
      • Experience/PreventUsersFromTurningOnBrowserSyncing
      • +
      • Kerberos/UPNNameHints
      • +
      • Privacy/AllowCrossDeviceClipboard
      • +
      • Privacy/DisablePrivacyExperience
      • +
      • Privacy/UploadUserActivities
      • +
      • Security/RecoveryEnvironmentAuthentication
      • +
      • System/AllowDeviceNameInDiagnosticData
      • +
      • System/ConfigureMicrosoft365UploadEndpoint
      • +
      • System/DisableDeviceDelete
      • +
      • System/DisableDiagnosticDataViewer
      • +
      • Storage/RemovableDiskDenyWriteAccess
      • +
      • TaskManager/AllowEndTask
      • +
      • Update/EngagedRestartDeadlineForFeatureUpdates
      • +
      • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
      • +
      • Update/EngagedRestartTransitionScheduleForFeatureUpdates
      • +
      • Update/SetDisablePauseUXAccess
      • +
      • Update/SetDisableUXWUAccess
      • +
      • WindowsDefenderSecurityCenter/DisableClearTpmButton
      • +
      • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
      • +
      • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
      • +
      • WindowsLogon/DontDisplayNetworkSelectionUI
      • +
      +
      [PassportForWork CSP](passportforwork-csp.md)

      Added new settings in Windows 10, version 1809.

      +
      [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

      Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

      +
      [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)

      Added new configuration service provider in Windows 10, version 1809.

      +
      [WindowsLicensing CSP](windowslicensing-csp.md)

      Added S mode settings and SyncML examples in Windows 10, version 1809.

      +
      [SUPL CSP](supl-csp.md)

      Added 3 new certificate nodes in Windows 10, version 1809.

      +
      [Defender CSP](defender-csp.md)

      Added a new node Health/ProductStatus in Windows 10, version 1809.

      +
      [BitLocker CSP](bitlocker-csp.md)

      Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro.

      +
      [DevDetail CSP](devdetail-csp.md)

      Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

      +
      [Wifi CSP](wifi-csp.md)

      Added a new node WifiCost in Windows 10, version 1809.

      +
      [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

      Added new settings in Windows 10, version 1809.

      +
      [RemoteWipe CSP](remotewipe-csp.md)

      Added new settings in Windows 10, version 1809.

      +
      [TenantLockdown CSP](tenantlockdown-csp.md)

      Added new CSP in Windows 10, version 1809.

      +
      [Office CSP](office-csp.md)

      Added FinalStatus setting in Windows 10, version 1809.

      +
      + + ## Breaking changes and known issues ### Get command inside an atomic command is not supported @@ -1470,7 +1605,8 @@ The following list describes the prerequisites for a certificate to be used with The following XML sample explains the properties for the EAP TLS XML including certificate filtering. -> **Note**  For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. +>[!NOTE] +>For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.   ``` syntax @@ -1483,15 +1619,15 @@ The following XML sample explains the properties for the EAP TLS XML including c 0 0 - + - + 13 - + true @@ -1514,7 +1650,7 @@ The following XML sample explains the properties for the EAP TLS XML including c ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - + @@ -1522,15 +1658,15 @@ The following XML sample explains the properties for the EAP TLS XML including c - ContostoITEKU + ContostoITEKU - 1.3.6.1.4.1.311.42.1.15 + 1.3.6.1.4.1.311.42.1.15 - ContostoITEKU + ContostoITEKU @@ -1552,16 +1688,16 @@ The following XML sample explains the properties for the EAP TLS XML including c true - + - + - @@ -1572,7 +1708,8 @@ The following XML sample explains the properties for the EAP TLS XML including c ``` -> **Note**  The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** +>[!NOTE] +>The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd**   
@@ -1623,6 +1760,91 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### September 2018 + +|New or updated topic | Description| +|--- | ---| +|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).| +|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| + +### August 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      New or updated topicDescription
      [BitLocker CSP](bitlocker-csp.md)

      Added support for Windows 10 Pro starting in the version 1809.

      +
      [Office CSP](office-csp.md)

      Added FinalStatus setting in Windows 10, version 1809.

      +
      [RemoteWipe CSP](remotewipe-csp.md)

      Added new settings in Windows 10, version 1809.

      +
      [TenantLockdown CSP](\tenantlockdown--csp.md)

      Added new CSP in Windows 10, version 1809.

      +
      [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

      Added new settings in Windows 10, version 1809.

      +
      [Policy DDF file](policy-ddf-file.md)

      Posted an updated version of the Policy DDF for Windows 10, version 1809.

      +
      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies in Windows 10, version 1809:

      +
        +
      • Browser/AllowFullScreenMode
      • +
      • Browser/AllowPrelaunch
      • +
      • Browser/AllowPrinting
      • +
      • Browser/AllowSavingHistory
      • +
      • Browser/AllowSideloadingOfExtensions
      • +
      • Browser/AllowTabPreloading
      • +
      • Browser/AllowWebContentOnNewTabPage
      • +
      • Browser/ConfigureFavoritesBar
      • +
      • Browser/ConfigureHomeButton
      • +
      • Browser/ConfigureKioskMode
      • +
      • Browser/ConfigureKioskResetAfterIdleTimeout
      • +
      • Browser/ConfigureOpenMicrosoftEdgeWith
      • +
      • Browser/ConfigureTelemetryForMicrosoft365Analytics
      • +
      • Browser/PreventCertErrorOverrides
      • +
      • Browser/SetHomeButtonURL
      • +
      • Browser/SetNewTabPageURL
      • +
      • Browser/UnlockHomeButton
      • +
      • Experience/DoNotSyncBrowserSettings
      • +
      • Experience/PreventUsersFromTurningOnBrowserSyncing
      • +
      • Kerberos/UPNNameHints
      • +
      • Privacy/AllowCrossDeviceClipboard
      • +
      • Privacy/DisablePrivacyExperience
      • +
      • Privacy/UploadUserActivities
      • +
      • System/AllowDeviceNameInDiagnosticData
      • +
      • System/ConfigureMicrosoft365UploadEndpoint
      • +
      • System/DisableDeviceDelete
      • +
      • System/DisableDiagnosticDataViewer
      • +
      • Storage/RemovableDiskDenyWriteAccess
      • +
      • Update/UpdateNotificationLevel
      • +
      +

      Start/DisableContextMenus - added in Windows 10, version 1803.

      +

      RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.

      +
      + ### July 2018 @@ -1638,51 +1860,67 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware + + + + + + - - - - - - - - @@ -1713,7 +1951,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware - @@ -1725,7 +1963,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware - @@ -1740,7 +1978,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
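Review bot: In the added August 2018 table (hunk @@ -1623,6 +1760,91 @@), the TenantLockdown row links to `\tenantlockdown--csp.md`, with a leading backslash and a doubled hyphen, while the July 2018 row for the same topic links to `tenantlockdown-csp.md`; the row should read `[TenantLockdown CSP](tenantlockdown-csp.md)`. The backslash may be an artifact of how this page was extracted, so confirm against the raw file, but the doubled hyphen alone is enough to break the link. The rest of the table repeats rows already present under July 2018 (Office, RemoteWipe, WindowsDefenderApplicationGuard), which looks intentional for a monthly changelog but is worth a second look so the two sections do not drift apart.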
    • Start/StartLayout - added a table of SKU support information.
    • Start/ImportEdgeAssets - added a table of SKU support information.
    • -

      Added the following new policies in Windows 10, next major version:

      +

      Added the following new policies in Windows 10, version 1809:

      • Update/EngagedRestartDeadlineForFeatureUpdates
      • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
      • @@ -1751,7 +1989,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
      -
      [AssignedAccess CSP](assignedaccess-csp.md)

      Added the following note:

      +
        +
      • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
      • +
      +
      [PassportForWork CSP](passportforwork-csp.md)

      Added new settings in Windows 10, version 1809.

      +
      [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

      Added NonRemovable setting under AppManagement node.

      +

      Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

      [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)

      Added new configuration service provider.

      +

      Added new configuration service provider in Windows 10, version 1809.

      [WindowsLicensing CSP](windowslicensing-csp.md)

      Added S mode settings and SyncML examples.

      +

      Added S mode settings and SyncML examples in Windows 10, version 1809.

      [SUPL CSP](supl-csp.md)

      Added 3 new certificate nodes.

      +

      Added 3 new certificate nodes in Windows 10, version 1809.

      [Defender CSP](defender-csp.md)

      Added a new node Health/ProductStatus.

      +

      Added a new node Health/ProductStatus in Windows 10, version 1809.

      [BitLocker CSP](bitlocker-csp.md)

      Added a new node AllowStandardUserEncryption.

      +

      Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

      [DevDetail CSP](devdetail-csp.md)

      Added a new node SMBIOSSerialNumber.

      +

      Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies in Windows 10, next major version:

      +

      Added the following new policies in Windows 10, version 1809:

      • ApplicationManagement/LaunchAppAfterLogOn
      • ApplicationManagement/ScheduleForceRestartForUpdateFailures
      • +
      • Authentication/EnableFastFirstSignIn
      • +
      • Authentication/EnableWebSignIn
      • +
      • Authentication/PreferredAadTenantDomainName
      • Defender/CheckForSignaturesBeforeRunningScan
      • Defender/DisableCatchupFullScan
      • Defender/DisableCatchupQuickScan
      • Defender/EnableLowCPUPriority
      • -
      • Defender/SignatureUpdateFallbackOrder
      • -
      • Defender/SignatureUpdateFileSharesSources
      • +
      • Defender/SignatureUpdateFallbackOrder
      • +
      • Defender/SignatureUpdateFileSharesSources
      • +
      • DeviceGuard/ConfigureSystemGuardLaunch
      • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
      • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
      • DeviceInstallation/PreventDeviceMetadataFromNetwork
      • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
      • DmaGuard/DeviceEnumerationPolicy
      • Experience/AllowClipboardHistory
      • +
      • Security/RecoveryEnvironmentAuthentication
      • TaskManager/AllowEndTask
      • WindowsDefenderSecurityCenter/DisableClearTpmButton
      • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
      • @@ -1691,7 +1929,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

      Recent changes:

        -
      • DataUsage/SetCost3G - deprecated in Windows 10, next major version.
      • +
      • DataUsage/SetCost3G - deprecated in Windows 10, version 1809.
      [Wifi CSP](wifi-csp.md)

      Added a new node WifiCost.

      +

      Added a new node WifiCost in Windows 10, version 1809.

      [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
      [Bitlocker CSP](bitlocker-csp.md)

      Added new node AllowStandardUserEncryption.

      +

      Added new node AllowStandardUserEncryption in Windows 10, version 1809.

      [Policy CSP](policy-configuration-service-provider.md)
      [WiredNetwork CSP](wirednetwork-csp.md)New CSP added in Windows 10, next major version. +New CSP added in Windows 10, version 1809.
      @@ -1775,8 +2013,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Policy DDF file](policy-ddf-file.md)

      Updated the DDF files in the Windows 10 version 1703 and 1709.

        -
      • [Download the Policy DDF file for Windows 10, version 1709](http://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
      • -
      • [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
      • +
      • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
      • +
      • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
      @@ -1816,7 +2054,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

      Added a new CSP in Windows 10, version 1803.

      -[MDM Migration Analysis Too (MMAT)](http://aka.ms/mmat) +[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat)

      Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

      @@ -2022,26 +2260,26 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • KioskBrowser/EnableHomeButton
    • KioskBrowser/EnableNavigationButtons
    • KioskBrowser/RestartOnIdleTime
    • -
    • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
    • -
    • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • -
    • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • -
    • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
    • -
    • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
    • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
    • -
    • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • -
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    • -
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • -
    • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • -
    • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • -
    • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • +
    • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
    • +
    • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • +
    • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • +
    • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
    • +
    • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
    • +
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • +
    • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • +
    • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
    • +
    • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
    • +
    • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
    • +
    • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
    • +
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • +
    • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    • +
    • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • +
    • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • +
    • LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • +
    • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • RestrictedGroups/ConfigureGroupMembership
    • Search/AllowCortanaInAAD
    • Search/DoNotUseWebResults
    • @@ -2058,38 +2296,38 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • Update/ConfigureFeatureUpdateUninstallPeriod
    • UserRights/AccessCredentialManagerAsTrustedCaller
    • UserRights/AccessFromNetwork
    • -
    • UserRights/ActAsPartOfTheOperatingSystem
    • -
    • UserRights/AllowLocalLogOn
    • -
    • UserRights/BackupFilesAndDirectories
    • -
    • UserRights/ChangeSystemTime
    • -
    • UserRights/CreateGlobalObjects
    • -
    • UserRights/CreatePageFile
    • -
    • UserRights/CreatePermanentSharedObjects
    • -
    • UserRights/CreateSymbolicLinks
    • -
    • UserRights/CreateToken
    • -
    • UserRights/DebugPrograms
    • -
    • UserRights/DenyAccessFromNetwork
    • -
    • UserRights/DenyLocalLogOn
    • -
    • UserRights/DenyRemoteDesktopServicesLogOn
    • -
    • UserRights/EnableDelegation
    • -
    • UserRights/GenerateSecurityAudits
    • -
    • UserRights/ImpersonateClient
    • -
    • UserRights/IncreaseSchedulingPriority
    • -
    • UserRights/LoadUnloadDeviceDrivers
    • -
    • UserRights/LockMemory
    • -
    • UserRights/ManageAuditingAndSecurityLog
    • -
    • UserRights/ManageVolume
    • -
    • UserRights/ModifyFirmwareEnvironment
    • -
    • UserRights/ModifyObjectLabel
    • -
    • UserRights/ProfileSingleProcess
    • -
    • UserRights/RemoteShutdown
    • -
    • UserRights/RestoreFilesAndDirectories
    • +
    • UserRights/ActAsPartOfTheOperatingSystem
    • +
    • UserRights/AllowLocalLogOn
    • +
    • UserRights/BackupFilesAndDirectories
    • +
    • UserRights/ChangeSystemTime
    • +
    • UserRights/CreateGlobalObjects
    • +
    • UserRights/CreatePageFile
    • +
    • UserRights/CreatePermanentSharedObjects
    • +
    • UserRights/CreateSymbolicLinks
    • +
    • UserRights/CreateToken
    • +
    • UserRights/DebugPrograms
    • +
    • UserRights/DenyAccessFromNetwork
    • +
    • UserRights/DenyLocalLogOn
    • +
    • UserRights/DenyRemoteDesktopServicesLogOn
    • +
    • UserRights/EnableDelegation
    • +
    • UserRights/GenerateSecurityAudits
    • +
    • UserRights/ImpersonateClient
    • +
    • UserRights/IncreaseSchedulingPriority
    • +
    • UserRights/LoadUnloadDeviceDrivers
    • +
    • UserRights/LockMemory
    • +
    • UserRights/ManageAuditingAndSecurityLog
    • +
    • UserRights/ManageVolume
    • +
    • UserRights/ModifyFirmwareEnvironment
    • +
    • UserRights/ModifyObjectLabel
    • +
    • UserRights/ProfileSingleProcess
    • +
    • UserRights/RemoteShutdown
    • +
    • UserRights/RestoreFilesAndDirectories
    • UserRights/TakeOwnership
    • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
    • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
    • WindowsDefenderSecurityCenter/HideSecureBoot
    • -
    • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • +
    • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • Added the following policies the were added in Windows 10, version 1709

        @@ -2383,7 +2621,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Policy DDF file](policy-ddf-file.md) -Added another Policy DDF file [download](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies: +Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
        • Browser/AllowMicrosoftCompatibilityList
        • Update/DisableDualScan
        • @@ -2402,25 +2640,25 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
        • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
        • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
        • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
        • -
        • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
        • -
        • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
        • -
        • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
        • -
        • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
        • -
        • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
        • -
        • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
        • -
        • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
        • -
        • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
        • -
        • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
        • -
        • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
        • -
        • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
        • -
        • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
        • -
        • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
        • -
        • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
        • -
        • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
        • -
        • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
        • -
        • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
        • -
        • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
        • -
        • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
        • +
        • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
        • +
        • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
        • +
        • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
        • +
        • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
        • +
        • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
        • +
        • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
        • +
        • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
        • +
        • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
        • +
        • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
        • +
        • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
        • +
        • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
        • +
        • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
        • +
        • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
        • +
        • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
        • +
        • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
        • +
        • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
        • +
        • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
        • +
        • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
        • +
        • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
        • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
        • Privacy/EnableActivityFeed
        • Privacy/PublishUserActivities
        • @@ -2449,10 +2687,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## FAQ -**Can there be more than 1 MDM server to enroll and manage devices in Windows 10?** +**Can there be more than 1 MDM server to enroll and manage devices in Windows 10?** No. Only one MDM is allowed. -**How do I set the maximum number of Azure Active Directory joined devices per user?** +**How do I set the maximum number of Azure Active Directory joined devices per user?** 1. Login to the portal as tenant admin: https://manage.windowsazure.com. 2. Click Active Directory on the left pane. 3. Choose your tenant. 
@@ -2462,10 +2700,10 @@ No. Only one MDM is allowed. ![aad maximum joined devices](images/faq-max-devices.png)   -**What is dmwappushsvc?** +**What is dmwappushsvc?** -Entry | Description ---------------- | -------------------- +Entry | Description +--------------- | -------------------- What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. | How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. | diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 1a415c4fc3..0570cae0e3 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md 
@@ -6,13 +6,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/25/2018 +ms.date: 08/15/2018 --- # Office CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365). + This CSP was added in Windows 10, version 1703. For additional information, see [Office DDF](office-ddf.md). @@ -21,39 +24,44 @@ The following diagram shows the Office configuration service provider in tree fo ![Office CSP diagram](images/provisioning-csp-office.png) -**Office** - -

          The root node for the Office configuration service provider.

          +**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office** +The root node for the Office configuration service provider.

          **Installation** +Specifies the options for the Microsoft Office installation. -

          Specifies the options for the Microsoft Office installation. +The supported operations are Add, Delete, Get, and Replace. -

          The supported operations are Add, Delete, Get, and Replace. +**Installation/_id_** +Specifies a unique identifier that represents the ID of the Microsoft Office product to install. -**id** +The supported operations are Add, Delete, Get, and Replace. -

          Specifies a unique identifier that represents the ID of the Microsoft Office product to install. +**Installation/_id_/Install** +Installs Office by using the XML data specified in the configuration.xml file. -

          The supported operations are Add, Delete, Get, and Replace. +The supported operations are Get and Execute. -**Install** +**Installation/_id_/Status** +The Microsoft Office installation status. -

          Installs Office by using the XML data specified in the configuration.xml file. +The only supported operation is Get. -

          The supported operations are Get and Execute. +**Installation/_id_/FinalStatus** +Added in Windows 10, version 1809. Indicates the status of the Final Office 365 installation. -**Status** +The only supported operation is Get. -

          The Microsoft Office installation status. +Behavior: +- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it. +- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values: + - When status = 0: 70 (succeeded) + - When status != 0: 60 (failed) -

          The only supported operation is Get. +**Installation/CurrentStatus** +Returns an XML of current Office 365 installation status on the device. -**CurrentStatus** - -

          Returns an XML of current Office 365 installation status on the device. - -

          The only supported operation is Get. +The only supported operation is Get. ## Examples diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 99b5afb5b6..1fb6d40a20 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -7,17 +7,19 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 12/05/2017 +ms.date: 08/15/2018 --- # Office DDF +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML. Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, version 1709. +The XML below is for Windows 10, version 1809. ``` syntax @@ -33,7 +35,7 @@ The XML below is for Windows 10, version 1709. - Root of the Office CSP. + Root of the office CSP. @@ -44,7 +46,7 @@ The XML below is for Windows 10, version 1709. - com.microsoft/1.3/MDM/Office + com.microsoft/1.5/MDM/Office @@ -53,7 +55,7 @@ The XML below is for Windows 10, version 1709. - Installation options for the Office CSP. + Installation options for the office CSP. @@ -98,7 +100,7 @@ The XML below is for Windows 10, version 1709. - The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office. + The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. 
@@ -134,6 +136,27 @@ The XML below is for Windows 10, version 1709.
+
+ FinalStatus
+
+
+
+
+ Final Office 365 installation status.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
 CurrentStatus
@@ -175,7 +198,7 @@ The XML below is for Windows 10, version 1709.
- com.microsoft/1.3/MDM/Office
+ com.microsoft/1.5/MDM/Office
@@ -261,6 +284,27 @@ The XML below is for Windows 10, version 1709.
+
+ FinalStatus
+
+
+
+
+ Final Office 365 installation status.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
 CurrentStatus
@@ -287,13 +331,3 @@ The XML below is for Windows 10, version 1709.
 ```
- -  - -  - - - - - -
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index acfda5630f..c0369b83bb 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -13,7 +13,7 @@ ms.date: 06/26/2017
 # OMA DM protocol support
-The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).
+The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).
 ## In this topic
@@ -62,7 +62,7 @@ The following table shows the OMA DM standards that Windows uses.

          DM protocol commands

          -

          The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).

          +

          The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).

          • Add (Implicit Add supported)

          • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.

          • @@ -121,7 +121,7 @@ The following table shows the OMA DM standards that Windows uses.

            Provisioning Files

            -

            Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.

            +

            Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.

            If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.

            Note   @@ -133,7 +133,7 @@ The following table shows the OMA DM standards that Windows uses.

            WBXML support

            -

            Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.

            +

            Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.

            Handling of large objects

            @@ -146,7 +146,7 @@ The following table shows the OMA DM standards that Windows uses.
 ## OMA DM protocol common elements
-Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1\_1\_2-20030613-A) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
+Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1\_1\_2-20030613-A) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
@@ -303,13 +303,13 @@ The following table shows the sequence of events during a typical DM session.   
-The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (OMA-TS-DM\_RepPro-V1\_2-20070209-A) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
+The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (OMA-TS-DM\_RepPro-V1\_2-20070209-A) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
 During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started. If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the Chal element for next request.
-For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
+For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
 ## User targeted vs. Device targeted configuration
@@ -348,7 +348,7 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
 ## SyncML response status codes
-When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.
+When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.
 | Status code | Description |
 |-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 3dd02f716d..4b08386596 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -194,7 +194,7 @@ Supported operations are Add, Get, Delete, and Replace.
 *Not supported on Windows Holographic and Windows Holographic for Business.*
 ***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, next major version. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
+Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
 If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 06eabcf651..6f65055513 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Passpor
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, next major version.
+The XML below is for Windows 10, version 1809.
 ``` syntax
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 6ff4d2dc96..6f425c85b1 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/23/2018
+ms.date: 08/24/2018
 ---
 # Policy CSP
@@ -131,8 +131,6 @@ The following diagram shows the Policy configuration service provider in tree fo

            Supported operations are Add and Get. Does not support Delete.
-> [!Note]
-> The policies supported in Windows 10 S are the same as those supported in Windows 10 Pro with the exception of the policies under ApplicationDefaults. The ApplicationDefaults policies are not supported in Windows 10 S.
 ## Policies
@@ -365,6 +363,15 @@ The following diagram shows the Policy configuration service provider in tree fo

            Authentication/AllowSecondaryAuthenticationDevice
            +
            + Authentication/EnableFastFirstSignIn +
            +
            + Authentication/EnableWebSignIn +
            +
            + Authentication/PreferredAadTenantDomainName +
            ### Autoplay policies @@ -552,9 +559,6 @@ The following diagram shows the Policy configuration service provider in tree fo
            Browser/FirstRunURL
            -
            - Browser/ForceEnabledExtensions -
            Browser/HomePages
            @@ -900,6 +904,9 @@ The following diagram shows the Policy configuration service provider in tree fo
            DeliveryOptimization/DOAllowVPNPeerCaching
            +
            + DeliveryOptimization/DOCacheHost +
            DeliveryOptimization/DODelayBackgroundDownloadFromHttp
            @@ -979,6 +986,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### DeviceGuard policies
            +
            + DeviceGuard/ConfigureSystemGuardLaunch +
            DeviceGuard/EnableVirtualizationBasedSecurity
            @@ -1246,6 +1256,12 @@ The following diagram shows the Policy configuration service provider in tree fo
            Experience/DoNotShowFeedbackNotifications
            +
            + Experience/DoNotSyncBrowserSettings +
            +
            + Experience/PreventUsersFromTurningOnBrowserSyncing +
            ### ExploitGuard policies @@ -2044,6 +2060,9 @@ The following diagram shows the Policy configuration service provider in tree fo
            Kerberos/SetMaximumContextTokenSize
            +
            + Kerberos/UPNNameHints +
            ### KioskBrowser policies @@ -2449,6 +2468,9 @@ The following diagram shows the Policy configuration service provider in tree fo
            Privacy/DisableAdvertisingId
            +
            + Privacy/DisablePrivacyExperience +
            Privacy/EnableActivityFeed
            @@ -2897,6 +2919,9 @@ The following diagram shows the Policy configuration service provider in tree fo
            Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
            +
            + Security/RecoveryEnvironmentAuthentication +
            Security/RequireDeviceEncryption
            @@ -3010,6 +3035,9 @@ The following diagram shows the Policy configuration service provider in tree fo
            Start/AllowPinnedFolderVideos
            +
            + Start/DisableContextMenus +
            Start/ForceStartSize
            @@ -3078,6 +3106,9 @@ The following diagram shows the Policy configuration service provider in tree fo
            Storage/EnhancedStorageDevices
            +
            + Storage/RemovableDiskDenyWriteAccess +
            ### System policies @@ -3086,6 +3117,9 @@ The following diagram shows the Policy configuration service provider in tree fo
            System/AllowBuildPreview
            +
            + System/AllowDeviceNameInDiagnosticData +
            System/AllowEmbeddedMode
            @@ -3110,12 +3144,21 @@ The following diagram shows the Policy configuration service provider in tree fo
            System/BootStartDriverInitialization
            +
            + System/ConfigureMicrosoft365UploadEndpoint +
            System/ConfigureTelemetryOptInChangeNotification
            System/ConfigureTelemetryOptInSettingsUx
            +
            + System/DisableDeviceDelete +
            +
            + System/DisableDiagnosticDataViewer +
            System/DisableEnterpriseAuthProxy
            @@ -3419,6 +3462,9 @@ The following diagram shows the Policy configuration service provider in tree fo
            Update/SetEDURestart
            +
            + Update/UpdateNotificationLevel +
            Update/UpdateServiceUrl
            @@ -4176,7 +4222,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages)
 - [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry)
 - [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist)
-- [Browser/ForceEnabledExtensions](./policy-csp-browser.md#browser-forceenabledextensions)
 - [Browser/HomePages](./policy-csp-browser.md#browser-homepages)
 - [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites)
 - [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge)
@@ -4256,6 +4301,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
 - [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
 - [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
+- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
 - [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
 - [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
 - [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
@@ -4278,6 +4324,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
 - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
 - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch)
 - [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
 - [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
 - [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
@@ -4319,6 +4366,8 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips)
 - [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen)
 - [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications)
+- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting)
+- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing)
 - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings)
 - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer)
 - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption)
@@ -4669,6 +4718,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard)
 - [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization)
 - [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid)
+- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience)
 - [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed)
 - [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
 - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
@@ -4797,18 +4847,23 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell)
 - [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell)
 - [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate)
+- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus)
 - [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar)
 - [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps)
 - [Start/StartLayout](./policy-csp-start.md#start-startlayout)
 - [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates)
 - [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices)
 - [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview)
+- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata)
 - [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders)
 - [System/AllowLocation](./policy-csp-system.md#system-allowlocation)
 - [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry)
 - [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
+- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint)
 - [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification)
 - [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux)
+- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete)
+- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer)
 - [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy)
 - [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync)
 - [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
@@ -4868,6 +4923,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 - [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
 - [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
 - [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
+- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel)
 - [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
 - [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
 - [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 64e6764b0a..7b0ad06974 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Accounts
@@ -248,9 +248,4 @@ Footnote:
-
-## Accounts policies supported by Windows Holographic for Business
-
-- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
-
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 39cb905194..1c06c38801 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/11/2018
+ms.date: 08/08/2018
 ---
 # Policy CSP - ApplicationManagement
@@ -353,9 +353,8 @@ The following list shows the supported values:
-Specifies whether multiple users of the same app can share data.
-Most restricted value is 0.
+[!INCLUDE [allow-windows-app-to-share-data-users-shortdesc](../../../browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md)]
@@ -369,9 +368,10 @@ ADMX Info:
 The following list shows the supported values:
-- 0 (default) – Not allowed.
-- 1 – Allowed.
+- 0 (default) – Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
+- 1 – Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
+Most restricted value: 0
@@ -511,7 +511,7 @@ Value evaluation rule - The information for PolicyManager is opaque. There is no
-
+
@@ -632,7 +632,7 @@ For this policy to work, the Windows apps need to declare in their manifest that
-
+
@@ -695,7 +695,7 @@ This setting supports a range of values between 0 and 1.
-
+
@@ -759,7 +759,7 @@ This setting supports a range of values between 0 and 1.
-
+
@@ -1050,17 +1050,3 @@ Footnote:
-
-## ApplicationManagement policies supported by Windows Holographic for Business
-
-- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
-- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
-- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-
-
-
-## ApplicationManagement policies supported by IoT Core
-
-- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
-
-
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index ed8ae05a5c..d3d1e3c5a4 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 03/12/2018
+ms.date: 08/08/2018
 ---
 # Policy CSP - AppVirtualization
@@ -124,8 +124,8 @@ ms.date: 03/12/2018
-
-
+
+
@@ -182,8 +182,8 @@ ADMX Info:
-
-
+
+
@@ -240,8 +240,8 @@ ADMX Info:
-
-
+
+
@@ -298,8 +298,8 @@ ADMX Info:
-
-
+
+
@@ -356,8 +356,8 @@ ADMX Info:
-
-
+
+
@@ -414,8 +414,8 @@ ADMX Info:
-
-
+
+
@@ -482,8 +482,8 @@ ADMX Info:
-
-
+
+
@@ -540,8 +540,8 @@ ADMX Info:
-
-
+
+
@@ -598,8 +598,8 @@ ADMX Info:
-
-
+
+
@@ -656,8 +656,8 @@ ADMX Info:
-
-
+
+
@@ -714,8 +714,8 @@ ADMX Info:
-
-
+
+
@@ -772,8 +772,8 @@ ADMX Info:
-
-
+
+
@@ -830,8 +830,8 @@ ADMX Info:
-
-
+
+
@@ -906,8 +906,8 @@ ADMX Info:
-
-
+
+
@@ -982,8 +982,8 @@ ADMX Info:
-
-
+
+
@@ -1058,8 +1058,8 @@ ADMX Info:
-
-
+
+
@@ -1134,8 +1134,8 @@ ADMX Info:
-
-
+
+
@@ -1210,8 +1210,8 @@ ADMX Info:
-
-
+
+
@@ -1268,8 +1268,8 @@ ADMX Info:
-
-
+
+
@@ -1326,8 +1326,8 @@ ADMX Info:
-
-
+
+
@@ -1384,8 +1384,8 @@ ADMX Info:
-
-
+
+
@@ -1442,8 +1442,8 @@ ADMX Info:
-
-
+
+
@@ -1500,8 +1500,8 @@ ADMX Info:
-
-
+
+
@@ -1558,8 +1558,8 @@ ADMX Info:
-
-
+
+
@@ -1616,8 +1616,8 @@ ADMX Info:
-
-
+
+
@@ -1674,8 +1674,8 @@ ADMX Info:
-
-
+
+
@@ -1732,8 +1732,8 @@ ADMX Info:
-
-
+
+
@@ -1790,8 +1790,8 @@ ADMX Info:
-
-
+
+
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 1b134ed0ff..7578533727 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/30/2018
 ---
 # Policy CSP - Authentication
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
            @@ -34,6 +36,15 @@ ms.date: 05/14/2018
            Authentication/AllowSecondaryAuthenticationDevice
            +
            + Authentication/EnableFastFirstSignIn +
            +
            + Authentication/EnableWebSignIn +
            +
            + Authentication/PreferredAadTenantDomainName +
            @@ -302,6 +313,182 @@ The following list shows the supported values: + +
            +
+
+**Authentication/EnableFastFirstSignIn**
+
+
            cross mark cross markcheck mark1cross mark check mark1 check mark1 cross mark
            cross mark check mark4check mark4cross mark check mark4 check mark4 cross mark
            cross mark check mark4check mark4cross mark check mark4 check mark4 cross mark
            cross mark cross markcheck markcross mark check mark check mark check mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            cross markcheck markcheck markcross markcross mark check mark check mark cross mark
            + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. + +Value type is integer. Supported values: + +- 0 - (default) The feature defaults to the existing SKU and device capabilities. +- 1 - Enabled. Auto connect new non-admin AZure AD accounts to pre-configured candidate local accounts +- 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts + + + + + + + + + + + + + +
            + + +**Authentication/EnableWebSignIn** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). + +> [!Note] +> Web Sign-in is only supported on Azure AD Joined PCs. + +Value type is integer. Supported values: + +- 0 - (default) The feature defaults to the existing SKU and device capabilities. +- 1 - Enabled. Web Credential Provider will be enabled for Sign In +- 2 - Disabled. Web Credential Provider will not be enabled for Sign In + + + + + + + + + + + + + +
            + + +**Authentication/PreferredAadTenantDomainName** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +Specifies the preferred domain among available domains in the Azure AD tenant. + +Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", she would then be able to sign in using "abby" in the username field instead of "abby@contoso.com". + + +Value type is string. + + + + + + + + + + + +
            Footnote:
@@ -310,18 +497,6 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - - -## Authentication policies supported by Windows Holographic for Business - -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) - - - -## Authentication policies supported by IoT Core - -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) - -
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 1fb3b009d6..f73ed9e092 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/30/2018 --- # Policy CSP - Bluetooth
@@ -219,7 +219,7 @@ The following list shows the supported values: check mark4 check mark4 check mark4 - cross mark + check mark4 cross mark cross mark
@@ -243,7 +243,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to block user The following list shows the supported values: - 0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios -- 1 - Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios +- 1 - Allow (default). Allow users on these managed devices to use Swift Pair and other proximity based scenarios
@@ -439,30 +439,4 @@ Footnote: * The Surface pen uses the HID over GATT profile {00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} - -## Bluetooth policies supported by Windows Holographic for Business - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) - - - -## Bluetooth policies supported by IoT Core - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - - - -## Bluetooth policies supported by Microsoft Surface Hub - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) -
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index cbc9d1bf0b..8a423c3bec 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -6,7 +6,7 @@ ms.prod: w10 ms.technology: windows author: shortpatti ms.author: pashort -ms.date: 07/18/2018 +ms.date: 10/02/2018 --- # Policy CSP - Browser
@@ -135,9 +135,6 @@ ms.date: 07/18/2018
            Browser/FirstRunURL
            -
            - Browser/ForceEnabledExtensions -
            Browser/HomePages
            @@ -428,7 +425,16 @@ Most restricted value: 0 [!INCLUDE [allow-configuration-updates-for-books-library-shortdesc](../../../browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md)] + + +ADMX Info: +- GP English name: *Allow configuration updates for the Books Library* +- GP name: *AllowConfigurationUpdateForBooksLibrary* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + Supported values:
@@ -479,9 +485,6 @@ Supported values: [!INCLUDE [configure-cookies-shortdesc](../../../browsers/edge/shortdesc/configure-cookies-shortdesc.md)] - - - ADMX Info:
@@ -507,7 +510,7 @@ To verify AllowCookies is set to 0 (not allowed): 1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. 2. In the upper-right corner of the browser, click **…**. 3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Cookies** is greyed out. +4. Verify the setting **Cookies** is disabled.
@@ -700,8 +703,8 @@ ADMX Info: Supported values: -- 0 – Prevented/not allowed. -- 1 (default) – Allowed. +- 0 – Prevented/not allowed +- 1 (default) – Allowed
@@ -761,8 +764,8 @@ ADMX Info: Supported values: -- 0 – Prevented/not allowed. -- 1 (default) – Allowed. +- 0 – Prevented/not allowed +- 1 (default) – Allowed
@@ -806,7 +809,7 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../../../browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)]
@@ -824,9 +827,10 @@ ADMX Info: Supported values: - 0 – Load and run Adobe Flash content automatically. -- 1 (default) – Do not load or run Adobe Flash content automatically. Requires user action. +- 1 (default) – Does not load or run Adobe Flash content automatically. Requires action from the user. Most restricted value: 1 + 
@@ -869,7 +873,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-fullscreen-mode-shortdesc](../../../browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md)]
@@ -885,10 +888,12 @@ ADMX Info: Supported values: + - 0 - Prevented/not allowed - 1 (default) - Allowed Most restricted value: 0 +
@@ -915,7 +920,7 @@ Most restricted value: 0 Mobile Enterprise - check mark + cross mark check mark check mark check mark
@@ -939,8 +944,6 @@ Most restricted value: 0 [!INCLUDE [allow-inprivate-browsing-shortdesc](../../../browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md)] -Most restricted value: 0 - ADMX Info:
@@ -956,6 +959,8 @@ Supported values: - 0 – Prevented/not allowed - 1 (default) – Allowed +Most restricted value: 0 +
@@ -998,12 +1003,11 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../../../browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md)] -Most restricted value: 0
@@ -1020,6 +1024,8 @@ Supported values: - 0 – Prevented/not allowed - 1 (default) – Allowed +Most restricted value: 0 +
@@ -1077,7 +1083,7 @@ ADMX Info: Supported values: -- Blank - Users can shoose to save and manage passwords locally. +- Blank - Users can choose to save and manage passwords locally. - 0 – Not allowed. - 1 (default) – Allowed. 
@@ -1087,10 +1093,8 @@ Most restricted value: 0 To verify AllowPasswordManager is set to 0 (not allowed): -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the settings **Save Password** is disabled.
@@ -1154,14 +1158,13 @@ Supported values: - 1 – Turn on Pop-up Blocker stopping pop-up windows from opening. Most restricted value: 1 + To verify AllowPopups is set to 0 (not allowed): -1. Open Microsoft Edge. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Block pop-ups** is greyed out. +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the setting **Block pop-ups** is disabled.
@@ -1207,7 +1210,6 @@ To verify AllowPopups is set to 0 (not allowed): ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-prelaunch-shortdesc](../../../browsers/edge/shortdesc/allow-prelaunch-shortdesc.md)]
@@ -1222,10 +1224,12 @@ ADMX Info: Supported values: + - 0 - Prevented/not allowed - 1 (default) - Allowed Most restricted value: 0 +
@@ -1274,7 +1278,6 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-printing-shortdesc](../../../browsers/edge/shortdesc/allow-printing-shortdesc.md)]
@@ -1290,10 +1293,12 @@ ADMX Info: Supported values: + - 0 - Prevented/not allowed - 1 (default) - Allowed Most restricted value: 0 + 
@@ -1342,7 +1347,6 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-saving-history-shortdesc](../../../browsers/edge/shortdesc/allow-saving-history-shortdesc.md)]
@@ -1358,10 +1362,12 @@ ADMX Info: Supported values: + - 0 - Prevented/not allowed - 1 (default) - Allowed Most restricted value: 0 +
@@ -1411,7 +1417,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [allow-search-engine-customization-shortdesc](../../../browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md)]
@@ -1496,6 +1502,7 @@ Supported values: - 1 – Allowed. Show the search suggestions. Most restricted value: 0 +
@@ -1538,7 +1545,6 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-sideloading-of-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md)]
@@ -1546,7 +1552,7 @@ Most restricted value: 0 ADMX Info: -- GP English name: *Allow Sideloading of extension* +- GP English name: *Allow sideloading of Extensions* - GP name: *AllowSideloadingOfExtensions* - GP path: *Windows Components/Microsoft Edge* - GP ADMX file name: *MicrosoftEdge.admx*
@@ -1555,10 +1561,11 @@ ADMX Info: Supported values: -- 0 - Prevented, but does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). +- 0 - Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). - 1 (default) - Allowed. Most restricted value: 0 + 
@@ -1621,19 +1628,18 @@ ADMX Info: Supported values: -- Blank - Users can choose to use Windows Defender SmartScreen or not. +- Blank - Users can choose to use Windows Defender SmartScreen. - 0 – Turned off. Do not protect users from potential threats and prevent users from turning it on. - 1 (default) – Turned on. Protect users from potential threats and prevent users from turning it off. Most restricted value: 1 + To verify AllowSmartScreen is set to 0 (not allowed): -1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. -2. In the upper-right corner of the browser, click **…**. -3. Click **Settings** in the drop down list, and select **View Advanced Settings**. -4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. +1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. +2. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is disabled.
@@ -1677,7 +1683,6 @@ To verify AllowSmartScreen is set to 0 (not allowed): ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-tab-preloading-shortdesc](../../../browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md)]
@@ -1694,8 +1699,8 @@ ADMX Info: Supported values: -- 0 (default) - Allowed. Preload Start and New tab pages. -- 1 - Prevented/not allowed. +- 0 - Prevented/not allowed. +- 1 (default) - Allowed. Preload Start and New tab pages. Most restricted value: 1
@@ -1746,10 +1751,10 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] + ADMX Info:
@@ -1835,6 +1840,7 @@ Supported values: - 1 - Show the Books Library, regardless of the device’s country or region. Most restricted value: 0 + 
@@ -1877,7 +1883,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../../../browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)]
@@ -1897,6 +1903,7 @@ Supported values: - 1 – Allowed. Clear the browsing data upon exit automatically. Most restricted value: 1 + To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
@@ -1948,12 +1955,12 @@ To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [configure-additional-search-engines-shortdesc](../../../browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md)] > [!IMPORTANT] -> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  +> Due to Protected Settings (aka.ms/browserpolicy), this setting applies only on domain-joined machines or when the device is MDM-enrolled. 
@@ -2015,7 +2022,6 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [configure-favorites-bar-shortdesc](../../../browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md)]
@@ -2085,8 +2091,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [configure-home-button-shortdesc](../../../browsers/edge/shortdesc/configure-home-button-shortdesc.md)]
@@ -2109,7 +2113,7 @@ Supported values: - 3 - Hide home button. >[!TIP] ->If you want to make changes to this policy:
            1. Set the **Unlock Home Button** policy to 1 (enabled).
            2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
            3. Set the **Unlock Home Button** policy to 0 (disabled).
            +>If you want to make changes to this policy:
            1. Set **UnlockHomeButton** to 1 (enabled).
            2. Make changes to **ConfigureHomeButton** or **SetHomeButtonURL** policy.
            3. Set **UnlockHomeButton** 0 (disabled).
            @@ -2160,8 +2164,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)] 
@@ -2182,13 +2184,14 @@ ADMX Info: Supported values: -**0 (Default or not configured)**: +**0 (Default or not configured)**: - If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays. - If it’s one of many apps, Microsoft Edge runs as normal. -**1**: -- • If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. +**1**: +- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time. - If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge. + 
@@ -2237,12 +2240,11 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] -You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). +You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc).
@@ -2256,9 +2258,11 @@ ADMX Info: Supported values: + - **Any integer from 1-1440 (5 minutes is the default)** – The time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. A confirmation dialog displays for the user to cancel or continue and automatically continues after 30 seconds. - **0** – No idle timer. +
@@ -2307,8 +2311,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../../../browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md)]
@@ -2316,8 +2318,8 @@ Supported values: If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. -**Version 1810**:
            -When you enable this policy and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy. +**version 1809**:
            +When you enable this policy and select an option, and also enter the URLs of the pages you want in HomePages, Microsoft Edge ignores HomePages. @@ -2332,14 +2334,14 @@ ADMX Info: Supported values: -- Blank - If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. +- Blank - If you don't configure this policy and you set DisableLockdownOfStartPages to 1 (enabled), users can change or customize the Start page. - 0 - Load the Start page. - 1 - Load the New tab page. - 2 - Load the previous pages. - 3 (default) - Load a specific page or pages. >[!TIP] ->If you want to make changes to this policy:
            1. Set the Disabled Lockdown of Start Pages policy to 0 (not configured).
            2. Make changes to the Configure Open Microsoft With policy.
            3. Set the Disabled Lockdown of Start Pages policy to 1 (enabled).
            +>If you want to make changes to this policy:
            1. Set DisableLockdownOfStartPages to 0 (not configured).
            2. Make changes to ConfigureOpenEdgeWith.
            3. Set DisableLockdownOfStartPages to 1 (enabled).
            @@ -2390,8 +2392,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../../../browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)]
@@ -2462,7 +2462,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10* [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../../../browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]   
@@ -2486,8 +2486,8 @@ ADMX Info: Supported values: -- 0 – Locked. Lockdown the Start pages configured in either the Configure Open Microsoft Edge With policy or Configure Start Pages policy.  -- 1 (default) – Unlocked. Users can make changes to all configured start pages.

            When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. +- 0 – Lock down Start pages configured in either the ConfigureOpenEdgeWith policy and HomePages policy. +- 1 (default) – Unlocked. Users can make changes to all configured start pages.

            When you enable this policy and define a set of URLs in the HomePages policy, Microsoft Edge uses the URLs defined in the ConfigureOpenEdgeWith policy. Most restricted value: 0
@@ -2547,8 +2547,8 @@ ADMX Info: Supported values: -- 0 (default) - Gather and send only basic diagnotic data, depending on the device configuration. -- 1 - Gather both basic and additional data, such as usage data. +- 0 (default) - Gather and send only basic diagnostic data, depending on the device configuration. +- 1 - Gather all diagnostic data. Most restricted value: 0
@@ -2601,7 +2601,6 @@ Most restricted value: 0   - ADMX Info:
@@ -2616,7 +2615,8 @@ ADMX Info: Supported values: - 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. -- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box. +- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.

            For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). + @@ -2638,7 +2638,7 @@ Supported values: Mobile Enterprise - check mark + cross mark check mark check mark check mark @@ -2661,7 +2661,7 @@ Supported values: > [!IMPORTANT] -> We discontinued this policy in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. +> Discontinued in Windows 10, version 1511. Use the [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) policy instead. @@ -2710,73 +2710,11 @@ Supported values: Enter a URL in string format for the site you want to load when Microsoft Edge for Windows 10 Mobile opens for the first time, for example, contoso.com. -Data type = String -


            - -**Browser/ForceEnabledExtensions** - - - - - - - - - - - - - - - - - - - - - -
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
            - - - -This setting lets you decide which extensions should be always enabled. - - - -ADMX Info: -- GP name: *ForceEnabledExtensions* -- GP element: *ForceEnabledExtensions_List* -- GP ADMX file name: *MicrosoftEdge.admx* - - - - - - - - - - - - - -
            - **Browser/HomePages**
@@ -2826,7 +2764,7 @@ Starting with this version, the HomePages policy enforces that users cannot chan **Version 1703**
            If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL. -**Next Windows 10 major release**
            +**Version 1809**
            When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages your want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy.
@@ -2932,7 +2870,7 @@ Most restricted value: 1 Mobile Enterprise - check mark + cross mark check mark check mark check mark
@@ -2955,7 +2893,7 @@ Most restricted value: 1 -[!INCLUDE [prevent-changes-to-favorites-shortdesc](../../../browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md)] +[!INCLUDE [prevent-access-to-about-flags-page-shortdesc](../../../browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md)]
@@ -2970,7 +2908,7 @@ ADMX Info: Supported values: - 0 (default) – Allowed. -- 1 – Prevented/not allowed. Users cannot access the about:flags page. +- 1 – Prevents users from accessing the about:flags page. Most restricted value: 1
@@ -3015,7 +2953,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../../../browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md)]
@@ -3099,7 +3036,7 @@ ADMX Info: Supported values: -- 0 (default) – Allowed. Microsoft Edge loads the First Run webpage. +- 0 (default) – Allowed. Load the First Run webpage. - 1 – Prevented/not allowed. Most restricted value: 1
@@ -3145,7 +3082,7 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../../../browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md)] 
@@ -3161,7 +3098,7 @@ ADMX Info: Supported values: -- 0 (default) – Collect and send Live Tile metadata to Microsoft. +- 0 (default) – Collect and send Live Tile metadata. - 1 – No data collected. Most restricted value: 1 @@ -3291,6 +3228,73 @@ Most restricted value: 1
            + +**Browser/PreventTurningOffRequiredExtensions** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
            + + + +[!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../../../browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] + + + +ADMX Info: +- GP English name: *Prevent turning off required extensions* +- GP name: *PreventTurningOffRequiredExtensions* +- GP element: *PreventTurningOffRequiredExtensions_Prompt* +- GP path: *Windows Components/Microsoft Edge* +- GP ADMX file name: *MicrosoftEdge.admx* + + + +Supported values: + +- Blank (default) - Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. + +- String - Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

                  _Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

            After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

            Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + + + + + + + + + + +


            + **Browser/PreventUsingLocalHostIPAddressForWebRTC** @@ -3391,9 +3395,9 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, version 1709* +>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later* -[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../../../browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] +[!INCLUDE [provision-favorites-shortdesc](../../../browsers/edge/shortdesc/provision-favorites-shortdesc.md)]   Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. @@ -3401,14 +3405,14 @@ Define a default list of favorites in Microsoft Edge. In this case, the Save a F To define a default list of favorites: 1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. 2. Click **Import from another browser**, click **Export to file** and save the file. -3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

            Specify the URL as:

            • HTTP location: "SiteList"="http://localhost:8080/URLs.html"
            • Local network: "SiteList"="\\network\\shares\\URLs.html"
            • Local file: "SiteList"="file:///c:\\Users\\\\Documents\\URLs.html"
            +3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

            Specify the URL as:

            • HTTP location: "SiteList"=http://localhost:8080/URLs.html
            • Local network: "SiteList"="\network\shares\URLs.html"
            • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
            -> [!Important] -> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. +>[!IMPORTANT] +>Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. + -Data type = string @@ -3420,6 +3424,7 @@ ADMX Info: - GP ADMX file name: *MicrosoftEdge.admx* +
            @@ -3481,9 +3486,10 @@ ADMX Info: Supported values: - 0 (default) - All sites, including intranet sites, open in Microsoft Edge automatically. -- 1 - Only intranet sites open in Internet Explorer 11 automatically. Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser. +- 1 - Only intranet sites open in Internet Explorer 11 automatically.

            Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

            1. In Group Policy Editor, navigate to:

              **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.

            2. Refresh the policy and then view the affected sites in Microsoft Edge.

              A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

            Most restricted value: 0 + @@ -3549,7 +3555,7 @@ ADMX Info: Supported values: -- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the AllowSearchEngineCustomization policy, users cannot make changes. +- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](https://review.docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser?branch=microsoft-edge-preview#browser-allowsearchenginecustomization) policy, users cannot make changes. - 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. - 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

            Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

            If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

            If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. @@ -3596,8 +3602,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [set-home-button-url-shortdesc](../../../browsers/edge/shortdesc/set-home-button-url-shortdesc.md)] @@ -3665,8 +3669,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [set-new-tab-url-shortdesc](../../../browsers/edge/shortdesc/set-new-tab-url-shortdesc.md)] @@ -3711,7 +3713,7 @@ Supported values: Mobile Enterprise - check mark + cross mark check mark check mark check mark @@ -3798,7 +3800,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, version 1703* +>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later* [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../../../browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] @@ -3873,7 +3875,6 @@ To verify that favorites are in synchronized between Internet Explorer and Micro ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [unlock-home-button-shortdesc](../../../browsers/edge/shortdesc/unlock-home-button-shortdesc.md)] @@ -3890,7 +3891,7 @@ ADMX Info: Supported values: -- 0 (default) - Lock down the home button to prevent users from making changes to the settings. +- 0 (default) - Lock down and prevent users from making changes to the settings. - 1 - Let users make changes. 
@@ -3957,7 +3958,7 @@ ADMX Info: Supported values: - 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. -- 1 - Allowed. Microsoft Edge downloads book files into a shared folder. +- 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. Most restricted value: 0 
@@ -3970,61 +3971,7 @@ Footnote: - 2 - Supported versions, version 1703. - 3 - Supported versions, version 1709. - 4 - Supported versions, version 1803. -- 5 - Added in the next major update to Windows of Windows 10. +- 5 - Supported versions, version 1809. - -## Browser policies that can be set using Exchange Active Sync (EAS) - -- [Browser/AllowBrowser](#browser-allowbrowser) - - - -## Browser policies supported by Windows Holographic for Business - -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) - - - -## Browser policies supported by IoT Core - -- [Browser/AllowAutofill](#browser-allowautofill) -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowInPrivate](#browser-allowinprivate) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) - - - -## Browser policies supported by Microsoft Surface Hub - -- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- 
[Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- [Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) -- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) -- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) - - diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index b44471df4c..0712d689ac 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/16/2018 +ms.date: 08/08/2018 --- # Policy CSP - Cellular @@ -54,7 +54,7 @@ ms.date: 04/16/2018 Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3 @@ -126,7 +126,7 @@ The following list shows the supported values: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3 @@ -178,7 +178,7 @@ ADMX Info: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3 @@ -230,7 +230,7 @@ ADMX Info: Mobile Enterprise - check mark3 + cross mark check mark3 check mark3 check mark3 diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 26bd1f5d3e..0806fb596a 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md 
+++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Connectivity @@ -142,11 +142,11 @@ The following list shows the supported values: Mobile Enterprise - cross mark cross mark check mark - cross mark - cross mark + check mark + check mark + check mark check mark check mark @@ -264,7 +264,7 @@ To validate on mobile devices, do the following: Mobile Enterprise - check mark2 + check mark check mark2 check mark2 check mark2 
@@ -972,40 +972,5 @@ Footnote: - -## Connectivity policies that can be set using Exchange Active Sync (EAS) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) - - - -## Connectivity policies supported by Windows Holographic for Business - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - - - -## Connectivity policies supported by IoT Core - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowNFC](#connectivity-allownfc) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) - - - -## Connectivity policies supported by Microsoft Surface Hub - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) - diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 1295ab27a3..5369a3d16d 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -68,7 +68,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh > MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. -Note: This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. In Windows 10, next major version, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported. +Note: This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. In Windows 10, version 1809, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported. The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 285c21097a..b1a2f2dfa1 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -34,7 +34,7 @@ ms.date: 07/13/2018 **DataUsage/SetCost3G** -This policy is deprecated in Windows 10, next major version. +This policy is deprecated in Windows 10, version 1809. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index dd2367d211..78c970b208 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/03/2018 +ms.date: 08/08/2018 --- # Policy CSP - Defender @@ -955,8 +955,8 @@ The following list shows the supported values: Mobile Enterprise - cross mark - cross mark + check mark3 + check mark3 check mark3 check mark3 check mark3 @@ -1013,8 +1013,8 @@ ADMX Info: Mobile Enterprise - cross mark - cross mark + check mark3 + check mark3 check mark3 check mark3 check mark3 @@ -1208,7 +1208,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1280,7 +1280,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1342,7 +1342,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1397,7 +1397,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1655,7 +1655,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1788,7 +1788,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 104c932ccf..7c7ed13b63 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/06/2018 --- # Policy CSP - DeliveryOptimization +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


            @@ -25,6 +27,9 @@ ms.date: 05/14/2018
            DeliveryOptimization/DOAllowVPNPeerCaching
            +
            + DeliveryOptimization/DOCacheHost +
            DeliveryOptimization/DODelayBackgroundDownloadFromHttp
            @@ -217,6 +222,67 @@ The following list shows the supported values:
            + +**DeliveryOptimization/DOCacheHost** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +[Reserved for future use] + + + +ADMX Info: +- GP English name: *[Reserved for future use] Cache Server Hostname* +- GP name: *CacheHost* +- GP element: *CacheHost* +- GP path: *Windows Components/Delivery Optimization* +- GP ADMX file name: *DeliveryOptimization.admx* + + + + + + + + + + + + + +
            + **DeliveryOptimization/DODelayBackgroundDownloadFromHttp** @@ -1231,7 +1297,6 @@ ADMX Info: **DeliveryOptimization/DOPercentageMaxDownloadBandwidth** - [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -1501,6 +1566,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 8e395ec5f7..ac8fca65ac 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/08/2018 --- # Policy CSP - Desktop @@ -44,7 +44,7 @@ ms.date: 03/12/2018 cross mark check mark - check mark + cross mark check mark check mark cross mark diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 345a36f617..18694ad290 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 09/20/2018 --- # Policy CSP - DeviceGuard +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
            @@ -19,6 +21,9 @@ ms.date: 03/12/2018 ## DeviceGuard policies
            +
            + DeviceGuard/ConfigureSystemGuardLaunch +
            DeviceGuard/EnableVirtualizationBasedSecurity
            @@ -31,6 +36,75 @@ ms.date: 03/12/2018
            +
            + + +**DeviceGuard/ConfigureSystemGuardLaunch** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcross markcross markcheck mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy allows the IT admin to configure the launch of System Guard. + +Secure Launch configuration: + +- 0 - Unmanaged, configurable by Administrative user +- 1 - Enables Secure Launch if supported by hardware +- 2 - Disables Secure Launch. + +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). + + + +ADMX Info: +- GP English name: *Turn On Virtualization Based Security* +- GP name: *VirtualizationBasedSecurity* +- GP element: *SystemGuardDrop* +- GP path: *System/Device Guard* +- GP ADMX file name: *DeviceGuard.admx* + + + + + + + + + + + + +
            @@ -215,6 +289,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 46a6862046..94e15bf96e 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/08/2018 --- # Policy CSP - DeviceLock @@ -150,11 +150,11 @@ The following list shows the supported values: Mobile Enterprise - cross mark - cross mark check mark - cross mark - cross mark + check mark + check mark + check mark + check mark check mark check mark @@ -180,8 +180,6 @@ Specifies whether to show a user-configurable setting to control the screen time > [!NOTE] > This policy must be wrapped in an Atomic command. - - > [!IMPORTANT] > If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. @@ -508,8 +506,6 @@ Specifies how many passwords can be stored in the history that can’t be used. > [!NOTE] > This policy must be wrapped in an Atomic command. - - The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. Max policy value is the most restricted. 
@@ -543,8 +539,8 @@ The following list shows the supported values: Mobile Enterprise - cross mark - cross mark + check mark1 + check mark1 check mark1 check mark1 check mark1 @@ -993,7 +989,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1046,7 +1042,7 @@ GP Info: Mobile Enterprise - cross mark + check mark check mark check mark check mark @@ -1108,7 +1104,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark check mark check mark check mark 
@@ -1217,32 +1213,3 @@ Footnote: - -## DeviceLock policies that can be set using Exchange Active Sync (EAS) - -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) - - - -## DeviceLock policies supported by Windows Holographic for Business - -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) - - diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index 060689251b..7e1be2a448 100644 
--- a/windows/client-management/mdm/policy-csp-display.md +++ b/windows/client-management/mdm/policy-csp-display.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/08/2018 --- # Policy CSP - Display @@ -53,7 +53,7 @@ ms.date: 03/12/2018 Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -105,7 +105,7 @@ ADMX Info: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -177,7 +177,7 @@ The following list shows the supported values: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 0d4c0d64c5..2960d7874f 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -44,7 +44,7 @@ ms.date: 06/29/2018 Mobile Enterprise - check mark5 + cross mark check mark5 check mark5 check mark5 diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index e8f2b997fc..472aa8161b 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -246,10 +246,10 @@ The default value is an empty string. Otherwise, the value should contain the UR cross mark - cross mark - cross mark - cross mark - cross mark + check mark2 + check mark2 + check mark2 + check mark2 check mark2 check mark2 diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index f2dec99193..ab5ac2d009 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/13/2018 +ms.date: 07/30/2018 --- # Policy CSP - Experience @@ -18,7 +18,7 @@ ms.date: 07/13/2018
            -## Experience policies +## Experience policies
            @@ -90,13 +90,19 @@ ms.date: 07/13/2018
            Experience/DoNotShowFeedbackNotifications
            +
            + Experience/DoNotSyncBrowserSettings +
            +
            + Experience/PreventUsersFromTurningOnBrowserSyncing +

            -**Experience/AllowClipboardHistory** +**Experience/AllowClipboardHistory** @@ -133,13 +139,13 @@ ms.date: 07/13/2018 Allows history of clipboard items to be stored in memory. -Value type is integer. Supported values: +Value type is integer. Supported values: - 0 - Not allowed - 1 - Allowed (default) -ADMX Info: +ADMX Info: - GP English name: *Allow Clipboard History* - GP name: *AllowClipboardHistory* - GP path: *System/OS Policies* @@ -153,7 +159,7 @@ ADMX Info: -**Validation procedure** +**Validation procedure** 1. Configure Experiences/AllowClipboardHistory to 0. 1. Open Notepad (or any editor app), select a text, and copy it to the clipboard. @@ -167,7 +173,7 @@ ADMX Info:
            -**Experience/AllowCopyPaste** +**Experience/AllowCopyPaste**
            @@ -222,7 +228,7 @@ The following list shows the supported values:
            -**Experience/AllowCortana** +**Experience/AllowCortana**
            @@ -263,7 +269,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP English name: *Allow Cortana* - GP name: *AllowCortana* - GP path: *Windows Components/Search* @@ -282,7 +288,7 @@ The following list shows the supported values:
            -**Experience/AllowDeviceDiscovery** +**Experience/AllowDeviceDiscovery**
            @@ -336,7 +342,7 @@ The following list shows the supported values:
            -**Experience/AllowFindMyDevice** +**Experience/AllowFindMyDevice**
            @@ -352,7 +358,7 @@ The following list shows the supported values: - + @@ -379,7 +385,7 @@ When Find My Device is off, the device and its location are not registered and t -ADMX Info: +ADMX Info: - GP English name: *Turn On/Off Find My Device* - GP name: *FindMy_AllowFindMyDeviceConfig* - GP path: *Windows Components/Find My Device* @@ -398,7 +404,7 @@ The following list shows the supported values:
            -**Experience/AllowManualMDMUnenrollment** +**Experience/AllowManualMDMUnenrollment**
            cross mark check mark2check mark2cross mark check mark2 check mark2 check mark2
            @@ -454,7 +460,7 @@ The following list shows the supported values:
            -**Experience/AllowSIMErrorDialogPromptWhenNoSIM** +**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
            @@ -508,7 +514,7 @@ The following list shows the supported values:
            -**Experience/AllowSaveAsOfOfficeFiles** +**Experience/AllowSaveAsOfOfficeFiles** [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -528,7 +534,7 @@ This policy is deprecated.
            -**Experience/AllowScreenCapture** +**Experience/AllowScreenCapture**
            @@ -584,7 +590,7 @@ The following list shows the supported values:
            -**Experience/AllowSharingOfOfficeFiles** +**Experience/AllowSharingOfOfficeFiles** [Scope](./policy-configuration-service-provider.md#policy-scope): @@ -604,7 +610,7 @@ This policy is deprecated.
            -**Experience/AllowSyncMySettings** +**Experience/AllowSyncMySettings**
            @@ -639,7 +645,7 @@ This policy is deprecated. -Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). +Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). @@ -654,7 +660,7 @@ The following list shows the supported values:
            -**Experience/AllowTailoredExperiencesWithDiagnosticData** +**Experience/AllowTailoredExperiencesWithDiagnosticData**
            @@ -670,9 +676,9 @@ The following list shows the supported values: - - + + @@ -702,7 +708,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP English name: *Do not use diagnostic data for tailored experiences* - GP name: *DisableTailoredExperiencesWithDiagnosticData* - GP path: *Windows Components/Cloud Content* @@ -721,7 +727,7 @@ The following list shows the supported values:
            -**Experience/AllowTaskSwitcher** +**Experience/AllowTaskSwitcher**
            cross mark check mark2check mark2check mark2 cross markcheck mark2check mark2 cross mark cross mark
            @@ -775,7 +781,7 @@ The following list shows the supported values:
            -**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** +**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
            @@ -793,7 +799,7 @@ The following list shows the supported values: - + @@ -818,7 +824,7 @@ Specifies whether to allow app and content suggestions from third-party software -ADMX Info: +ADMX Info: - GP English name: *Do not suggest third-party content in Windows spotlight* - GP name: *DisableThirdPartySuggestions* - GP path: *Windows Components/Cloud Content* @@ -837,7 +843,7 @@ The following list shows the supported values:
            -**Experience/AllowVoiceRecording** +**Experience/AllowVoiceRecording**
            check mark1 check mark1 check mark1cross markcheck mark1 cross mark cross mark
            @@ -893,7 +899,7 @@ The following list shows the supported values:
            -**Experience/AllowWindowsConsumerFeatures** +**Experience/AllowWindowsConsumerFeatures**
            @@ -909,9 +915,9 @@ The following list shows the supported values: - - + + @@ -938,7 +944,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP English name: *Turn off Microsoft consumer experiences* - GP name: *DisableWindowsConsumerFeatures* - GP path: *Windows Components/Cloud Content* @@ -957,7 +963,7 @@ The following list shows the supported values:
            -**Experience/AllowWindowsSpotlight** +**Experience/AllowWindowsSpotlight**
            cross mark cross markcheck markcheck mark cross markcheck markcheck mark cross mark cross mark
            @@ -973,9 +979,9 @@ The following list shows the supported values: - - + + @@ -1002,7 +1008,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP English name: *Turn off all Windows spotlight features* - GP name: *DisableWindowsSpotlightFeatures* - GP path: *Windows Components/Cloud Content* @@ -1021,7 +1027,7 @@ The following list shows the supported values:
            -**Experience/AllowWindowsSpotlightOnActionCenter** +**Experience/AllowWindowsSpotlightOnActionCenter**
            cross mark cross markcheck mark1check mark1 cross markcheck mark1check mark1 cross mark cross mark
            @@ -1037,9 +1043,9 @@ The following list shows the supported values: - - + + @@ -1065,7 +1071,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP English name: *Turn off Windows Spotlight on Action Center* - GP name: *DisableWindowsSpotlightOnActionCenter* - GP path: *Windows Components/Cloud Content* @@ -1084,7 +1090,7 @@ The following list shows the supported values:
            -**Experience/AllowWindowsSpotlightOnSettings** +**Experience/AllowWindowsSpotlightOnSettings**
            cross mark cross markcheck mark2check mark2 cross markcheck mark2check mark2 cross mark cross mark
            @@ -1100,9 +1106,9 @@ The following list shows the supported values: - - + + @@ -1119,7 +1125,7 @@ The following list shows the supported values: -Added in Windows 10, version 1803. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive. +Added in Windows 10, version 1803. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive. - User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app. - User Setting is changeable on a per user basis. @@ -1127,7 +1133,7 @@ Added in Windows 10, version 1803. This policy allows IT admins to turn off Sugg -ADMX Info: +ADMX Info: - GP English name: *Turn off Windows Spotlight on Settings* - GP name: *DisableWindowsSpotlightOnSettings* - GP path: *Windows Components/Cloud Content* @@ -1146,7 +1152,7 @@ The following list shows the supported values:
            -**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** +**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
            cross mark cross markcheck mark4check mark4 cross markcheck mark4check mark4
            @@ -1162,9 +1168,9 @@ The following list shows the supported values: - - + + @@ -1184,14 +1190,14 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. +Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. -ADMX Info: +ADMX Info: - GP English name: *Turn off the Windows Welcome Experience* - GP name: *DisableWindowsSpotlightWindowsWelcomeExperience* - GP path: *Windows Components/Cloud Content* @@ -1210,7 +1216,7 @@ The following list shows the supported values:
            -**Experience/AllowWindowsTips** +**Experience/AllowWindowsTips**
            cross mark cross markcheck mark2check mark2 cross markcheck mark2check mark2 cross mark cross mark
            @@ -1226,9 +1232,9 @@ The following list shows the supported values: - - + + @@ -1249,7 +1255,7 @@ Enables or disables Windows Tips / soft landing. -ADMX Info: +ADMX Info: - GP English name: *Do not show Windows tips* - GP name: *DisableSoftLanding* - GP path: *Windows Components/Cloud Content* @@ -1268,7 +1274,7 @@ The following list shows the supported values:
            -**Experience/ConfigureWindowsSpotlightOnLockScreen** +**Experience/ConfigureWindowsSpotlightOnLockScreen**
            cross mark cross markcheck markcheck mark cross markcheck markcheck mark cross mark cross mark
            @@ -1284,9 +1290,9 @@ The following list shows the supported values: - - + + @@ -1311,7 +1317,7 @@ Allows IT admins to specify whether spotlight should be used on the user's lock -ADMX Info: +ADMX Info: - GP English name: *Configure Windows spotlight on lock screen* - GP name: *ConfigureWindowsSpotlight* - GP path: *Windows Components/Cloud Content* @@ -1331,7 +1337,7 @@ The following list shows the supported values:
            -**Experience/DoNotShowFeedbackNotifications** +**Experience/DoNotShowFeedbackNotifications**
            cross mark cross markcheck mark1check mark1 cross markcheck mark1check mark1 cross mark cross mark
            @@ -1345,7 +1351,7 @@ The following list shows the supported values: - + @@ -1374,7 +1380,7 @@ If you disable or do not configure this policy setting, users can control how of -ADMX Info: +ADMX Info: - GP English name: *Do not show feedback notifications* - GP name: *DoNotShowFeedbackNotifications* - GP path: *Data Collection and Preview Builds* @@ -1392,6 +1398,179 @@ The following list shows the supported values:
            + +**Experience/DoNotSyncBrowserSettings** + + +
            Mobile Enterprise
            check mark1cross mark check mark1 check mark1 check mark1
            + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcross markcross markcheck mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +[!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)] + +Related policy: + [PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +Supported values: + +- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. +- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option. + + +_**Sync the browser settings automatically**_ + + Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Prevent syncing of browser settings and prevent users from turning it on**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). + +_**Prevent syncing of browser settings and let users turn on syncing**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Turn syncing off by default but don’t disable**_ + + Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off) and select the _Allow users to turn “browser” syncing_ option. + + + + + + + + + + +
            + + +**Experience/PreventUsersFromTurningOnBrowserSyncing** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcross markcross markcheck mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] + +Related policy: + [DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) + + + + +ADMX Info: +- GP English name: *Prevent users from turning on browser syncing* +- GP name: *PreventUsersFromTurningOnBrowserSyncing* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + +Supported values: + +- 0 - Allowed/turned on. Users can sync the browser settings. +- 1 (default) - Prevented/turned off. + + +_**Sync the browser settings automatically**_ + + Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + +_**Prevent syncing of browser settings and prevent users from turning it on**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off). + +_**Prevent syncing of browser settings and let users turn on syncing**_ + +1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off). +2. Set **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). + + + + + + +Validation procedure: + +1. Select **More > Settings**. +1. See if the setting is enabled or disabled based on your selection. + + + + +
            + Footnote: - 1 - Added in Windows 10, version 1607. @@ -1402,10 +1581,4 @@ Footnote: - -## Experience policies supported by Windows Holographic for Business - -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) - diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index 07582f80bf..a74fbeccf3 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/09/2018 --- # Policy CSP - Handwriting @@ -44,7 +44,7 @@ ms.date: 03/12/2018 cross mark check mark3 - check mark3 + cross mark check mark3 check mark3 cross mark diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 2c1b567f4b..8ff97003f8 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/08/2018 --- # Policy CSP - Kerberos +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
            @@ -34,6 +36,9 @@ ms.date: 03/12/2018
            Kerberos/SetMaximumContextTokenSize
            +
            + Kerberos/UPNNameHints +
            @@ -353,6 +358,60 @@ ADMX Info: + +
            + + +**Kerberos/UPNNameHints** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal. + +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. + + + + + + + + + + + +
            Footnote: @@ -361,6 +420,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 47018e826f..c536cc66a5 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -822,7 +822,7 @@ GP Info: > [!Warning] -> Starting in the next major version of Windows, this policy is deprecated. +> Starting in the version 1809 of Windows, this policy is deprecated. Domain member: Digitally encrypt or sign secure channel data (always) @@ -892,7 +892,7 @@ GP Info: > [!Warning] -> Starting in the next major version of Windows, this policy is deprecated. +> Starting in the version 1809 of Windows, this policy is deprecated. Domain member: Digitally encrypt secure channel data (when possible) @@ -959,7 +959,7 @@ GP Info: > [!Warning] -> Starting in the next major version of Windows, this policy is deprecated. +> Starting in the version 1809 of Windows, this policy is deprecated. Domain member: Disable machine account password changes diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md index 10663ef1ad..8745836c59 100644 --- a/windows/client-management/mdm/policy-csp-location.md +++ b/windows/client-management/mdm/policy-csp-location.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/09/2018 --- # Policy CSP - Location @@ -42,7 +42,7 @@ ms.date: 03/12/2018 Mobile Enterprise - check mark2 + cross mark check mark2 check mark2 check mark2 
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index e5f9888352..9e96723b2f 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/09/2018 --- # Policy CSP - Messaging @@ -102,10 +102,10 @@ The following list shows the supported values: cross mark + check mark1 cross mark - - cross mark - cross mark + check mark1 + check mark1 check mark1 check mark1 diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 23a98eaa7b..652e5979f3 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 08/14/2018 --- # Policy CSP - Privacy @@ -33,6 +33,9 @@ ms.date: 06/05/2018
            Privacy/DisableAdvertisingId
            +
            + Privacy/DisablePrivacyExperience +
            Privacy/EnableActivityFeed
            @@ -367,7 +370,7 @@ The following list shows the supported values: -Added in Windows 10, next major version. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. +Added in Windows 10, version 1809. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. Most restricted value is 0. @@ -387,12 +390,6 @@ The following list shows the supported values: 1 (default) – Allowed. - - - - - -
            @@ -412,7 +409,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark check mark check mark check mark @@ -433,7 +430,7 @@ The following list shows the supported values: -Updated in Windows 10, version 1709. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users. +Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. Most restricted value is 0. @@ -450,7 +447,7 @@ ADMX Info: The following list shows the supported values: - 0 – Not allowed. -- 1 (default) – Allowed. +- 1 (default) – Choice deferred to user's preference. @@ -518,6 +515,73 @@ The following list shows the supported values:
            + +**Privacy/DisablePrivacyExperience** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            check mark5check mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
            + + + +Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + +Value type is integer. +- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. +- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. + +In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. + + + +ADMX Info: +- GP English name: *Don't launch privacy settings experience on user logon* +- GP name: *DisablePrivacyExperience* +- GP path: *Windows Components/OOBE* +- GP ADMX file name: *OOBE.admx* + + + + + + + + + + + + + +
            + **Privacy/EnableActivityFeed** @@ -1929,15 +1993,6 @@ ADMX Info: This policy setting specifies whether Windows apps can access the eye tracker. - - - - - - - - -
            @@ -1981,15 +2036,6 @@ This policy setting specifies whether Windows apps can access the eye tracker. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - -
            @@ -2033,15 +2079,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - -
            @@ -2085,15 +2122,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - - - - - -
            @@ -4822,15 +4850,6 @@ ADMX Info: - GP ADMX file name: *OSPolicy.admx* - - - - - - - - -
            
@@ -4844,43 +4863,3 @@ Footnote: - -## Privacy policies supported by Windows Holographic for Business - -- [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard) -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput) -- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps) -- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps) -- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps) -- [Privacy/UploadUserActivities](#privacy-uploaduseractivities) - - - -## Privacy policies supported by IoT Core - -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) - - - -## Privacy policies supported by Microsoft Surface Hub - -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- 
[Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - - diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 78ef27da14..b3f6a039a4 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -66,12 +66,59 @@ This security setting allows an administrator to define the members of a securit Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. +Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. + +``` syntax + + + + + + + + + + + + Restricted Group Member + + + + + + + + + + + + + + + Restricted Group + + + + + + +``` + +Here is an example: +``` + + + + + + +``` 
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 90d61b4f33..f51a32f819 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Search @@ -860,15 +860,5 @@ Footnote: - -## Search policies that can be set using Exchange Active Sync (EAS) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - - - -## Search policies supported by Windows Holographic for Business - -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 923b4a3d8a..fb505e937f 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2018 +ms.date: 08/09/2018 --- # Policy CSP - Security +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
            @@ -43,6 +45,9 @@ ms.date: 06/26/2018
            Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
            +
            + Security/RecoveryEnvironmentAuthentication +
            Security/RequireDeviceEncryption
            @@ -393,7 +398,7 @@ The following list shows the supported values: Mobile Enterprise - check mark4 + cross mark check mark4 check mark4 check mark4 @@ -488,6 +493,87 @@ The following list shows the supported values:
            + +**Security/RecoveryEnvironmentAuthentication** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
            + + + +Added in Windows 10, version 1809. This policy controls the Admin Authentication requirement in RecoveryEnvironment. + +Supported values: +- 0 - Default: Keep using default(current) behavior +- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment +- 2 - NoRequireAuthentication: Admin Authentication is not required for components in RecoveryEnvironment + + + + + + + + + +**Validation procedure** + +The validation requires a check whether Refresh ("Keep my files") and Reset ("Remove everything") requires admin authentication in WinRE. +The process of starting Push Button Reset (PBR) in WinRE: + +1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE. +1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything". + +If the MDM policy is set to "Default" (0) or does not exist, the admin authentication flow should work as default behavior: + +1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. +1. Click "<-" (right arrow) button and choose "Remove everything", it should not pop up admin authentication and just go to PBR options. + +If the MDM policy is set to "RequireAuthentication" (1) + +1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication. +1. Click "<-" (right arrow) button and choose "Remove everything", it should also pop up admin authentication. + +If the MDM policy is set to "NoRequireAuthentication" (2) + +1. Start PBR in WinRE, choose "Keep my files", it should not pop up admin authentication. +1. Go through PBR options and click "cancel" at final confirmation page, wait unit the UI is back. +1. Click "TroubleShoot" -> "Reset this PC" again, choose "Remove everything", it should not pop up admin authentication neither. + + + + +
            + **Security/RequireDeviceEncryption** @@ -661,34 +747,9 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. - -## Security policies that can be set using Exchange Active Sync (EAS) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by Windows Holographic for Business - -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by IoT Core - -- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - - - -## Security policies supported by Microsoft Surface Hub - -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) - diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index ba5cc1e9ef..ffb4629d06 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/09/2018 --- # Policy CSP - Settings @@ -239,10 +239,10 @@ The following list shows the supported values: cross mark - cross mark - cross mark - cross mark - cross mark + check mark1 + check mark1 + check mark1 + check mark1 check mark1 check mark1 @@ -788,12 +788,13 @@ The following list shows the supported values: > [!div class = "checklist"] > * Device +> * User
            -Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. +Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: 
@@ -807,17 +808,17 @@ The format of the PageVisibilityList value is as follows: - There are two variants: one that shows only the given pages and one which hides the given pages. - The first variant starts with the string "showonly:" and the second with the string "hide:". - Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. -- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi". +- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". The default value for this setting is an empty string, which is interpreted as show everything. -Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: +Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:network-wifi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: -showonly:wi-fi;bluetooth +showonly:network-wifi;bluetooth Example 2, specifies that the wifi page should not be shown: -hide:wifi +hide:network-wifi @@ -849,10 +850,5 @@ Footnote: - -## Settings policies supported by Windows Holographic for Business -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) - diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index f499ec5037..43023aecdc 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/09/2018 --- # Policy CSP - Speech @@ -42,7 +42,7 @@ ms.date: 05/14/2018 Mobile Enterprise - check mark1 + cross mark check mark1 check mark1 check mark1 diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 080a8fa8c1..5c8db780af 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2018 +ms.date: 08/14/2018 --- # Policy CSP - Start +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
            @@ -49,6 +51,9 @@ ms.date: 06/26/2018
            Start/AllowPinnedFolderVideos
            +
            + Start/DisableContextMenus +
            Start/ForceStartSize
            @@ -621,6 +626,67 @@ The following list shows the supported values:
            + +**Start/DisableContextMenus** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark4check mark4check mark4check mark4
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
            + + + +Enabling this policy prevents context menus from being invoked in the Start Menu. + + + +ADMX Info: +- GP English name: *Disable context menus in the Start Menu* +- GP name: *DisableContextMenusInStart* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *StartMenu.admx* + + + + + + + + + + + + + +
            + **Start/ForceStartSize** @@ -637,7 +703,7 @@ The following list shows the supported values: cross mark - cross mark + check mark check mark check mark check mark @@ -1726,7 +1792,7 @@ To validate on Desktop, do the following: cross mark - cross mark + check mark check mark check mark check mark @@ -1780,6 +1846,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 45727b2535..7858f38c0e 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 08/27/2018 --- # Policy CSP - Storage +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
            @@ -25,6 +27,9 @@ ms.date: 03/12/2018
            Storage/EnhancedStorageDevices
            +
            + Storage/RemovableDiskDenyWriteAccess +
            @@ -151,6 +156,71 @@ ADMX Info: + +
            + + +**Storage/RemovableDiskDenyWriteAccess** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + +Supported values: +- 0 - Disable +- 1 - Enable + + + +ADMX Info: +- GP English name: *Removable Disks: Deny write access* +- GP name: *RemovableDisks_DenyWrite_Access_2* +- GP element: *RemovableDisks_DenyWrite_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + + + +
            Footnote: @@ -159,6 +229,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b7f8fb114a..8e9dd3ce58 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 08/24/2018 --- # Policy CSP - System @@ -24,6 +24,9 @@ ms.date: 06/05/2018
            System/AllowBuildPreview
            +
            + System/AllowDeviceNameInDiagnosticData +
            System/AllowEmbeddedMode
            @@ -48,12 +51,21 @@ ms.date: 06/05/2018
            System/BootStartDriverInitialization
            +
            + System/ConfigureMicrosoft365UploadEndpoint +
            System/ConfigureTelemetryOptInChangeNotification
            System/ConfigureTelemetryOptInSettingsUx
            +
            + System/DisableDeviceDelete +
            +
            + System/DisableDiagnosticDataViewer +
            System/DisableEnterpriseAuthProxy
            @@ -142,6 +154,67 @@ The following list shows the supported values:
            + +**System/AllowDeviceNameInDiagnosticData** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + +ADMX Info: +- GP English name: *Allow device name to be sent in Windows diagnostic data* +- GP name: *AllowDeviceNameInDiagnosticData* +- GP element: *AllowDeviceNameInDiagnosticData* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
            + **System/AllowEmbeddedMode** @@ -691,6 +764,72 @@ ADMX Info:
            + +**System/ConfigureMicrosoft365UploadEndpoint** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program. + +If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. + +The value for this setting will be provided by Microsoft as part of the onboarding process for the program. + +Value type is string. + + +ADMX Info: +- GP English name: *Configure Microsoft 365 Update Readiness upload endpoint* +- GP name: *ConfigureMicrosoft365UploadEndpoint* +- GP element: *ConfigureMicrosoft365UploadEndpoint* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
            + **System/ConfigureTelemetryOptInChangeNotification** @@ -741,15 +880,6 @@ ADMX Info: - GP ADMX file name: *DataCollection.admx* - - - - - - - - -
            @@ -808,6 +938,123 @@ ADMX Info: - GP path: *Data Collection and Preview Builds* - GP ADMX file name: *DataCollection.admx* + + + +
            + + +**System/DisableDeviceDelete** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. +If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. + + + +ADMX Info: +- GP English name: *Disable deleting diagnostic data * +- GP name: *DisableDeviceDelete* +- GP element: *DisableDeviceDelete* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
            + + +**System/DisableDiagnosticDataViewer** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. +If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. + + + +ADMX Info: +- GP English name: *Disable diagnostic data viewer. * +- GP name: *DisableDiagnosticDataViewer* +- GP element: *DisableDiagnosticDataViewer* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + @@ -1194,34 +1441,3 @@ Footnote: - -## System policies that can be set using Exchange Active Sync (EAS) - -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Windows Holographic for Business - -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - - - -## System policies supported by IoT Core - -- [System/AllowEmbeddedMode](#system-allowembeddedmode) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Microsoft Surface Hub - -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - - diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 2b295a2044..e96eb5340c 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 08/09/2018 --- # Policy CSP - TextInput @@ -650,6 +650,30 @@ The following list shows the supported values: **TextInput/AllowLinguisticDataCollection** + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck markcheck markcheck markcheck markcross markcross mark
            + + + [Scope](./policy-configuration-service-provider.md#policy-scope): diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 7f6dde9d31..80185310fd 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/18/2018 +ms.date: 08/29/2018 --- # Policy CSP - Update @@ -177,6 +177,9 @@ ms.date: 07/18/2018
            Update/SetEDURestart
            +
            + Update/UpdateNotificationLevel +
            Update/UpdateServiceUrl
            @@ -712,6 +715,8 @@ The following list shows the supported values: For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + Value type is integer. Default is 7 days. Supported values range: 2-30. @@ -778,6 +783,8 @@ ADMX Info: For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + Value type is integer. Default is 7 days. Supported values range: 2-30. @@ -802,15 +809,6 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - -
            @@ -1509,6 +1507,11 @@ The following list shows the supported values: For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. + +> [!Note] +> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule are not set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. + Value type is integer. Default is 14. Supported value range: 2 - 30. @@ -1597,15 +1600,6 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - -
            @@ -1732,15 +1726,6 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - -
            @@ -1781,11 +1766,11 @@ ADMX Info: -For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. +For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Value type is integer. +Value type is integer. Default value is 7 days. -Supported value range: 0 - 30. +Supported value range: 0 - 30. If you disable or do not configure this policy, the default behaviors will be used. @@ -1846,7 +1831,7 @@ ADMX Info: For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Value type is integer. +Value type is integer. Default value is 7 days. Supported value range: 0 - 30. @@ -1867,15 +1852,6 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - -
            @@ -3264,15 +3240,6 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - -
            @@ -3324,15 +3291,6 @@ ADMX Info: - GP ADMX file name: *WindowsUpdate.admx* - - - - - - - - -
            @@ -3375,6 +3333,8 @@ ADMX Info: Added in Windows 10, version 1703. For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. +When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. + ADMX Info: @@ -3395,6 +3355,75 @@ The following list shows the supported values:
            + +**Update/UpdateNotificationLevel** + + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark5check mark5check mark5check mark5
            + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
            + + + +Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed. + +Options: + +- 0 (default) – Use the default Windows Update notifications +- 1 – Turn off all notifications, excluding restart warnings +- 2 – Turn off all notifications, including restart warnings + +> [!Important] +> If you choose not to get update notifications and also define other Group policies so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. + + + +ADMX Info: +- GP English name: *Display options for update notifications* +- GP name: *UpdateNotificationLevel* +- GP path: *Windows Components/Windows Update* +- GP ADMX file name: *WindowsUpdate.admx* + + + + + + + + + + + + + +
            + **Update/UpdateServiceUrl** 
@@ -3550,53 +3579,3 @@ Footnote: - 5 - Added in the next major release of Windows 10. - - -## Update policies supported by Windows Holographic for Business - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by IoT Core - -- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#update-autorestartdeadlineperiodindaysforfeatureupdates) -- [Update/EngagedRestartDeadlineForFeatureUpdates](#update-engagedrestartdeadlineforfeatureupdates) -- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](#update-engagedrestartsnoozescheduleforfeatureupdates) -- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](#update-engagedrestarttransitionscheduleforfeatureupdates) -- [Update/PauseDeferrals](#update-pausedeferrals) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/ScheduledInstallDay](#update-scheduledinstallday) -- [Update/ScheduledInstallTime](#update-scheduledinstalltime) -- [Update/SetDisablePauseUXAccess](#update-setdisablepauseuxaccess) -- [Update/SetDisableUXWUAccess](#update-setdisableuxwuaccess) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by Microsoft Surface Hub - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- 
[Update/BranchReadinessLevel](#update-branchreadinesslevel) -- [Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) -- [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) -- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) -- [Update/ScheduleRestartWarning](#update-schedulerestartwarning) -- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) - - diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 00b49c54f7..ead54a0bfb 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -12,6 +12,61 @@ ms.date: 03/12/2018 # Policy CSP - UserRights +
            + +User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things, like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. + +Here is an example syncml for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. + +```syntax + + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/UserRights/BackupFilesAndDirectories + + Authenticated UsersAdministrators + + + + + +``` + +Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator + +- Grant an user right to Administrators group via SID: + ``` + *S-1-5-32-544 + ``` + +- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID + ``` + *S-1-5-32-544*S-1-5-11 + ``` + +- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings + ``` + *S-1-5-32-544Authenticated Users + ``` + +- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings + ``` + Authenticated UsersAdministrators + ``` + +- Empty input indicates that there are no users configured to have that user right + ``` + + ``` +
            diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 2f545af87b..25ff1652b7 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/12/2018 +ms.date: 08/09/2018 --- # Policy CSP - WindowsDefenderSecurityCenter @@ -107,7 +107,7 @@ ms.date: 07/12/2018 Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -161,7 +161,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -219,7 +219,7 @@ Valid values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -353,7 +353,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -411,7 +411,7 @@ Valid values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -474,7 +474,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -534,7 +534,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -594,7 +594,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -654,7 +654,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -788,7 +788,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -848,7 +848,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 
@@ -908,7 +908,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -962,7 +962,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1022,7 +1022,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1082,7 +1082,7 @@ The following list shows the supported values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -1140,7 +1140,7 @@ Valid values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -1198,7 +1198,7 @@ Valid values: Mobile Enterprise - cross mark + check mark4 check mark4 check mark4 check mark4 @@ -1332,7 +1332,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 @@ -1386,7 +1386,7 @@ ADMX Info: Mobile Enterprise - cross mark + check mark3 check mark3 check mark3 check mark3 diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index 6c1ca5bd2d..96beff9c33 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 08/09/2018 --- # Policy CSP - WirelessDisplay @@ -363,6 +363,29 @@ The following list shows the supported values: **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** + + + + + + + + + + + + + + + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + [Scope](./policy-configuration-service-provider.md#policy-scope):
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 624c67cddb..1c14be4723 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/03/2018
+ms.date: 08/29/2018
 ---
 # Policy DDF file
@@ -19,14 +19,15 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy*
 You can download the DDF files from the links below:
-- [Download the Policy DDF file for Windows 10, version 1803](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
-- [Download the Policy DDF file for Windows 10, version 1709](http://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
-- [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
-- [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
-- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
+- [Download the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
+- [Download the Policy DDF file for Windows 10, version 1803 release C](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
+- [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
+- [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
+- [Download the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
+- [Download the Policy DDF file for Windows 10, version 1607 release 
8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
 - [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)
-The XML below is the DDF for Windows 10, next major version.
+The XML below is the DDF for Windows 10, version 1809.
 ``` syntax
@@ -1406,30 +1407,6 @@ Related policy:
 - - ForceEnabledExtensions - - - - - - - - This setting lets you decide which extensions should be always enabled. - - - - - - - - - - - text/plain - - - HomePages
@@ -1654,6 +1631,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PreventTurningOffRequiredExtensions + + + + + + + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) + + + + + + + + + + + text/plain + + + PreventUsingLocalHostIPAddressForWebRTC @@ -8614,6 +8632,52 @@ Related policy: + + Privacy + + + + + + + + + + + + + + + + + + + + + DisablePrivacyExperience + + + + + + + + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + + Security @@ -10528,34 +10592,6 @@ Related policy: LastWrite - - ForceEnabledExtensions - - - - - - This setting lets you decide which extensions should be always enabled. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - ForceEnabledExtensions_List - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ForceEnabledExtensions - LastWrite - - HomePages 
@@ -10806,6 +10842,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on HighestValueMostSecure + + PreventTurningOffRequiredExtensions + + + + + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + PreventTurningOffRequiredExtensions_Prompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventTurningOffRequiredExtensions + LastWrite + + PreventUsingLocalHostIPAddressForWebRTC @@ -18546,6 +18627,54 @@ Related policy: + + Privacy + + + + + + + + + + + + + + + + + + + DisablePrivacyExperience + + + + + 0 + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + phone + OOBE.admx + OOBE~AT~WindowsComponents~OOBE + DisablePrivacyExperience + LowestValueMostSecure + + + Security @@ -22272,30 +22401,6 @@ Related policy: - - ForceEnabledExtensions - - - - - - - - This setting lets you decide which extensions should be always enabled. - - - - - - - - - - - text/plain - - - HomePages 
@@ -22520,6 +22625,47 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on + + PreventTurningOffRequiredExtensions + + + + + + + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) + + + + + + + + + + + text/plain + + + PreventUsingLocalHostIPAddressForWebRTC @@ -25489,7 +25635,7 @@ Related policy: - EnableSystemGuard + ConfigureSystemGuardLaunch @@ -27063,7 +27209,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - DoNotSyncBrowserSetting + DoNotSyncBrowserSettings @@ -27098,7 +27244,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSetting + Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing 
@@ -34352,38 +34498,6 @@ Default: Disabled. - - MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession - - - - - - - - Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - - - - - - - - - text/plain - - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways @@ -36623,6 +36737,30 @@ The options are: + + DisablePrivacyExperience + + + + + + + + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + EnableActivityFeed @@ -41468,6 +41606,30 @@ Caution: If a Restricted Groups policy is applied, any current member not on the + + AllowDeviceNameInDiagnosticData + + + + + + + + This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + + + + + + + + + text/plain + + + AllowEmbeddedMode @@ -44073,7 +44235,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - UpdateNotificationKioskMode + UpdateNotificationLevel 
@@ -49551,34 +49713,6 @@ Related policy: LastWrite - - ForceEnabledExtensions - - - - - - This setting lets you decide which extensions should be always enabled. - - - - - - - - - - - text/plain - - phone - MicrosoftEdge.admx - ForceEnabledExtensions_List - MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge - ForceEnabledExtensions - LastWrite - - HomePages 
@@ -49829,6 +49963,51 @@ Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on HighestValueMostSecure + + PreventTurningOffRequiredExtensions + + + + + + You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any available enterprise deployment channel, such as Microsoft Intune. When you enable this policy, users cannot uninstall extensions from their computer, but they can configure options for extensions defined in this policy, such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. + +When you enable this policy, you must provide a semi-colon delimited list of extension package family names (PFNs). For example, adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office Online extension. + +When enabled, removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. + +If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. + +If disabled or not configured, extensions defined as part of this policy get ignored. 
+ +Default setting: Disabled or not configured +Related policies: Allow Developer Tools +Related Documents: +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) + + + + + + + + + + + text/plain + + phone + MicrosoftEdge.admx + PreventTurningOffRequiredExtensions_Prompt + MicrosoftEdge~AT~WindowsComponents~MicrosoftEdge + PreventTurningOffRequiredExtensions + LastWrite + + PreventUsingLocalHostIPAddressForWebRTC @@ -53218,7 +53397,7 @@ Related policy: - EnableSystemGuard + ConfigureSystemGuardLaunch @@ -54899,7 +55078,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - DoNotSyncBrowserSetting + DoNotSyncBrowserSettings @@ -54935,7 +55114,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 1 You can configure Microsoft Edge to allow users to turn on the Sync your Settings option to sync information, such as history and favorites, between user's devices. When enabled and you enable the Do not sync browser setting policy, browser settings sync automatically. If disabled, users have the option to sync the browser settings. - Related policy: DoNotSyncBrowserSetting + Related policy: DoNotSyncBrowserSettings 1 (default) = Do not allow users to turn on syncing, 0 = Allows users to turn on syncing 
@@ -63004,41 +63183,6 @@ Default: Disabled. LastWrite - - MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession - - - - - 15 - Microsoft network server: Amount of idle time required before suspending a session - -This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. - -Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. - -For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. - -Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. - - - - - - - - - - - text/plain - - - phone - Windows Settings~Security Settings~Local Policies~Security Options - Microsoft network server: Amount of idle time required before suspending session - LowestValueMostSecure - - MicrosoftNetworkServer_DigitallySignCommunicationsAlways @@ -63402,7 +63546,7 @@ This setting can affect the ability of computers running Windows 2000 Server, Wi - 0 + 3 Network security LAN Manager authentication level This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: 
@@ -63455,7 +63599,7 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send - 0 + 536870912 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: @@ -63493,7 +63637,7 @@ Windows 7 and Windows Server 2008 R2: Require 128-bit encryption - 0 + 536870912 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: @@ -65452,6 +65596,34 @@ The options are: LowestValueMostSecureZeroHasNoLimits + + DisablePrivacyExperience + + + + + 0 + Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + + + + + + + + + + + text/plain + + + phone + OOBE.admx + OOBE~AT~WindowsComponents~OOBE + DisablePrivacyExperience + LowestValueMostSecure + + EnableActivityFeed @@ -69810,12 +69982,12 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + phone SmartScreen.admx SmartScreen~AT~WindowsComponents~SmartScreen~Shell ConfigureAppInstallControl - HighestValueMostSecure + LastWrite 
@@ -70823,6 +70995,34 @@ Caution: If a Restricted Groups policy is applied, any current member not on the LowestValueMostSecure + + AllowDeviceNameInDiagnosticData + + + + + 0 + This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + + + + + + + + + text/plain + + + DataCollection.admx + AllowDeviceNameInDiagnosticData + DataCollection~AT~WindowsComponents~DataCollectionAndPreviewBuilds + AllowDeviceNameInDiagnosticData + LowestValueMostSecure + + AllowEmbeddedMode @@ -72934,7 +73134,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + WindowsUpdate.admx EngagedRestartTransitionSchedule WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat @@ -72962,7 +73162,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the text/plain - + WindowsUpdate.admx EngagedRestartTransitionScheduleForFeatureUpdates WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat @@ -73677,7 +73877,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - UpdateNotificationKioskMode + UpdateNotificationLevel @@ -73699,7 +73899,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the WindowsUpdate.admx WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat - UpdateNotificationKioskMode + UpdateNotificationLevel LastWrite @@ -75931,4 +76131,4 @@ Because of these factors, users do not usually need this user right. Warning: If -``` +``` \ No newline at end of file diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md index 40aae74dbe..e8db3d3e21 100644 --- a/windows/client-management/mdm/push-notification-windows-mdm.md +++ b/windows/client-management/mdm/push-notification-windows-mdm.md 
@@ -16,13 +16,13 @@ ms.date: 09/22/2017
 # Push notification support for device management
-The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](http://go.microsoft.com/fwlink/p/?linkid=528800), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
+The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](https://go.microsoft.com/fwlink/p/?linkid=528800), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
 To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a device management session with a device, it can utilize its token and the device ChannelURI and begin communicating with the device. For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification).
-Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](http://go.microsoft.com/fwlink/p/?LinkId=733254).
+Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](https://go.microsoft.com/fwlink/p/?LinkId=733254).
 Note the following restrictions related to push notifications and WNS:
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index b5bccdbf85..bfb5dfd307 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -41,7 +41,7 @@ The following diagram shows the Reboot configuration service provider management

            The supported operations are Get, Add, Replace, and Delete.

            **Schedule/DailyRecurrent** -

            This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z

            +

            This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.

            The supported operations are Get, Add, Replace, and Delete.

diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md
index 0511301b25..6a45bb2c9a 100644
--- a/windows/client-management/mdm/remotelock-csp.md
+++ b/windows/client-management/mdm/remotelock-csp.md
@@ -15,7 +15,7 @@ ms.date: 06/26/2017
 The RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
-> [!Note]
+> [!Note]
 > The RemoteLock CSP is only supported in Windows 10 Mobile.   
@@ -23,11 +23,11 @@ The following diagram shows the RemoteLock configuration service provider in a t
 ![provisioning\-csp\-remotelock](images/provisioning-csp-remotelock.png)
-**./Vendor/MSFT/RemoteLock**
+**./Vendor/MSFT/RemoteLock**

            Defines the root node for the RemoteLock configuration service provider.

-**Lock**
-Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed [here](http://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. The supported operations are Get and Exec.
+**Lock**
+Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. The supported operations are Get and Exec.
@@ -63,10 +63,10 @@ Required. The setting accepts requests to lock the device screen. The device scr
   
-**LockAndResetPIN**
+**LockAndResetPIN**
 This setting can be used to lock and reset the PIN on the device. It is used in conjunction with the NewPINValue node. After the **Exec** operation is called successfully on this node, the previous PIN will no longer work and cannot be recovered. The supported operation is Exec.
-This node will return the following status. All OMA DM errors are listed [here](http://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification.
+This node will return the following status. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification.
            @@ -95,13 +95,13 @@ This node will return the following status. All OMA DM errors are listed [here](
            -**LockAndRecoverPIN** +**LockAndRecoverPIN** Added in Windows 10, version 1703. This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work. Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/passportforwork-csp#tenantid-policies-enablepinrecovery) policy is set on the client. -**NewPINValue** +**NewPINValue** This setting contains the PIN after Exec has been called on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin. If LockAndResetPIN or LockAndResetPIN has never been called, the value will be null. If Get is called on this node after a successful Exec call on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin, then the new PIN will be provided. If another Get command is called on this node, the value will be null. If you need to reset the PIN again, then another LockAndResetPIN Exec can be communicated to the device to generate a new PIN. The PIN value will conform to the minimum PIN complexity requirements of the merged policies that are set on the device. If no PIN policy has been set on the device, the generated PIN will conform to the default policy of the device. The data type returned is a string. @@ -117,12 +117,12 @@ Initiate a remote lock of the device. ``` syntax - 1 - - - ./Vendor/MSFT/RemoteLock/Lock - - + 1 + + + ./Vendor/MSFT/RemoteLock/Lock + + ``` 
@@ -130,22 +130,22 @@ Initiate a remote lock and PIN reset of the device. To successfully retrieve the ``` syntax - 1 + 1 - 2 - - - ./Vendor/MSFT/RemoteLock/LockAndResetPIN - - + 2 + + + ./Vendor/MSFT/RemoteLock/LockAndResetPIN + + - 3 - - - ./Vendor/MSFT/RemoteLock/NewPINValue - - + 3 + + + ./Vendor/MSFT/RemoteLock/NewPINValue + + ``` diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 366bb79824..82818fd8da 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/23/2018 +ms.date: 08/13/2018 --- # RemoteWipe CSP 
@@ -44,7 +44,28 @@ Supported operation is Exec. **doWipePersistUserData** Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. -  + +**AutomaticRedeployment** +Added in Windows 10, next major update. Node for the Autopilot Reset operation. + +**AutomaticRedeployment/doAutomaticRedeployment** +Added in Windows 10, next major update. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. + +**AutomaticRedeployment/LastError** +Added in Windows 10, next major update. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). + +**AutomaticRedeployment/Status** +Added in Windows 10, next major update. Status value indicating current state of an Autopilot Reset operation. + +Supported values: + +- 0: Never run (not started). The default state. +- 1: Complete. +- 10: Reset has been scheduled. +- 20: Reset is scheduled and waiting for a reboot. +- 30: Failed during CSP Execute ("Exec" in SyncML). +- 40: Failed: power requirements not met. +- 50: Failed: reset internals failed during reset attempt. ## Related topics diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index 0f0de9b725..990cf2ae5a 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/23/2018 +ms.date: 08/13/2018 --- # RemoteWipe DDF file 
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, version 1709. +The XML below is the DDF for Windows 10, version 1809. ``` syntax @@ -43,7 +43,7 @@ The XML below is the DDF for Windows 10, version 1709. - + com.microsoft/1.1/MDM/RemoteWipe The root node for remote wipe function. @@ -131,21 +131,91 @@ The XML below is the DDF for Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + AutomaticRedeployment + + + + + + + + + + + + + + + + + + + doAutomaticRedeployment + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + 0 + Error value, if any, associated with Automatic Redeployment operation (typically an HRESULT). + + + + + + + + + + + text/plain + + + + + Status + + + + + 0 + Status value indicating current state of an Automatic Redeployment operation. 0: Never run (not started). The default state. 1: Complete. 10: Reset has been scheduled. 20: Reset is scheduled and waiting for a reboot. 30: Failed during CSP Execute ("Exec" in SyncML). 40: Failed: power requirements not met. 50: Failed: reset internals failed during reset attempt. + + + + + + + + + + + text/plain + + + + -``` - -## Related topics - - -[RemoteWipe configuration service provider](remotewipe-csp.md) - -  - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md index cbbeeaeccb..862a062eba 100644 --- a/windows/client-management/mdm/server-requirements-windows-mdm.md +++ b/windows/client-management/mdm/server-requirements-windows-mdm.md 
@@ -27,7 +27,7 @@ The following list shows the general server requirements for using OMA DM to man - The MD5 binary nonce is send over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. - For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900). + For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). - The server must support HTTPS. diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index dd67204515..31e9f26469 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md 
@@ -14,7 +14,7 @@ ms.date: 06/26/2017 OMA DM commands are transmitted between the server and the client device in messages. A message can contain one or more commands. For a list of commands supported, see the table in [OMA DM protocol support](oma-dm-protocol-support.md). -A DM message is an XML document. The structure and content of the document is defined in the OMA DM Representation Protocol (OMA-SyncML-DevInfo-DTD-V1\_1\_2-20030505-D.dtd) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900). +A DM message is an XML document. The structure and content of the document is defined in the OMA DM Representation Protocol (OMA-SyncML-DevInfo-DTD-V1\_1\_2-20030505-D.dtd) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). Each message is composed of a header, specified by the SyncHdr element, and a message body, specified by the SyncBody element. @@ -49,7 +49,7 @@ The following table shows the OMA DM versions that are supported. ## File format -The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](http://go.microsoft.com/fwlink/p/?LinkId=526902) specification. +The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://go.microsoft.com/fwlink/p/?LinkId=526902) specification. ``` syntax @@ -76,7 +76,7 @@ The following example shows the general structure of the XML document sent by th - + 
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 3733920512..5ff2a27abd 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -241,31 +241,31 @@ Specifies the name of the H-SLP root certificate as a string, in the format *nam The base 64 encoded blob of the H-SLP root certificate. **RootCertificate4** -Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. +Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. **RootCertificate4/Name** -Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. +Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. **RootCertificate4/Data** -Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. +Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. **RootCertificate5** -Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. +Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. **RootCertificate5/Name** -Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. +Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. **RootCertificate5/Data** -Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. +Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. **RootCertificate6** -Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server. +Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server. **RootCertificate6/Name** -Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. +Added in Windows 10, version 1809. 
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. **RootCertificate6/Data** -Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate. +Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate. **V2UPL1** Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index ec126158b6..2d75e82287 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **SUPL** Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md new file mode 100644 index 0000000000..a52598d88f --- /dev/null +++ b/windows/client-management/mdm/tenantlockdown-csp.md 
@@ -0,0 +1,39 @@ +--- +title: TenantLockdown CSP +description: +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/13/2018 +--- + +# TenantLockdown CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809. + +The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes. + +> [!Note] +> The forced network connection is only applicable to devices after reset (not new). + +The following diagram shows the TenantLockdown configuration service provider in tree format. + +![TenantLockdown CSP diagram](images/provisioning-csp-tenantlockdown.png) + +**./Vendor/MSFT/TenantLockdown** +The root node. + +**RequireNetworkInOOBE** +Specifies whether to require a network connection during the out-of-box experience (OOBE) at first logon. + +When RequireNetworkInOOBE is true, when the device goes through OOBE at first logon or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. + +Value type is bool. Supported operations are Get and Replace. + +- true - Require network in OOBE +- false - No network connection requirement in OOBE + +Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account. 
\ No newline at end of file diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md new file mode 100644 index 0000000000..041e4c97ff --- /dev/null +++ b/windows/client-management/mdm/tenantlockdown-ddf.md @@ -0,0 +1,75 @@ +--- +title: TenantLockdown DDF file +description: XML file containing the device description framework +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/13/2018 +--- + +# TenantLockdown DDF file + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **TenantLockdown** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is for Windows 10, version 1809. + +``` syntax + +]> + + 1.2 + + TenantLockdown + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/TenantLockdown + + + + RequireNetworkInOOBE + + + + + + false + true - Require network in OOBE, false - no network connection requirement in OOBE + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index ef549e1753..f434251f74 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md 
@@ -6,13 +6,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 02/01/2018 +ms.date: 10/02/2018 --- # UEFI CSP -The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1803. +The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809. + +> [!Note] +> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). The following diagram shows the UEFI CSP in tree format. 
@@ -23,62 +26,102 @@ The following list describes the characteristics and parameters. **./Vendor/MSFT/Uefi** Root node. -**UefiDeviceIdentifier** -Retrieves XML from UEFI which describes the device identifier. +**DeviceIdentifier** +Retrieves XML from UEFI that describes the device identifier. Supported operation is Get. -**IdentityInfo** -Node for provisioned signers operations. - - -**IdentityInfo/Current** -Retrieves XML from UEFI which describes the current UEFI identity information. +**Identity** +Node for identity certificate operations. Supported operation is Get. -**IdentityInfo/Apply** -Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. - -Supported operation is Replace. - -**IdentityInfo/ApplyResult** -Retrieves XML describing the results of previous ApplyIdentityInfo operation. +**Identity/Current** +Retrieves XML from UEFI that describes the current UEFI identity certificate information. Supported operation is Get. -**AuthInfo** -Node for permission information operations. +**Identity/Apply** +Applies an identity information package to UEFI. Input is the signed package in base64 encoded format. -**AuthInfo/Current** -Retrieves XML from UEFI which describes the current UEFI permission/authentication information. +Value type is Base64. Supported operation is Replace. + +**Identity/Result** +Retrieves the binary result package of the previous Identity/Apply operation. Supported operation is Get. -**AuthInfo/Apply** -Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format. +**Permissions** +Node for settings permission operations.. -Supported operation is Replace. - -**AuthInfo/ApplyResult** -Retrieves XML describing the results of previous ApplyAuthInfo operation. +**Permissions/Current** +Retrieves XML from UEFI that describes the current UEFI settings permissions. Supported operation is Get. 
-**Config** -Node for device configuration +**Permissions/Apply** +Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. -**Config/Current** -Retrieves XML from UEFI which describes the current UEFI configuration. +Value type is Base64. Supported operation is Replace. + +**Permissions/Result** +Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission. Supported operation is Get. -**Config/Apply** -Apply a configuration package to UEFI. Input is the signed package in base64 encoded format. +**Settings** +Node for device settings operations. -Supported operation is Replace. - -**Config/ApplyResult** -Retrieves XML describing the results of previous ApplyConfig operation. +**Settings/Current** +Retrieves XML from UEFI that describes the current UEFI settings. Supported operation is Get. + +**Settings/Apply** +Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. + +Value type is Base64. Supported operation is Replace. + +**Settings/Result** +Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting. + +Supported operation is Get. + +**Identity2** +Node for identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart. + +**Identity2/Apply** +Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session. + +Value type is Base64. Supported operation is Replace. + +**Identity2/Result** +Retrieves the binary result package of the previous Identity2/Apply operation. + +Supported operation is Get. + +**Permissions2** +Node for settings permission operations. 
Alternate endpoint for sending a second permission package without an OS restart. + +**Permissions2/Apply** +Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session. + +Value type is Base64. Supported operation is Replace. + +**Permissions2/Result** +Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission. + +Supported operation is Get. + +**Settings2** +Nodefor device settings operations. Alternate endpoint for sending a second settings package without an OS restart. + +**Settings2/Apply** +Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session. + +Value type is Base64. Supported operation is Replace. + +**Settings2/Result** +Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting. + +Supported operation is Get. \ No newline at end of file diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md index de67ae71b4..ddfe446519 100644 --- a/windows/client-management/mdm/uefi-ddf.md +++ b/windows/client-management/mdm/uefi-ddf.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 02/01/2018 +ms.date: 10/02/2018 --- # UEFI DDF file @@ -16,7 +16,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Uefi** Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1809. ``` syntax 
@@ -32,6 +32,7 @@ The XML below is the current version for this CSP. + UEFI Firmware Configuration Service Provider. @@ -46,12 +47,12 @@ The XML below is the current version for this CSP. - UefiDeviceIdentifier + DeviceIdentifier - Retrieves XML from UEFI which describes the device identifier. + Retrieves XML from UEFI which contains the device identifier. @@ -61,21 +62,18 @@ The XML below is the current version for this CSP. - - - text/plain - IdentityInfo + Identity - Provisioned signers + Identity certificate operations. @@ -95,7 +93,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI identity information + Retrieves XML from UEFI which describes the current UEFI identity certificate information. @@ -132,14 +130,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyIdentityInfo operation. + Retrieves the binary result package of the previous Identity/Apply operation. - + @@ -148,18 +146,18 @@ The XML below is the current version for this CSP. - text/plain + - AuthInfo + Permissions - Permission Information + Settings permission operations. @@ -179,7 +177,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI permission/authentication information. + Retrieves XML from UEFI which describes the current UEFI settings permissions. @@ -200,7 +198,7 @@ The XML below is the current version for this CSP. - Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format. + Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. 
@@ -216,14 +214,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyAuthInfo operation. + Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission. - + @@ -232,18 +230,18 @@ The XML below is the current version for this CSP. - text/plain + - Config + Settings - Device Configuration + Device settings operations. @@ -263,7 +261,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI configuration. + Retrieves XML from UEFI which describes the current UEFI settings. @@ -284,7 +282,7 @@ The XML below is the current version for this CSP. - Apply a configuration package to UEFI. Input is the signed package in base64 encoded format. + Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. @@ -300,14 +298,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyConfig operation. + Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting. - + 
@@ -316,7 +314,196 @@ The XML below is the current version for this CSP. - text/plain + + + + + + + Identity2 + + + + + Identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package of the previous Identity2/Apply operation. + + + + + + + + + + + + + + + + + Permissions2 + + + + + Settings permission operations. Alternate endpoint for sending a second permission package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission. + + + + + + + + + + + + + + + + + Settings2 + + + + + Device settings operations. Alternate endpoint for sending a second settings package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting. + + + + + + + + + + + diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 837be49e57..4b82f8c477 100644 
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -18,12 +18,12 @@ The following diagram shows the Update configuration service provider in tree fo ![update csp diagram](images/provisioning-csp-update.png) -**Update** +**Update**

            The root node.

            Supported operation is Get. -**ApprovedUpdates** +**ApprovedUpdates**

            Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] @@ -38,10 +38,10 @@ The following diagram shows the Update configuration service provider in tree fo

            Supported operations are Get and Add. -**ApprovedUpdates/****_Approved Update Guid_** +**ApprovedUpdates/****_Approved Update Guid_**

            Specifies the update GUID. -

            To auto-approve a class of updates, you can specify the [Update Classifications](http://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +

            To auto-approve a class of updates, you can specify the [Update Classifications](https://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.

            Supported operations are Get and Add. @@ -50,62 +50,62 @@ The following diagram shows the Update configuration service provider in tree fo ./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d -**ApprovedUpdates/*Approved Update Guid*/ApprovedTime** +**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**

            Specifies the time the update gets approved.

            Supported operations are Get and Add. -**FailedUpdates** +**FailedUpdates**

            Specifies the approved updates that failed to install on a device.

            Supported operation is Get. -**FailedUpdates/****_Failed Update Guid_** +**FailedUpdates/****_Failed Update Guid_**

            Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.

            Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/HResult** +**FailedUpdates/*Failed Update Guid*/HResult**

            The update failure error code.

            Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/Status** +**FailedUpdates/*Failed Update Guid*/Status**

            Specifies the failed update status (for example, download, install).

            Supported operation is Get. -**FailedUpdates/*Failed Update Guid*/RevisionNumber** +**FailedUpdates/*Failed Update Guid*/RevisionNumber**

            Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.

            Supported operation is Get. -**InstalledUpdates** +**InstalledUpdates**

            The updates that are installed on the device.

            Supported operation is Get. -**InstalledUpdates/****_Installed Update Guid_** +**InstalledUpdates/****_Installed Update Guid_**

            UpdateIDs that represent the updates installed on a device.

            Supported operation is Get. -**InstalledUpdates/*Installed Update Guid*/RevisionNumber** +**InstalledUpdates/*Installed Update Guid*/RevisionNumber**

            Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.

            Supported operation is Get. -**InstallableUpdates** +**InstallableUpdates**

            The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.

            Supported operation is Get. -**InstallableUpdates/****_Installable Update Guid_** +**InstallableUpdates/****_Installable Update Guid_**

            Update identifiers that represent the updates applicable and not installed on a device.

            Supported operation is Get. -**InstallableUpdates/*Installable Update Guid*/Type** +**InstallableUpdates/*Installable Update Guid*/Type**

            The UpdateClassification value of the update. Valid values are: - 0 - None @@ -114,71 +114,71 @@ The following diagram shows the Update configuration service provider in tree fo

            Supported operation is Get. -**InstallableUpdates/*Installable Update Guid*/RevisionNumber** +**InstallableUpdates/*Installable Update Guid*/RevisionNumber**

            The revision number for the update that must be passed in server to server sync to get the metadata for the update.

            Supported operation is Get. -**PendingRebootUpdates** +**PendingRebootUpdates**

            The updates that require a reboot to complete the update session.

            Supported operation is Get. -**PendingRebootUpdates/****_Pending Reboot Update Guid_** +**PendingRebootUpdates/****_Pending Reboot Update Guid_**

            Update identifiers for the pending reboot state.

            Supported operation is Get. -**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** +**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**

            The time the update is installed.

            Supported operation is Get.
-**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**
+**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**

            Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.

            Supported operation is Get.
-**LastSuccessfulScanTime**
+**LastSuccessfulScanTime**

            The last successful scan time.

            Supported operation is Get.
-**DeferUpgrade**
+**DeferUpgrade**

            Upgrades deferred until the next period.

            Supported operation is Get. -**Rollback** +**Rollback** Added in Windows 10, version 1803. Node for the rollback operations. -**Rollback/QualityUpdate** -Added in Windows 10, version 1803. Roll back latest Quality Update, if the machine meets the following conditions: +**Rollback/QualityUpdate** +Added in Windows 10, version 1803. Roll back latest Quality Update, if the machine meets the following conditions: - Condition 1: Device must be Windows Update for Business Connected - Condition 2: Device must be in a Paused State - Condition 3: Device must have the Latest Quality Update installed on the device (Current State) - + If the conditions are not true, the device will not Roll Back the Latest Quality Update. -**Rollback/FeatureUpdate** -Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions: +**Rollback/FeatureUpdate** +Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions: - Condition 1: Device must be Windows Update for Business Connnected - Condition 2: Device must be in Paused State - Condition 3: Device must have the Latest Feature Update Installed on the device (Current State) -- Condition 4: Machine should be within the uninstall period +- Condition 4: Machine should be within the uninstall period -> [!Note] +> [!Note] > This only works for Semi Annual Channel Targeted devices. If the conditions are not true, the device will not Roll Back the Latest Feature Update. - -**Rollback/QualityUpdateStatus** -Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation. -**Rollback/FeatureUpdateStatus** +**Rollback/QualityUpdateStatus** +Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation. + +**Rollback/FeatureUpdateStatus** Added in Windows 10, version 1803. Returns the result of last RollBack FeatureUpdate operation. ## Related topics 
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 010d58563c..ef49ec3a51 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -13,7 +13,7 @@ ms.date: 04/02/2017
 # VPN CSP
-The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](http://technet.microsoft.com/library/ff687731%28v=ws.10%29.aspx).
+The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](https://technet.microsoft.com/library/ff687731%28v=ws.10%29.aspx).
 > **Note**   The VPN CSP is deprecated in Windows 10 and it only supported in Windows 10 Mobile for backward compatibility. Use [VPNv2 CSP](vpnv2-csp.md) instead.
@@ -33,29 +33,29 @@ The following diagram shows the VPN configuration service provider in tree forma
 ![provisioning\-csp\-vpn](images/provisioning-csp-vpn.png)
-***ProfileName***
+***ProfileName***
 Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**Server**
+**Server**
 Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm. Supported operations are Get, Add, and Replace. Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com.
-**TunnelType**
+**TunnelType**
 Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. Value type is chr. Supported operations are Get and Add.
-**ThirdParty**
+**ThirdParty**
 Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. Supported operations are Get and Add.
-**ThirdParty/Name**
+**ThirdParty/Name**
 Required when ThirdParty is defined for SSL-VPN profile provisioning. Value type is chr. Supported operations are Get and Add.
@@ -70,32 +70,32 @@ Valid values: - Checkpoint Mobile VPN -**ThirdParty/AppID** +**ThirdParty/AppID** Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. Value type is chr. Supported operations are Get, Add, Replace, and Delete. -**ThirdParty/CustomStoreURL** +**ThirdParty/CustomStoreURL** Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app. Value type is chr. Supported operations are Get, Add, Replace, and Delete. -**ThirdParty/CustomConfiguration** +**ThirdParty/CustomConfiguration** Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins. Value type is char. Supported operations are Get, Add, Replace, and Delete. -**RoleOrGroup** +**RoleOrGroup** Not Implemented. Optional. Value type is char. Supported operations are Get, Add, Delete, and Replace. -**Authentication** +**Authentication** Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a collection of configuration objects to ensure that the correct authentication policy is used on the device based on the chosen TunnelType. Supported operations are Get and Add. -**Authentication/Method** +**Authentication/Method** Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. Supported operations are Get and Add. 
@@ -106,12 +106,12 @@ Value type is chr.   -**Authentication/Certificate** +**Authentication/Certificate** Optional node. A collection of nodes that enables simpler authentication experiences for end users when using VPN. This and its subnodes should not be used for IKEv2 profiles. Supported operations are Get and Add. -**Authentication/Certificate/Issuer** +**Authentication/Certificate/Issuer** Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -120,7 +120,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.   -**Authentication/Certificate/EKU** +**Authentication/Certificate/EKU** Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. 
@@ -129,38 +129,38 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.   -**Authentication/Certificate/CacheLifeTimeForProtectedCert** +**Authentication/Certificate/CacheLifeTimeForProtectedCert** Not Implemented. Optional. Value type is int. Supported operations are Get, Add, Replace, and Delete. -**Authentication/EAP** -Required when IKEv2 is selected. Defines the EAP blob to be used for IKEv2 authentication. You can use EAP-MSCHAPv2 or EAP-TLS. EAP blob is HTML encoded XML as defined in EAP Host Config schemas. You can find the schemas in [Microsoft EAP MsChapV2 Schema](http://go.microsoft.com/fwlink/p/?LinkId=523885) and [Microsoft EAP TLS Schema](http://go.microsoft.com/fwlink/p/?LinkId=523884). +**Authentication/EAP** +Required when IKEv2 is selected. Defines the EAP blob to be used for IKEv2 authentication. You can use EAP-MSCHAPv2 or EAP-TLS. EAP blob is HTML encoded XML as defined in EAP Host Config schemas. You can find the schemas in [Microsoft EAP MsChapV2 Schema](https://go.microsoft.com/fwlink/p/?LinkId=523885) and [Microsoft EAP TLS Schema](https://go.microsoft.com/fwlink/p/?LinkId=523884). Supported operations are Get, Add, and Replace. Value type is chr. -**Proxy** +**Proxy** Optional node. A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile will be applied when this profile is active and connected. Supported operations are Add, Delete, and Replace. -**Proxy/Manual/Server** +**Proxy/Manual/Server** Optional. Set this element together with PORT. The value is the proxy server address as a fully qualified hostname or an IP address, for example, proxy.constoso.com. Supported operations are Get, Add, Replace, and Delete. Value type is chr. -**Proxy/Manual/Port** +**Proxy/Manual/Port** Optional. Set this element together with Server. The value is the proxy server port number in the range of 1-65535, for example, 8080. 
Supported operations are Get, Add, Replace, and Delete. Value type is int. -**Proxy/BypassForLocal** +**Proxy/BypassForLocal** Optional. When this setting is enabled, any web requests to resources in the intranet zone will not be sent to the proxy. When this is false, the setting should be disabled and all requests should go to the proxy. When this is true, the setting is enabled and intranet requests will not go to the proxy. Supported operations are Get, Add, Replace, and Delete. @@ -169,10 +169,10 @@ Value type is bool. Default is False. -**SecuredResources** +**SecuredResources** Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported.. -**SecuredResources/AppAllowedList/AppAllowedList** +**SecuredResources/AppAllowedList/AppAllowedList** Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps. Supported operations are Get, Add, Replace and Delete. 
@@ -181,7 +181,7 @@ Value type is chr. Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u. -**SecuredResources/NetworkAllowedList/NetworkAllowedList** +**SecuredResources/NetworkAllowedList/NetworkAllowedList** Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks. Supported operations are Get, Add, Replace, and Delete. @@ -190,7 +190,7 @@ Value type is chr. An example is 172.31.0.0/16. -**SecuredResources/NameSpaceAllowedList/NameSpaceAllowedList** +**SecuredResources/NameSpaceAllowedList/NameSpaceAllowedList** Optional. Specifies one or more namespaces that you want secured over VPN. All requests to the specified namespaces are secured over VPN. Applications connecting to namespaces are secured over VPN. Otherwise, they’ll continue to connect directly. Namespaces are defined in the format \*.corp.contoso.com. Restrictions such as \* or \*.\* or \*.com.\* are not allowed. NetworkAllowedList is required for IKEv2 profiles for routing the traffic correctly over split tunnel. Supported operations are Get, Add, Replace, and Delete. @@ -199,7 +199,7 @@ Value type is chr. An example is \*.corp.contoso.com. -**SecuredResources/ExcluddedAppList/ExcludedAppList** +**SecuredResources/ExcluddedAppList/ExcludedAppList** Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. Supported operations are Get, Add, Replace, and Delete. 
@@ -208,7 +208,7 @@ Value type is chr. Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u. -**SecuredResources/ExcludedNetworkList/ExcludedNetworkList** +**SecuredResources/ExcludedNetworkList/ExcludedNetworkList** Optional. Specifies one or more IP addresses that will never use VPN. Any app connecting to the configured excluded IP list will use the internet directly and bypass VPN. Values are defined in the format 10.0.0.0/8. Supported operations are Get, Add, Replace, and Delete. @@ -217,7 +217,7 @@ Value type is chr. An example is 172.31.0.0/16. -**SecuredResources/ExcludedNameSpaceList/ExcludedNameSpaceList** +**SecuredResources/ExcludedNameSpaceList/ExcludedNameSpaceList** Optional. Specifies one or more namespaces of hosts that will never use VPN. Any app connecting to the configured excluded host list will use the internet and bypass VPN. Restrictions such as \* or \*.\* or \*.com.\* are not allowed. Supported operations are Get, Add, Replace, and Delete. @@ -226,7 +226,7 @@ Value type is chr. An example is \*.corp.contoso.com. -**SecuredResources/DNSSuffixSearchList/DNSSuffixSearchList** +**SecuredResources/DNSSuffixSearchList/DNSSuffixSearchList** Optional. Specifies one or many DNS suffixes that will be appended to shortname URLs for DNS resolution and connectivity. Supported operations are Get, Add, Replace, and Delete. @@ -235,10 +235,10 @@ Value type is chr. An example is .corp.contoso.com. -**Policies** +**Policies** Optional node. A collection of configuration objects you can use to enforce profile-specific restrictions. -**Policies/SplitTunnel** +**Policies/SplitTunnel** Optional. When this is False, all traffic goes to the VPN gateway in force tunnel mode. When this is True, only the specific traffic to defined secured resources goes to the VPN gateway. Supported operations are Get, Add, Replace, and Delete. 
@@ -247,7 +247,7 @@ Value type is bool. Default value is True. -**Policies/ByPassForLocal** +**Policies/ByPassForLocal** Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. Supported operations are Get, Add, Replace, and Delete. @@ -256,7 +256,7 @@ Value type is bool. Default value is False. -**Policies/TrustedNetworkDetection** +**Policies/TrustedNetworkDetection** Optional. When this setting is set to True, the VPN cannot connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. When this is False, the VPN connects over corporate wireless network. This node has a dependency on the DNSSuffix node setting to detect the corporate wireless network. Supported operations are Get, Add, Replace, and Delete. @@ -265,7 +265,7 @@ Value type is bool. Default value is False. -**Policies/ConnectionType** +**Policies/ConnectionType** Optional. Valid values are: - Triggering: A VPN automatically connects as applications require connectivity to protected resources. The life cycle of the VPN is based on applications using the VPN. Recommended setting for optimizing usage of power resources. @@ -278,7 +278,7 @@ Value type is chr. Default value is Triggering. -**DNSSuffix** +**DNSSuffix** Optional, but it is required to set the specific DNS suffix of the primary connection. Supported operations are Get, Add, Delete, and Replace. Value type is chr. 
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index e98cd44400..e7dc68df1b 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -255,7 +255,14 @@ An optional flag to enable Always On mode. This will automatically connect the V
 > **Note**  Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
-  
+Preserving user Always On preference
+
+Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
+Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
+Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
+Value: AutoTriggerDisabledProfilesList
+Type: REG_MULTI_SZ
+
 Valid values:
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index 03b49e0560..7ed090af21 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -25,10 +25,10 @@ The following diagram shows the configuration service provider in tree format as
 ![w4 application csp (cp)](images/provisioning-csp-w4-application-cp.png)
-**APPID**
+**APPID**
 Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".
-**NAME**
+**NAME**
 Optional. Specifies a user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. This parameter takes a string value. The possible values to configure the NAME parameter are:
@@ -45,15 +45,15 @@ If no value is specified, the registry location will default to <unnamed>.
 If `Name` is greater than 40 characters, it will be truncated to 40 characters.
-**TO-PROXY**
+**TO-PROXY**
 Required. Specifies one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed. The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy.
-**TO-NAPID**
+**TO-NAPID**
 Required. Specifies the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](napdef-csp.md).
-**ADDR**
+**ADDR**
 Required. Specifies the address of the MMS application server, as a string. The possible values to configure the ADDR parameter are: - A Uniform Resource Identifier (URI)
@@ -62,7 +62,7 @@ Required. Specifies the address of the MMS application server, as a string. The
 - A fully qualified Internet domain name
-**MS**
+**MS**
 Optional. The maximum authorized size, in KB, for multimedia content. This parameter takes a numeric value in string format. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized.
 ## Remarks
@@ -72,7 +72,7 @@ Windows Phone MMS does not support user–selectable profiles. While multiple MM
 If provisioning XML is received for a profile with an existing name, the values in that profile will be overwritten with the new values.
-For more information about the parameters used by the w4 APPLICATION configuration service provider and how they are used, see the OMA MMS Conformance Document (OMA-TS-MMS-CONF-V1\_3-20051027-C) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
+For more information about the parameters used by the w4 APPLICATION configuration service provider and how they are used, see the OMA MMS Conformance Document (OMA-TS-MMS-CONF-V1\_3-20051027-C) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
 ## Related topics
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 708ac76bd8..cce5885ca9 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -33,23 +33,23 @@ The following image shows the WiFi configuration service provider in tree format The following list shows the characteristics and parameters. -**Device or User profile** +**Device or User profile** For user profile, use ./User/Vendor/MSFT/Wifi path and for device profile, use ./Device/Vendor/MSFT/Wifi path. -**Profile** +**Profile** Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. Supported operation is Get. -***<SSID>*** +***<SSID>*** Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted. SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, <LocURI>./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml</LocURI>. The supported operations are Add, Get, Delete, and Replace. -**WlanXML** -The XML that describes the network configuration and follows the [WLAN\_profile Schema](http://go.microsoft.com/fwlink/p/?LinkId=325608) on MSDN. +**WlanXML** +The XML that describes the network configuration and follows the [WLAN\_profile Schema](https://go.microsoft.com/fwlink/p/?LinkId=325608) on MSDN. Supported operations are Get, Add, Delete, and Replace. 
@@ -57,13 +57,13 @@ Value type is chr. The profile XML must be escaped, as shown in the examples below. -If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](http://go.microsoft.com/fwlink/p/?LinkId=523870). +If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](https://go.microsoft.com/fwlink/p/?LinkId=523870). -> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=618963). +> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](https://go.microsoft.com/fwlink/p/?LinkId=618963). The supported operations are Add, Get, Delete, and Replace. -**Proxy** +**Proxy** Optional. Specifies the configuration of the network proxy. A proxy server host and port can be specified per connection for Windows 10 Mobile. This proxy configuration is only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions will result in failure. The format is *host:port*, where host can be one of the following: @@ -76,7 +76,7 @@ If it is an IPvFuture address, then it must be specified as an IP literal as "\[ Supported operations are Get, Add, Delete, and Replace. -**DisableInternetConnectivityChecks** +**DisableInternetConnectivityChecks** Added in Windows 10, version 1511.Optional. Disable the internet connectivity check for the profile. Value type is chr. 
@@ -86,23 +86,23 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace. -**ProxyPacUrl** +**ProxyPacUrl** Added in Windows 10, version 1607. Optional. Specifies the value of the URL to the Proxy auto-config (PAC) file location. This proxy configuration is only supported in Windows 10 Mobile. Value type is chr, e.g. http://www.contoso.com/wpad.dat. -**ProxyWPAD** +**ProxyWPAD** Added in Windows 10, version 1607. Optional. When set to true it enables Web Proxy Auto-Discovery Protocol (WPAD) for proxy lookup.This proxy configuration is only supported in Windows 10 Mobile. Value type is bool. -**WiFiCost** -Added in Windows 10, next major version. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted. +**WiFiCost** +Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted. -Supported values: +Supported values: - 1 - Unrestricted - unlimited connection -- 2 - Fixed - capacity constraints up to a certain data limit +- 2 - Fixed - capacity constraints up to a certain data limit - 3 - Variable - paid on per byte basic Supported operations are Add, Get, Replace and Delete. Value type is integer. @@ -156,28 +156,28 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor The following example shows how to query Wi-Fi profiles installed on an MDM server. ``` syntax - - 301 - - - ./Vendor/MSFT/WiFi/Profile - - + + 301 + + + ./Vendor/MSFT/WiFi/Profile + + ``` The following example shows the response. ``` syntax - - 3 - 1 + + 3 + 1 301 - - ./Vendor/MSFT/WiFi/Profile - node - TestWLAN1/TestWLAN2 - + + ./Vendor/MSFT/WiFi/Profile + node + TestWLAN1/TestWLAN2 + ``` diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index a4ec65ad3c..d09ff0684c 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md 
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -17,7 +17,7 @@ ms.date: 06/28/2018
 This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML.
-The XML below is for Windows 10, next major version.
+The XML below is for Windows 10, version 1809.
 ``` syntax
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 5efc199b30..d519cb965d 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -14,9 +14,9 @@ ms.date: 07/19/2018
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, next major version.
+The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, version 1809.
-The following diagram shows the Storage configuration service provider in tree format.
+The following diagram shows the Win32CompatibilityAppraiser configuration service provider in tree format.
 ![Win32CompatibilityAppraiser CSP diagram](images/provisioning-csp-win32compatibilityappraiser.png)
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
index 9b8a7d81c5..1b6e03919f 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
@@ -18,7 +18,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Win32Co
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, next major version.
+The XML below is for Windows 10, version 1809.
 ``` syntax
diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
index 0035d1b6dc..c33b128242 100644
--- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
@@ -15,7 +15,7 @@ ms.date: 06/26/2017
 # Enterprise settings, policies, and app management
-The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).
+The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).
 Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](configuration-service-provider-reference.md).
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index de75c4898d..b0bf8c6cf3 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -6,33 +6,34 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 03/22/2018
+ms.date: 09/10/2018
 ---
 # WindowsDefenderApplicationGuard CSP
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709.
+The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Windows Defender Application Guard. This CSP was added in Windows 10, version 1709.
 The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format.
 ![windowsdefenderapplicationguard csp](images/provisioning-csp-windowsdefenderapplicationguard.png)
 **./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
-

            Root node. Supported operation is Get.

            -

            +Root node. Supported operation is Get.
 **Settings**
-

            Interior node. Supported operation is Get.

            +Interior node. Supported operation is Get.
 **Settings/AllowWindowsDefenderApplicationGuard**
-

            Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            +Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
 - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container.
 **Settings/ClipboardFileType**
-

            Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            +Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 - 0 - Disables content copying.
 - 1 - Allow text copying.
@@ -40,7 +41,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
 - 3 - Allow text and image copying.
 **Settings/ClipboardSettings**
-

            This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete

            +This policy setting allows you to decide how the clipboard behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete
 - 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
 - 1 - Turns On clipboard operation from an isolated session to the host
@@ -51,7 +52,7 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
 > Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
 **Settings/PrintingSettings**
-

            This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            +This policy setting allows you to decide how the print functionality behaves while in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 - 0 - Disables all print functionality (default)
 - 1 - Enables only XPS printing
@@ -70,13 +71,13 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
 - 15 - Enables all printing
 **Settings/BlockNonEnterpriseContent**
-

            This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            +This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-- 0 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
-- 1 (default) - Non-enterprise sites can open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
+- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Windows Defender Application Guard container, directly in Internet Explorer and Microsoft Edge..
+- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Windows Defender Application Guard.
 **Settings/AllowPersistence**
-

            This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.

            +This policy setting allows you to decide whether data should persist across different sessions in Application Guard. Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 - 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
 - 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
@@ -93,29 +94,62 @@ Added in Windows 10, version 1803. This policy setting allows you to determine w
 - 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
 - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
+**Settings/FileTrustCriteria**
+Placeholder for future use. Do not use in production code.
+
+**Settings/FileTrustOriginRemovableMedia**
+Placeholder for future use. Do not use in production code.
+
+**Settings/FileTrustOriginNetworkShare**
+Placeholder for future use. Do not use in production code.
+
+**Settings/FileTrustOriginMarkOfTheWeb**
+Placeholder for future use. Do not use in production code.
+
+**Settings/CertificateThumbprints**
+Added in Windows 10, version 1809. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. You can specify multiple certificates using a comma to separate the thumbprints for each certificate you want to transfer.
+
+Example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
+
+If you disable or don’t configure this setting, certificates are not shared with the Windows Defender Application Guard container.
+
+**Settings/AllowCameraMicrophoneRedirection**
+Added in Windows 10, version 1809. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+If you enable this policy, applications inside Windows Defender Application Guard will be able to access the camera and microphone on the user’s device.
+
+If you disable or don't configure this policy, applications inside Windows Defender Application Guard will be unable to access the camera and microphone on the user’s device.
+
+> [!Important]
+> If you turn on this policy, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.
+
 **Status**
-

            Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
+Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get.
-Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
-Bit 1 - Set to 1 when the client machine is Hyper-V capable
-Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
-Bit 3 - Set to 1 when WDAG installed on the client machine
-Bit 4 - Set to 1 when required Network Isolation Policies are configured
-Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
-
-

            +- Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode
+- Bit 1 - Set to 1 when the client machine is Hyper-V capable
+- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU
+- Bit 3 - Set to 1 when WDAG installed on the client machine
+- Bit 4 - Set to 1 when required Network Isolation Policies are configured
+- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements
 **InstallWindowsDefenderApplicationGuard**
-

            Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.

            +Initiates remote installation of Application Guard feature. Supported operations are Get and Execute.
 - Install - Will initiate feature install
 - Uninstall - Will initiate feature uninstall
 **Audit**
-

            Interior node. Supported operation is Get

            +Interior node. Supported operation is Get
 **Audit/AuditApplicationGuard**
-

            This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.

            +This policy setting allows you to decide whether auditing events can be collected from Application Guard. Value type in integer. Supported operations are Add, Get, Replace, and Delete.
 - 0 (default) - - Audit event logs aren't collected for Application Guard.
 - 1 - Application Guard inherits its auditing policies from Microsoft Edge and starts to audit system events specifically for Application Guard.
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index 33e53da2a3..eff9174d89 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -6,19 +6,21 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 03/22/2018
+ms.date: 09/10/2018
 ---
 # WindowsDefenderApplicationGuard DDF file
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-This XML is for Windows 10, version 1803.
+This XML is for Windows 10, version 1809.
-``` syntax
+```xml
- com.microsoft/1.2/MDM/WindowsDefenderApplicationGuard
+ com.microsoft/1.3/MDM/WindowsDefenderApplicationGuard
@@ -248,6 +250,147 @@ This XML is for Windows 10, version 1803. + + FileTrustCriteria + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginRemovableMedia + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginNetworkShare + + + + + + + + + + + + + + + + + + text/plain + + + + + FileTrustOriginMarkOfTheWeb + + + + + + + + + + + + + + + + + + text/plain + + + + + CertificateThumbprints + + + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCameraMicrophoneRedirection + + + + + + + + + + + + + + + + + + text/plain + + +
            Status
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index 1e61634c31..e9ec81150e 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 07/25/2018
+ms.date: 08/15/2018
 ---
 # WindowsLicensing CSP
@@ -164,7 +164,7 @@ The supported operation is Get.
 Interior node for managing S mode.
 **SMode/SwitchingPolicy**
-Added in Windows 10, next major version. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete)
+Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete)
 Value type is integer. Supported operations are Add, Get, Replace, and Delete.
@@ -173,15 +173,22 @@ Supported values:
 - 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
 **SMode/SwitchFromSMode**
-Added in Windows 10, next major version. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
+Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
 Supported operation is Execute.
 **SMode/Status**
-Added in Windows 10, next major version. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example)
+Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example)
 Value type is integer. Supported operation is Get.
+Values:
+- Request fails with error code 404 - no SwitchFromSMode request has been made.
+- 0 - The device successfully switched out of S mode
+- 1 - The device is processing the request to switch out of S mode
+- 3 - The device was already switched out of S mode
+- 4 - The device failed to switch out of S mode
+
 ## SyncML examples
diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md
index 8da5c10b5c..c96286763c 100644
--- a/windows/client-management/mdm/windowslicensing-ddf-file.md
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md
@@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Windows
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, next major version.
+The XML below is for Windows 10, version 1809.
 ``` syntax
diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md
index 6a06c59879..641b29babc 100644
--- a/windows/client-management/mdm/wirednetwork-csp.md
+++ b/windows/client-management/mdm/wirednetwork-csp.md
@@ -14,7 +14,7 @@ ms.date: 06/27/2018
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, next major version.
+The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809.
 The following diagram shows the WiredNetwork configuration service provider in tree format.
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 56809c2ebb..4349340530 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -41,19 +41,19 @@ Windows 10 includes comprehensive MDM capabilities that can be managed by Micros
 The built-in MDM client is common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT). The client provides a single interface through which you can manage any device that runs Windows 10. The client has two important roles: device enrollment in an MDM system and device management.
-Organizations typically have two scenarios to consider when it comes to device deployment: Bring Your Own (BYO) personal devices and Choose Your Own (CYO) company-owned devices. In both cases, the device must be enrolled in an MDM system, which would configure it with settings appropriate for the organization and the employee.
-Windows 10 Mobile device management capabilities support both personal devices used in the BYO scenario and corporate devices used in the CYO scenario. The operating system offers a flexible approach to registering devices with directory services and MDM systems. IT organizations can provision comprehensive device-configuration profiles based on their business needs to control and protect mobile business data. Apps can be provisioned easily to personal or corporate devices through the Microsoft Store for Business, or by using their MDM system, which can also work with the Microsoft Store for Business for public store apps.
-Knowing who owns the device and what the employee will use it for are the major factors in determining your management strategy and which controls your organization should put in place. Whether personal devices, corporate devices, or a mixture of the two, deployment processes and configuration policies may differ.
+Organizations typically have two scenarios to consider when it comes to device deployment: Bring Your Own (BYO) personal devices and Choose Your Own (CYO) company-owned devices. 
In both cases, the device must be enrolled in an MDM system, which would configure it with settings appropriate for the organization and the employee.
+Windows 10 Mobile device management capabilities support both personal devices used in the BYO scenario and corporate devices used in the CYO scenario. The operating system offers a flexible approach to registering devices with directory services and MDM systems. IT organizations can provision comprehensive device-configuration profiles based on their business needs to control and protect mobile business data. Apps can be provisioned easily to personal or corporate devices through the Microsoft Store for Business, or by using their MDM system, which can also work with the Microsoft Store for Business for public store apps.
+Knowing who owns the device and what the employee will use it for are the major factors in determining your management strategy and which controls your organization should put in place. Whether personal devices, corporate devices, or a mixture of the two, deployment processes and configuration policies may differ.
 For **personal devices**, companies need to be able to manage corporate apps and data on the device without impeding the employee’s ability to personalize it to meet their individual needs. The employee owns the device and corporate policy allows them to use it for both business and personal purposes, with the ability to add personal apps at their discretion. The main concern with personal devices is how organizations can prevent corporate data from being compromised, while still keeping personal data private and under the sole control of the employee. This requires that the device be able to support separation of apps and data with strict control of business and personal data traffic.
-For **corporate devices**, organizations have a lot more control. IT can provide a selected list of supported device models to employees, or they can directly purchase and preconfigure them. 
Because devices are owned by the company, employees can be limited as to how much they can personalize these devices. Security and privacy concerns may be easier to navigate, because the device falls entirely under existing company policy.
+For **corporate devices**, organizations have a lot more control. IT can provide a selected list of supported device models to employees, or they can directly purchase and preconfigure them. Because devices are owned by the company, employees can be limited as to how much they can personalize these devices. Security and privacy concerns may be easier to navigate, because the device falls entirely under existing company policy.
 ### Device enrollment
 *Applies to: Corporate and personal devices*
-The way in which personal and corporate devices are enrolled into an MDM system differs. Your operations team should consider these differences when determining which approach is best for mobile workers in your organization.
+The way in which personal and corporate devices are enrolled into an MDM system differs. Your operations team should consider these differences when determining which approach is best for mobile workers in your organization.
 **Device initialization and enrollment considerations**
@@ -80,16 +80,16 @@ The way in which personal and corporate devices are enrolled into an MDM system
 In the Out-of-the-Box Experience (OOBE), the first time the employee starts the device, they are requested to add a cloud identity to the device. The primary identity on the device is a personal identity. Personal devices are initiated with a Microsoft Account (MSA), which uses a personal email address. The primary identity on the device is an organizational identity. Corporate devices are initialized with an organizational account (account@corporatedomain.ext).
-Initialization of a device with a corporate account is unique to Windows 10. No other mobile platform currently offers this capability. The default option is to use an Azure Active Directory organizational identity.
+Initialization of a device with a corporate account is unique to Windows 10. No other mobile platform currently offers this capability. The default option is to use an Azure Active Directory organizational identity.
 Skipping the account setup in OOBE will result in the creation of a local account. The only option to add a cloud account later is to add an MSA, putting this device into a personal device deployment scenario. To start over, the device will have to be reset.
-Device Enrollment
+Device Enrollment
 Enrolling devices in an MDM system helps control and protect corporate data while keeping workers productive. Device enrollment can be initiated by employees. They can add an Azure account as a secondary account to the Windows 10 Mobile device. Provided the MDM system is registered with your Azure AD, the device is automatically enrolled in the MDM system when the user adds an Azure AD account as a secondary account (MSA+AAD+MDM). If your organization does not have Azure AD, the employee’s device will automatically be enrolled into your organization’s MDM system (MSA+MDM).
-MDM enrollment can also be initiated with a provisioning package. 
This option enables IT to offer easy-to-use self-service enrollment of personal devices. Provisioning is currently only supported for MDM-only enrollment (MSA+MDM).
+MDM enrollment can also be initiated with a provisioning package. This option enables IT to offer easy-to-use self-service enrollment of personal devices. Provisioning is currently only supported for MDM-only enrollment (MSA+MDM).
 The user initiates MDM enrollment by joining the device to the Azure AD instance of their organization. The device is automatically enrolled in the MDM system when the device registers in Azure AD. This requires your MDM system to be registered with your Azure AD (AAD+MDM).
@@ -98,15 +98,15 @@ MDM enrollment can also be initiated with a provisioning package. This option en
 **Recommendation:** Microsoft recommends Azure AD registration and automatic MDM enrollment for corporate devices (AAD+MDM) and personal devices (MSA+AAD+MDM). This requires Azure AD Premium.
-### Identity management
+### Identity management
 *Applies to: Corporate and personal devices*
-Employees can use only one account to initialize a device so it’s imperative that your organization controls which account is enabled first. The account chosen will determine who controls the device and influence your management capabilities.
+Employees can use only one account to initialize a device so it’s imperative that your organization controls which account is enabled first. The account chosen will determine who controls the device and influence your management capabilities.
->**Note:** Why must the user add an account to the device in OOBE? Windows 10 Mobile are single user devices and the user accounts give access to a number of default cloud services that enhance the productivity and entertainment value of the phone for the user. Such services are: Store for downloading apps, Groove for music and entertainment, Xbox for gaming, etc. Both an [MSA](https://www.microsoft.com/en-us/account/) and an [Azure AD account](https://www.microsoft.com/en-us/server-cloud/products/azure-active-directory/?WT.srch=1&WT.mc_id=SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=azure%20ad&utm_campaign=Enterprise_Mobility_Suite) give access to these services.
+>**Note:** Why must the user add an account to the device in OOBE? Windows 10 Mobile are single user devices and the user accounts give access to a number of default cloud services that enhance the productivity and entertainment value of the phone for the user. Such services are: Store for downloading apps, Groove for music and entertainment, Xbox for gaming, etc. 
Both an [MSA](https://www.microsoft.com/en-us/account/) and an [Azure AD account](https://www.microsoft.com/en-us/server-cloud/products/azure-active-directory/?WT.srch=1&WT.mc_id=SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=azure%20ad&utm_campaign=Enterprise_Mobility_Suite) give access to these services.
-The following table describes the impact of identity choice on device management characteristics of the personal and corporate device scenarios.
+The following table describes the impact of identity choice on device management characteristics of the personal and corporate device scenarios.
 **Identity choice considerations for device management**
@@ -135,10 +135,10 @@ The following table describes the impact of identity choice on device management
 Credential management Employees sign in to the device with Microsoft Account credentials.
-Users cannot sign in to devices with Azure AD credentials, even if they add the credentials after initial activation with a Microsoft account.
+Users cannot sign in to devices with Azure AD credentials, even if they add the credentials after initial activation with a Microsoft account.
-Employees sign in to the device with Azure AD credentials.
-IT can block the addition of a personal identity, such as an MSA or Google Account. IT controls all devices access policies, without limitations.
+Employees sign in to the device with Azure AD credentials.
+IT can block the addition of a personal identity, such as an MSA or Google Account. IT controls all devices access policies, without limitations.
@@ -178,16 +178,16 @@ IT can block the addition of a personal identity, such as an MSA or Google Accou For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](https://technet.microsoft.com/en-us/library/mt627908.aspx). -**Azure Active Directory** -Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](http://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. +**Azure Active Directory** +Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)). 
All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. **Mobile Device Management** -Microsoft [Intune](http://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. -You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](http://technet.microsoft.com/en-us/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager. -Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](http://azure.microsoft.com/en-us/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account. 
+Microsoft [Intune](https://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. +You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](https://technet.microsoft.com/en-us/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager. +Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/en-us/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account. >**Note:** Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. -In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. 
MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](http://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicy.aspx). +In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](https://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicy.aspx). **Cloud services** On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect diagnostic and usage data. Windows 10 Mobile enables organizations to manage how devices consume these cloud services. 
@@ -200,23 +200,23 @@ However, there is an exception to this behavior. In Windows 10 Mobile, the Alway For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](/windows/device-security/windows-10-mobile-security-guide). **Windows Update for Business** -Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates. +Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates. **Microsoft Store for Business** -The Microsoft Store for Business is the place where IT administrators can find, acquire, manage, and distribute apps to Windows 10 devices. This includes both internal line-of-business (LOB) apps, as well as commercially available third-party apps. +The Microsoft Store for Business is the place where IT administrators can find, acquire, manage, and distribute apps to Windows 10 devices. This includes both internal line-of-business (LOB) apps, as well as commercially available third-party apps. ## Configure MDM administrators can define and implement policy settings on any personal or corporate device enrolled in an MDM system. What configuration settings you use will differ based on the deployment scenario, and corporate devices will offer IT the broadest range of control. ->**Note:** This guide helps IT professionals understand management options available for the Windows 10 Mobile OS. Please consult your MDM system documentation to understand how these policies are enabled by your MDM vendor. -Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. 
See [Microsoft Intune support for Custom Policies](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors. +>**Note:** This guide helps IT professionals understand management options available for the Windows 10 Mobile OS. Please consult your MDM system documentation to understand how these policies are enabled by your MDM vendor. +Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors. ### Account profile *Applies to: Corporate devices* -Enforcing what accounts employees can use on a corporate device is important for avoiding data leaks and protecting privacy. Limiting the device to just one account controlled by the organization will reduce the risk of a data breach. However, you can choose to allow employees to add a personal Microsoft Account or other consumer email accounts. +Enforcing what accounts employees can use on a corporate device is important for avoiding data leaks and protecting privacy. Limiting the device to just one account controlled by the organization will reduce the risk of a data breach. However, you can choose to allow employees to add a personal Microsoft Account or other consumer email accounts. - **Allow Microsoft Account** Specifies whether users are allowed to add a Microsoft Account to the device and use this account to authenticate to cloud services, such as purchasing apps in Microsoft Store, Xbox, or Groove. - **Allow Adding Non-Microsoft Accounts** Specifies whether users are allowed to add email accounts other than Microsoft accounts. 
@@ -225,22 +225,22 @@ Enforcing what accounts employees can use on a corporate device is important for *Applies to: Corporate and personal devices* -Email and associated calendar and contacts are the primary apps that users access on their smartphones. Configuring them properly is key to the success of any mobility program. In both corporate and personal device deployment scenarios, these email account settings get deployed immediately after enrollment. Using your corporate MDM system, you can define corporate email account profiles, deploy them to devices, and manage inbox policies. +Email and associated calendar and contacts are the primary apps that users access on their smartphones. Configuring them properly is key to the success of any mobility program. In both corporate and personal device deployment scenarios, these email account settings get deployed immediately after enrollment. Using your corporate MDM system, you can define corporate email account profiles, deploy them to devices, and manage inbox policies. - Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [ActiveSync CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920017(v=vs.85).aspx). -- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904953(v=vs.85).aspx). Microsoft Intune does not currently support the creation of an SMTP email profile. +- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904953(v=vs.85).aspx). Microsoft Intune does not currently support the creation of an SMTP email profile. 
### Device Lock restrictions *Applies to: Corporate and personal devices* -It’s common practice to protect a device that contains corporate information with a passcode when it is not in use. As a best practice, Microsoft recommends that you implement a device lock policy for Windows 10 Mobile devices for securing apps and data. You can use a complex password or numeric PIN to lock devices. Introduced with Windows 10, [Windows Hello](http://windows.microsoft.com/en-us/windows-10/getstarted-what-is-hello) allows you to use a PIN, a companion device (like Microsoft band), or biometrics to validate your identity to unlock Windows 10 Mobile devices. +It’s common practice to protect a device that contains corporate information with a passcode when it is not in use. As a best practice, Microsoft recommends that you implement a device lock policy for Windows 10 Mobile devices for securing apps and data. You can use a complex password or numeric PIN to lock devices. Introduced with Windows 10, [Windows Hello](https://windows.microsoft.com/en-us/windows-10/getstarted-what-is-hello) allows you to use a PIN, a companion device (like Microsoft band), or biometrics to validate your identity to unlock Windows 10 Mobile devices. ->**Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +>**Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. 
To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. To use Windows Hello with biometrics, specialized hardware, including fingerprint reader, illuminated IR sensor, or other biometric sensors is required. Hardware based protection of the Windows Hello credentials requires TPM 1.2 or greater; if no TPM exists or is configured, credentials/keys protection will be software-based. Companion devices must be paired with Windows 10 PC’s via Bluetooth. To use a Windows Hello companion device that enables the user to roam with their Windows Hello credentials requires Pro or Enterprise edition on the Windows 10 PC being signed into. -Most of the device lock restriction policies have been available via ActiveSync and MDM since Windows Phone 7 and are still available today for Windows 10 Mobile. If you are deploying Windows 10 devices in a personal device deployment scenario, these settings would apply. +Most of the device lock restriction policies have been available via ActiveSync and MDM since Windows Phone 7 and are still available today for Windows 10 Mobile. If you are deploying Windows 10 devices in a personal device deployment scenario, these settings would apply. - **Device Password Enabled** Specifies whether users are required to use a device lock password. - **Allow Simple Device Password** Whether users can use a simple password (e.g., 1111 or 1234). 
@@ -257,9 +257,9 @@ Most of the device lock restriction policies have been available via ActiveSync Settings related to Windows Hello would be important device lock settings to configure if you are deploying devices using the corporate deployment scenario. Microsoft made it a requirement for all users to create a numeric passcode as part of Azure AD Join. This policy default requires users to select a four-digit passcode, but this can be configured with an AAD-registered MDM system to whatever passcode complexity your organization desires. If you are using Azure AD with an automatic MDM enrollment mechanism, these policy settings are automatically applied during device enrollment. -You will notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies will be applied, with the strongest policy retained. Read [PassportForWork CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information. +You will notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies will be applied, with the strongest policy retained. 
Read [PassportForWork CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information. -### Prevent changing of settings +### Prevent changing of settings *Applies to: Corporate devices* @@ -276,11 +276,11 @@ Employees are usually allowed to change certain personal device settings that yo *Applies to: Corporate devices* -Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi Fi. You can use hardware restrictions to control the availability of these features. +Windows 10 Mobile devices use state-of-the-art technology that includes popular hardware features such as cameras, global positioning system (GPS) sensors, microphones, speakers, near-field communication (NFC) radios, storage card slots, USB interfaces, Bluetooth interfaces, cellular radios, and Wi Fi. You can use hardware restrictions to control the availability of these features. The following lists the MDM settings that Windows 10 Mobile supports to configure hardware restrictions. ->**Note:** Some of these hardware restrictions provide connectivity and assist in data protection. +>**Note:** Some of these hardware restrictions provide connectivity and assist in data protection. - **Allow NFC:** Whether the NFC radio is enabled - **Allow USB Connection:** Whether the USB connection is enabled (doesn’t affect USB charging) 
@@ -295,12 +295,12 @@ The following lists the MDM settings that Windows 10 Mobile supports to configur - **Allow Voice Recording:** Whether the user can use the microphone to create voice recordings - **Allow Location:** Whether the device can use the GPS sensor or other methods to determine location so applications can use location information -### Certificates +### Certificates *Applies to: Personal and corporate devices* -Certificates help improve security by providing account authentication, Wi Fi authentication, VPN encryption, and SSL encryption of web content. Although users can manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation. -To install certificates manually, you can post them on Microsoft Edge website or send them directly via email, which is ideal for testing purposes. +Certificates help improve security by providing account authentication, Wi Fi authentication, VPN encryption, and SSL encryption of web content. Although users can manage certificates on devices manually, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation. +To install certificates manually, you can post them on Microsoft Edge website or send them directly via email, which is ideal for testing purposes. Using SCEP and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device (as long as the MDM system supports the Simple Certificate Enrollment Protocol (SCEP) or Personal Information Exchange (PFX)). 
The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired. In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings. Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile). @@ -342,7 +342,7 @@ You can create multiple Wi-Fi profiles in your MDM system. The below table lists - **Proxy auto-configuration URL** A URL that specifies the proxy auto-configuration file - **Enable Web Proxy Auto-Discovery Protocol (WPAD)** Specifies whether WPAD is enabled -In addition, you can set a few device wide Wi-Fi settings. +In addition, you can set a few device wide Wi-Fi settings. - **Allow Auto Connect to Wi Fi Sense Hotspots** Whether the device will automatically detect and connect to Wi-Fi networks - **Allow Manual Wi-Fi Configuration** Whether the user can manually configure Wi-Fi settings - **Allow Wi-Fi** Whether the Wi-Fi hardware is enabled 
@@ -356,23 +356,23 @@ Get more detailed information about Wi-Fi connection profile settings in the [Wi *Applies to: Corporate devices* An Access Point Name (APN) defines network paths for cellular data connectivity. Typically, you define just one APN for a device in collaboration with a mobile operator, but you can define multiple APNs if your company uses multiple mobile operators. -An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. +An APN provides a private connection to the corporate network that is unavailable to other companies on the mobile operator network. You can define and deploy APN profiles in MDM systems that configure cellular data connectivity for Windows 10 Mobile. Devices running Windows 10 Mobile can have only one APN profile. The following lists the MDM settings that Windows 10 Mobile supports for APN profiles. -- **APN name** The APN name +- **APN name** The APN name - *IP connection type* The IP connection type; set to one of the following values: - IPv4 only - IPv6 only - IPv4 and IPv6 concurrently - - IPv6 with IPv4 provided by 46xlat -- **LTE attached** Whether the APN should be attached as part of an LTE Attach + - IPv6 with IPv4 provided by 46xlat +- **LTE attached** Whether the APN should be attached as part of an LTE Attach - **APN class ID** The globally unique identifier that defines the APN class to the modem - **APN authentication type** The APN authentication type; set to one of the following values: - None - Auto - PAP - CHAP - - MSCHAPv2 + - MSCHAPv2 - **User name** The user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type - **Password** The password for the user account specified in User name - **Integrated circuit card ID** The integrated circuit card ID associated with the cellular connection profile 
@@ -396,7 +396,7 @@ The below lists the Windows 10 Mobile settings for managing APN proxy settings f - **User Name** Specifies the username used to connect to the proxy - **Password** Specifies the password used to connect to the proxy - **Server** Specifies the name of the proxy server -- **Proxy connection type** The proxy connection type, supporting: Null proxy, HTTP, WAP, SOCKS4 +- **Proxy connection type** The proxy connection type, supporting: Null proxy, HTTP, WAP, SOCKS4 - **Port** The port number of the proxy connection For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914762(v=vs.85).aspx). 
@@ -407,17 +407,17 @@ For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.micro Organizations often use a VPN to control access to apps and resources on their company’s intranet. In addition to native Microsoft Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Internet Key Exchange Protocol version 2 (IKEv2) VPNs, Windows 10 Mobile supports SSL VPN connections, which require a downloadable plugin from the Microsoft Store and are specific to the VPN vendor of your choice. These plugins work like apps and can be installed directly from the Microsoft Store using your MDM system (see App Management). -You can create and provision multiple VPN connection profiles and then deploy them to managed devices that run Windows 10 Mobile. +You can create and provision multiple VPN connection profiles and then deploy them to managed devices that run Windows 10 Mobile. To create a VPN profile that uses native Windows 10 Mobile VPN protocols (such as IKEv2, PPTP, or L2TP), you can use the following settings: - **VPN Servers** The VPN server for the VPN profile -- **Routing policy type** The type of routing policy the VPN profile uses can be set to one of the following values: +- **Routing policy type** The type of routing policy the VPN profile uses can be set to one of the following values: - Split tunnel. Only network traffic destined to the intranet goes through the VPN connection - Force tunnel. 
All traffic goes through the VPN connection - **Tunneling protocol type** The tunneling protocol used for VPN profiles that use native Windows 10 Mobile VPN protocols can be one the following values: PPTP, L2TP, IKEv2, Automatic - **User authentication method** The user authentication method for the VPN connection can have a value of EAP or MSChapv2 (Windows 10 Mobile does not support the value MSChapv2 for IKEv2-based VPN connections) - **Machine certificate** The machine certificate used for IKEv2-based VPN connections -- **EAP configuration** To create a single sign-on experience for VPN users using certificate authentication, you need to create an Extensible Authentication Protocol (EAP) configuration XML file and include it in the VPN profile +- **EAP configuration** To create a single sign-on experience for VPN users using certificate authentication, you need to create an Extensible Authentication Protocol (EAP) configuration XML file and include it in the VPN profile - **L2tpPsk** The pre-shared key used for an L2TP connection - **Cryptography Suite** Enable the selection of cryptographic suite attributes used for IPsec tunneling @@ -447,7 +447,7 @@ In addition, you can specify per VPN Profile: - It can never be disconnected. - If the VPN profile is not connected, the user has no network connectivity. - No other VPN profiles can be connected or modified. -- **ProfileXML** In case your MDM system does not support all the VPN settings you want to configure, you can create an XML file that defines the VPN profile you want to apply to all the fields you require. +- **ProfileXML** In case your MDM system does not support all the VPN settings you want to configure, you can create an XML file that defines the VPN profile you want to apply to all the fields you require. For more details about VPN profiles, see the [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776(v=vs.85).aspx) 
@@ -464,7 +464,7 @@ Protecting the apps and data stored on a device is critical to device security. Windows 10 Mobile also has the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on so you don’t need to set a policy explicitly to enable it. -The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos. This gives users the flexibility to use an SD card while still protecting the confidential apps and data on it. +The SD card is uniquely paired with a device. No other devices can see the apps or data on the encrypted partition, but they can access the data stored on the unencrypted partition of the SD card, such as music or photos. This gives users the flexibility to use an SD card while still protecting the confidential apps and data on it. You can disable the **Allow Storage Card** setting if you wish to prevent users from using SD cards entirely. If you choose not to encrypt storage, you can help protect your corporate apps and data by using the Restrict app data to the system volume and Restrict apps to the system volume settings. These help ensure that users cannot copy your apps and data to SD cards. 
@@ -487,50 +487,50 @@ Here is a list of MDM storage management settings that Windows 10 Mobile provide *Applies to: Corporate and personal devices* -User productivity on mobile devices is often driven by apps. +User productivity on mobile devices is often driven by apps. -Windows 10 makes it possible to develop apps that work seamlessly across multiple devices using the Universal Windows Platform (UWP) for Windows apps. UWP converges the application platform for all devices running Windows 10 so that apps run without modification on all editions of Windows 10. This saves developers both time and resources, helping deliver apps to mobile users more quickly and efficiently. This write-once, run-anywhere model also boosts user productivity by providing a consistent, familiar app experience on any device type. +Windows 10 makes it possible to develop apps that work seamlessly across multiple devices using the Universal Windows Platform (UWP) for Windows apps. UWP converges the application platform for all devices running Windows 10 so that apps run without modification on all editions of Windows 10. This saves developers both time and resources, helping deliver apps to mobile users more quickly and efficiently. This write-once, run-anywhere model also boosts user productivity by providing a consistent, familiar app experience on any device type. For compatibility with existing apps, Windows Phone 8.1 apps still run on Windows 10 Mobile devices, easing the migration to the newest platform. Microsoft recommend migrating your apps to UWP to take full advantage of the improvements in Windows 10 Mobile. In addition, bridges have been developed to easily and quickly update existing Windows Phone 8.1 (Silverlight) and iOS apps to the UWP. 
-Microsoft also made it easier for organizations to license and purchase UWP apps via Microsoft Store for Business and deploy them to employee devices using the Microsoft Store, or an MDM system, that can be integrated with the Microsoft Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security. +Microsoft also made it easier for organizations to license and purchase UWP apps via Microsoft Store for Business and deploy them to employee devices using the Microsoft Store, or an MDM system, that can be integrated with the Microsoft Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security. -To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/en-us/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/en-us/windows/uwp/porting/index). +To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/en-us/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/en-us/windows/uwp/porting/index). 
### Microsoft Store for Business: Sourcing the right app *Applies to: Corporate and personal devices* -The first step in app management is to obtain the apps your users need. You can develop your own apps or source your apps from the Microsoft Store. With Windows Phone 8.1, an MSA was needed to acquire and install apps from the Microsoft Store. With the Microsoft Store for Business, Microsoft enables organizations to acquire apps for employees from a private store with the Microsoft Store, without the need for MSAs on Windows 10 devices. +The first step in app management is to obtain the apps your users need. You can develop your own apps or source your apps from the Microsoft Store. With Windows Phone 8.1, an MSA was needed to acquire and install apps from the Microsoft Store. With the Microsoft Store for Business, Microsoft enables organizations to acquire apps for employees from a private store with the Microsoft Store, without the need for MSAs on Windows 10 devices. -Microsoft Store for Business is a web portal that allows IT administrators to find, acquire, manage, and distribute apps to Windows 10 devices. +Microsoft Store for Business is a web portal that allows IT administrators to find, acquire, manage, and distribute apps to Windows 10 devices. Azure AD authenticated managers have access to Microsoft Store for Business functionality and settings, and store managers can create a private category of apps that are specific and private to their organization. (You can get more details about what specific Azure AD accounts have access to Microsoft Store for Business here). Microsoft Store for Business enables organizations to purchase app licenses for their organization and make apps available to their employees. In addition to commercially available apps, your developers can publish line-of-business (LOB) apps to Microsoft Store for Business by request. 
You can also integrate their Microsoft Store for Business subscriptions with their MDM systems, so the MDM system can distribute and manage apps from Microsoft Store for Business. -Microsoft Store for Business supports app distribution under two licensing models: online and offline. +Microsoft Store for Business supports app distribution under two licensing models: online and offline. The online model (store-managed) is the recommended method, and supports both personal device and corporate device management scenarios. To install online apps, the device must have Internet access at the time of installation. On corporate devices, an employee can be authenticated with an Azure AD account to install online apps. On personal devices, an employee must register their device with Azure AD to be able to install corporate licensed online apps. -Corporate device users will find company licensed apps in the Store app on their phone in a private catalog. When an MDM system is associated with the Store for Business, IT administrators can present Store apps within the MDM system app catalog where users can find and install their desired apps. IT administrators can also push required apps directly to employee devices without the employee’s intervention. +Corporate device users will find company licensed apps in the Store app on their phone in a private catalog. When an MDM system is associated with the Store for Business, IT administrators can present Store apps within the MDM system app catalog where users can find and install their desired apps. IT administrators can also push required apps directly to employee devices without the employee’s intervention. Employees with personal devices can install apps licensed by their organization using the Store app on their device. They can use either the Azure AD account or Microsoft Account within the Store app if they wish to purchase personal apps. 
If you allow employees with corporate devices to add a secondary Microsoft Account (MSA), the Store app on the device provides a unified method for installing personal and corporate apps. -Online licensed apps do not need to be transferred or downloaded from the Microsoft Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it will automatically be installed from the cloud. Also, apps will be automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Microsoft Store for Business reclaims the license so it can be used for another user or on another device. +Online licensed apps do not need to be transferred or downloaded from the Microsoft Store to the MDM system to be distributed and managed. When an employee chooses a company-owned app, it will automatically be installed from the cloud. Also, apps will be automatically updated when a new version is available or can be removed if needed. When an app is removed from a device by the MDM system or the user, Microsoft Store for Business reclaims the license so it can be used for another user or on another device. -To distribute an app offline (organization-managed), the app must be downloaded from the Microsoft Store for Business. This can be accomplished in the Microsoft Store for Business portal by an authorized administrator. Offline licensing requires the app developer to opt-in to the licensing model, as the Microsoft Store is no longer able to track licenses for the developer. If the app developer doesn’t allow download of the app from Microsoft Store, then you must obtain the files directly from the developer or use the online licensing method. +To distribute an app offline (organization-managed), the app must be downloaded from the Microsoft Store for Business. This can be accomplished in the Microsoft Store for Business portal by an authorized administrator. 
Offline licensing requires the app developer to opt-in to the licensing model, as the Microsoft Store is no longer able to track licenses for the developer. If the app developer doesn’t allow download of the app from Microsoft Store, then you must obtain the files directly from the developer or use the online licensing method. To install acquired Microsoft Store or LOB apps offline on a Windows 10 Mobile device, IT administrators can use an MDM system. The MDM system distributes the app packages that you downloaded from Microsoft Store (also called sideloading) to Windows 10 Mobile devices. Support for offline app distribution depends on the MDM system you are using, so consult your MDM vendor documentation for details. You can fully automate the app deployment process so that no user intervention is required. Microsoft Store apps or LOB apps that have been uploaded to the Microsoft Store for Business are automatically trusted on all Windows devices, as they are cryptographically signed with Microsoft Store certificates. LOB apps that are uploaded to the Microsoft Store for Business are private to your organization and are never visible to other companies or consumers. If you do not want to upload your LOB apps, you have to establish trust for the app on your devices. To establish this trust, you’ll need to generate a signing certificate with your Public Key Infrastructure and add your chain of trust to the trusted certificates on the device (see the certificates section). You can install up to 20 self-signed LOB apps per device with Windows 10 Mobile. To install more than 20 apps on a device, you can purchase a signing certificate from a trusted public Certificate Authority, or upgrade your devices to Windows 10 Mobile Enterprise edition. -Learn more about the [Microsoft Store for Business](/microsoft-store/index). +Learn more about the [Microsoft Store for Business](/microsoft-store/index). 
### Managing apps *Applies to: Corporate devices* -IT administrators can control which apps are allowed to be installed on Windows 10 Mobile devices and how they should be kept up-to-date. +IT administrators can control which apps are allowed to be installed on Windows 10 Mobile devices and how they should be kept up-to-date. -Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store. +Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store. For more details, see [AppLocker CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920019(v=vs.85).aspx). 
@@ -540,13 +540,13 @@ In addition to controlling which apps are allowed, IT professionals can also imp - **Allow App Store Auto Update** Whether automatic updates of apps from Microsoft Store are allowed. - **Allow Developer Unlock** Whether developer unlock is allowed. - **Allow Shared User App Data** Whether multiple users of the same app can share data. -- **Allow Store** Whether Microsoft Store app is allowed to run. This will completely block the user from installing apps from the Store, but will still allow app distribution through an MDM system. +- **Allow Store** Whether Microsoft Store app is allowed to run. This will completely block the user from installing apps from the Store, but will still allow app distribution through an MDM system. - **Application Restrictions** An XML blob that defines the app restrictions for a device. The XML blob can contain an app allow or deny list. You can allow or deny apps based on their app ID or publisher. See AppLocker above. - **Disable Store Originated Apps** Disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded before the policy was applied. - **Require Private Store Only** Whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available. - **Restrict App Data to System Volume** Whether app data is allowed only on the system drive or can be stored on an SD card. - **Restrict App to System Volume** Whether app installation is allowed only to the system drive or can be installed on an SD card. -- **Start screen layout** An XML blob used to configure the Start screen (see [Start layout for Windows 10 Mobile](http://msdn.microsoft.com/en-us/library/windows/hardware/mt171093(v=vs.85).aspx) for more information). 
+- **Start screen layout** An XML blob used to configure the Start screen (see [Start layout for Windows 10 Mobile](https://msdn.microsoft.com/en-us/library/windows/hardware/mt171093(v=vs.85).aspx) for more information). Find more details on application management options in the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#ApplicationManagement_AllowAllTrustedApps) 
@@ -554,16 +554,16 @@ Find more details on application management options in the [Policy CSP](https:// *Applies to: Corporate and personal devices* -One of the biggest challenges in protecting corporate information on mobile devices is keeping that data separate from personal data. Most solutions available to create this data separation require users to login in with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity. +One of the biggest challenges in protecting corporate information on mobile devices is keeping that data separate from personal data. Most solutions available to create this data separation require users to login in with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity. -Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data protected and personal data private. It automatically tags personal and corporate data and applies policies for those apps that can access data classified as corporate. This includes when data is at rest on local or removable storage. Because corporate data is always protected, users cannot copy it to public locations like social media or personal email. +Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data protected and personal data private. It automatically tags personal and corporate data and applies policies for those apps that can access data classified as corporate. This includes when data is at rest on local or removable storage. Because corporate data is always protected, users cannot copy it to public locations like social media or personal email. -Windows Information Protection works with all apps, which are classified into two categories: enlightened and unenlightened. 
Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on policies. Corporate data will be encrypted at all times and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps consider all data corporate and encrypt everything by default. +Windows Information Protection works with all apps, which are classified into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on policies. Corporate data will be encrypted at all times and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps consider all data corporate and encrypt everything by default. -Any app developed on the UWA platform can be enlightened. Microsoft has made a concerted effort to enlighten several of its most popular apps, including: +Any app developed on the UWA platform can be enlightened. Microsoft has made a concerted effort to enlighten several of its most popular apps, including: - Microsoft Edge - Microsoft People -- Mobile Office apps (Word, Excel, PowerPoint, and OneNote) +- Mobile Office apps (Word, Excel, PowerPoint, and OneNote) - Outlook Mail and Calendar - Microsoft Photos - Microsoft OneDrive 
@@ -571,28 +571,28 @@ Any app developed on the UWA platform can be enlightened. Microsoft has made a c - Microsoft Movies & TV - Microsoft Messaging -The following table lists the settings that can be configured for Windows Information Protection: +The following table lists the settings that can be configured for Windows Information Protection: - **Enforcement level*** Set the enforcement level for information protection: - Off (no protection) - Silent mode (encrypt and audit only) - Override mode (encrypt, prompt, and audit) - Block mode (encrypt, block, and audit) -- **Enterprise protected domain names*** A list of domains used by the enterprise for its user identities. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. -- **Allow user decryption** Allows the user to decrypt files. If not allowed, the user will not be able to remove protection from enterprise content through the OS or app user experience. -- **Require protection under lock configuration** Specifies whether the protection under lock feature (also known as encrypt under PIN) should be configured. -- **Data recovery certificate*** Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy. -- **Revoke on unenroll** Whether to revoke the information protection keys when a device unenrolls from the management service. -- **RMS template ID for information protection** Allows the IT admin to configure the details about who has access to RMS-protected files and for how long. +- **Enterprise protected domain names*** A list of domains used by the enterprise for its user identities. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. 
+- **Allow user decryption** Allows the user to decrypt files. If not allowed, the user will not be able to remove protection from enterprise content through the OS or app user experience. +- **Require protection under lock configuration** Specifies whether the protection under lock feature (also known as encrypt under PIN) should be configured. +- **Data recovery certificate*** Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy. +- **Revoke on unenroll** Whether to revoke the information protection keys when a device unenrolls from the management service. +- **RMS template ID for information protection** Allows the IT admin to configure the details about who has access to RMS-protected files and for how long. - **Allow Azure RMS for information protection** Specifies whether to allow Azure RMS encryption for information protection. - **Show information protection icons** Determines whether overlays are added to icons for information protection secured files in web browser and enterprise-only app tiles in the Start menu. -- **Status** A read-only bit mask that indicates the current state of information protection on the device. The MDM service can use this value to determine the current overall state of information protection. +- **Status** A read-only bit mask that indicates the current state of information protection on the device. The MDM service can use this value to determine the current overall state of information protection. - **Enterprise IP Range*** The enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. - **Enterprise Network Domain Names*** the list of domains that comprise the boundaries of the enterprise. 
Data from one of these domains that is sent to a device will be considered enterprise data and protected. - **Enterprise Cloud Resources** A list of Enterprise resource domains hosted in the cloud that need to be protected. >**Note:** * Are mandatory Windows Information Protection policies. To make Windows Information Protection functional, AppLocker and network isolation settings - specifically Enterprise IP Range and Enterprise Network Domain Names – must be configured. This defines the source of all corporate data that needs protection and also ensures data written to these locations won’t be encrypted by the user’s encryption key (so that others in the company can access it. -For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). +For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). ### Managing user activities @@ -615,7 +615,7 @@ On corporate devices, some user activities expose corporate data to unnecessary - **Enable Offline Maps Auto Update** Disables the automatic download and update of map data - **Allow Offline Maps Download Over Metered Connection** Allows the download and update of map data over metered connections -You can find more details on the experience settings in Policy CSP. +You can find more details on the experience settings in Policy CSP. ### Microsoft Edge 
@@ -639,7 +639,7 @@ The following settings for Microsoft Edge on Windows 10 Mobile can be managed. ## Manage -In enterprise IT environments, the need for security and cost control must be balanced against the desire to provide users with the latest technologies. Since cyberattacks have become an everyday occurrence, it is important to properly maintain the state of your Windows 10 Mobile devices. IT needs to control configuration settings, keeping them from drifting out of compliance, as well as enforce which devices can access internal applications. Windows 10 Mobile delivers the mobile operations management capabilities necessary to ensure that devices are in compliance with corporate policy. +In enterprise IT environments, the need for security and cost control must be balanced against the desire to provide users with the latest technologies. Since cyberattacks have become an everyday occurrence, it is important to properly maintain the state of your Windows 10 Mobile devices. IT needs to control configuration settings, keeping them from drifting out of compliance, as well as enforce which devices can access internal applications. Windows 10 Mobile delivers the mobile operations management capabilities necessary to ensure that devices are in compliance with corporate policy. ### Servicing options 
@@ -647,7 +647,7 @@ In enterprise IT environments, the need for security and cost control must be ba *Applies to: Corporate and personal devices* -Microsoft has streamlined the Windows product engineering and release cycle so new features, experiences, and functionality demanded by the market can be delivered more quickly than ever before. Microsoft plans to deliver two Feature Updates per year (12-month period). Feature Updates establish a Current Branch or CB, and have an associated version. +Microsoft has streamlined the Windows product engineering and release cycle so new features, experiences, and functionality demanded by the market can be delivered more quickly than ever before. Microsoft plans to deliver two Feature Updates per year (12-month period). Feature Updates establish a Current Branch or CB, and have an associated version. @@ -663,27 +663,27 @@ Microsoft has streamlined the Windows product engineering and release cycle so n - + - + - +
            Current Branch15111511 November 2015
            Current Branch for Business15111511 March 2016
            Current Branch16071607 July 2016
            -Microsoft will also deliver and install monthly updates for security and stability directly to Windows 10 Mobile devices. These Quality Updates, released under Microsoft control via Windows Update, are available for all devices running Windows 10 Mobile. Windows 10 Mobile devices consume Feature Updates and Quality Updates as part of the same standard update process. +Microsoft will also deliver and install monthly updates for security and stability directly to Windows 10 Mobile devices. These Quality Updates, released under Microsoft control via Windows Update, are available for all devices running Windows 10 Mobile. Windows 10 Mobile devices consume Feature Updates and Quality Updates as part of the same standard update process. -Quality Updates are usually smaller than Feature Updates, but the installation process and experience is very similar, though larger updates will take more time to install. Enterprise customers can manage the update experience and process on Windows 10 Mobile devices using an MDM system, after upgrading the devices to Enterprise edition. In most cases, policies to manage the update process will apply to both feature and quality updates. +Quality Updates are usually smaller than Feature Updates, but the installation process and experience is very similar, though larger updates will take more time to install. Enterprise customers can manage the update experience and process on Windows 10 Mobile devices using an MDM system, after upgrading the devices to Enterprise edition. In most cases, policies to manage the update process will apply to both feature and quality updates. -Microsoft aspires to update Windows 10 Mobile devices with the latest updates automatically and without being disruptive for all customers. Out-of-the-box, a Windows 10 Mobile device will Auto Scan for available updates. However, depending on the device’s network and power status, update methods and timing will vary. 
+Microsoft aspires to update Windows 10 Mobile devices with the latest updates automatically and without being disruptive for all customers. Out-of-the-box, a Windows 10 Mobile device will Auto Scan for available updates. However, depending on the device’s network and power status, update methods and timing will vary. @@ -706,26 +706,26 @@ Microsoft aspires to update Windows 10 Mobile devices with the latest updates au - + - + + - + - - + + - - - + + +
            Wi-Fi Device is connected to a personal or corporate Wi-Fi network (no data charges)YesYes Yes/td> -YesYes – outside of Active Hours (forced restart after 7 days if user postpones restart)YesYes – outside of Active Hours (forced restart after 7 days if user postpones restart)
            Cellular Device is only connected to a cellular network (standard data charges apply)Will skip a daily scan if scan was successfully completed in the last 5 daysWill skip a daily scan if scan was successfully completed in the last 5 days Will only occur if update package is small and does not exceed the mobile operator data limit.YesIdemYesIdem
            Cellular -- Roaming Device is only connected to a cellular network and roaming charges applyNo NoNoIdemNoNoIdem
            @@ -734,10 +734,10 @@ Microsoft aspires to update Windows 10 Mobile devices with the latest updates au *Applies to: Corporate and Personal devices* -Microsoft publishes new feature updates for Windows 10 and Windows 10 Mobile on a regular basis. The [Windows release information page](https://technet.microsoft.com/en-us/windows/release-info) is designed to help you determine if your devices are current with the latest Windows 10 feature and quality updates. The release information published on this page, covers both Windows 10 for PCs and Windows 10 Mobile. In addition, the [Windows update history page](http://windows.microsoft.com/en-us/windows-10/update-history-windows-10) helps you understand what these updates are about. +Microsoft publishes new feature updates for Windows 10 and Windows 10 Mobile on a regular basis. The [Windows release information page](https://technet.microsoft.com/en-us/windows/release-info) is designed to help you determine if your devices are current with the latest Windows 10 feature and quality updates. The release information published on this page, covers both Windows 10 for PCs and Windows 10 Mobile. In addition, the [Windows update history page](https://windows.microsoft.com/en-us/windows-10/update-history-windows-10) helps you understand what these updates are about. ->**Note:** -We invite IT Professionals to participate in the Windows Insider Program to test updates before they are officially released to make Windows 10 Mobile even better. If you find any issues, please send us feedback via the Feedback Hub +>**Note:** +We invite IT Professionals to participate in the Windows Insider Program to test updates before they are officially released to make Windows 10 Mobile even better. If you find any issues, please send us feedback via the Feedback Hub **Windows as a Service** 
@@ -745,7 +745,7 @@ We invite IT Professionals to participate in the Windows Insider Program to test
 Microsoft created a new way to deliver and install updates to Windows 10 Mobile directly to devices without Mobile Operator approval. This capability helps to simplify update deployments and ongoing management, broadens the base of employees who can be kept current with the latest Windows features and experiences, and lowers total cost of ownership for organizations who no longer have to manage updates to keep devices secure.
-Update availability depends on what servicing option you choose for the device. These servicing options are outlined in the chart below:
+Update availability depends on what servicing option you choose for the device. These servicing options are outlined in the chart below:
@@ -766,23 +766,23 @@ Update availability depends on what servicing option you choose for the device. - + - + - + - + - +
            Windows Insider Builds As appropriate during development cycle, released to Windows Insiders onlyVariable, until the next Insider build is released to Windows InsidersVariable, until the next Insider build is released to Windows Insiders Allows Insiders to test new feature and application compatibility before a Feature Update is released/td> Mobile
            Current Branch (CB) Immediately after the Feature Update is published to Windows Update by MicrosoftMicrosoft typically releases two Feature Updates per 12-month period (approximately every four months, though it can potentially be longer)Microsoft typically releases two Feature Updates per 12-month period (approximately every four months, though it can potentially be longer) Makes new features available to users as soon as possibleMobile & Mobile EnterpriseMobile & Mobile Enterprise
            Current Branch for Business (CBB) A minimum of four months after the corresponding Feature Update is first published to Windows Update by MicrosoftA minimum of four months, though it potentially can be longerNoA minimum of four months, though it potentially can be longerNo Provides additional time to test new feature before deploymentMobile Enterprise onlyMobile Enterprise only
            
@@ -791,12 +791,12 @@ Update availability depends on what servicing option you choose for the device.
 *Applies to: Corporate devices*
-While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 Mobile Enterprise edition.
+While Windows 10 Mobile provides updates directly to user devices from Windows Update, there are many organizations that want to track, test, and schedule updates to corporate devices. To support these requirements, we created the Windows 10 Mobile Enterprise edition.
 Upgrading to Windows 10 Mobile Enterprise edition provides additional device and app management capabilities for organizations that want to:
-- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 Mobile Enterprise edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released.
+- **Defer, approve and deploy feature and quality updates:** Windows 10 Mobile devices get updates directly from Windows Update. If you want to curate updates prior to deploying them, an upgrade to Windows 10 Mobile Enterprise edition is required. Once Enterprise edition is enabled, the phone can be set to the Current Branch for Business servicing option, giving IT additional time to test updates before they are released.
 - **Deploy an unlimited number of self-signed LOB apps to a single device:** To use an MDM system to deploy LOB apps directly to devices, you must cryptographically sign the software packages with a code signing certificate that your organization’s certificate authority (CA) generates.
You can deploy a maximum of 20 self-signed LOB apps to a Windows 10 Mobile device. To deploy more than 20 self-signed LOB apps, Windows 10 Mobile Enterprise is required.
-- **Set the diagnostic data level:** Microsoft collects diagnostic data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the diagnostic data level so that only diagnostic information required to keep devices secured is gathered.
+- **Set the diagnostic data level:** Microsoft collects diagnostic data to help keep Windows devices secure and to help Microsoft improve the quality of Windows and Microsoft services. An upgrade to Windows 10 Mobile Enterprise edition is required to set the diagnostic data level so that only diagnostic information required to keep devices secured is gathered.
 To learn more about diagnostic, see [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
@@ -804,25 +804,25 @@ To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning
 Details on updating a device to Enterprise edition with [WindowsLicensing CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904983(v=vs.85).aspx)
->**Recommendation:** Microsoft recommends using Enterprise edition only on corporate devices. Once a device has been upgraded, it cannot be downgraded. Even a device wipe or reset will not remove the enterprise license from personal devices.
+>**Recommendation:** Microsoft recommends using Enterprise edition only on corporate devices. Once a device has been upgraded, it cannot be downgraded. Even a device wipe or reset will not remove the enterprise license from personal devices.
 **Deferring and Approving Updates with MDM**
 *Applies to: Corporate devices with Enterprise edition*
-Once a device is upgraded to Windows 10 Mobile Enterprise edition, you can manage devices that receive updates from Windows Update (or Windows Update for Business) with a set of update policies.
+Once a device is upgraded to Windows 10 Mobile Enterprise edition, you can manage devices that receive updates from Windows Update (or Windows Update for Business) with a set of update policies.
-To control Feature Updates, you will need to move your devices to the Current Branch for Business (CBB) servicing option. A device that subscribes to CBB will wait for the next CBB to be published by Microsoft Update. While the device will wait for Feature Updates until the next CBB, Quality Updates will still be received by the device.
+To control Feature Updates, you will need to move your devices to the Current Branch for Business (CBB) servicing option. A device that subscribes to CBB will wait for the next CBB to be published by Microsoft Update. While the device will wait for Feature Updates until the next CBB, Quality Updates will still be received by the device.
-To control monthly Quality Update additional deferral policies, need to be set to your desired deferral period. When Quality Updates are available for your Windows 10 Mobile devices from Windows Update, these updates will not install until your deferral period lapses. This gives IT Professionals some time to test the impact of the updates on devices and apps.
+To control monthly Quality Update additional deferral policies, need to be set to your desired deferral period. When Quality Updates are available for your Windows 10 Mobile devices from Windows Update, these updates will not install until your deferral period lapses. This gives IT Professionals some time to test the impact of the updates on devices and apps.
-Before updates are distributed and installed, you may want to test them for issues or application compatibility. IT pros have the ability require updates to be approved. This enables the MDM administrator to select and approve specific updates to be installed on a device and accept the EULA associated with the update on behalf of the user. Please remember that on Windows 10 Mobile all updates are packaged as a “OS updates” and never as individual fixes.
+Before updates are distributed and installed, you may want to test them for issues or application compatibility. IT pros have the ability require updates to be approved. This enables the MDM administrator to select and approve specific updates to be installed on a device and accept the EULA associated with the update on behalf of the user. Please remember that on Windows 10 Mobile all updates are packaged as a “OS updates” and never as individual fixes.
-You may want to choose to handle Quality Updates and Feature Updates in the same way and not wait for the next CBB to be released to your devices. This streamlines the release of updates using the same process for approval and release. You can apply different deferral period by type of update.
In version 1607 Microsoft added additional policy settings to enable more granularity to control over updates.
+You may want to choose to handle Quality Updates and Feature Updates in the same way and not wait for the next CBB to be released to your devices. This streamlines the release of updates using the same process for approval and release. You can apply different deferral period by type of update. In version 1607 Microsoft added additional policy settings to enable more granularity to control over updates.
-Once updates are being deployed to your devices, you may want to pause the rollout of updates to enterprise devices.
-For example, after you start rolling out a quality update, certain phone models are adversely impacted or users are reporting a specific LOB app is not connecting and updating a database. Problems can occur that did not surface during initial testing.
-IT professionals can pause updates to investigate and remediate unexpected issues.
+Once updates are being deployed to your devices, you may want to pause the rollout of updates to enterprise devices.
+For example, after you start rolling out a quality update, certain phone models are adversely impacted or users are reporting a specific LOB app is not connecting and updating a database. Problems can occur that did not surface during initial testing.
+IT professionals can pause updates to investigate and remediate unexpected issues.
 The following table summarizes applicable update policy settings by version of Windows 10 Mobile. All policy settings are backward compatible, and will be maintained in future Feature Updates. Consult the documentation of your MDM system to understand support for these settings in your MDM.
@@ -859,20 +859,20 @@ Defer Feature and Quality Updates for up to 30 days. Approve Updates RequireUpdateApproval - + RequireUpdateApproval - - + + Pause Update rollout once an approved update is being deployed, pausing the rollout of the update. PauseDeferrals -Pause Feature Updates for up to 35 days +Pause Feature Updates for up to 35 days PauseQualityUpdates -Pause Feature Updates for up to 35 days +Pause Feature Updates for up to 35 days 
@@ -881,33 +881,33 @@ Pause Feature Updates for up to 35 days
 *Applies to: Corporate devices with Enterprise edition*
-Set update client experience with [Allowautomaticupdate](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates.
+Set update client experience with [Allowautomaticupdate](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates.
-This can include:
+This can include:
 - Notifying users prior to downloading updates.
 - Automatically downloading updates, and then notifying users to schedule a restart (this is the default behavior if this policy is not configured).
 - Automatically downloading and restarting devices with user notification.
 - Automatically downloading and restarting devices at a specified time.
 - Automatically downloading and restarting devices without user interaction.
-- Turning off automatic updates. This option should be used only for systems under regulatory compliance. The device will not receive any updates.
+- Turning off automatic updates. This option should be used only for systems under regulatory compliance. The device will not receive any updates.
-In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, etc.)
or on a specific what [day of the week](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, etc.).
+In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, etc.) or on a specific what [day of the week](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, etc.).
 **Managing the source of updates with MDM**
 *Applies to: Corporate devices with Enterprise edition*
-Although Windows 10 Enterprise enables IT administrators to defer installation of new updates from Windows Update, enterprises may also want additional control over update processes. With this in mind, Microsoft created Windows Update for Business. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates. If you are using a MDM system, the use of Windows Update for Business is not a requirement, as you can manage these features from your MDM system.
+Although Windows 10 Enterprise enables IT administrators to defer installation of new updates from Windows Update, enterprises may also want additional control over update processes. With this in mind, Microsoft created Windows Update for Business.
Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing updates. If you are using a MDM system, the use of Windows Update for Business is not a requirement, as you can manage these features from your MDM system.
-Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
+Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
-IT administrators can specify where the device gets updates from with AllowUpdateService. This could be Microsoft Update, Windows Update for Business, or Windows Server Update Services (WSUS.
+IT administrators can specify where the device gets updates from with AllowUpdateService. This could be Microsoft Update, Windows Update for Business, or Windows Server Update Services (WSUS.
 **Managing Updates with Windows Update Server**
 *Applies to: Corporate devices with Enterprise edition*
-When using WSUS, set **UpdateServiceUrl** to allow the device to check for updates from a WSUS server instead of Windows Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet, usually handheld devices used for task completion, or other Windows IoT devices.
+When using WSUS, set **UpdateServiceUrl** to allow the device to check for updates from a WSUS server instead of Windows Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet, usually handheld devices used for task completion, or other Windows IoT devices.
 Learn more about [managing updates with Windows Server Update Services (WSUS)](https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx)
@@ -915,46 +915,46 @@ Learn more about [managing updates with Windows Server Update Services (WSUS)](h
 *Applies to: Personal and corporate devices*
-In addition to configuring how Windows 10 Mobile Enterprise obtains updates, the MDM administrator can query devices for Windows 10 Mobile update information so that update status can be checked against a list of approved updates.
+In addition to configuring how Windows 10 Mobile Enterprise obtains updates, the MDM administrator can query devices for Windows 10 Mobile update information so that update status can be checked against a list of approved updates.
 The device update status query provides an overview of:
-- Installed updates: A list of updates that are installed on the device.
-- Installable updates: A list of updates that are available for installation.
+- Installed updates: A list of updates that are installed on the device.
+- Installable updates: A list of updates that are available for installation.
 - Failed updates: A list of updates that failed during installation, including indication of why the update failed.
-- Pending reboot: A list of updates that require a restart to complete update installation.
-- Last successful scan time: The last time a successful update scan was completed.
-- Defer upgrade: Whether the upgrade is deferred until the next update cycle.
+- Pending reboot: A list of updates that require a restart to complete update installation.
+- Last successful scan time: The last time a successful update scan was completed.
+- Defer upgrade: Whether the upgrade is deferred until the next update cycle.
-### Device health
+### Device health
 *Applies to: Personal and corporate devices*
-Device Health Attestation (DHA) is another line of defense that is new to Windows 10 Mobile. It can be used to remotely detect devices that lack a secure configuration or have vulnerabilities that could allow them to be easily exploited by sophisticated attacks.
+Device Health Attestation (DHA) is another line of defense that is new to Windows 10 Mobile. It can be used to remotely detect devices that lack a secure configuration or have vulnerabilities that could allow them to be easily exploited by sophisticated attacks.
-Windows 10 Mobile makes it easy to integrate with Microsoft Intune or third-party MDM solutions for an overall view of device health and compliance. Using these solutions together, you can detect jailbroken devices, monitor device compliance, generate compliance reports, alert users or administrators to issues, initiate corrective action, and manage conditional access to resources like Office 365 or VPN.
+Windows 10 Mobile makes it easy to integrate with Microsoft Intune or third-party MDM solutions for an overall view of device health and compliance. Using these solutions together, you can detect jailbroken devices, monitor device compliance, generate compliance reports, alert users or administrators to issues, initiate corrective action, and manage conditional access to resources like Office 365 or VPN.
-The first version of Device Health Attestation (DHA) was released in June 2015 for Windows 10 devices that supported TPM 2.0 and operated in an enterprise cloud-based topology. In the Windows 10 anniversary release, Device Health Attestation (DHA) capabilities are extended to legacy devices that support TPM 1.2, hybrid, and on-premises environments that have access to the Internet or operate in an air-gapped network.
+The first version of Device Health Attestation (DHA) was released in June 2015 for Windows 10 devices that supported TPM 2.0 and operated in an enterprise cloud-based topology. In the Windows 10 anniversary release, Device Health Attestation (DHA) capabilities are extended to legacy devices that support TPM 1.2, hybrid, and on-premises environments that have access to the Internet or operate in an air-gapped network.
-The health attestation feature is based on Open Mobile Alliance (OMA) standards. IT managers can use DHA to validate devices that:
+The health attestation feature is based on Open Mobile Alliance (OMA) standards. IT managers can use DHA to validate devices that:
 - Run Windows 10 operating system (mobile phone or PC)
-- Support Trusted Module Platform (TPM 1.2 or 2.0) in discrete of firmware format
+- Support Trusted Module Platform (TPM 1.2 or 2.0) in discrete of firmware format
 - Are managed by a DHA-enabled device management solution (Intune or third-party MDM)
-- Operate in cloud, hybrid, on-premises, and BYOD scenarios
+- Operate in cloud, hybrid, on-premises, and BYOD scenarios
 DHA-enabled device management solutions help IT managers create a unified security bar across all managed Windows 10 Mobile devices. This allows IT managers to:
 - Collect hardware attested data (highly assured) data remotely
 - Monitor device health compliance and detect devices that are vulnerable or could be exploited by sophisticated attacks
-- Take actions against potentially compromised devices, such as:
+- Take actions against potentially compromised devices, such as:
 - Trigger corrective actions remotely so offending device is inaccessible (lock, wipe, or brick the device)
 - Prevent the device from getting access to high-value assets (conditional access)
 - Trigger further investigation and monitoring (route the device to a honeypot for further monitoring)
-- Simply alert the user or the admin to fix the issue
+- Simply alert the user or the admin to fix the issue
 >**Note:** Windows Device Health Attestation Service can be used for conditional access scenarios which may be enabled by Mobile Device Management solutions (e.g.: Microsoft Intune) and other types of management systems (e.g.: SCCM) purchased separately.
For more information about health attestation in Windows 10 Mobile, see the [Windows 10 Mobile security guide](/windows/device-security/windows-10-mobile-security-guide).
-Thisis a lists of attributes that are supported by DHA and can trigger the corrective actions mentioned above.
+Thisis a lists of attributes that are supported by DHA and can trigger the corrective actions mentioned above.
 - **Attestation Identity Key (AIK) present** Indicates that an AIK is present (i.e., the device can be trusted more than a device without an AIK).
 - **Data Execution Prevention (DEP) enabled** Whether a DEP policy is enabled for the device, indicating that the device can be trusted more than a device without a DEP policy.
 - **BitLocker status** BitLocker helps protect the storage on the device. A device with BitLocker can be trusted more than a device without BitLocker.
@@ -969,17 +969,17 @@ Thisis a lists of attributes that are supported by DHA and can trigger the corre
 - **Secure Boot Configuration Policy (SBCP) present** Whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash.
 - **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published whitelist. A device that complies with the whitelist is more trustworthy (secure) than a device that is noncompliant.
-**Example scenario**
+**Example scenario**
-Windows 10 mobile has protective measures that work together and integrate with Microsoft Intune or third-party Mobile Device Management (MDM) solutions. IT administrators can monitor and verify compliance to ensure corporate resources are protected end-to–end with the security and trust rooted in the physical hardware of the device.
+Windows 10 mobile has protective measures that work together and integrate with Microsoft Intune or third-party Mobile Device Management (MDM) solutions. IT administrators can monitor and verify compliance to ensure corporate resources are protected end-to–end with the security and trust rooted in the physical hardware of the device.
 Here is what occurs when a smartphone is turned on:
 1. Windows 10 Secure Boot protects the boot sequence, enables the device to boot into a defined and trusted configuration, and loads a factory trusted boot loader.
 2. Windows 10 Trusted Boot takes control, verifies the digital signature of the Windows kernel, and the components are loaded and executed during the Windows startup process.
-3. In parallel to Steps 1 and 2, Windows 10 Mobile TPM (Trusted Platform Modules – measured boot) runs independently in a hardware-protected security zone (isolated from boot execution path monitors boot activities) to create an integrity protected and tamper evident audit trail - signed with a secret that is only accessible by TPM.
-4. 
Devices managed by a DHA-enabled MDM solution send a copy of this audit trail to Microsoft Health Attestation Service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel.
-5. Microsoft HAS reviews the audit trails, issues an encrypted/signed report, and forwards it to the device.
-6. IT managers can use a DHA-enabled MDM solution to review the report in a protected, tamper-resistant and tamper-evident communication channel. They can assess if a device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with security needs and enterprise policies.
+3. In parallel to Steps 1 and 2, Windows 10 Mobile TPM (Trusted Platform Modules – measured boot) runs independently in a hardware-protected security zone (isolated from boot execution path monitors boot activities) to create an integrity protected and tamper evident audit trail - signed with a secret that is only accessible by TPM.
+4. Devices managed by a DHA-enabled MDM solution send a copy of this audit trail to Microsoft Health Attestation Service (HAS) in a protected, tamper-resistant, and tamper-evident communication channel.
+5. Microsoft HAS reviews the audit trails, issues an encrypted/signed report, and forwards it to the device.
+6. IT managers can use a DHA-enabled MDM solution to review the report in a protected, tamper-resistant and tamper-evident communication channel. They can assess if a device is running in a compliant (healthy) state, allow access, or trigger corrective action aligned with security needs and enterprise policies.
 ### Asset reporting
@@ -1012,7 +1012,7 @@ The following list shows examples of the Windows 10 Mobile software and hardware
 *Applies to: Corporate devices with Windows 10 Mobile Enterprise edition*
-Microsoft uses diagnostics, performance, and usage data from Windows devices to help inform decisions and focus efforts to provide the most robust and valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data helps keep Windows devices healthy, improve the operating system, and personalize features and services.
+Microsoft uses diagnostics, performance, and usage data from Windows devices to help inform decisions and focus efforts to provide the most robust and valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data helps keep Windows devices healthy, improve the operating system, and personalize features and services.
 You can control the level of data that diagnostic data systems collect. To configure devices, specify one of these levels in the Allow Telemetry setting with your MDM system.
@@ -1030,7 +1030,7 @@ The remote assistance features in Windows 10 Mobile help resolve issues that use
 - **Remote ring** Support personnel can remotely make devices ring. This ability can help users locate misplaced devices and, in conjunction with the Remote Lock feature, help ensure that unauthorized users are unable to access the device if they find it.
 - **Remote find** Support personnel can remotely locate a device on a map, which helps identify the geographic location of the device. Remote find parameters can be configured via phone settings (see table below). The remote find feature returns the most current latitude, longitude, and altitude of the device.
-**Remote assistance policies**
+**Remote assistance policies**
 - **Desired location accuracy** The desired accuracy as a radius value in meters; has a value between 1 and 1,000 meters
 - **Maximum remote find** Maximum length of time in minutes that the server will accept a successful remote find; has a value between 0 and 1,000 minutes
 - **Remote find timeout** The number of seconds devices should wait for a remote find to finish; has a value between 0 and 1,800 seconds
@@ -1045,17 +1045,17 @@ These remote management features help organizations reduce the IT effort require
 Device retirement is the last phase of the device lifecycle, which in today’s business environment averages about 18 months. After that time period, employees want the productivity and performance improvements that come with the latest hardware. It’s important that devices being replaced with newer models are securely retired since you don’t want any company data to remain on discarded devices that could compromise the confidentiality of your data. This is typically not a problem with corporate devices, but it can be more challenging in a personal device scenario. You need to be able to selectively wipe all corporate data without impacting personal apps and data on the device. IT also needs a way to adequately support users who need to wipe devices that are lost or stolen.
-Windows 10 Mobile IT supports device retirement in both personal and corporate scenarios, allowing IT to be confident that corporate data remains confidential and user privacy is protected.
+Windows 10 Mobile IT supports device retirement in both personal and corporate scenarios, allowing IT to be confident that corporate data remains confidential and user privacy is protected.
 >**Note:** All these MDM capabilities are in addition to the device’s software and hardware factory reset features, which employees can use to restore devices to their factory configuration.
-**Personal devices:** Windows 10 mobile supports the USA regulatory requirements for a “kill switch” in case your phone is lost or stolen. Reset protection is a free service on account.microsoft.com that helps ensure that the phone cannot be easily reset and reused. All you need to do to turn on **Reset Protection** is sign in with your Microsoft account and accept the recommended settings. To manually turn it on, you can find it under Settings > Updates & security > Find my phone. At this point, Reset Protection is only available with an MSA, not with Azure AD account. It is also only available in the USA and not in other regions of the world.
+**Personal devices:** Windows 10 mobile supports the USA regulatory requirements for a “kill switch” in case your phone is lost or stolen. Reset protection is a free service on account.microsoft.com that helps ensure that the phone cannot be easily reset and reused. All you need to do to turn on **Reset Protection** is sign in with your Microsoft account and accept the recommended settings. To manually turn it on, you can find it under Settings > Updates & security > Find my phone. At this point, Reset Protection is only available with an MSA, not with Azure AD account. It is also only available in the USA and not in other regions of the world.
-If you choose to completely wipe a device when lost or when an employee leaves the company, make sure you obtain consent from the user and follow any local legislation that protects the user’s personal data.
+If you choose to completely wipe a device when lost or when an employee leaves the company, make sure you obtain consent from the user and follow any local legislation that protects the user’s personal data.
-A better option than wiping the entire device is to use Windows Information Protection to clean corporate-only data from a personal device. As explained in the Apps chapter, all corporate data will be tagged and when the device is unenrolled from your MDM system of your choice, all enterprise encrypted data, apps, settings and profiles will immediately be removed from the device without affecting the employee’s existing personal data. A user can initiate unenrollment via the settings screen or unenrollment action can be taken by IT from within the MDM management console. Unenrollment is a management event and will be reported to the MDM system.
+A better option than wiping the entire device is to use Windows Information Protection to clean corporate-only data from a personal device. As explained in the Apps chapter, all corporate data will be tagged and when the device is unenrolled from your MDM system of your choice, all enterprise encrypted data, apps, settings and profiles will immediately be removed from the device without affecting the employee’s existing personal data. A user can initiate unenrollment via the settings screen or unenrollment action can be taken by IT from within the MDM management console. Unenrollment is a management event and will be reported to the MDM system.
-**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process.
+**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process.
 **Settings for personal or corporate device retirement**
 - **Allow manual MDM unenrollment** Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system)
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 553e805d78..c212eae7d8 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -13,7 +13,7 @@ ms.date: 11/08/2017
 Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates:
-- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/)
+- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/)
 - [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/)
 - [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/)
@@ -58,6 +58,6 @@ These are the top Microsoft Support solutions for the most common issues experie
 ## Solutions related to wireless networking and 802.1X authentication
-- [Windows 10 devices can't connect to an 802.1X environment](http://support.microsoft.com/kb/3121002)
-- [Windows 10 wireless connection displays "Limited" status](http://support.microsoft.com/kb/3114149)
-- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](http://support.microsoft.com/kb/3084164)
+- [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002)
+- [Windows 10 wireless connection displays "Limited" status](https://support.microsoft.com/kb/3114149)
+- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](https://support.microsoft.com/kb/3084164)
diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md
index a52e6a2d6f..10f9efd44b 100644
--- a/windows/client-management/windows-libraries.md
+++ b/windows/client-management/windows-libraries.md
@@ -39,11 +39,11 @@ Administrators can configure and control Windows libraries in the following ways
 The following is important information about libraries you may need to understand to successfully manage your enterprise.
-### Library Contents
+### Library Contents
 Including a folder in a library does not physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files.
-### Default Libraries and Known Folders
+### Default Libraries and Known Folders
 The default libraries include:
 - Documents
@@ -51,18 +51,18 @@ The default libraries include:
 - Pictures
 - Videos
-Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with. These known folders are automatically included in the default libraries and set as the default save location. That is, when users drag, copy, or save a file to the Documents library, the file is moved, copied, or saved to the My Documents folder. Administrators and users can change the default save-to location.
+Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with. These known folders are automatically included in the default libraries and set as the default save location. That is, when users drag, copy, or save a file to the Documents library, the file is moved, copied, or saved to the My Documents folder. Administrators and users can change the default save-to location.
-### Hiding Default Libraries
+### Hiding Default Libraries
 Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_HideDefaultLibraries) for instructions.
-### Default Save Locations for Libraries
+### Default Save Locations for Libraries
 Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations cannot be saved to, then the save operation fails.
-### Indexing Requirements and “Basic” Libraries
+### Indexing Requirements and “Basic” Libraries
 Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing is not enabled for one or more locations within a library, the entire library reverts to basic functionality:
 - No support for metadata browsing via **Arrange By** views.
@@ -77,11 +77,11 @@ For instructions on enabling indexing, see [How to Enable Indexing of Library Lo
 If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx).
-### Folder Redirection
+### Folder Redirection
 While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](https://technet.microsoft.com/library/hh848267.aspx). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
-### Supported storage locations
+### Supported storage locations
 The following table show which locations are supported in Windows libraries.
@@ -95,11 +95,11 @@ The following table show which locations are supported in Windows libraries.
 \* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics:
 - Expected maximum load is four concurrent query requests.
-- Expected indexing corpus is a maximum of one million documents.
+- Expected indexing corpus is a maximum of one million documents.
 - Users directly access the server. That is, the server is not made available through DFS Namespaces.
 - Users are not redirected to another server in case of failure. That is, server clusters are not used.
-### Library Attributes
+### Library Attributes
 The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms):
 - Name
@@ -109,9 +109,9 @@ The following library attributes can be modified within Windows Explorer, the Li
 The library icon can be modified by the administrator or user by directly editing the Library Description schema file.
-See the [Library Description Schema](http://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files.
+See the [Library Description Schema](https://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files.
-## See also
+## See also
 ### Concepts
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 6480fcac26..af4f71427d 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -1,13 +1,21 @@
 # [Configure Windows 10](index.md)
 ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
-## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
-### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
-### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md)
-### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
-### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
+## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
+## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md)
+### [Prepare a device for kiosk configuration](kiosk-prepare.md)
+### [Set up digital signs on Windows 10](setup-digital-signage.md)
+### [Set up a single-app kiosk](kiosk-single-app.md)
+### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md)
+### [More kiosk methods and reference information](kiosk-additional-reference.md)
+#### [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md)
+#### [Validate your kiosk configuration](kiosk-validate.md)
+#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
+#### [Policies enforced on kiosk devices](kiosk-policies.md)
+#### [Assigned access XML reference](kiosk-xml.md)
+#### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md)
+#### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md)
+#### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md)
 #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md)
-#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md)
-### [Assigned Access configuration (kiosk) XML reference](kiosk-xml.md)
 ## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
 ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
 ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
@@ -19,18 +27,17 @@
 ### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
 ### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
 ## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
-## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
-### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
-### [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
-### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-#### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-#### [Customize and export Start layout](customize-and-export-start-layout.md)
-#### [Add image for secondary tiles](start-secondary-tiles.md)
-#### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-#### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-#### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-#### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+## [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
+## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md)
+## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+### [Customize and export Start layout](customize-and-export-start-layout.md)
+### [Add image for secondary tiles](start-secondary-tiles.md)
+### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
 ## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
 ### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
 #### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md)
@@ -62,10 +69,10 @@
 ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md)
 ### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md)
 ### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md)
+#### [Changes to settings in Windows Configuration Designer](wcd/wcd-changes.md)
 #### [AccountManagement](wcd/wcd-accountmanagement.md)
 #### [Accounts](wcd/wcd-accounts.md)
 #### [ADMXIngestion](wcd/wcd-admxingestion.md)
-#### [ApplicationManagement](wcd/wcd-applicationmanagement.md)
 #### [AssignedAccess](wcd/wcd-assignedaccess.md)
 #### [AutomaticTime](wcd/wcd-automatictime.md)
 #### [Browser](wcd/wcd-browser.md)
@@ -91,8 +98,10 @@
 #### [Folders](wcd/wcd-folders.md)
 #### [HotSpot](wcd/wcd-hotspot.md)
 #### [InitialSetup](wcd/wcd-initialsetup.md)
-#### [InternetExplorer](wcd/wcd-internetexplorer.md)
-#### [Licensing](wcd/wcd-licensing.md)
+#### [InternetExplorer](wcd/wcd-internetexplorer.md)
+#### [KioskBrowser](wcd/wcd-kioskbrowser.md)
+#### [Licensing](wcd/wcd-licensing.md)
+#### [Location](wcd/wcd-location.md)
 #### [Maps](wcd/wcd-maps.md)
 #### [Messaging](wcd/wcd-messaging.md)
 #### [ModemConfigurations](wcd/wcd-modemconfigurations.md)
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 8fac2d4142..3483fedd7a 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -10,14 +10,37 @@ ms.localizationpriority: medium
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 06/27/2018
+ms.date: 10/02/2018
 ---
 # Change history for Configure Windows 10
 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
+## RELEASE: Windows 10, version 1809
+The topics in this library have been updated for Windows 10, version 1809. The following new topic has been added:
+
+- [Changes to settings in Windows Configuration Designer](wcd/wcd-changes.md)
+
+## September 2018
+
+New or changed topic | Description
+--- | ---
+[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | New
+[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Add required order of elements in XML.
+
+## August 2018
+
+New or changed topic | Description
+--- | ---
+[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added instructions for specifying multiple URLs in configuration settings for Kiosk Browser.
+
+## July 2018
+
+New or changed topic | Description
+--- | ---
+[Configure kiosks and child topics](kiosk-methods.md) | Reorganized the information for configuring kiosks into new topics, and moved [Set up shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md).
 ## June 2018
@@ -70,7 +93,7 @@ New or changed topic | Description
 New or changed topic | Description
 --- | ---
 [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update.
-Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer.
+Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it **Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education** and reorganized the information to make the choices clearer.
 ## February 2018
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 010c42f839..e0aaf35780 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -19,12 +19,12 @@ ms.date: 10/05/2017
 Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company.
 >[!NOTE]
->For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](http://go.microsoft.com/fwlink/p/?LinkId=746819).
+>For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819).
 ![Cortana at work, showing the sales data pulled from Dynamics CRM](../images/cortana-crm-screen.png)
 ## Turn on Cortana with Dynamics CRM in your organization
-You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](http://go.microsoft.com/fwlink/p/?LinkId=746817)?
+You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](https://go.microsoft.com/fwlink/p/?LinkId=746817)?
 **To turn on Cortana with Dynamics CRM**
@@ -46,7 +46,7 @@ You must tell your employees to turn on Cortana, before they’ll be able to use
 2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
 ![Cotana at work, showing how to turn on the connected services for Dynamics CRM](../images/cortana-connect-crm.png)
-
+
 The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
 ## Turn off Cortana with Dynamics CRM
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
index a646a2dcb0..81736973f3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md
@@ -19,6 +19,6 @@ ms.date: 10/05/2017
 We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems.
 ![Cortana at work, showing how to provide feedback to Microsoft](../images/cortana-feedback.png)
-
-If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Program feedback app. For info about the feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
+
+If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Program feedback app. For info about the feedback app, see [How to use Windows Insider Preview – Updates and feedback](https://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc).
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
index 0e837d83f8..c4417fdad9 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md
@@ -25,7 +25,7 @@ But Cortana works even harder when she connects to Office 365, helping employees
 We’re continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, schedu
 ling, and other tasks that are important to help you be successful.
@@ -34,9 +34,9 @@ There are a few things to be aware of before you start using Cortana with Office - **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana’s notebook. They must also authorize Cortana to access Office 365 on their behalf. -- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](http://go.microsoft.com/fwlink/p/?LinkId=536419). +- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419). -- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](http://go.microsoft.com/fwlink/p/?LinkId=620763). +- **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](https://go.microsoft.com/fwlink/p/?LinkId=620763). ## Turn on Cortana with Office 365 on employees’ devices You must tell your employees to turn on Cortana before they’ll be able to use it with Office 365. 
@@ -48,14 +48,14 @@ You must tell your employees to turn on Cortana before they’ll be able to use 2. Click on **Connected Services**, click **Office 365**, and then click **Connect**. ![Cotana at work, showing how to turn on the connected services for Office 365](../images/cortana-connect-o365.png) - + The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen. ## Turn off Cortana with Office 365 Cortana can only access data in your Office 365 org when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off in the Office 365 admin center. **To turn off Cortana with Office 365** -1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account. +1. [Sign in to Office 365](https://www.office.com/signin) using your Azure AD account. 2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 3221620058..78e5022926 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md 
@@ -17,7 +17,7 @@ ms.date: 10/05/2017 - Windows 10 Mobile, version 1703 ## Who is Cortana? -Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. +Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. 
@@ -50,15 +50,15 @@ Cortana requires the following hardware and software to successfully run the inc Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx) ## Cortana and privacy -We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](http://windows.microsoft.com/windows-10/cortana-privacy-faq) topic. +We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](https://windows.microsoft.com/windows-10/cortana-privacy-faq) topic. Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement). 
## See also -- [What is Cortana?](http://go.microsoft.com/fwlink/p/?LinkId=746818) +- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818) -- [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384) +- [Cortana and Windows](https://go.microsoft.com/fwlink/?LinkId=717384) - [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10) -- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) +- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385)
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 6a00068066..950452b167 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -17,7 +17,7 @@ ms.date: 10/05/2017 - Windows 10 Mobile >[!NOTE] ->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). +>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=717381). |Group policy |MDM policy |Description | |-------------|-----------|------------|
@@ -41,4 +41,4 @@ ms.date: 10/05/2017 - +
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 14f64e2e91..d03fac5bee 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -30,30 +30,30 @@ To enable voice commands in Cortana Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. - - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana). + - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana). - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana). + - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). 2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. 
## Test scenario: Use voice commands in a Microsoft Store app While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. -**To get a Microsoft Store app** +**To get a Microsoft Store app** 1. Go to the Microsoft Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**. 2. Click **Uber**, and then click **Install**. 3. Open Uber, create an account or sign in, and then close the app. -**To set up the app with Cortana** +**To set up the app with Cortana** 1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon. 2. Click on **Connected Services**, click **Uber**, and then click **Connect**. ![Cortana at work, showing where to connect the Uber service to Cortana](../images/cortana-connect-uber.png) - -**To use the voice-enabled commands with Cortana** + +**To use the voice-enabled commands with Cortana** 1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). 2. Say _Uber get me a taxi_.
@@ -61,4 +61,4 @@ While these aren't line-of-business apps, we've worked to make sure to implement Cortana changes, letting you provide your trip details for Uber. ## See also -- [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385)
\ No newline at end of file
+- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385)
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 4c3a24a318..fbea8c5ef0 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -10,7 +10,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 09/18/2018 --- # Customize and export Start layout
@@ -132,6 +132,8 @@ When you have the Start layout that you want your users to see, use the [Export- +3. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file are critical.](start-layout-xml-desktop.md#required-order) + >[!IMPORTANT] >If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path.
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
new file mode 100644
index 0000000000..9234ee8d90
--- /dev/null
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -0,0 +1,95 @@ +--- +title: Find the Application User Model ID of an installed app +description: In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry. +MSHAttr: +- 'PreferredSiteName:MSDN' +- 'PreferredLib:/library/windows/hardware' +ms.assetid: BD8BD003-887D-4EFD-9C7A-A68AB895D8CD +author: alhopper-msft +ms.author: alhopper +ms.date: 05/02/2017 +ms.topic: article +ms.prod: windows-hardware +ms.technology: windows-oem +--- +# Find the Application User Model ID of an installed app + +In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry. + +## To identify the AUMID of an installed app by using Windows PowerShell + +At a Windows PowerShell command prompt, type the following commands to list the AUMIDs for all Microsoft Store apps installed for the current user on your device: + +```powershell +$installedapps = get-AppxPackage + +$aumidList = @() +foreach ($app in $installedapps) +{ + foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id) + { + $aumidList += $app.packagefamilyname + "!" + $id + } +} + +$aumidList +``` + +You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters. + +## To identify the AUMID of an installed app for the current user by using the registry + +Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device. 
+ +At a command prompt, type the following command: + +`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"` + +## Example + +The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user. + +```powershell +function listAumids( $userAccount ) { + + if ($userAccount -eq "allusers") + { + # Find installed packages for all accounts. Must be run as an administrator in order to use this option. + $installedapps = Get-AppxPackage -allusers + } + elseif ($userAccount) + { + # Find installed packages for the specified account. Must be run as an administrator in order to use this option. + $installedapps = get-AppxPackage -user $userAccount + } + else + { + # Find installed packages for the current account. + $installedapps = get-AppxPackage + } + + $aumidList = @() + foreach ($app in $installedapps) + { + foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id) + { + $aumidList += $app.packagefamilyname + "!" + $id + } + } + + return $aumidList +} +``` + +The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it. + +```powershell +# Get a list of AUMIDs for the current account: +listAumids + +# Get a list of AUMIDs for an account named “CustomerAccount”: +listAumids(“CustomerAccount”) + +# Get a list of AUMIDs for all accounts on the device: +listAumids(“allusers”) +``` diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 844295ad38..06a64d0755 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
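Review bot: The sentence following the first PowerShell block writes the parameters as `–user` and `–allusers` with an en dash instead of a hyphen, so a reader who copies them into a prompt passes a name the cmdlet does not recognise; the function in the Example section spells them `-user` and `-allusers` correctly. In the same sentence `<username>` is bare, which most Markdown renderers are likely to treat as a raw HTML tag and drop from the page. Wrapping both in code spans fixes both problems: "You can add the `-user <username>` or the `-allusers` parameter to the get-AppxPackage cmdlet to list AUMIDs for other users." The second mention in the following sentence ("to use the –user or –allusers parameters") needs the same change.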
@@ -1,6 +1,6 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 ms.mktglfcycl: manage
@@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/31/2018 +ms.date: 10/02/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode)
@@ -43,30 +43,46 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) + +In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. + +>[!NOTE] +>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). 1. 
[Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) -3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). +3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions. >[!NOTE] >If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). -#### Kiosk Browser settings +### Kiosk Browser settings Kiosk Browser settings | Use this setting to --- | --- -Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

            For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. -Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

            If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

            For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

            If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. +>[!IMPORTANT] +>To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: +> +> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. +>2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +>3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). +>4. Save the XML file. +>5. Open the project again in Windows Configuration Designer. +>6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. + + >[!TIP] >To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information: >- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton 
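Review bot: In the added IMPORTANT note, step 3 gives the example `www.bing.com``www.contoso.com`, so the separator the reader is supposed to insert shows up either as two literal backticks or as an empty code span, and neither tells them which character the policy expects. Spell the character out in the step rather than trying to show it, e.g. `3. Insert a null character (U+0000) between each URL, for example www.bing.com<NUL>www.contoso.com, using an editor that can enter it.` — presumably that is what the doubled backticks were meant to convey; confirm with the author. The step list also mixes `> 1.` and `>2.` spacing inside the quote block, which renders inconsistently.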
@@ -120,8 +136,6 @@ Entry | Result ### Other browsers ->[!NOTE] ->Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not currently supported for assigned access. You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app:
diff --git a/windows/configuration/images/kiosk-desktop.PNG b/windows/configuration/images/kiosk-desktop.PNG
new file mode 100644
index 0000000000..cf74c646c7
Binary files /dev/null and b/windows/configuration/images/kiosk-desktop.PNG differ
diff --git a/windows/configuration/images/kiosk-fullscreen-sm.png b/windows/configuration/images/kiosk-fullscreen-sm.png
new file mode 100644
index 0000000000..b096d6837d
Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen-sm.png differ
diff --git a/windows/configuration/images/kiosk-fullscreen.PNG b/windows/configuration/images/kiosk-fullscreen.PNG
new file mode 100644
index 0000000000..37ccd4f8a4
Binary files /dev/null and b/windows/configuration/images/kiosk-fullscreen.PNG differ
diff --git a/windows/configuration/images/kiosk-intune.PNG b/windows/configuration/images/kiosk-intune.PNG
new file mode 100644
index 0000000000..2cbe25c6a5
Binary files /dev/null and b/windows/configuration/images/kiosk-intune.PNG differ
diff --git a/windows/configuration/images/kiosk-settings.PNG b/windows/configuration/images/kiosk-settings.PNG
new file mode 100644
index 0000000000..51a4338371
Binary files /dev/null and b/windows/configuration/images/kiosk-settings.PNG differ
diff --git a/windows/configuration/images/kiosk-wizard.png b/windows/configuration/images/kiosk-wizard.png
new file mode 100644
index 0000000000..160e170e5c
Binary files /dev/null and b/windows/configuration/images/kiosk-wizard.png differ
diff --git a/windows/configuration/images/kiosk.png b/windows/configuration/images/kiosk.png
new file mode 100644
index 0000000000..868ea31bb1
Binary files /dev/null and b/windows/configuration/images/kiosk.png differ
diff --git a/windows/configuration/images/office-logo.png b/windows/configuration/images/office-logo.png
new file mode 100644
index 0000000000..cd6d504301
Binary files /dev/null and b/windows/configuration/images/office-logo.png differ
diff --git a/windows/configuration/images/set-assignedaccess.png b/windows/configuration/images/set-assignedaccess.png
new file mode 100644
index 0000000000..c2899361eb
Binary files /dev/null and b/windows/configuration/images/set-assignedaccess.png differ
diff --git a/windows/configuration/images/user.PNG b/windows/configuration/images/user.PNG
new file mode 100644
index 0000000000..d1386d4a0d
Binary files /dev/null and b/windows/configuration/images/user.PNG differ
diff --git a/windows/configuration/images/windows.png b/windows/configuration/images/windows.png
new file mode 100644
index 0000000000..e3889eff6a
Binary files /dev/null and b/windows/configuration/images/windows.png differ
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 5ed671a894..b64b47fabf 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -22,10 +22,13 @@ Enterprises often need to apply custom configurations to devices for their users | Topic | Description | | --- | --- | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. | -| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. | +| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | +| [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. | | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. | | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. | -| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. 
Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. | +| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

            **Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | +| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. | +| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | | [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. | | [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. | | [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) | Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. This topic helps IT administrators learn about built-in accessibility features. | diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md new file mode 100644 index 0000000000..9675c42d2c --- /dev/null 
+++ b/windows/configuration/kiosk-additional-reference.md 
@@ -0,0 +1,38 @@ +--- +title: More kiosk methods and reference information (Windows 10) +description: Find more information for configuring, validating, and troubleshooting kiosk configuration. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: medium +ms.date: 09/13/2018 +--- + +# More kiosk methods and reference information + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + + +## In this section + +Topic | Description +--- | --- +[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app. +[Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk. +[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. +[Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. +[Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. +[Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education, version 1703 and earlier, so that users can only run a few specific apps. +[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. 
+[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. +[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. + + + +
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
new file mode 100644
index 0000000000..d2c46dcb4c
--- /dev/null
+++ b/windows/configuration/kiosk-mdm-bridge.md
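Review bot: The front matter of this new file sets `ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC`, and the new kiosk-mdm-bridge.md in the next hunk carries exactly the same value; if the asset id is meant to identify one topic, one of the two files needs its own GUID (the diff does not show which one was copied). The file also ends with four added empty lines after the last table row, which is harmless but worth trimming to a single trailing newline.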
@@ -0,0 +1,86 @@ +--- +title: Use MDM Bridge WMI Provider to create a Windows 10 kiosk (Windows 10) +description: Environments that use Windows Management Instrumentation (WMI)can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: medium +ms.date: 07/30/2018 +--- + +# Use MDM Bridge WMI Provider to create a Windows 10 kiosk + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +Environments that use [Windows Management Instrumentation (WMI)](https://msdn.microsoft.com/library/aa394582.aspx) can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. + +Here’s an example to set AssignedAccess configuration: + +1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx). +2. Run `psexec.exe -i -s cmd.exe`. +3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. +4. 
Execute the following script: + +```ps +$nameSpaceName="root\cimv2\mdm\dmmap" +$className="MDM_AssignedAccess" +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className +$obj.Configuration = @" +<?xml version="1.0" encoding="utf-8" ?> +<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> + <Profiles> + <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> + <AllAppsList> + <AllowedApps> + <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + <App DesktopAppPath="%windir%\system32\mspaint.exe" /> + <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> + </AllowedApps> + </AllAppsList> + <StartLayout> + <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> + <LayoutOptions StartTileGroupCellWidth="6" /> + <DefaultLayoutOverride> + <StartLayoutCollection> + <defaultlayout:StartLayout GroupCellWidth="6"> + <start:Group Name="Group1"> + <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + 
</start:Group> + <start:Group Name="Group2"> + <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> + <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> + </start:Group> + </defaultlayout:StartLayout> + </StartLayoutCollection> + </DefaultLayoutOverride> + </LayoutModificationTemplate> + ]]> + </StartLayout> + <Taskbar ShowTaskbar="true"/> + </Profile> + </Profiles> + <Configs> + <Config> + <Account>MultiAppKioskUser</Account> + <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> + </Config> + </Configs> +</AssignedAccessConfiguration> +"@ + +Set-CimInstance -CimInstance $obj +``` diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md new file mode 100644 index 0000000000..a142517a28 --- /dev/null +++ b/windows/configuration/kiosk-methods.md @@ -0,0 +1,77 @@ +--- +title: Configure kiosks and digital signs on Windows desktop editions (Windows 10) +description: Learn about the methods for configuring kiosks. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: jdeckerms +ms.date: 07/30/2018 +--- + +# Configure kiosks and digital signs on Windows desktop editions + +Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. Windows 10 offers two different locked-down experiences for public or specialized use: + +| | | +--- | --- + | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

            When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

            A single-app kiosk is ideal for public use.

            (Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

            A multi-app kiosk is appropriate for devices that are shared by multiple people.

            When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) + +Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + +There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. + +| | | +--- | --- +![icon that represents apps](images/office-logo.png) | **Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) +![icon that represents a kiosk](images/kiosk.png) | **Which type of kiosk do you need?** If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). +![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
+![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + + + +## Methods for a single-app kiosk running a UWP app + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user +[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a single-app kiosk running a Windows desktop application + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD +[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a multi-app kiosk + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[XML in a provisioning 
package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD +[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD + +## Summary of kiosk configuration methods + +Method | App type | Account type | Single-app kiosk | Multi-app kiosk +--- | --- | --- | :---: | :---: +[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X | +[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X | +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X +Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X +[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X + + +>[!NOTE] +>For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. + diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md new file mode 100644 index 0000000000..18b9247b19 --- /dev/null +++ b/windows/configuration/kiosk-policies.md 
@@ -0,0 +1,82 @@
+---
+title: Policies enforced on kiosk devices (Windows 10)
+description: Learn about the policies enforced on a device when you configure it as a kiosk.
+ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
+keywords: ["lockdown", "app restrictions", "applocker"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: edu, security
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+ms.author: jdecker
+---
+
+# Policies enforced on kiosk devices
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+
+It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience.
+
+When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device.
+
+
+## Group Policy
+
+The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users.
+
+| Setting | Value |
+| --- | --- |
+Remove access to the context menus for the task bar | Enabled
+Clear history of recently opened documents on exit | Enabled
+Prevent users from customizing their Start Screen | Enabled
+Prevent users from uninstalling applications from Start | Enabled
+Remove All Programs list from the Start menu | Enabled
+Remove Run menu from Start Menu | Enabled
+Disable showing balloon notifications as toast | Enabled
+Do not allow pinning items in Jump Lists | Enabled
+Do not allow pinning programs to the Taskbar | Enabled
+Do not display or track items in Jump Lists from remote locations | Enabled
+Remove Notifications and Action Center | Enabled
+Lock all taskbar settings | Enabled
+Lock the Taskbar | Enabled
+Prevent users from adding or removing toolbars | Enabled
+Prevent users from resizing the taskbar | Enabled
+Remove frequent programs list from the Start Menu | Enabled
+Remove Pinned programs from the taskbar | Enabled
+Remove the Security and Maintenance icon | Enabled
+Turn off all balloon notifications | Enabled
+Turn off feature advertisement balloon notifications | Enabled
+Turn off toast notifications | Enabled
+Remove Task Manager | Enabled
+Remove Change Password option in Security Options UI | Enabled
+Remove Sign Out option in Security Options UI | Enabled
+Remove All Programs list from the Start Menu | Enabled – Remove and disable setting
+Prevent access to drives from My Computer | Enabled - Restrict all drivers
+
+>[!NOTE]
+>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+
+
+
+## MDM policy
+
+
+Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide).
+
+Setting | Value | System-wide
+ --- | --- | ---
+[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes
+[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes
+Start/HidePeopleBar | 1 - True (hide) | No
+[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes
+[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes
+[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No
+[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes
+
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
new file mode 100644
index 0000000000..346ce64c96
--- /dev/null
+++ b/windows/configuration/kiosk-prepare.md
@@ -0,0 +1,228 @@ +--- +title: Prepare a device for kiosk configuration (Windows 10) +description: Some tips for device settings on kiosks. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: medium +ms.date: 10/02/2018 +--- + +# Prepare a device for kiosk configuration + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +>[!WARNING] +>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. +> +>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. + + +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: + +Recommendation | How to +--- | --- +Hide update notifications
            (New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
            -or-
            Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
            -or-
            Add the following registry keys as DWORD (32-bit) type:
            `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. +Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

            `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled` +Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. +Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. +Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** +Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. +Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. +Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

            **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + +## Automatic logon + +In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. + +>[!TIP] +>If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. + + +**How to edit the registry to have an account sign in automatically** + +1. Open Registry Editor (regedit.exe). + + >[!NOTE]   + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). +   + +2. Go to + + **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** + +3. Set the values for the following keys. + + - *AutoAdminLogon*: set value as **1**. + + - *DefaultUserName*: set value as the account that you want signed in. + + - *DefaultPassword*: set value as the password for the account. + + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + + - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. + +4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. 
+ +>[!TIP] +>You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). + + +## Interactions and interoperability + +The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. + +> [!Note] +> Where applicable, the table notes which features are optional that you can configure for assigned access. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            FeatureDescription

            Accessibility

            Assigned access does not change Ease of Access settings.

            +

            We recommend that you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:

            + ++++ + + + + + + + + + + + + + + + + + + + + +
            Key combinationBlocked behavior

            Left Alt+Left Shift+Print Screen

            Open High Contrast dialog box.

            Left Alt+Left Shift+Num Lock

            Open Mouse Keys dialog box.

            Windows logo key+U

            Open Ease of Access Center.

            +

             

            Assigned access Windows PowerShell cmdlets

            In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](https://docs.microsoft.com/powershell/module/assignedaccess/?view=win10-ps).

            Key sequences blocked by assigned access

            When in assigned access, some key combinations are blocked for assigned access users.

            +

            Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.

            +

            Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-settings).

            + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            Key combinationBlocked behavior for assigned access users

            Alt+Esc

            Cycle through items in the reverse order from which they were opened.

            Ctrl+Alt+Esc

            Cycle through items in the reverse order from which they were opened.

            Ctrl+Esc

            Open the Start screen.

            Ctrl+F4

            Close the window.

            Ctrl+Shift+Esc

            Open Task Manager.

            Ctrl+Tab

            Switch windows within the application currently open.

            LaunchApp1

            Open the app that is assigned to this key.

            LaunchApp2

            Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.

            LaunchMail

            Open the default mail client.

            Windows logo key

            Open the Start screen.

            +

             

            +

            Keyboard Filter settings apply to other standard accounts.

            Key sequences blocked by [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter)

            If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) reference topic.

            +

            [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows 10 Enterprise or Windows 10 Education.

            +

            Power button

            Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.

            +

            For more information on removing the power button or disabling the physical power button, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).

            Unified Write Filter (UWF)

            UWFsettings apply to all users, including those with assigned access.

            +

            For more information, see [Unified Write Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter).

            WEDL_AssignedAccess class

            Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

            +

            If you need to use assigned access API, see [WEDL_AssignedAccess](whttps://docs.microsoft.com/windows-hardware/customize/enterprise/wedl-assignedaccess).

            Welcome Screen

            Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.

            +

            For more information, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).

            + + + + diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md deleted file mode 100644 index 4627f16d24..0000000000 --- a/windows/configuration/kiosk-shared-pc.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -title: Configure kiosk and shared devices running Windows desktop editions (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.date: 08/08/2017 ---- - -# Configure kiosk and shared devices running Windows desktop editions - -Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app). - -## In this section - -| Topic | Description | -| --- | --- | -| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | -| [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. | -| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. | -| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. 
For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. | \ No newline at end of file diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md new file mode 100644 index 0000000000..02c0137f83 --- /dev/null +++ b/windows/configuration/kiosk-shelllauncher.md 
@@ -0,0 +1,211 @@
+---
+title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 10/01/2018
+---
+
+# Use Shell Launcher to create a Windows 10 kiosk
+
+
+**Applies to**
+>App type: Windows desktop application
+>
+>OS edition: Windows 10 Ent, Edu
+>
+>Account type: Local standard user or administrator, Active Directory, Azure AD
+
+
+Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
+
+>[!NOTE]
+>Using the Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
+>
+>Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to:
+>- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools
+>- [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
+>- [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm) - Enterprise management of device security policies
+>
+>You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard).
+
+
+
+### Requirements
+
+>[!WARNING]
+>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image.
+>
+>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell.
+
+- A domain or local user account.
+
+- A Windows desktop application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
+
+[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603)
+
+
+### Configure Shell Launcher
+
+To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell.
+
+**To turn on Shell Launcher in Windows features**
+
+1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**.
+
+2. Expand **Device Lockdown**.
+
+2. Select **Shell Launcher** and **OK**.
+
+Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool.
+
+**To turn on Shell Launcher using DISM**
+
+1. Open a command prompt as an administrator.
+2. Enter the following command.
+
+ ```
+ Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher
+ ```
+
+**To set your custom shell**
+
+Modify the following PowerShell script as appropriate. 
The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device.
+
+```
+# Check if shell launcher license is enabled
+function Check-ShellLauncherLicenseEnabled
+{
+ [string]$source = @"
+using System;
+using System.Runtime.InteropServices;
+
+static class CheckShellLauncherLicense
+{
+ const int S_OK = 0;
+
+ public static bool IsShellLauncherLicenseEnabled()
+ {
+ int enabled = 0;
+
+ if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
+ enabled = 0;
+ }
+
+ return (enabled != 0);
+ }
+
+ static class NativeMethods
+ {
+ [DllImport("Slc.dll")]
+ internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
+ }
+
+}
+"@
+
+ $type = Add-Type -TypeDefinition $source -PassThru
+
+ return $type[0]::IsShellLauncherLicenseEnabled()
+}
+
+[bool]$result = $false
+
+$result = Check-ShellLauncherLicenseEnabled
+"`nShell Launcher license enabled is set to " + $result
+if (-not($result))
+{
+ "`nThis device doesn't have required license to use Shell Launcher"
+ exit
+}
+
+$COMPUTER = "localhost"
+$NAMESPACE = "root\standardcimv2\embedded"
+
+# Create a handle to the class instance so we can call the static methods.
+try {
+ $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
+ } catch [Exception] {
+ write-host $_.Exception.Message;
+ write-host "Make sure Shell Launcher feature is enabled"
+ exit
+ }
+
+
+# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
+
+$Admins_SID = "S-1-5-32-544"
+
+# Create a function to retrieve the SID for a user account on a machine. 
+
+function Get-UsernameSID($AccountName) {
+
+ $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
+ $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
+
+ return $NTUserSID.Value
+
+}
+
+# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
+
+$Cashier_SID = Get-UsernameSID("Cashier")
+
+# Define actions to take when the shell program exits.
+
+$restart_shell = 0
+$restart_device = 1
+$shutdown_device = 2
+
+# Examples. You can change these examples to use the program that you want to use as the shell.
+
+# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
+
+$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
+
+# Display the default shell to verify that it was added correctly.
+
+$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
+
+"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
+
+# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
+
+$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
+
+# Set Explorer as the shell for administrators.
+
+$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
+
+# View all the custom shells defined.
+
+"`nCurrent settings for custom shells:"
+Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
+
+# Enable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($TRUE)
+
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+
+# Remove the new custom shells. 
+
+$ShellLauncherClass.RemoveCustomShell($Admins_SID)
+
+$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
+
+# Disable Shell Launcher
+
+$ShellLauncherClass.SetEnabled($FALSE)
+
+$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
+
+"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
+```
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
new file mode 100644
index 0000000000..9f16d7bc3b
--- /dev/null
+++ b/windows/configuration/kiosk-single-app.md
@@ -0,0 +1,276 @@
+---
+title: Set up a single-app kiosk (Windows 10)
+description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 10/02/2018
+---
+
+# Set up a single-app kiosk
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+
+
+| | |
+--- | ---
+A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

            When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) + +You have several options for configuring your single-app kiosk. + +Method | Description +--- | --- +[Locally, in Settings](#local) | The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.

            This method is supported on Windows 10 Pro, Enterprise, and Education. +[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

            This method is supported on Windows 10 Pro, Enterprise, and Education. +[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

            This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. +[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

            This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. + + +>[!TIP] +>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + + + + +## Set up a kiosk in local Settings + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +You can use **Settings** to quickly configure one or a few devices as a kiosk. + +When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. + +- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. + +- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. + +![Screenshot of automatic sign-in setting](images/auto-signin.png) + +### Instructions for Windows 10, version 1809 + +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time. + +**To set up assigned access in PC settings** + +1. 
Go to **Start** > **Settings** > **Accounts** > **Other users**.
+
+2. Select **Set up a kiosk > Assigned access**, and then select **Get started**.
+
+3. Enter a name for the new account.
+
+ >[!NOTE]
+ >If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**.
+
+4. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options:
+
+ - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser)
+ - Which URL should be displayed when the kiosk accounts signs in
+ - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser)
+
+5. Select **Close**.
+
+To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**.
+
+
+### Instructions for Windows 10, version 1803 and earlier
+
+When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
+
+![The Set up assigned access page in Settings](images/kiosk-settings.png)
+
+**To set up assigned access in PC settings**
+
+1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
+
+2. Select **Set up assigned access**.
+
+3. Choose an account.
+
+4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. 
For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
+
+5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on.
+
+To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
+
+
+
+
+
+
+
+
+## Set up a kiosk using Windows PowerShell
+
+
+>App type: UWP
+>
+>OS edition: Windows 10 Pro, Ent, Edu
+>
+>Account type: Local standard user
+
+![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png)
+
+You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices.
+
+Before you run the cmdlet:
+
+1. Log in as administrator.
+2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
+3. Log in as the Assigned Access user account.
+4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
+5. Log out as the Assigned Access user account.
+6. Log in as administrator.
+
+To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
+
+**Configure assigned access by AppUserModelID and user name**
+
+```
+Set-AssignedAccess -AppUserModelId -UserName
+```
+**Configure assigned access by AppUserModelID and user SID**
+
+```
+Set-AssignedAccess -AppUserModelId -UserSID
+```
+**Configure assigned access by app name and user name**
+
+```
+Set-AssignedAccess -AppName -UserName
+```
+**Configure assigned access by app name and user SID**
+
+```
+Set-AssignedAccess -AppName -UserSID
+```
+
+> [!NOTE]
+> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once.
+
+[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). 
+ +[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). + +[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). + +To remove assigned access, using PowerShell, run the following cmdlet. + +``` +Clear-AssignedAccess +``` + + + +## Set up a kiosk using the kiosk wizard in Windows Configuration Designer + +>App type: UWP or Windows desktop application +> +>OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types +> +>Account type: Local standard user, Active Directory + +![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png) + + +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). + +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. + + +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. + + + + + + + + + + + + +
            ![step one](images/one.png)![set up device](images/set-up-device.png)

            Enable device setup if you want to configure settings on this page.

            **If enabled:**

            Enter a name for the device.

            (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

            Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

            You can also select to remove pre-installed software from the device.
            ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
            ![step two](images/two.png) ![set up network](images/set-up-network.png)

            Enable network setup if you want to configure settings on this page.

            **If enabled:**

            Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
            ![Enter network SSID and type](images/set-up-network-details.png)
            ![step three](images/three.png) ![account management](images/account-management.png)

            Enable account management if you want to configure settings on this page.

            **If enabled:**

            You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

            To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

            Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

            **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

            To create a local administrator account, select that option and enter a user name and password.

            **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
            ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
            ![step four](images/four.png) ![add applications](images/add-applications.png)

            You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

            **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
            ![add an application](images/add-applications-details.png)
            ![step five](images/five.png) ![add certificates](images/add-certificates.png)

            To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
            ![add a certificate](images/add-certificates-details.png)
            ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

            You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

            If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

            In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
            ![Configure kiosk account and app](images/kiosk-account-details.png)
            ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

            On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
            ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
            ![finish](images/finish.png)

            You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
            ![Protect your package](images/finish-details.png)
            + + +>[!NOTE] +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** + +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + + + + +[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) + + + + + +  + + + +## Set up a kiosk or digital sign using Microsoft Intune or other MDM service + +>App type: UWP +> +>OS edition: Windows 10 Pro (version 1709), Ent, Edu +> +>Account type: Local standard user, Azure AD + +![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png) + +Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. + +>[!TIP] +>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). + +The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. + +**To configure kiosk in Microsoft Intune** + +2. 
In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
+3. Select **Device configuration**.
+4. Select **Profiles**.
+5. Select **Create profile**.
+6. Enter a friendly name for the profile.
+7. Select **Windows 10 and later** for the platform.
+8. Select **Device restrictions** for the profile type.
+9. Select **Kiosk**.
+10. In **Kiosk Mode**, select **Single app kiosk**.
+1. Enter the user account (Azure AD or a local standard user account).
+11. Enter the Application User Model ID for an installed app.
+14. Select **OK**, and then select **Create**.
+18. Assign the profile to a device group to configure the devices in that group as kiosks.
+
+
+
+## Sign out of assigned access
+
+To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
+
+If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
+
+**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
+
+To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
+
+ 
+
+
+
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md
new file mode 100644
index 0000000000..9281f546da
--- /dev/null
+++ b/windows/configuration/kiosk-validate.md
@@ -0,0 +1,94 @@
+---
+title: Validate kiosk configuration (Windows 10)
+description: This topic explains what to expect on a multi-app kiosk.
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 07/30/2018
+---
+
+# Validate kiosk configuration
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device.
+
+Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
+
+To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
+
+>[!NOTE]
+>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
+
+The following sections explain what to expect on a multi-app kiosk.
+
+### App launching and switching experience
+
+In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
+
+The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. 
They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
+
+### Start changes
+
+When the assigned access user signs in, you should see a restricted Start experience:
+- Start gets launched in full screen and prevents the end user from accessing the desktop.
+- Start shows the layout aligned with what you defined in the multi-app configuration XML.
+- Start prevents the end user from changing the tile layout.
+ - The user cannot resize, reposition, and unpin the tiles.
+ - The user cannot pin additional tiles on the start.
+- Start hides **All Apps** list.
+- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
+- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).)
+- Start hides **Change account settings** option under **User** button.
+
+### Taskbar changes
+
+If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
+- Disables context menu of Start button (Quick Link)
+- Disables context menu of taskbar
+- Prevents the end user from changing the taskbar
+- Disables Cortana and Search Windows
+- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
+- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
+
+### Blocked hotkeys
+
+The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. 
+
+| Hotkey | Action |
+| --- | --- |
+| Windows logo key + A | Open Action center |
+| Windows logo key + Shift + C | Open Cortana in listening mode |
+| Windows logo key + D | Display and hide the desktop |
+| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
+| Windows logo key + E | Open File Explorer |
+| Windows logo key + F | Open Feedback Hub |
+| Windows logo key + G | Open Game bar when a game is open |
+| Windows logo key + I | Open Settings |
+| Windows logo key + J | Set focus to a Windows tip when one is available. |
+| Windows logo key + O | Lock device orientation |
+| Windows logo key + Q | Open search |
+| Windows logo key + R | Open the Run dialog box |
+| Windows logo key + S | Open search |
+| Windows logo key + X | Open the Quick Link menu |
+| Windows logo key + comma (,) | Temporarily peek at the desktop |
+| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
+
+
+
+### Locked-down Ctrl+Alt+Del screen
+
+The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
+
+### Auto-trigger touch keyboard
+
+In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior.
+
+
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index 74cdfe88e1..414773196e 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/30/2018
+ms.date: 10/02/2018
 ms.author: jdecker
 ms.topic: article
 ---
@@ -24,11 +24,14 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1803. +>Updated for Windows 10, version 1809. ```xml - + @@ -44,6 +47,9 @@ ms.topic: article + + + @@ -80,7 +86,7 @@ ms.topic: article - + @@ -117,7 +123,7 @@ ms.topic: article - + @@ -134,7 +140,6 @@ ms.topic: article - ``` ## Kiosk only sample XML @@ -142,6 +147,7 @@ ms.topic: article @@ -161,7 +167,7 @@ ms.topic: article ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1803. +>Updated for Windows 10, version 1809. ```xml @@ -170,136 +176,206 @@ ms.topic: article xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" + xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` - - - - - - - - - - - - +## XSD schema for new elements in Windows 10, version 1809 - - - - - - - - - - +```xml + + - - - - - - - - - - + + + + + - - - - + + + - - - + + + + + - - - + - - - - - + - - - - - + - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` \ No newline at end of file diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index de93d13008..876d2a663d 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md 
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 08/14/2017
+ms.date: 07/30/2018
 ms.author: jdecker
 ms.topic: article
 ---
@@ -37,7 +37,7 @@ This topic describes how to lock down apps on a local device. You can also use A
 ## Install apps
-First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account.
+First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account.
 ## Use AppLocker to set rules for apps
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 8e3162d8d0..46423972f4 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,5 +1,5 @@
 ---
-title: Create a Windows 10 kiosk that runs multiple apps (Windows 10)
+title: Set up a multi-app kiosk (Windows 10)
 description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
 ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
 keywords: ["lockdown", "app restrictions", "applocker"]
@@ -9,29 +9,33 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 06/21/2018 +ms.date: 10/02/2018 ms.author: jdecker ms.topic: article --- -# Create a Windows 10 kiosk that runs multiple apps +# Set up a multi-app kiosk **Applies to** - Windows 10 Pro, Enterprise, and Education -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: -- Configure [a single-app kiosk profile](#profile) in your XML file. -- Assign [group accounts to a config profile](#config-for-group-accounts). -- Configure [an account to sign in automatically](#config-for-autologon-account). +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. + +The following table lists changes to multi-app kiosk in recent updates. + +New features and improvements | In update +--- | --- +- Configure [a single-app kiosk profile](#profile) in your XML file

            - Assign [group accounts to a config profile](#config-for-group-accounts)

            - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 +- Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

            - [Automatically launch an app](#allowedapps) when the user signs in

            - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

            **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `http://schemas.microsoft.com/AssignedAccess/201810/config`. + -The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. >[!WARNING] ->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. +>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). @@ -65,7 +69,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi >Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription. - ## Configure a kiosk using a provisioning package Process: 
@@ -77,12 +80,12 @@ Watch how to use a provisioning package to configure a multi-app kiosk.
 >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
-If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge).
+If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
 ### Prerequisites
-- Windows Configuration Designer (Windows 10, version 1709)
-- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709
+- Windows Configuration Designer (Windows 10, version 1709 or later)
+- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
 >[!NOTE]
 >For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
@@ -101,11 +104,14 @@ Let's start by looking at the basic structure of the XML file.
 ![profile = app and config = account](images/profile-config.png)
-You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic.
+You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md)
 ```xml
-
+
@@ -137,6 +143,8 @@ A lockdown profile section in the XML has the following entries:
 - [**AllowedApps**](#allowedapps)
+- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions)
+
 - [**StartLayout**](#startlayout)
 - [**Taskbar**](#taskbar)
@@ -161,22 +169,22 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
 ##### AllowedApps
-**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps.
+**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
-Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration.
->[!NOTE]
->You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
 - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout).
 - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
+- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
-Here are the predefined assigned access AppLocker rules for **UWP apps**:
+When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
 1. Default rule is to allow all users to launch the signed package apps.
 2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list.
 >[!NOTE]
+ >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
+ >
 >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
 Here are the predefined assigned access AppLocker rules for **desktop apps**:
@@ -185,8 +193,9 @@ Here are the predefined assigned access AppLocker rules for **desktop apps**:
 2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration.
 3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list.
-The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device.
+The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
+
 ```xml
@@ -196,11 +205,41 @@ Here are the predefined assigned access AppLocker rules for **desktop apps**:
-
+
 ```
+##### FileExplorerNamespaceRestrictions
+
+Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported.
+
+The following example shows how to allow user access to the Downloads folder in the common file dialog box.
+
+```xml
+
+
+
+
+ ...
+
+
+
+
+
+
+ ...
+
+
+
+
+
+```
+
 ##### StartLayout
 After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
@@ -298,7 +337,8 @@ You can assign:
 When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.
-On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
+
+The following example shows how to specify an account to sign in automatically.
 ```xml
@@ -309,8 +349,22 @@ On domain-joined devices, local user accounts aren't shown on the sign-in screen
 ```
+In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
+
+```xml
+
+
+
+
+
+
+```
+
+On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
+
+
 >[!IMPORTANT]
->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
+>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
 ##### Config for individual accounts
@@ -479,10 +533,7 @@ Provisioning packages can be applied to a device during the first-run experience
-### Validate provisioning
-- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration.
-- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**.
@@ -496,147 +547,9 @@ If your device is enrolled with a MDM server which supports applying the assigne
 The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`.
-
-## Use MDM Bridge WMI Provider to configure assigned access
-
-Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess.
-
-Here’s an example to set AssignedAccess configuration:
-
-1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx).
-2. Run `psexec.exe -i -s cmd.exe`.
-3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
-4. Execute the following script:
-
-```ps
-$nameSpaceName="root\cimv2\mdm\dmmap"
-$className="MDM_AssignedAccess"
-$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
-$obj.Configuration = @"
-<?xml version="1.0" encoding="utf-8" ?>
-<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
- <Profiles>
- <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
- <AllAppsList>
- <AllowedApps>
- <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
- <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
- <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
- <App DesktopAppPath="%windir%\system32\mspaint.exe" />
- <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
- </AllowedApps>
- </AllAppsList>
- <StartLayout>
- <![CDATA[<LayoutModificationTemplate
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
- <LayoutOptions StartTileGroupCellWidth="6" />
- <DefaultLayoutOverride>
- <StartLayoutCollection>
- <defaultlayout:StartLayout GroupCellWidth="6">
- <start:Group Name="Group1">
- <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
- <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
- <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
- <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
- </start:Group>
- <start:Group Name="Group2">
- <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
- <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
- </start:Group>
- </defaultlayout:StartLayout>
- </StartLayoutCollection>
- </DefaultLayoutOverride>
- </LayoutModificationTemplate>
- ]]>
- </StartLayout>
- <Taskbar ShowTaskbar="true"/>
- </Profile>
- </Profiles>
- <Configs>
- <Config>
- <Account>MultiAppKioskUser</Account>
- <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
- </Config>
- </Configs>
-</AssignedAccessConfiguration>
-"@
-
-Set-CimInstance -CimInstance $obj
-```
-
-
-## Validate multi-app kiosk configuration
-
-Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience.
-
->[!NOTE]
->The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience.
-
-The following sections explain what to expect on a multi-app kiosk.
-
-### App launching and switching experience
-
-In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window.
-
-The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar.
-
-### Start changes
-
-When the assigned access user signs in, you should see a restricted Start experience:
-- Start gets launched in full screen and prevents the end user from accessing the desktop.
-- Start shows the layout aligned with what you defined in the multi-app configuration XML.
-- Start prevents the end user from changing the tile layout.
- - The user cannot resize, reposition, and unpin the tiles.
- - The user cannot pin additional tiles on the start.
-- Start hides **All Apps** list.
-- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders).
-- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).)
-- Start hides **Change account settings** option under **User** button.
-
-### Taskbar changes
-
-If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience:
-- Disables context menu of Start button (Quick Link)
-- Disables context menu of taskbar
-- Prevents the end user from changing the taskbar
-- Disables Cortana and Search Windows
-- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace
-- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings
-
-### Blocked hotkeys
-
-The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience.
-
-| Hotkey | Action |
-| --- | --- |
-| Windows logo key + A | Open Action center |
-| Windows logo key + Shift + C | Open Cortana in listening mode |
-| Windows logo key + D | Display and hide the desktop |
-| Windows logo key + Alt + D | Display and hide the date and time on the desktop |
-| Windows logo key + E | Open File Explorer |
-| Windows logo key + F | Open Feedback Hub |
-| Windows logo key + G | Open Game bar when a game is open |
-| Windows logo key + I | Open Settings |
-| Windows logo key + J | Set focus to a Windows tip when one is available. |
-| Windows logo key + O | Lock device orientation |
-| Windows logo key + Q | Open search |
-| Windows logo key + R | Open the Run dialog box |
-| Windows logo key + S | Open search |
-| Windows logo key + X | Open the Quick Link menu |
-| Windows logo key + comma (,) | Temporarily peek at the desktop |
-| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) |
-### Locked-down Ctrl+Alt+Del screen
-
-The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience.
-
-### Auto-trigger touch keyboard
-
-In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior.
@@ -756,3 +669,6 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont
 - Under **CommandLine**, enter `cmd /c *FileName*.bat`.
+## Other methods
+
+Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md).
\ No newline at end of file
diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md
index d77388e0cb..1628b1c866 100644
--- a/windows/configuration/lockdown-features-windows-10.md
+++ b/windows/configuration/lockdown-features-windows-10.md
@@ -52,10 +52,10 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

            Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

            -

            [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

            +

            [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Windows desktop application on sign-on

            [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)

            Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

            -

            Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

            +

            Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Windows desktop application.

            [Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

            diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 4f327eb125..0c704c06f5 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -1,5 +1,5 @@ --- -title: Manage Windows 10 and Microsoft Store tips, tricks, and suggestions (Windows 10) +title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. keywords: ["device management"] ms.prod: w10 @@ -13,7 +13,7 @@ ms.localizationpriority: medium ms.date: 09/20/2017 --- -# Manage Windows 10 and Microsoft Store tips, tricks, and suggestions +# Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions **Applies to** 
@@ -21,7 +21,7 @@ ms.date: 09/20/2017
 - Windows 10
-Since its inception, Windows 10 has included a number of user experience features that provide useful tips, tricks, and suggestions as you use Windows, as well as app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include:
+Since its inception, Windows 10 has included a number of user experience features that provide useful tips, "fun facts", and suggestions as you use Windows, as well as app suggestions from the Microsoft Store. These features are designed to help people get the most out of their Windows 10 experience by, for example, sharing new features, providing more details on the features they use, or sharing content available in the Microsoft Store. Examples of such user experiences include:
 * **Windows Spotlight on the lock screen**. Daily updated images on the lock screen that can include additional facts and tips in “hotspots” that are revealed on hover.
@@ -34,11 +34,11 @@ Since its inception, Windows 10 has included a number of user experience feature
 * **Microsoft account notifications**. For users who have a connected Microsoft account, toast notifications about their account like parental control notifications or subscription expiration.
 >[!TIP]
-> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, tricks, and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, tricks, or suggestions as they use Windows.
+> On all Windows desktop editions, users can directly enable and disable Windows 10 tips, "fun facts", and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows.
 Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions.
-## Options available to manage Windows 10 tips and tricks and Microsoft Store suggestions
+## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions
 | Windows 10 edition | Disable |Show Microsoft apps only | Show Microsoft and popular third-party apps |
 | --- | --- | --- | --- |
diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md
index 0ee82de1b3..6857cf8aac 100644
--- a/windows/configuration/multi-app-kiosk-troubleshoot.md
+++ b/windows/configuration/multi-app-kiosk-troubleshoot.md
@@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 09/27/2017 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- @@ -31,7 +31,7 @@ For example: **Troubleshooting steps** -1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning). +1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 17162822c3..9979020ba7 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -82,7 +82,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L ![step one](../images/one.png)![set up device](../images/set-up-device.png)

            Enter a name for the device.

            (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

            Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)

            You can also select to remove pre-installed software from the device. ![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png) ![step two](../images/two.png) ![set up network](../images/set-up-network.png)

            Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.![Enter network SSID and type](../images/set-up-network-details-desktop.png) ![step three](../images/three.png) ![account management](../images/account-management.png)

            Enable account management if you want to configure settings on this page.

            You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

            To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

            Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

            To create a local administrator account, select that option and enter a user name and password.

            **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png) -![step four](../images/four.png) ![add applications](../images/add-applications.png)

            You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) +![step four](../images/four.png) ![add applications](../images/add-applications.png)

            You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) ![step five](../images/five.png) ![add certificates](../images/add-certificates.png)

            To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](../images/add-certificates-details.png) ![finish](../images/finish.png)

            You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](../images/finish-details.png) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index bacec7e70a..9f7712c5d3 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -20,7 +20,7 @@ ms.date: 09/06/2017 - Windows 10 -In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. +In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). @@ -35,7 +35,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app -## Settings for Classic Windows apps +## Settings for Windows desktop applications ### MSI installer 
@@ -61,7 +61,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate -## Add a Classic Windows app using advanced editor in Windows Configuration Designer +## Add a Windows desktop application using advanced editor in Windows Configuration Designer 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index b05f6637ed..c0cbd3ed3f 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -43,7 +43,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) + - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 4bbbf8ad10..2a331f5839 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md 
@@ -86,7 +86,7 @@ The following table describes settings that you can configure using the wizards - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) -- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) +- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#wizard) diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 1acc77b4c2..a4e515d653 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -9,7 +9,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 10/02/2018 --- # Set up a shared or guest PC with Windows 10 @@ -76,6 +76,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Customization: SetPowerPolicies | When set as **True**:
            - Prevents users from changing power settings
            - Turns off hibernate
            - Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | +[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. ##Configuring shared PC mode on Windows @@ -108,7 +109,7 @@ $sharedPC.KioskModeAUMID = "" $sharedPC.KioskModeUserTileDisplayText = "" $sharedPC.InactiveThreshold = 0 Set-CimInstance -CimInstance $sharedPC -Get-CimInstance -Namespace $namespaceName -ClassName $MDM_SharedPCClass +Get-CimInstance -Namespace $namespaceName -ClassName MDM_SharedPC ``` ### Create a provisioning package for shared use diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md new file mode 100644 index 0000000000..0b0e15e263 --- /dev/null +++ b/windows/configuration/setup-digital-signage.md 
@@ -0,0 +1,91 @@
+---
+title: Set up digital signs on Windows 10 (Windows 10)
+description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education).
+ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
+keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerms
+ms.localizationpriority: medium
+ms.date: 10/02/2018
+---
+
+# Set up digital signs on Windows 10
+
+
+**Applies to**
+
+- Windows 10 Pro, Enterprise, and Education
+
+Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
+
+For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
+
+>[!TIP]
+>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+
+Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
+
+>[!NOTE]
+>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business).
+
+
+This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience).
+
+1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
+2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
+2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
+3. Open Windows Configuration Designer and select **Provision kiosk devices**.
+4. Enter a friendly name for the project, and select **Finish**.
+5. On **Set up device**, select **Disabled**, and select **Next**.
+6. On **Set up network**, enable network setup.
+ - Toggle **On** wireless network connectivity.
+ - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
+7. On **Account management**, select **Disabled**, and select **Next**.
+8. On **Add applications**, select **Add an application**.
+ - For **Application name**, enter `Kiosk Browser`.
+ - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
+ - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
+ - The **Package family name** is populated automatically.
+ - Select **Next**.
+9. On **Add certificates**, select **Next**.
+10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage.
+ - Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
+ - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
+ - For **App type**, select **Universal Windows App**.
+ - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`.
+11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
+12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu.
+ - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
+ - In **BlockedUrl**, enter `*`.
+ - In **DefaultUrl**, enter `https://www.contoso.com/menu`.
+ - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**.
+
+ >[!TIP]
+ >For more information on kiosk browser settings, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
+
+13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box.
+14. On the **Export** menu, select **Provisioning package**.
+15. Change the **Owner** to **IT Admin**, and select **Next**.
+16. On **Select security details for the provisioning package**, select **Next**.
+17. On **Select where to save the provisioning package**, select **Next**.
+18. On **Build the provisioning package**, select **Build**.
+19. On the **All done!** screen, click the **Output location**.
+20. Copy the .ppkg file to a USB drive.
+21. Attach the USB drive to the device that you want to use for your digital sign.
+22. 
Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md
deleted file mode 100644
index f2f227fd8c..0000000000
--- a/windows/configuration/setup-kiosk-digital-signage.md
+++ /dev/null
@@ -1,487 +0,0 @@ ---- -title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.localizationpriority: medium -ms.date: 06/05/2018 ---- - -# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education - - -**Applies to** - -- Windows 10 Pro, Enterprise, and Education - - - -Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md).) - - - -## Choose a method for configuring your kiosks and digitals signs - -**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart. - ->[!TIP] ->For **digital signage**, simply select a digital sign player as your kiosk app. You can also use the **Kiosk Browser** app ([new in Windows 10, version 1803)](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers) and configure it to show your online content. 
- -**Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. - ->[!WARNING] ->For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. -> ->Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - -**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
- -### Methods for kiosks and digital signs running a UWP app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user -[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user -[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory -[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD - -### Methods for kiosks and digital signs running a Classic Windows app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory -[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD - - - - - -### Other settings to lock down - -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: - -Recommendation | How to ---- | --- -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

            `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

            [Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

            You must restart the device after changing the registry. -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the logon screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

            **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. - - -**How to edit the registry to have an account automatically logged on** - -1. Open Registry Editor (regedit.exe). - - >[!NOTE]   - >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   - -2. Go to - - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** - -3. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - - *DefaultUserName*: set value as the account that you want logged in. - - - *DefaultPassword*: set value as the password for the account. - - > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. - -4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. - ->[!TIP] ->You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). - - - -## Set up a kiosk or digital sign in local Settings - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use **Settings** to quickly configure one or a few devices as a kiosk. 
(Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) - -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. - -If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. - -If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - -![Screenshot of automatic sign-in setting](images/auto-signin.png) - -**To set up assigned access in PC settings** - -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. - -2. Choose **Set up assigned access**. - -3. Choose an account. - -4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). - -5. 
Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. - -To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - -## Set up a kiosk or digital sign using Windows PowerShell - - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` - -``` -Set-AssignedAccess -AppName -UserName -``` - -``` -Set-AssignedAccess -AppName -UserSID -``` - -> [!NOTE] -> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. - -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). - -[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). - -To remove assigned access, using PowerShell, run the following cmdlet. - -``` -Clear-AssignedAccess -``` - - - -## Set up a kiosk or digital sign using a provisioning package - ->App type: UWP or Classic Windows -> ->OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types -> ->Account type: Local standard user, Active Directory - ->[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). 
- - -When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - - - - -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. - - - - - - - - - - - - -
            ![step one](images/one.png)![set up device](images/set-up-device.png)

            Enable device setup if you want to configure settings on this page.

            **If enabled:**

            Enter a name for the device.

            (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

            Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

            You can also select to remove pre-installed software from the device.
            ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
            ![step two](images/two.png) ![set up network](images/set-up-network.png)

            Enable network setup if you want to configure settings on this page.

            **If enabled:**

            Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
            ![Enter network SSID and type](images/set-up-network-details.png)
            ![step three](images/three.png) ![account management](images/account-management.png)

            Enable account management if you want to configure settings on this page.

            **If enabled:**

            You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

            To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

            Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

            **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

            To create a local administrator account, select that option and enter a user name and password.

            **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
            ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
            ![step four](images/four.png) ![add applications](images/add-applications.png)

            You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

            **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
            ![add an application](images/add-applications-details.png)
            ![step five](images/five.png) ![add certificates](images/add-certificates.png)

            To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
            ![add a certificate](images/add-certificates-details.png)
            ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

            You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

            If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

            In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
            ![Configure kiosk account and app](images/kiosk-account-details.png)
            ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

            On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
            ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
            ![finish](images/finish.png)

            You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
            ![Protect your package](images/finish-details.png)
            - - ->[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - ->[!TIP] ->You can also use [an XML file to configure both multi-app and single-app kiosks.](lock-down-windows-10-to-specific-apps.md) - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - - -[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - -  - - - -## Set up a kiosk or digital sign in Intune or other MDM service - ->App type: UWP -> ->OS edition: Windows 10 Pro (version 1709), Ent, Edu -> ->Account type: Local standard user, Azure AD - -Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. - -The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. - -**To configure kiosk in Microsoft Intune** - -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. 
Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Kiosk (Preview)** for the profile type. -9. Enter a friendly name for the kiosk configuration. -10. Select **Kiosk - 1 setting available**. -10. Select **Add** to add a kiosk configuration. -10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**. -10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate. -1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account. -14. Select **OK**, and then select **Create**. -18. Assign the profile to a device group to configure the devices in that group as kiosks. - - - -## Set up a kiosk or digital sign using Shell Launcher - ->App type: Classic Windows -> ->OS edition: Windows 10 Ent, Edu -> ->Account type: Local standard user or administrator, Active Directory, Azure AD - -Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. - ->[!NOTE] ->In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp). -> ->You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). - ->[!WARNING] ->- Windows 10 doesn’t support setting a custom shell prior to OOBE. 
If you do, you won’t be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - -### Requirements - -- A domain or local user account. - -- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) - - -### Configure Shell Launcher - -To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. - -2. Expand **Device Lockdown**. - -2. Select **Shell Launcher** and **OK**. - -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -2. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -**To set your custom shell** - -Modify the following PowerShell script as appropriate. 
The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -``` -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - - return (enabled != 0); - } - - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } - -} -"@ - - $type = Add-Type -TypeDefinition $source -PassThru - - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - write-host "Make sure Shell Launcher feature is enabled" - exit - } - - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. 
- -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. - -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. - -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. 
- -$ShellLauncherClass.RemoveCustomShell($Admins_SID) - -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` - -## Sign out of assigned access - -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. - -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: - -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - -  -## Related topics - -- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - - - diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index b75768d432..e95d1cc298 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 01/02/2018 +ms.date: 10/02/2018 ms.localizationpriority: medium --- 
@@ -39,6 +39,24 @@ On Windows 10 for desktop editions, the customized Start works by: IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. +### Required order + +The XML schema for `LayoutModification.xml` requires the following order for tags directly under the LayoutModificationTemplate node: + +1. LayoutOptions +1. DefaultLayoutOverride +1. RequiredStartGroupsCollection +1. AppendDownloadOfficeTile –OR– AppendOfficeSuite (only one Office option can be used at a time) +1. AppendOfficeSuiteChoice +1. TopMFUApps +1. CustomTaskbarLayoutCollection +1. InkWorkspaceTopApps + +Comments are not supported in the `LayoutModification.xml` file. + + +### Supported elements and attributes + >[!NOTE] >To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file: >- Do not leave spaces or white lines in between each element. @@ -55,6 +73,7 @@ The following table lists the supported elements and attributes for the LayoutMo | [RequiredStartGroups](#requiredstartgroups)

            Parent:
            RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | | [AppendGroup](#appendgroup)

            Parent:
            RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | | [start:Tile](#specify-start-tiles)

            Parent:
            AppendGroup | AppUserModelID
            Size
            Row
            Column | Use to specify any of the following:
            - A Universal Windows app
            - A Windows 8 or Windows 8.1 app

            Note that AppUserModelID is case-sensitive. | +start:Folder

            Parent:
            start:Group | Name (in Windows 10, version 1809 and later only)
            Size
            Row
            Column
            LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). | start:DesktopApplicationTile

            Parent:
            AppendGroup | DesktopApplicationID
            DesktopApplicationLinkPath
            Size
            Row
            Column | Use to specify any of the following:
            - A Windows desktop application with a known AppUserModelID
            - An application in a known folder with a link in a legacy Start Menu folder
            - A Windows desktop application link in a legacy Start Menu folder
            - A Web link tile with an associated .url file that is in a legacy Start Menu folder | | start:SecondaryTile

            Parent:
            AppendGroup | AppUserModelID
            TileID
            Arguments
            DisplayName
            Square150x150LogoUri
            ShowNameOnSquare150x150Logo
            ShowNameOnWide310x150Logo
            Wide310x150LogoUri
            BackgroundColor
            ForegroundText
            IsSuggestedApp
            Size
            Row
            Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. | | TopMFUApps

            Parent:
            LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.

            **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | diff --git a/windows/configuration/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md deleted file mode 100644 index 083777bcdd..0000000000 --- a/windows/configuration/start-taskbar-lockscreen.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: Configure Start layout, taskbar, and lock screen for Windows 10 PCs (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.date: 07/27/2017 ---- - -# Configure Start layout, taskbar, and lock screen for Windows 10 PCs - - - -## In this section - -| Topic | Description | -| --- | --- | -| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

            **Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | -| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. | -| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | - - -## Related topics - -- [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) \ No newline at end of file diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 7ee8769a77..a4e36a5bce 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md 
@@ -74,34 +74,34 @@ UE-V uses the http://schemas.microsoft.com/UserExperienceVirtualization/2012/Set These are the data types for the UE-V application template schema. -**GUID** +**GUID** GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. -**FilenameString** +**FilenameString** FilenameString refers to the file name of a process to be monitored. Its values are restricted by the regex \[^\\\\\\?\\\*\\|<>/:\]+, (that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon characters). -**IDString** +**IDString** IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It is restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). -**TemplateVersion** +**TemplateVersion** TemplateVersion is an integer value used to describe the revision of the settings location template. Its value may range from 0 to 2147483647. -**Empty** +**Empty** Empty refers to a null value. This is used in Process\\ShellProcess to indicate that there is no process to monitor. This value should not be used in any application templates. -**Author** +**Author** The Author data type is a complex type that identifies the author of a template. It contains two child elements: **Name** and **Email**. Within the Author data type, the Name element is mandatory while the Email element is optional. This type is described in more detail under the SettingsLocationTemplate element. -**Range** +**Range** Range defines an integer class consisting of two child elements: **Minimum** and **Maximum**. 
This data type is implemented in the ProcessVersion data type. If specified, both Minimum and Maximum values must be included. -**ProcessVersion** +**ProcessVersion** ProcessVersion defines a type with four child elements: **Major**, **Minor**, **Build**, and **Patch**. This data type is used by the Process element to populate its ProductVersion and FileVersion values. The data for this type is a Range value. The Major child element is mandatory and the others are optional. -**Architecture** +**Architecture** Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture. -**Process** +**Process** The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element’s respective data type: 
@@ -151,26 +151,26 @@ The Process data type is a container used to describe processes to be monitored   -**Processes** +**Processes** The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. -**Path** +**Path** Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default=”False”. Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. The DeleteIfNotFound attribute removes the setting from the user’s settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. -**FileMask** +**FileMask** FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files. -**RegistrySetting** +**RegistrySetting** RegistrySetting represents a container for registry keys and values and the associated desired behavior on the part of the UE-V service. 
Four child elements are defined within this type: **Path**, **Name**, **Exclude**, and a sequence of the values **Path** and **Name**. -**FileSetting** +**FileSetting** FileSetting contains parameters associated with files and files paths. Four child elements are defined: **Root**, **Path**, **FileMask**, and **Exclude**. Root is mandatory and the others are optional. -**Settings** +**Settings** Settings is a container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings described earlier. In addition, it can also contain the following child elements with behaviors described:
            @@ -266,7 +266,7 @@ This value is queried to determine if a new version of a template should be appl **Type: String** -Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). +Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V). ### Processes and Process Element @@ -373,7 +373,7 @@ For example, in a suited application, it might be useful to provide reminders ab ``` syntax - + MyApplication.exe My Application Main Engine @@ -671,7 +671,7 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen - + @@ -708,7 +708,7 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen - + diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index c9e9108115..ab756d30d5 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md 
+++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -20,9 +20,9 @@ This topic includes information required to successfully install and use UE-V th In previous versions of UE-V, users could select which of their customized application settings to synchronize with the Company Settings Center, a user interface that was available on user devices. Additionally, administrators could configure the Company Settings Center to include a link to support resources so that users could easily get support on virtualized settings-related issues. -With the release of Windows 10, version 1607, the Company Settings Center was removed and users can no longer manage their synchronized settings. +With the release of Windows 10, version 1607, the Company Settings Center was removed and users can no longer manage their synchronized settings. -Administrators can still define which user-customized application settings can synchronize (roam) with Group Policy or Windows PowerShell. +Administrators can still define which user-customized application settings can synchronize (roam) with Group Policy or Windows PowerShell. **Note** With the removal of the Company Settings Center, the following group policies are no longer applicable: 
@@ -95,24 +95,24 @@ Operating system settings for Narrator and currency characters specific to the l WORKAROUND: None -## Hotfixes and Knowledge Base articles for UE-V +## Hotfixes and Knowledge Base articles for UE-V This section contains hotfixes and KB articles for UE-V. | KB Article | Title | Link | |------------|---------|--------| -| 3018608 | UE-V - TemplateConsole.exe crashes when UE-V WMI classes are missing | [support.microsoft.com/kb/3018608](http://support.microsoft.com/kb/3018608) | -| 2903501 | UE-V: User Experience Virtualization (UE-V) compatibility with user profiles | [support.microsoft.com/kb/2903501](http://support.microsoft.com/kb/2903501) | -| 2770042 | UE-V Registry Settings | [support.microsoft.com/kb/2770042](http://support.microsoft.com/kb/2770042) | -| 2847017 | Internet Explorer settings replicated by UE-V | [support.microsoft.com/kb/2847017](http://support.microsoft.com/kb/2847017) | -| 2769631 | How to repair a corrupted UE-V install | [support.microsoft.com/kb/2769631](http://support.microsoft.com/kb/2769631) | -| 2850989 | Migrating MAPI profiles with Microsoft UE-V is not supported | [support.microsoft.com/kb/2850989](http://support.microsoft.com/kb/2850989) | -| 2769586 | UE-V roams empty folders and registry keys | [support.microsoft.com/kb/2769586](http://support.microsoft.com/kb/2769586) | -| 2782997 | How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V) | [support.microsoft.com/kb/2782997](http://support.microsoft.com/kb/2782997) | -| 2769570 | UE-V does not update the theme on RDS or VDI sessions | [support.microsoft.com/kb/2769570](http://support.microsoft.com/kb/2769570) | -| 2850582 | How To Use Microsoft User Experience Virtualization With App-V Applications | [support.microsoft.com/kb/2850582](http://support.microsoft.com/kb/2850582) | -| 3041879 | Current file versions for Microsoft User Experience Virtualization | [support.microsoft.com/kb/3041879](http://support.microsoft.com/kb/3041879) | -| 
2843592 | Information on User Experience Virtualization and High Availability | [support.microsoft.com/kb/2843592](http://support.microsoft.com/kb/2843592) | +| 3018608 | UE-V - TemplateConsole.exe crashes when UE-V WMI classes are missing | [support.microsoft.com/kb/3018608](https://support.microsoft.com/kb/3018608) | +| 2903501 | UE-V: User Experience Virtualization (UE-V) compatibility with user profiles | [support.microsoft.com/kb/2903501](https://support.microsoft.com/kb/2903501) | +| 2770042 | UE-V Registry Settings | [support.microsoft.com/kb/2770042](https://support.microsoft.com/kb/2770042) | +| 2847017 | Internet Explorer settings replicated by UE-V | [support.microsoft.com/kb/2847017](https://support.microsoft.com/kb/2847017) | +| 2769631 | How to repair a corrupted UE-V install | [support.microsoft.com/kb/2769631](https://support.microsoft.com/kb/2769631) | +| 2850989 | Migrating MAPI profiles with Microsoft UE-V is not supported | [support.microsoft.com/kb/2850989](https://support.microsoft.com/kb/2850989) | +| 2769586 | UE-V roams empty folders and registry keys | [support.microsoft.com/kb/2769586](https://support.microsoft.com/kb/2769586) | +| 2782997 | How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V) | [support.microsoft.com/kb/2782997](https://support.microsoft.com/kb/2782997) | +| 2769570 | UE-V does not update the theme on RDS or VDI sessions | [support.microsoft.com/kb/2769570](https://support.microsoft.com/kb/2769570) | +| 2850582 | How To Use Microsoft User Experience Virtualization With App-V Applications | [support.microsoft.com/kb/2850582](https://support.microsoft.com/kb/2850582) | +| 3041879 | Current file versions for Microsoft User Experience Virtualization | [support.microsoft.com/kb/3041879](https://support.microsoft.com/kb/3041879) | +| 2843592 | Information on User Experience Virtualization and High Availability | [support.microsoft.com/kb/2843592](https://support.microsoft.com/kb/2843592) | ## Have a 
suggestion for UE-V? diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md index c84d8f3603..fcc4cb1fa3 100644 --- a/windows/configuration/ue-v/uev-troubleshooting.md +++ b/windows/configuration/ue-v/uev-troubleshooting.md @@ -18,9 +18,9 @@ ms.date: 04/19/2017 For information that can help with troubleshooting UE-V for Windows 10, see: -- [UE-V FAQ Wiki](http://social.technet.microsoft.com/wiki/contents/articles/35333.ue-v-important-changes-in-ue-v-functionality-after-the-windows-10-anniversary-update.aspx) +- [UE-V FAQ Wiki](https://social.technet.microsoft.com/wiki/contents/articles/35333.ue-v-important-changes-in-ue-v-functionality-after-the-windows-10-anniversary-update.aspx) -- [UE-V: List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14271.ue-v-list-of-microsoft-support-knowledge-base-articles.aspx) +- [UE-V: List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14271.ue-v-list-of-microsoft-support-knowledge-base-articles.aspx) - [User Experience Virtualization Release Notes](uev-release-notes-1607.md) diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index b1547d99cd..a9f4434dfb 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -30,7 +30,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) -- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) +- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) ## ComputerAccount 
@@ -43,7 +43,7 @@ Specifies the settings you can configure when joining a device to a domain, incl | --- | --- | --- | | Account | string | Account to use to join computer to domain | | AccountOU | Enter the full path for the organizational unit. For example: OU=testOU,DC=domain,DC=Domain,DC=com. | Name of organizational unit for the computer account | -| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIAL% characters in the name.

            ComputerName is a string with a maximum length of 15 bytes of content:

            - ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

            - ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

            - ComputerName cannot use some non-standard characters, such as emoji.

            Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](http://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | +| ComputerName | Specify a unique name for the domain-joined computers using %RAND:x%, where x is an integer less than 15 digits long, or using %SERIAL% characters in the name.

            ComputerName is a string with a maximum length of 15 bytes of content:

            - ComputerName can use ASCII characters (1 byte each) and/or multi-byte characters such as Kanji, so long as you do not exceed 15 bytes of content.

            - ComputerName cannot use spaces or any of the following characters: \{ | \} ~ \[ \\ \] ^ ' : ; < = > ? @ ! " \# $ % ` \( \) + / . , \* &, or contain any spaces.

            - ComputerName cannot use some non-standard characters, such as emoji.

            Computer names that cannot be validated through the DnsValidateName function cannot be used, for example, computer names that only contain numbers (0-9). For more information, see the [DnsValidateName function](https://go.microsoft.com/fwlink/?LinkId=257040). | Specifies the name of the Windows device (computer name on PCs) | | DomainName | string (cannot be empty) | Specify the name of the domain that the device will join | | Password | string (cannot be empty) | Corresponds to the password of the user account that's authorized to join the computer account to the domain. | diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md deleted file mode 100644 index 058450c727..0000000000 --- a/windows/configuration/wcd/wcd-applicationmanagement.md +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -title: ApplicationManagement (Windows 10) -description: This section describes the ApplicationManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -ms.localizationpriority: medium -ms.author: jdecker -ms.topic: article -ms.date: 09/12/2017 ---- - -# ApplicationManagement (Windows Configuration Designer reference) - -Use these settings to manage app installation and management. - ->[!NOTE] ->ApplicationManagement settings are not available in Windows 10, version 1709, and later. - -## Applies to - -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](#allowalltrustedapps) | | | | | X | -| [AllowAppStoreAutoUpdate](#allowappstoreautoupdate) | | | | | X | -| [RestrictAppDataToSystemVolume](#restrictappdatatosystemvolume) | | | | | X | -| [RestrictAppToSystemVolume](#restrictapptosystemvolume) | | | | | X | - -## AllowAllTrustedApps - -Specifies whether non-Microsoft Store apps are allowed. - -| Value | Description | -| --- | --- | -| No | Only Microsoft Store apps are allowed | -| Yes | Non-Microsoft Store apps are allowed | - -## AllowAppStoreAutoUpdate - -Specifies whether automatic update of apps from Microsoft Store are allowed - -| Value | Description | -| --- | --- | -| Disallowed | Automatic update of apps is not allowed | -| Allowed | Automatic update of apps is allowed | - - -## RestrictAppDataToSystemVolume - -Specifies whether application data is restricted to the system drive. - -| Value | Description | -| --- | --- | -| 0 | Not restricted | -| 1 | Restricted | - - -## RestrictAppToSystemVolume - -Specifies whether the installation of applications is restricted to the system drive. 
- -| Value | Description | -| --- | --- | -| 0 | Not restricted | -| 1 | Restricted | - -## Related topics - -- [Policy configuration service provider (CSP): ApplicationManagement/AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) -- [Policy CSP: ApplicationManagement/AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) -- [Policy CSP: ApplicationManagement/RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) -- [Policy CSP: ApplicationManagement/RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 3ed958488d..c7cd5a030f 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # Browser (Windows Configuration Designer reference) 
@@ -19,10 +19,32 @@ Use to configure browser settings that should only be set by OEMs who are part o | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowPrelaunch](#allowprelaunch) | | | X | | | +| [FavoriteBarItems](#favoritebaritems) | X | | | | | | [Favorites](#favorites) | | X | | | | | [PartnerSearchCode](#partnersearchcode) | X | X | X | | | | [SearchProviders](#searchproviders) | | X | | | | + +## AllowPrelaunch + +Use this setting to allow Microsoft Edge to pre-launch during Windows sign-in, when the system is idle, and each time that Microsoft Edge is closed. Pre-launch minimizes the amount of time required to start Microsoft Edge. + +Select between **Prevent Pre-launching** and **Allow Pre-launching**. + +## FavoriteBarItems + +Use to add items to the Favorites Bar in Microsoft Edge. + +1. Enter a name for the item, and select **Add**. (The name you enter here is only used to distinguish the group of settings, and is not shown on the device when the settings are applied.) +2. In **Available customizations**, select the item that you added, and then configure the following settings for that item: + +Setting | Description +--- | --- +ItemFavIconFile | Enter the path to the icon file, local to the device where the browser will run. The icon file must be added to the device to the specified path. +ItemName | Enter the name for the item, which will be displayed on the Favorites Bar. +ItemUrl | Enter the target URL for the item. + ## Favorites Use to configure the default list of Favorites that show up in the browser. diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index 66fd0b6bc1..b7b52b37af 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md 
@@ -8,11 +8,13 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # CellCore (Windows Configuration Designer reference) +>Setting documentation is provided for Windows 10, version 1803 and earlier. CellCore is not available in Windows 10, version 1809. + Use to configure settings for cellular data. >[!IMPORTANT] diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 290e3f52cb..f6c9545c4a 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/21/2017 +ms.date: 10/02/2018 --- # Cellular (Windows Configuration Designer reference) 
@@ -24,39 +24,54 @@ Use to configure settings for cellular connections. | --- | :---: | :---: | :---: | :---: | :---: | | All settings | X | | | | | +## PerDevice +See [SignalBarMappingTable](#signalbarmappingtable) + +## PerSimSettings To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it. -## AccountExperienceURL +### AccountExperienceURL Enter the URL for the mobile operator's web page. -## AppID +### AppID Enter the AppID for the mobile operator's app in Microsoft Store. -## BrandingIcon +### BrandingIcon Browse to and select an .ico file. -## BrandingIconPath +### BrandingIconPath Enter the destination path for the BrandingIcon .ico file. -## BrandingName +### BrandingName Enter the service provider name for the mobile operator. -## NetworkBlockList - -Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). - -## SIMBlockList +### NetworkBlockList Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). -## UseBrandingNameOnRoaming +### SignalBarMappingTable + +>[!NOTE] +>SignalBarMappingTable can be configured per device or per sim. + +Use the **SignalBarMappingTable** settings to customize the number of bars displayed based on signal strength. Set a signal strength minimum for each bar number. + +1. Expand **SignalBarMappingTable**, select a bar number in **SignalForBars**, and select **Add**. +2. Select the signal bar number in **Available customizations**, and enter a minimum signal strength value, between 0 and 31. + +### SIMBlockList + +Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). + + +### UseBrandingNameOnRoaming Select an option for displaying the BrandingName when the device is roaming. \ No newline at end of file 
diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md
new file mode 100644
index 0000000000..b51c2ab60e
--- /dev/null
+++ b/windows/configuration/wcd/wcd-changes.md
@@ -0,0 +1,83 @@ +--- +title: Changes to settings in Windows Configuration Designer (Windows 10) +description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 10/02/2018 +--- + +# Changes to settings in Windows Configuration Designer + +Settings added in Windows 10, version 1809 + + +- [Browser > AllowPrelaunch](wcd-browser.md#allowprelaunch) +- [Browser > FavoriteBarItems](wcd-browser.md#favoritebaritems) +- [Cellular > SignalBarMappingTable](wcd-cellular.md#signalbarmappingtable) +- [KioskBrowser](wcd-kioskbrowser.md) +- [Location](wcd-location.md) +- [Policies > ApplicationManagement > LaunchAppAfterLogOn](wcd-policies.md#applicationmanagement) +- [Policies > Authentication:](wcd-policies.md#authentication) + - EnableFastFirstSignin + - EnableWebSignin + - PreferredAadTenantDomainName +- [Policies > Browser:](wcd-policies.md#browser) + - AllowFullScreenMode + - AllowPrelaunch + - AllowPrinting + - AllowSavingHistory + - AllowSideloadingOfExtensions + - AllowTabPreloading + - AllowWebContentOnNewTabPage + - ConfigureFavoritesBar + - ConfigureHomeButton + - ConfigureKioskMode + - ConfigureKioskResetAfterIdleTimer + - ConfigureOpenMicrosoftEdgeWith + - ConfigureTelemetryForMicrosoft365 + - FirstRunURL + - PreventCertErrorOverrides + - PreventTurningOffRequiredExtensions + - SetHomeButtonURL + - SetNewTabPageURL + - UnlockHomeButton +- [Policies > DeliveryOptimization:](wcd-policies.md#deliveryoptimization) + - DODelayBackgroundDownloadFromHttp + - DODelayForegroundDownloadFromHttp + - DOGroupIdSource + - DOPercentageMaxBackDownloadBandwidth + - DOPercentageMaxForeDownloadBandwidth + - DORestrictPeerSelectionsBy + - DOSetHoursToLimitBackgroundDownloadBandwidth + - DOSetHoursToLimitForegroundDownloadBandwidth +- [Policies > 
KioskBrowser](wcd-policies.md#kioskbrowser) > EnableEndSessionButton +- [Policies > Search](wcd-policies.md#search) > DoNotUseWebResults +- [Policies > System:](wcd-policies.md#system) + - DisableDeviceDelete + - DisableDiagnosticDataViewer +- [Policies > Update:](wcd-policies.md#update) + - AutoRestartDeadlinePeriodInDaysForFeatureUpdates + - EngagedRestartDeadlineForFeatureUpdates + - EngagedRestartSnoozeScheduleForFeatureUpdates + - EngagedRestartTransitionScheduleForFeatureUpdates + - ExcludeWUDriversInQualityUpdate + - SetDisablePauseUXAccess + - SetDisableUXWUAccess + - UpdateNotificationLevel +- [UnifiedWriteFilter > OverlayFlags](wcd-unifiedwritefilter.md#overlayflags) +- [UnifiedWriteFilter > ResetPersistentState](wcd-unifiedwritefilter.md#resetpersistentstate) +- [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) + + +Settings removed in Windows 10, version 1809 + +- [CellCore](wcd-cellcore.md) +- [Policies > Browser:](wcd-policies.md#browser) + - AllowBrowser + - PreventTabReloading + diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index b797544274..38bdf81ca7 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md 
@@ -19,12 +19,12 @@ Use to configure profiles that a user will connect with, such as an email accoun | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [Email](#email) | X | X | X | | X | -| [Exchange](#exchange) | X | X | X | | X | -| [KnownAccounts](#knownaccounts) | X | X | X | | X | -| [VPN](#vpn) | X | X | X | X | X | -| [WiFiSense](#wifisense) | X | X | X | | X | -| [WLAN](#wlan) | X | X | X | X | X | +| [Email](#email) | X | X | X | | | +| [Exchange](#exchange) | X | X | X | | | +| [KnownAccounts](#knownaccounts) | X | X | X | | | +| [VPN](#vpn) | X | X | X | X | | +| [WiFiSense](#wifisense) | X | X | X | | | +| [WLAN](#wlan) | X | X | X | X | | ## Email diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index 3c2044f533..cb1554991e 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 08/08/2018 --- # FirstExperience (Windows Configuration Designer reference) @@ -27,5 +27,5 @@ PreferredRegion | Enter the [geographical location identifier](https://msdn.micr PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](https://msdn.microsoft.com/library/ms912391.aspx) SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration. SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training. -SkipWifi | Set to **True** to skip connecting to a Wi-fi network. +SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.

            **Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](https://docs.microsoft.com/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md). diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md new file mode 100644 index 0000000000..29f19e45e4 --- /dev/null +++ b/windows/configuration/wcd/wcd-kioskbrowser.md @@ -0,0 +1,44 @@ +--- +title: KioskBrowser (Windows 10) +description: This section describes the KioskBrowser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 10/02/2018 +--- + +# KioskBrowser (Windows Configuration Designer reference) + +Use KioskBrowser settings to configure Internet sharing. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | | | X | + +>[!NOTE] +>To configure Kiosk Browser settings for desktop editions, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser). + +Kiosk Browser settings | Use this setting to +--- | --- +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

            For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

            If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. +Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. +Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. +Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. + +>[!IMPORTANT] +>To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: +> +> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. +>2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +>3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). +>4. Save the XML file. +>5. Open the project again in Windows Configuration Designer. +>6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md new file mode 100644 index 0000000000..f54b9343b1 --- /dev/null +++ b/windows/configuration/wcd/wcd-location.md 
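Review bot: The Blocked URLs example on the line `If you want to limit people to a specific site, add `https://*` to the blocked URL list` covers only HTTPS, so a kiosk user could still reach any `http://` URL (and any other scheme the browser opens), and the lock-down the Blocked URL Exceptions row promises ("block all other URLs") is not achieved by that single entry. Suggest changing it to read: add both `http://*` and `https://*` to the blocked URL list, and stating that the block list must cover every scheme the browser will open, assuming the wildcard is scheme-specific as the text implies. Separately, step 3 of the IMPORTANT note (`Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com)`) renders the separator as an empty code span, so a reader cannot tell which character to insert; name it explicitly (for example "a NUL character, U+0000") and say how to enter it in the editor.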
@@ -0,0 +1,26 @@
+---
+title: Location (Windows 10)
+description: This section describes the Location settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.topic: article
+ms.date: 10/02/2018
+---
+
+# Location (Windows Configuration Designer reference)
+
+Use Location settings to configure location services.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [EnableLocation](#enablelocation) | | | | | X |
+
+## EnableLocation
+
+Use this setting to enable or disable location services for the device.
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 1ba48ada16..9e65e7f7e7 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -8,35 +8,35 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # Policies (Windows Configuration Designer reference) -This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider). +This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). ## AboveLock | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowActionCenterNotifications](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | | -| [AllowToasts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | X | X | | | | +| [AllowActionCenterNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. 
| | X | | | | +| [AllowToasts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | X | X | | | | ## Accounts | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddingNonMicrosoftAccountManually](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | -| [AllowMicrosoftAccountConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | X | | -| [AllowMicrosoftAccountSigninAssistant](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | -| [DomainNamesForEmailSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | +| [AllowAddingNonMicrosoftAccountManually](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | +| [AllowMicrosoftAccountConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for 
non-email-related connection authentication and services | X | X | | X | | +| [AllowMicrosoftAccountSigninAssistant](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | +| [DomainNamesForEmailSync](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | ## ApplicationDefaults | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DefaultAssociationsConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | +| [DefaultAssociationsConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | ##ApplicationManagement 
@@ -44,15 +44,16 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | | -| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | | -| [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | -| [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | -| [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | -| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | | -| [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. 
| | x | | | | -| [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | | -| [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | | +| [AllowAllTrustedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | X | +| [AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | X | +| [AllowDeveloperUnlock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | +| [AllowGameDVR](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | +| [AllowSharedUserAppData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | +| [AllowStore](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | | +| 
[ApplicationRestrictions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | x | | | | +| [LaunchAppAfterLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | X | | | | | +| [RestrictAppDataToSystemVolume](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | X | +| [RestrictAppToSystemVolume](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | X | 
@@ -61,94 +62,115 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFastReconnect](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | +| [AllowFastReconnect](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | +| [EnableFastFirstSignin](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | X | X | X | | X | +| [EnableWebSignin](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | X | X | X | | X | +| [PreferredAadTenantDomainName](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. 
| X | X | X | | X | ## BitLocker | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EncryptionMethod](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | +| [EncryptionMethod](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | ## Bluetooth | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | -| [AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X | -| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | | X | +| [AllowAdvertising](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | +| [AllowDiscoverableMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other 
Bluetooth-enabled devices can discover the device | X | X | X | X | X | +| [AllowPrepairing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X | | AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | X | X | X | X | X | -| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | -| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | | +| [LocalDeviceName](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | +| [ServicesAllowedList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | X | ## Browser | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddressBarDropdown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. 
| X | | | | |
-| [AllowAutofill](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | X | |
-| [AllowBrowser](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device. | X | | | | |
-[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | | | | |
-| [AllowCookies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | X | |
-| [AllowDeveloperTools](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | |
-| [AllowDoNotTrack](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | X | |
-| [AllowExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | |
-| [AllowFlash](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | |
-| [AllowFlashClickToRun](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | |
-| [AllowInPrivate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | X | |
-| [AllowMicrosoftCompatibilityList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | |
-| [AllowPasswordManager](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | X | |
-| [AllowPopups](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | |
-| [AllowSearchEngineCustomization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | | | | |
-| [AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | X | |
-| [AllowSmartScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | |
-[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | X | | | | |
-| [ClearBrowsingDataOnExit](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | |
-| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | |
-| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | |
-[EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | | | | |
-| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | |
-| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
-| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | |
-| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | |
-[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | | | | |
-| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | |
-| [PreventFirstRunPage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X | | | | |
-| [PreventLiveTileDataCollection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | |
-| [PreventSmartScreenPromptOverride](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | |
-| [PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | |
-PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. | X | | | | |
-| [PreventUsingLocalHostIPAddressForWebRTC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | |
-[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | | | | |
-| [SendIntranetTraffictoInternetExplorer ](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | |
-| [SetDefaultSearchEngine](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | |
-| [ShowMessageWhenOpeningSitesInInternetExplorer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | |
-| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | |
-[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | | | | |
+| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | |
+| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | X |
+| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | X | X | | | |
+[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | X | | | |
+| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | X |
+| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | |
+| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | | X |
+| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | |
+| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | |
+| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | |
+| [AllowFullScreenMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | X | X | X | | X |
+| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | | X |
+| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | X |
+| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | X |
+| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | |
+| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | X | | | | |
+| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | X | X | X | | X |
+| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | X | | | | |
+| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | X | X | | X |
+| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | X |
+| [AllowSideloadingOfExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | X | | | | |
+| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | X |
+| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | X | | | | |
+| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | X | X | X | | X |
+[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | X | X | | | |
+| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | |
+| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | X |
+| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | X | | | | |
+| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | X | | | | |
+| [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | X | | | | |
+| [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | X | | | | |
+| [ConfigureOpenMicrosoftEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | X | | | | |
+| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | X | | | | |
+| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | |
+[EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | X | | | |
+| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | |
+| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
+| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | X | X | | | |
+| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | |
+[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | X | | | |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | X |
+| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | X | X | X | | X |
+| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X | | | | |
+| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | X |
+| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | X |
+| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | X |
+PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | X | | | | |
+| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | X | | | | |
+| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | X |
+[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | X | | | |
+| [SendIntranetTraffictoInternetExplorer ](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | |
+| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | X |
+| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | X | | | | |
+| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | X | | | | |
+| [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list.
| X | | | | | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | +| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | X | | | | | +[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | X | | | | ## Camera | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCamera](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | | +| [AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | | ## Connectivity | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | | -| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. 
| X | X | X | | | -| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | | -| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | | -| [AllowNFC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | | -| [AllowUSBConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | | -| [AllowVPNOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | | -| [AllowVPNRoamingOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | | -| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | | -| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. 
| X | X | X | | | +| [AllowBluetooth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | X | +| [AllowCellularData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | X | +| [AllowCellularDataRoaming](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | X | +| [AllowConnectedDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | X | +| [AllowNFC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | X | +| [AllowUSBConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | X | +| [AllowVPNOverCellular](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | X | +| [AllowVPNRoamingOverCellular](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. 
| X | X | X | | X | +| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | X | +| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | X | ## CredentialProviders 
@@ -160,60 +182,68 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowFipsAlgorithmPolicy](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | |
-| [TLSCiperSuites](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | |
+| [AllowFipsAlgorithmPolicy](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | |
+| [TLSCiperSuites](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | |
 ## Defender
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowArchiveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | |
-| [AllowBehaviorMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | |
-| [AllowCloudProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | | | | |
-| [AllowEmailScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | |
-| [AllowFullScanOnMappedNetworkDrives](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | |
-| [AllowFullScanRemovableDriveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | |
-| [AllowIntrusionPreventionSystem](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | |
-| [AllowIOAVProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | |
-| [AllowOnAccessProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | |
-| [AllowRealtimeMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | | | | |
-| [AllowScanningNetworkFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | |
-| [AllowScriptScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | |
-| [AllowUserUIAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | |
-| [AvgCPULoadFactor](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | |
-| [DaysToRetainCleanedMalware](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | |
-| [ExcludedExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | |
-| [ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | X | | | | |
-| [ExcludedProcesses](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | |
-| [RealTimeScanDirection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | |
-| [ScanParameter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | |
-| [ScheduleQuickScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | |
-| [ScheduleScanDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | |
-| [ScheduleScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | X | | | | |
-| [SignatureUpdateInterval](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | |
-| [SubmitSamplesConsent](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | |
-| [ThreatSeverityDefaultAction](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | |
+| [AllowArchiveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | |
+| [AllowBehaviorMonitoring](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | |
+| [AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | | | | |
+| [AllowEmailScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | |
+| [AllowFullScanOnMappedNetworkDrives](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | |
+| [AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | |
+| [AllowIntrusionPreventionSystem](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | |
+| [AllowIOAVProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | |
+| [AllowOnAccessProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | |
+| [AllowRealtimeMonitoring](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | | | | |
+| [AllowScanningNetworkFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | |
+| [AllowScriptScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | |
+| [AllowUserUIAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | |
+| [AvgCPULoadFactor](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | |
+| [DaysToRetainCleanedMalware](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | |
+| [ExcludedExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | |
+| [ExcludedPaths](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | X | | | | |
+| [ExcludedProcesses](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | |
+| [RealTimeScanDirection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | |
+| [ScanParameter](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | |
+| [ScheduleQuickScanTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | |
+| [ScheduleScanDay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | |
+| [ScheduleScanTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | X | | | | |
+| [SignatureUpdateInterval](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | |
+| [SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | |
+| [ThreatSeverityDefaultAction](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | |
 ## DeliveryOptimization
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [DOAbsoluteMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | |
-| [DOAllowVPNPeerCaching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | |
-| [DODownloadMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | X | | | | |
-| [DOGroupId](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | |
-| [DOMaxCacheAge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | |
-| [DOMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | |
-| [DOMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | |
-| [DOMaxUploadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | |
-| [DOMinBackgroundQos](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | X | | | | |
-| [DOMinBatteryPercentageAllowedToUpload](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | |
-| [DOMinDiskSizeAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | |
-| [DOMinFileSizeToCache](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | |
-| [DOMinRAMAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | |
-| [DOModifyCacheDrive](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | |
-| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | |
-| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+| [DOAbsoluteMaxCacheSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | |
+| [DOAllowVPNPeerCaching](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | |
+| [DODelayBackgroundDownloadFromHttp](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | X | | | | |
+| [DODelayForegroundDownloadFromHttp](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | X | | | | |
+| [DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | X | | | | |
+| [DOGroupId](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | |
+| [DOGroupIdSource](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | X | | | | |
+| [DOMaxCacheAge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | |
+| [DOMaxCacheSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | |
+| [DOMaxDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | |
+| [DOMaxUploadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | |
+| [DOMinBackgroundQos](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | X | | | | |
+| [DOMinBatteryPercentageAllowedToUpload](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | |
+| [DOMinDiskSizeAllowedToPeer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | |
+| [DOMinFileSizeToCache](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | |
+| [DOMinRAMAllowedToPeer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | |
+| [DOModifyCacheDrive](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | |
+| [DOMonthlyUploadDataCap](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | |
+| [DOPercentageMaxBackDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+| [DOPercentageMaxDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+| [DOPercentageMaxForeDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+| [DORestrictPeerSelectionBy](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | X | | | | |
+| [DOSetHoursToLimitBackgroundDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
+| [DOSetHoursToLimitForegroundDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | |
 ## DeviceGuard
@@ -225,18 +255,18 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIdleReturnWithoutPassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | -| [AllowScreenTimeoutWhileLockedUserConfig](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | -| [AllowSimpleDevicePassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | X | | -|[AlphanumericDevicePasswordRequired](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | | -| [DevicePasswordEnabled](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | | -| [DevicePasswordExpiration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). 
| X | X | | X | | -| [DevicePasswordHistory](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | X | | -| [MaxDevicePasswordFailedAttempts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | | -| [MaxInactivityTimeDeviceLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | X | | -| [MinDevicePasswordComplexCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | | -| [MinDevicePasswordLength](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | | -| [ScreenTimeoutWhileLocked](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. 
| | X | | | | +| [AllowIdleReturnWithoutPassword](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | +| [AllowScreenTimeoutWhileLockedUserConfig](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | +| [AllowSimpleDevicePassword](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | X | | +|[AlphanumericDevicePasswordRequired](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | | +| [DevicePasswordEnabled](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | | +| [DevicePasswordExpiration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | X | | +| [DevicePasswordHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. 
| X | X | | X | | +| [MaxDevicePasswordFailedAttempts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | | +| [MaxInactivityTimeDeviceLock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | X | | +| [MinDevicePasswordComplexCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | | +| [MinDevicePasswordLength](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | | +| [ScreenTimeoutWhileLocked](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | | ## DeviceManagement 
@@ -251,24 +281,24 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCopyPaste](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | -| [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | X | | -| [AllowDeviceDiscovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | -| [AllowFindMyDevice](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | | -| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | X | | -| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | -| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. 
| | X | | | | -| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | | -| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | -| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | | -| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | | -| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | +| [AllowCopyPaste](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | +| [AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. 
| X | X | | X | | +| [AllowDeviceDiscovery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | +| [AllowFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | | +| [AllowManualMDMUnenrollment](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | X | | +| [AllowScreenCapture](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | +| [AllowSIMErrorDialogPromptWhenNoSIM](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | | +| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | | +| [AllowTailoredExperiencesWithDiagnosticData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | +| [AllowTaskSwitcher](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. 
| | X | | | | +| [AllowThirdPartySuggestionsInWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | | +| [AllowVoiceRecording](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | | [AllowWindowsConsumerFeatures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | | -| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | | -| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | -| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | -| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. 
| X | | | | | -| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | | +| [AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | | +| [AllowWindowsSpotlightOnActionCenter](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | +| [AllowWindowsSpotlightWindowsWelcomeExperience](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | +| [AllowWindowsTips](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | | +| [ConfigureWindowsSpotlightOnLockScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | | ## ExploitGuard 
@@ -281,7 +311,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvancedGamingServices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | +| [AllowAdvancedGamingServices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | ## KioskBrowser 
@@ -293,24 +323,33 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store. [BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | | [BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | | [DefaultURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | X | | | | | +[EnableEndSessionButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | X | | | | | [EnableHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | X | | | | | [EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X | | | | | [RestartOnIdleTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. 
The default value is empty which means there is no idle timeout within the kiosk browser. | X | | | | | +To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: + +1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. +2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +3. Insert the null character string in between each URL (e.g www.bing.comwww.contoso.com). +4. Save the XML file. +5. Open the project again in Windows Configuration Designer. +6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. ## Location | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | | +| [EnableLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | | ## Privacy | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. 
| | X | | | | -| [AllowInputPersonalization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | | +| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | | +| [AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | | ## Search 
@@ -319,16 +358,17 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store. | --- | --- | :---: | :---: | :---: | :---: | :---: | [AllowCloudSearch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | X | X | | | | [AllowCortanaInAAD](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | X | | | | | -| [AllowIndexingEncryptedStoresOrItems](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | | -| [AllowSearchToUseLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | X | | -| [AllowUsingDiacritics](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | | +| [AllowIndexingEncryptedStoresOrItems](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | | +| [AllowSearchToUseLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. 
| X | X | | X | | +| [AllowUsingDiacritics](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | | | [AllowWindowsIndexer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

            - **Off** setting disables Windows indexer
            - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
            - **Enterprise** setting reduces potential network loads for enterprises
            - **Standard** setting is appropriate for consuemrs | X | X | | | | -| [AlwaysUseAutoLangDetection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | | -| [DisableBackoff](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | -| [DisableRemovableDriveIndexing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | -| [PreventIndexingLowDiskSpaceMB](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | -| [PreventRemoteQueries](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | -| [SafeSearchPermissions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | X | | | | +| [AlwaysUseAutoLangDetection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. 
| X | X | | | | +| [DoNotUseWebResults](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | X | X | | | | +| [DisableBackoff](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | +| [DisableRemovableDriveIndexing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | +| [PreventIndexingLowDiskSpaceMB](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | +| [PreventRemoteQueries](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | +| [SafeSearchPermissions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | X | | | | 
@@ -336,22 +376,22 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store. | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X | -| [AllowManualRootCertificateInstallation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | -| [AllowRemoveProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X | -| [AntiTheftMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | -| [RequireDeviceEncryption](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | -| [RequireProvisioningPackageSignature](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. 
| X | X | X | | X | -| [RequireRetrieveHealthCertificateOnBoot](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | +| [AllowAddProvisioningPackage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X | +| [AllowManualRootCertificateInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | +| [AllowRemoveProvisioningPackage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X | +| [AntiTheftMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | +| [RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | +| [RequireProvisioningPackageSignature](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. 
| X | X | X | | X | +| [RequireRetrieveHealthCertificateOnBoot](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | ## Settings | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoPlay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | -| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | | -| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | | -| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | +| [AllowAutoPlay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | +| [AllowDataSense](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. 
| | X | | | | +| [AllowVPN](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | | +| [ConfigureTaskbarCalendar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | [PageVisiblityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | | ## Start 
@@ -369,40 +409,42 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store.
 | [AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | |
 | [AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | |
 DisableContextMenus | Prevent context menus from being invoked in the Start menu. | X | | | | |
-| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | |
-| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | |
-| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | |
-| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | |
-| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | |
-| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | |
+| [ForceStartSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | |
+| [HideAppList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | |
+| [HideChangeAccountSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | |
+| [HideFrequentlyUsedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | |
+| [HideHibernate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | |
+| [HideLock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | |
 | HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | | | | |
-| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | |
-| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | |
-| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | |
-| [HideRestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | |
-| [HideShutDown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | |
-| [HideSignOut](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | X | | | | |
-| [HideSleep](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | |
-| [HideSwitchAccount](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | |
-| [HideUserTile](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | |
-| [ImportEdgeAssets](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). | X | | | | |
-| [NoPinningToTaskbar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | |
-| [StartLayout](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | |
+| [HidePowerButton](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | |
+| [HideRecentJumplists](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | |
+| [HideRecentlyAddedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | |
+| [HideRestart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | |
+| [HideShutDown](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | |
+| [HideSignOut](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | X | | | | |
+| [HideSleep](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | |
+| [HideSwitchAccount](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | |
+| [HideUserTile](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | |
+| [ImportEdgeAssets](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). | X | | | | |
+| [NoPinningToTaskbar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | |
+| [StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | |
 ## System
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowBuildPreview](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | |
-| [AllowEmbeddedMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | | X |
-| [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | |
-| [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X |
-| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X |
-| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | |
-| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
+| [AllowBuildPreview](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | |
+| [AllowEmbeddedMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | | X |
+| [AllowExperimentation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | |
+| [AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X |
+| [AllowStorageCard](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X |
+| [AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | |
+| [AllowUserToResetPhone](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | |
 ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | X | X | | | |
 ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | X | X | | | |
-| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
+| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | X | X | | | |
+| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | X | X | | | |
+| [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | |
 | [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | |
@@ -410,98 +452,106 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowIMELogging](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | |
-| [AllowIMENetworkAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | |
-| [AllowInputPanel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | |
-| [AllowJapaneseIMESurrogatePairCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | X | | | | |
-| [AllowJapaneseIVSCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | |
-| [AllJapaneseNonPublishingStandardGlyph](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph.
| X | | | | |
-| [AllowJapaneseUserDictionary](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | |
-| [AllowKeyboardTextSuggestions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | |
-| [AllowLanguageFeaturesUninstall](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | |
-| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | |
-| [ExcludeJapaneseIMEExceptISO208](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
-| [ExcludeJapaneseIMEExceptISO208andEUDC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter.
| X | | | | |
-| [ExcludeJapaneseIMEExceptShiftJIS](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
+| [AllowIMELogging](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | |
+| [AllowIMENetworkAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | |
+| [AllowInputPanel](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | |
+| [AllowJapaneseIMESurrogatePairCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | X | | | | |
+| [AllowJapaneseIVSCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | |
+| [AllJapaneseNonPublishingStandardGlyph](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph.
| X | | | | |
+| [AllowJapaneseUserDictionary](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | |
+| [AllowKeyboardTextSuggestions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | |
+| [AllowLanguageFeaturesUninstall](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | |
+| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | |
+| [ExcludeJapaneseIMEExceptISO208](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
+| [ExcludeJapaneseIMEExceptISO208andEUDC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | |
+| [ExcludeJapaneseIMEExceptShiftJIS](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter.
| X | | | | |
 ## TimeLanguageSettings
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowSet24HourClock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | |
+| [AllowSet24HourClock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | |
 ## Update
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X |
-| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X |
-| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X |
-| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates.
| X | X | X | X | X |
+| [ActiveHoursEnd](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X |
+| [ActiveHoursMaxRange](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X |
+| [ActiveHoursStart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X |
+| [AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
 | [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X |
-| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
-| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location.
| X | X | X | | X |
-| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X |
+| [AllowMUUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
+| [AllowNonMicrosoftSignedUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X |
+| [AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X |
 | [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X |
-| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications.
| X | X | X | | X |
-| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | | X |
-| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X |
-| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X |
-| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X |
+| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X |
+| [AutoRestartNotificationSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X |
+| [AutoRestartRequiredNotificationDismissal](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed.
| X | X | X | | X |
+| [BranchReadinessLevel](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X |
+| [DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X |
+| [DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X |
 | [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X |
 | [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) |Specify upgrade delays for up to 8 months. | X | X | X | X | X |
-| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
+| [DetectionFrequency](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X |
 | [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update.
| X | X | X | | X |
-| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X |
-| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X |
-| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X |
-| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X |
+| [EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X |
+| [EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours.
| X | X | X | | X |
+| [EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X |
+| [EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X |
+| [EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X |
+| [EngagedRestartTransitionScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X |
+| [ExcludeWUDriversInQualityUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | X | | X | | X |
+| [FillEmptyContentUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X |
 | ManagePreviewBuilds | Use to enable or disable preview builds.
| X | X | X | X | X |
 | PhoneUpdateRestrictions | Deprecated | | X | | | |
-| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X |
-| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X |
+| [RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X |
+| [ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X |
 | [ScheduledInstallEveryWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X |
 | [ScheduledInstallFirstWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X |
 | [ScheduledInstallFourthWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X |
 | [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`.
| X | X | X | X | X |
 | [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X |
-| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X |
-| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X ||
-| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X |
-| [SetAutoRestartNotificationDisable](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X |
-| [SetEDURestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | | X |
-| [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update.
| X | X | X | X | X |
-| [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X |
+| [ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X |
+| [ScheduleImminentRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X ||
+| [ScheduleRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X |
+| [SetAutoRestartNotificationDisable](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X |
+| [SetDisablePauseUXAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | X | X | X | | X |
+| [SetDisableUXWUAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | X | X | X | | X |
+| [SetEDURestart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime.
| X | X | X | | X |
+| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | X | X | X | | X |
+| [UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X |
+| [UpdateServiceUrlAlternate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X |
 ## WiFi
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAutoConnectToWiFiSenseHotspots](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | |
-| [AllowInternetSharing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | |
-| [AllowManualWiFiConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | |
-| [AllowWiFi](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections.
| | X | | | |
-| [WLANScanMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X |
+| [AllowAutoConnectToWiFiSenseHotspots](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | |
+| [AllowInternetSharing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | |
+| [AllowManualWiFiConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | |
+| [AllowWiFi](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | |
+| [WLANScanMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X |
 ## WindowsInkWorkspace
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowSuggestedAppsInWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace.
| X | | | | |
-| [AllowWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | |
+| [AllowSuggestedAppsInWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | |
+| [AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | |
 ## WindowsLogon
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [HideFastUserSwitching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | X | | | | |
+| [HideFastUserSwitching](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager.
| X | | | | |
 ## WirelessDisplay
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | |
\ No newline at end of file
+| [AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | |
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md
index 744ae6a3b6..0f63fc68e7 100644
--- a/windows/configuration/wcd/wcd-provisioningcommands.md
+++ b/windows/configuration/wcd/wcd-provisioningcommands.md
@@ -13,7 +13,7 @@ ms.date: 09/06/2017
 # ProvisioningCommands (Windows Configuration Designer reference)
-Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package.
+Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package.
 ## Applies to
diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index 09c6c4a000..73739a9e70 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -15,8 +15,6 @@ ms.date: 10/16/2017 Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. ->[!TIP] ->You can use the [ApplicationManagement](wcd-applicationmanagement.md) settings node to configure only the account management settings without enabling shared PC mode. ## Applies to diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index 2f7f8216e2..a9e588a6f8 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -93,7 +93,7 @@ When you **enable** KeyboardFilter, a number of other settings become available ## ShellLauncher settings -Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). +Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Windows desktop application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). >[!WARNING] >Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index 3eb2ee43c6..436c29160d 100644 
--- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -19,7 +19,7 @@ Use TabletMode to configure settings related to tablet mode. | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | X | X | | X | +| All settings | X | X | X | | | ## ConvertibleSlateModePromptPreference diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index 9102c70cbe..7ca1ec138a 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/06/2017 +ms.date: 10/02/2018 --- # UnifiedWriteFilter (reference) @@ -39,6 +39,13 @@ The overlay does not mirror the entire volume, but dynamically grows to keep tra Set to **True** to enable UWF. +## OverlayFlags + +OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not be redirected to the overlay file. Enabling this setting helps conserve space on the overlay file. + +- Value `0` (default value when [OverlayType](#overlaytype) is not **Disk**): writes are redirected to the overlay file +- Value `1`(default value when [OverlayType](#overlaytype) is **Disk**): writes to unused space on the volume are allowed to pass through without being redirected to the overlay file. + ## OverlaySize Enter the maximum overlay size, in megabytes (MB), for the UWF overlay. The minimum value for maximum overlay size is 1024. 
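Review bot: The new OverlayFlags bullets in the wcd-unifiedwritefilter.md hunk are inconsistently punctuated and the second one is missing a space before the parenthesis: `- Value `1`(default value when [OverlayType](#overlaytype) is **Disk**):` should read `- Value `1` (default value when [OverlayType](#overlaytype) is **Disk**):`, and the first bullet should end with a period like the second. The section also stops at "not be redirected to the overlay file" without saying what happens to such writes; if, as elsewhere in UWF, it is the overlay that is discarded on restart, then a pass-through write lands on the physical volume and persists, which is the trade-off a reader enabling this to save overlay space needs to know. A sentence such as `Writes that pass through are made directly to the volume and are not discarded when the device restarts.` after the bullets would make that explicit — confirm against the UWF behaviour before adding it.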
@@ -58,6 +65,10 @@ Use **Add** to add a registry entry to the exclusion list after you restart the Use **Remove** to remove a registry entry from the exclusion list after you restart the device. +## ResetPersistentState + +Set to **True** to reset UWF settings to the original state that was captured at installation time. + ## Volumes Enter a drive letter for a volume to be protected by UWF. diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index 9a9127182d..96e4967e7a 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -25,9 +25,9 @@ Use UniversalAppInstall settings to install Windows apps from the Microsoft Stor | --- | :---: | :---: | :---: | :---: | :---: | | [DeviceContextApp](#devicecontextapp) | X | | X | | | | [DeviceContextAppLicense](#devicecontextapplicense) | X | | X | | | -| [StoreInstall](#storeinstall) | X | X | X | X | X | -| [UserContextApp](#usercontextapp) | X | X | X | X | X | -| [UserContextAppLicense](#usercontextapplicense) | X | X | X | X | X | +| [StoreInstall](#storeinstall) | X | X | X | | X | +| [UserContextApp](#usercontextapp) | X | X | X | | X | +| [UserContextAppLicense](#usercontextapplicense) | X | X | X | | X | ## DeviceContextApp diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index 0a2c9c16eb..d5455b7f01 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md 
@@ -8,14 +8,11 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 07/19/2018 +ms.date: 10/02/2018 --- # WindowsHelloForBusiness (Windows Configuration Designer reference) ->[!WARNING] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md). diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 546e98f694..1064831115 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # WLAN (reference) diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 57c84d177d..6ddc8bd462 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -22,7 +22,6 @@ This section describes the settings that you can configure in [provisioning pack [AccountManagement](wcd-accountmanagement.md) | | | | X | | | [Accounts](wcd-accounts.md) | X | X | X | X | X | | [ADMXIngestion](wcd-admxingestion.md) | X | | | | | -| [ApplicationManagement](wcd-applicationmanagement.md) | | | | | X | | [AssignedAccess](wcd-assignedaccess.md) | X | | | X | | | [AutomaticTime](wcd-automatictime.md) | | X | | | | | [Browser](wcd-browser.md) | X | X | X | X | | 
@@ -33,7 +32,7 @@ This section describes the settings that you can configure in [provisioning pack | [Certificates](wcd-certificates.md) | X | X | X | X | X | | [CleanPC](wcd-cleanpc.md) | X | | | | | | [Connections](wcd-connections.md) | X | X | X | X | | -| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | X | +| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | | | [CountryAndRegion](wcd-countryandregion.md) | X | X | X | X | | | [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | | | [DeveloperSetup](wcd-developersetup.md) | | | | X | | @@ -49,7 +48,9 @@ This section describes the settings that you can configure in [provisioning pack | [HotSpot](wcd-hotspot.md) | X | X | X | X | X | | [InitialSetup](wcd-initialsetup.md) | | X | | | | | [InternetExplorer](wcd-internetexplorer.md) | | X | | | | +| [KioskBrowser](wcd-kioskbrowser.md) | | | | | X | | [Licensing](wcd-licensing.md) | X | | | | | +| [Location](wcd-location.md) | | | | | X | | [Maps](wcd-maps.md) |X | X | X | X | | | [Messaging](wcd-messaging.md) | | X | | | | | [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | | diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index a1482a0a62..00f8037780 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md 
@@ -20,7 +20,7 @@ ms.date: 06/19/2018 - Windows 10 -> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) +> **Looking for consumer information?** See [Customize the Start menu](https://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. @@ -29,7 +29,7 @@ Organizations might want to deploy a customized Start and taskbar configuration > >Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703. > ->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). +>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). > >Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) 
@@ -77,7 +77,7 @@ There are three categories of apps that might be pinned to a taskbar: >[!NOTE] >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file. - + The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). ![Windows left, user center, enterprise to the right](images/taskbar-generic.png) 
@@ -101,14 +101,14 @@ In a clean install, if you apply a taskbar layout, only the apps that you specif ### Taskbar configuration applied to Windows 10 upgrades -When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. +When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: * If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. * If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. * If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. * New apps specified in updated layout file are pinned to right of user's pinned apps. - + [Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md). ## Start layout configuration errors 
@@ -116,9 +116,9 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events: - **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format. -- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood or source is not found such as a missing or misspelled .lnk. +- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood, elements are not in [the required order](start-layout-xml-desktop.md#required-order), or source is not found, such as a missing or misspelled .lnk. + - ## Related topics diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 09a31768aa..aaf7da1a9a 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md 
@@ -58,15 +58,18 @@ To turn off Windows Spotlight locally, go to **Settings** > **Personalization Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. +>[!NOTE] +>These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor. + | Group Policy | MDM | Description | Applies to | | --- | --- | --- | --- | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | -| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | -| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to 
introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | -| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | -| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | -**User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. 
| Windows 10 Enterprise and Education, version 1803 | +| **Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | +| **Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | +| **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | +| **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | +| **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | +| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | +**Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. 
| Windows 10 Enterprise and Education, version 1803 | diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 80adf12056..6577188cbc 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -20,7 +20,8 @@ ## [Deploy Windows 10](deploy.md) ### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) -### [Windows 10 in S mode](windows-10-pro-in-s-mode.md) +### [Windows 10 in S mode](s-mode.md) +#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md) ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Windows 10 volume license media](windows-10-media.md) @@ -238,6 +239,7 @@ ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) ## [Windows Analytics](update/windows-analytics-overview.md) +### [Windows Analytics in the Azure Portal](update/windows-analytics-azure-portal.md) ### [Windows Analytics and privacy](update/windows-analytics-privacy.md) ### [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) #### [Upgrade Readiness architecture](upgrade/upgrade-readiness-architecture.md) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index f2c43e0b7a..57d548abf9 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md 
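Review bot: The last row of the rewritten Windows Spotlight policy table still lacks its leading pipe, so `**Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | ...` will not render as a table row; it should begin `| **Turn off the Windows Spotlight on Settings** |` like the rows above it. The old row had the same defect, but since this commit rewrites every row it is the right place to fix it. The description cell of that row also ends with a period while no other description in the table does; dropping it keeps the rows consistent.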
@@ -60,7 +60,7 @@ You probably have on-premises Active Directory Domain Services (AD DS) domains. You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. -**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. +**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. ![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) 
@@ -68,7 +68,7 @@ You might ask why you need to synchronize these identities. The answer is so tha For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: -- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) ## Preparing for deployment: reviewing requirements @@ -89,8 +89,8 @@ The following methods are available to assign licenses: ![portal](images/al02.png) 3. You can assign licenses by uploading a spreadsheet. -4. A per-user [PowerShell scripted method](http://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. -5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. +4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. +5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. ## Explore the upgrade experience 
@@ -105,19 +105,19 @@ Users can join a Windows 10 Pro device to Azure AD the first time they start the 1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. Who owns this PC? page in Windows 10 setup - + **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup** 2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. Choose how you'll connect - page in Windows 10 setup - + **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup** 3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. Let's get you signed in - page in Windows 10 setup - + **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup** Now the device is Azure AD joined to the company’s subscription. @@ -130,19 +130,19 @@ Now the device is Azure AD joined to the company’s subscription. 1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. Connect to work or school configuration - + **Figure 5. Connect to work or school configuration in Settings** 2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. Set up a work or school account - + **Figure 6. Set up a work or school account** 3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. Let's get you signed in - dialog box - + **Figure 7. The “Let’s get you signed in” dialog box** Now the device is Azure AD joined to the company’s subscription. @@ -157,7 +157,7 @@ Now the device is Azure AD joined to the company’s subscription. Windows 10 Pro activated
            **Figure 7a - Windows 10 Pro activation in Settings**
            -Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). +Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). ### Step 3: Sign in using Azure AD account diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 8cde17231e..7c7f1d1ff8 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 09/19/2017 +ms.date: 09/12/2018 author: greg-lindsay --- 
@@ -25,6 +25,12 @@ This topic provides an overview of new solutions and online content related to d - For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). +## Windows 10 servicing and support + +Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. + +![Support lifecycle](images/support-cycle.png) + ## Windows 10 Enterprise upgrade Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md). diff --git a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index b326586cf3..ffe112508b 100644 --- a/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md 
+++ b/windows/deployment/deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md @@ -19,7 +19,7 @@ ms.date: 07/27/2017 - Windows 10 versions 1507, 1511 >[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). >Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). @@ -97,7 +97,7 @@ Operating system deployment with Configuration Manager is part of the normal sof - [Deploy Windows To Go in your organization](../deploy-windows-to-go.md) -- [Sideload Windows Store apps](http://technet.microsoft.com/library/dn613831.aspx) +- [Sideload Windows Store apps](https://technet.microsoft.com/library/dn613831.aspx) - [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) 
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 8557a2883c..2e2da9aa71 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -21,7 +21,7 @@ ms.date: 04/19/2017 This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. >[!NOTE] ->This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see [Using Cmdlets](http://go.microsoft.com/fwlink/p/?linkid=230693). +>This topic includes sample Windows PowerShell cmdlets that you can use to automate some of the procedures described. For more information, see [Using Cmdlets](https://go.microsoft.com/fwlink/p/?linkid=230693). ## Deployment tips 
@@ -62,7 +62,7 @@ In this step we are creating the operating system image that will be used on the 3. Verify that the .wim file location (which can be a network share, a DVD , or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. >[!NOTE]   - >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](http://go.microsoft.com/fwlink/p/?LinkId=619150). For more information about using sysprep, see [Sysprep Overview](http://go.microsoft.com/fwlink/p/?LinkId=619151). + >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=619150). For more information about using sysprep, see [Sysprep Overview](https://go.microsoft.com/fwlink/p/?LinkId=619151). 4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. The **Windows To Go Creator Wizard** opens. 
@@ -107,15 +107,15 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. - # + # # To skip the confirmation prompt, append –confirm:$False - Clear-Disk –InputObject $Disk[0] -RemoveData + Clear-Disk –InputObject $Disk[0] -RemoveData - # This command initializes a new MBR disk + # This command initializes a new MBR disk Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR # This command creates a 350 MB system partition - $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive + $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive # This formats the volume with a FAT32 Filesystem # To skip the confirmation dialog, append –Confirm:$False @@ -139,10 +139,10 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as >[!TIP]   >The index number must be set correctly to a valid Enterprise image in the .WIM file. - + ``` syntax #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` 4. Now use the [bcdboot](https://go.microsoft.com/fwlink/p/?LinkId=619163) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: 
@@ -198,21 +198,21 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as true true - + ``` @@ -293,7 +293,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i 1. Start the host computer and sign in using a user account with privileges to add workstations to the domain and then run the following command from an elevated command prompt replacing the example placeholder parameters (denoted by <>) with the ones applicable for your environment: ``` syntax - djoin /provision /domain /machine /certtemplate /policynames /savefile /reuse + djoin /provision /domain /machine /certtemplate /policynames /savefile /reuse ``` >[!NOTE]   @@ -311,15 +311,15 @@ Making sure that Windows To Go workspaces are effective when used off premises i $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. - # + # # To skip the confirmation prompt, append –confirm:$False - Clear-Disk –InputObject $Disk[0] -RemoveData + Clear-Disk –InputObject $Disk[0] -RemoveData - # This command initializes a new MBR disk + # This command initializes a new MBR disk Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR # This command creates a 350 MB system partition - $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive + $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive # This formats the volume with a FAT32 Filesystem # To skip the confirmation dialog, append –Confirm:$False 
@@ -344,16 +344,16 @@ Making sure that Windows To Go workspaces are effective when used off premises i >[!TIP]   >The index number must be set correctly to a valid Enterprise image in the .WIM file. - + ``` syntax #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` 6. After those commands have completed, run the following command: ``` syntax - djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows + djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows ``` 7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. For more information about the OOBE settings, see [OOBE](https://go.microsoft.com/fwlink/p/?LinkId=619172): @@ -364,9 +364,9 @@ Making sure that Windows To Go workspaces are effective when used off premises i true @@ -377,9 +377,9 @@ Making sure that Windows To Go workspaces are effective when used off premises i true @@ -388,7 +388,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i Work - + ``` 
@@ -457,15 +457,15 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot $Disk = Get-Disk | Where-Object {$_.Path -match "USBSTOR" -and $_.Size -gt 20Gb -and -not $_.IsBoot } #Clear the disk. This will delete any data on the disk. (and will fail if the disk is not yet initialized. If that happens, simply continue with ‘New-Partition…) Validate that this is the correct disk that you want to completely erase. - # + # # To skip the confirmation prompt, append –confirm:$False - Clear-Disk –InputObject $Disk[0] -RemoveData + Clear-Disk –InputObject $Disk[0] -RemoveData - # This command initializes a new MBR disk + # This command initializes a new MBR disk Initialize-Disk –InputObject $Disk[0] -PartitionStyle MBR # This command creates a 350 MB system partition - $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive + $SystemPartition = New-Partition –InputObject $Disk[0] -Size (350MB) -IsActive # This formats the volume with a FAT32 Filesystem # To skip the confirmation dialog, append –Confirm:$False 
@@ -484,15 +484,15 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot # This command toggles the NODEFAULTDRIVELETTER flag on the partition which prevents drive letters being assigned to either partition when inserted into a different computer. Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE ``` - + Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): - + >[!TIP]   >The index number must be set correctly to a valid Enterprise image in the .WIM file. - + ``` syntax #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ + dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ ``` 5. In the same PowerShell session use the following cmdlet to add a recovery key to the drive: 
@@ -515,10 +515,10 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot ``` syntax # Create a variable to store the password - $spwd = ConvertTo-SecureString -String -AsplainText –Force - Enable-BitLocker W: -PasswordProtector $spwd + $spwd = ConvertTo-SecureString -String -AsplainText –Force + Enable-BitLocker W: -PasswordProtector $spwd ``` - + >[!WARNING]   >To have BitLocker only encrypt used space on the disk append the parameter `–UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. 
@@ -526,7 +526,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot >[!WARNING]   >If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. - + If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker).  9. Safely remove the Windows To Go drive. @@ -585,9 +585,9 @@ The sample script creates an unattend file that streamlines the deployment proce >[!TIP]   >To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing <cmdlet-name> with the name of the cmdlet you want to see the help for: - + >`Get-Help -Online` - + >This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. #### Windows To Go multiple drive provisioning sample script @@ -775,14 +775,14 @@ param ( Set-Content $unattendFile $fileContent #return the file object - $unattendFile + $unattendFile } Function CreateRegistryPolicyFile { $saveFileLocaiton = "" + (get-location) + "\registry.pol" - $policyFile = New-Object MS.PolicyFileEditor.PolicyFile + $policyFile = New-Object MS.PolicyFileEditor.PolicyFile $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseAdvancedStartup", 1) $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "EnableBDEWithNoTPM", 1) $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPM", 2) 
@@ -790,7 +790,7 @@ Function CreateRegistryPolicyFile { $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMKey", 2) $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "UseTPMKeyPIN", 2) $policyFile.SetDWORDValue("Software\Policies\Microsoft\FVE", "OSEnablePrebootInputProtectorsOnSlates", 1) - $policyFile.SaveFile($saveFileLocaiton) + $policyFile.SaveFile($saveFileLocaiton) $saveFileLocaiton } @@ -815,7 +815,7 @@ else{ $starttime = get-date #Add type information for modifing the Registy Policy file -Add-Type -TypeDefinition $Source -Language CSharp +Add-Type -TypeDefinition $Source -Language CSharp #Create helper files $unattendFile = CreateUnattendFile -Arch $Arch @@ -870,10 +870,10 @@ foreach ($disk in $Disks) Format-Volume -NewFileSystemLabel "UFD-Windows" -FileSystem NTFS -Partition $OSPartition -confirm:$False | Out-Null -#The No default drive letter prevents other computers from displaying contents of the drive when connected as a Data drive. +#The No default drive letter prevents other computers from displaying contents of the drive when connected as a Data drive. Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE - Set-Partition -InputObject $SystemPartition -NewDriveLetter $SystemDriveLetter - Set-Partition -InputObject $OSPartition -NewDriveLetter $OSDriveLetter + Set-Partition -InputObject $SystemPartition -NewDriveLetter $SystemDriveLetter + Set-Partition -InputObject $OSPartition -NewDriveLetter $OSDriveLetter dism /apply-image /index:1 /applydir:${OSDriveLetter}:\ /imagefile:$InstallWIMPath if (!$?){ 
@@ -889,7 +889,7 @@ foreach ($disk in $Disks) md ${OSDriveLetter}:\windows\System32\GroupPolicy\Machine | out-null copy $policyFilePath ${OSDriveLetter}:\windows\System32\GroupPolicy\Machine -#modify the registry of the image to set SanPolicy. This is also where you could set the default +#modify the registry of the image to set SanPolicy. This is also where you could set the default #keyboard type for USB keyboards. write-output "Modify SAN Policy" reg load HKLM\PW-System ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log @@ -911,10 +911,10 @@ foreach ($disk in $Disks) #> if ($DomainName) { -#using get-random, we will create a random computer name for the drive. +#using get-random, we will create a random computer name for the drive. $suffix = Get-Random $computername = "wtg-" + $suffix - djoin /provision /domain $DomainName /savefile ${OSDriveLetter}:\tempBLOB.bin /reuse /machine $computername + djoin /provision /domain $DomainName /savefile ${OSDriveLetter}:\tempBLOB.bin /reuse /machine $computername djoin /requestodj /loadfile ${OSDriveLetter}:\tempBLOB.bin /windowspath ${OSDriveLetter}:\windows > info.log del ${OSDriveLetter}:\tempBLOB.bin @@ -934,7 +934,7 @@ foreach ($disk in $Disks) { write-output "Flush Cache not supported, Be sure to safely remove the WTG device." } - + } -ArgumentList @($installWIMPath, $unattendFile, $disk, $driveLetters[$driveIndex-1][0], $driveLetters[$driveIndex][0], $DomainName, $registryPolFilePath) } 
@@ -970,9 +970,9 @@ In the PowerShell provisioning script, after the image has been applied, you can ``` syntax reg load HKLM\WTG-Keyboard ${OSDriveLetter}:\Windows\System32\config\SYSTEM > info.log reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v LayerDriver /d JPN:kbd106dll /t REG_SZ /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f + reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardIdentifier /d PCAT_106KEY /t REG_SZ /f reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardSubtype /d 2 /t REG_DWORD /f - reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f + reg add HKLM\WTG-Keyboard\ControlSet001\Services\i8042prt\Parameters /v OverrideKeyboardType /d 7 /t REG_DWORD /f reg unload HKLM\WTG-Keyboard ``` diff --git a/windows/deployment/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/images/CreateSolution-Part1-Marketplace.png new file mode 100644 index 0000000000..25793516c2 Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part1-Marketplace.png differ diff --git a/windows/deployment/images/CreateSolution-Part2-Create.png b/windows/deployment/images/CreateSolution-Part2-Create.png new file mode 100644 index 0000000000..ec63f20402 Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part2-Create.png differ diff --git a/windows/deployment/images/CreateSolution-Part3-Workspace.png b/windows/deployment/images/CreateSolution-Part3-Workspace.png new file mode 100644 index 0000000000..1d74aa39d0 Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part3-Workspace.png differ 
diff --git a/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png
new file mode 100644
index 0000000000..7a3129f467
Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png differ
diff --git a/windows/deployment/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/images/CreateSolution-Part5-GoToResource.png
new file mode 100644
index 0000000000..c3cb382097
Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part5-GoToResource.png differ
diff --git a/windows/deployment/images/UR-Azureportal1.PNG b/windows/deployment/images/UR-Azureportal1.PNG
new file mode 100644
index 0000000000..2a3f8f1b73
Binary files /dev/null and b/windows/deployment/images/UR-Azureportal1.PNG differ
diff --git a/windows/deployment/images/UR-Azureportal2.PNG b/windows/deployment/images/UR-Azureportal2.PNG
new file mode 100644
index 0000000000..e7db8b3787
Binary files /dev/null and b/windows/deployment/images/UR-Azureportal2.PNG differ
diff --git a/windows/deployment/images/UR-Azureportal3.PNG b/windows/deployment/images/UR-Azureportal3.PNG
new file mode 100644
index 0000000000..6fae2e1738
Binary files /dev/null and b/windows/deployment/images/UR-Azureportal3.PNG differ
diff --git a/windows/deployment/images/UR-Azureportal4.PNG b/windows/deployment/images/UR-Azureportal4.PNG
new file mode 100644
index 0000000000..3087797a46
Binary files /dev/null and b/windows/deployment/images/UR-Azureportal4.PNG differ
diff --git a/windows/deployment/images/autopilotworkflow.png b/windows/deployment/images/autopilotworkflow.png
new file mode 100644
index 0000000000..a79609f6f7
Binary files /dev/null and b/windows/deployment/images/autopilotworkflow.png differ
diff --git a/windows/deployment/images/s-mode-flow-chart.png b/windows/deployment/images/s-mode-flow-chart.png
new file mode 100644
index 0000000000..c3c43cc027
Binary files /dev/null and b/windows/deployment/images/s-mode-flow-chart.png differ
diff --git a/windows/deployment/images/smodeconfig.PNG b/windows/deployment/images/smodeconfig.PNG
new file mode 100644
index 0000000000..2ab1fc0813
Binary files /dev/null and b/windows/deployment/images/smodeconfig.PNG differ
diff --git a/windows/deployment/images/support-cycle.png b/windows/deployment/images/support-cycle.png
new file mode 100644
index 0000000000..3f4b4e87c0
Binary files /dev/null and b/windows/deployment/images/support-cycle.png differ
diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md
index 7c0ba92950..cf1fef543a 100644
--- a/windows/deployment/planning/TOC.md
+++ b/windows/deployment/planning/TOC.md
@@ -3,6 +3,7 @@
 ## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
 ## [Windows 10 compatibility](windows-10-compatibility.md)
 ## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
+## [Windows 10, version 1809 - Features removed or planned for replacement](windows-10-1809-removed-features.md)
 ## [Windows 10, version 1803 - Features removed or planned for replacement](windows-10-1803-removed-features.md)
 ## [Fall Creators update (version 1709) - deprecated features](windows-10-fall-creators-deprecation.md)
 ## [Creators update (version 1703) - deprecated features](windows-10-creators-update-deprecation.md)
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index a84f82eb0a..ecdf8207f7 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -39,7 +39,7 @@ Use Upgrade Analytics to get: The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. For more information about Upgrade Analytics, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) -At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatiblility Administrator, which helps you to resolve potential compatibility issues. +At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatibility Administrator, which helps you to resolve potential compatibility issues. ## In this section 
@@ -47,4 +47,4 @@ At the same time, we've kept the Standard User Analyzer tool, which helps you te |------|------------| |[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. | |[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. | -|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | \ No newline at end of file +|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. | diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md index d3f6b8dab2..60147ba008 100644 --- a/windows/deployment/planning/windows-10-1803-removed-features.md +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.sitesec: library author: lizap ms.author: elizapo -ms.date: 06/01/2018 +ms.date: 08/16/2018 --- # Features removed or planned for replacement starting with Windows 10, version 1803 
@@ -34,6 +34,7 @@ We've removed the following features and functionalities from the installed prod |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| |XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

            However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| + ## Features we’re no longer developing We are no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. 
@@ -48,5 +49,5 @@ If you have feedback about the proposed replacement of any of these features, yo |Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| |IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| -|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. Installed Layered Service Providers are not migrated when you upgrade to Windows 10, version 1803; you'll need to re-install them after upgrading.| +|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. 
When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| |Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md new file mode 100644 index 0000000000..6d5df32e07 --- /dev/null +++ b/windows/deployment/planning/windows-10-1809-removed-features.md 
@@ -0,0 +1,50 @@
+---
+title: Windows 10, version 1809 - Features that have been removed
+description: Learn about features that will be removed or deprecated in Windows 10, version 1809, or a future release
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+author: lizap
+ms.author: elizapo
+ms.date: 08/31/2018
+---
+# Features removed or planned for replacement starting with Windows 10, version 1809
+
+> Applies to: Windows 10, version 1809
+
+Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1809.
+
+> [!TIP]
+> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes.
+> - Have questions about other releases? Check out the information for [Windows 10, version 1803](windows-10-1803-removed-features.md), [Windows 10, version 1709](windows-10-fall-creators-deprecation.md), and [Windows 10, version 1703](windows-10-creators-update-deprecation.md).
+
+**The list is subject to change and might not include every affected feature or functionality.**
+
+## Features we removed in this release
+
+We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method.
+
+|Feature |Instead you can use...|
+|-----------|--------------------
+|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.|
+|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/en-us/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.|
+|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.|
+|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.|
+|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. 
It includes all the Phone Companion features.|
+|Trusted Platform Module (TPM) management console|The information previously available in the TPM management console is now available on the [**Device security**](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security) page in the [Windows Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).|
+|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).|
+
+## Features we’re no longer developing
+
+We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources.
+
+If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app).
+
+|Feature |Instead you can use...|
+|-----------|---------------------|
+|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. 
Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| +|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| +|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| + + diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index d7cda9357a..b79237a3e1 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library -author: +author: ms.date: 08/18/2017 --- 
@@ -58,7 +58,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi ### Which deployment tools support Windows 10? Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. -- [MDT](http://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. +- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. - Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. - The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. 
@@ -100,9 +100,9 @@ For more information on pros and cons for these tools, see [Servicing Tools](/wi ### Where can I find information about new features and changes in Windows 10 Enterprise? -For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. +For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. -Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. +Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). 
@@ -124,6 +124,6 @@ The desktop experience in Windows 10 has been improved to provide a better exper Use the following resources for additional information about Windows 10. - If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. -- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](http://answers.microsoft.com/windows/forum/windows_10). +- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10). - If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. \ No newline at end of file diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md new file mode 100644 index 0000000000..de261b876c --- /dev/null +++ b/windows/deployment/s-mode.md 
@@ -0,0 +1,45 @@ +--- +title: Windows 10 Pro in S mode +description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? +keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +ms.date: 10/02/2018 +author: Mikeblodge +--- + +# Windows 10 in S mode - What is it? +S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS. + +![Configuration and features of S mode](images/smodeconfig.png) + +## S mode key features +**Microsoft-verified security** + +With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware. + +**Performance that lasts** + +Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. + +**Choice and flexibility** + +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. 
Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode) at any time and search the web for more choices. + +![Switching out of S mode flow chart](images/s-mode-flow-chart.png) + + +## Deployment +Windows 10 S mode is built for [Modern Management](https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Auto Pilot](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot). The best way to start using an S mode device is to embrace Modern Management fully when designing the deployment plan. Windows Auto Pilot allows you to deploy the deivce directly to the employee without having to touch the physical device. Instead of manually deploying a custom image to a machine, Windows Auto Pilot will start with a generic PC that can only be used to join the company domain; Polices are then deployed automatically through Modern Device Management. + +![Windows auto pilot work flow](images/autopilotworkflow.png) + +## Related links + +- [Consumer applications for S mode](https://www.microsoft.com/en-us/windows/s-mode) +- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) +- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) +- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index e76b08389c..b9e3e2cb31 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md 
+++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin ms.author: daniha -ms.date: 10/17/2017 +ms.date: 09/18/2018 --- # Change history for Update Windows 10 @@ -15,6 +15,13 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## September 2018 + +| New or changed topic | Description | +| --- | --- | +| [Get started with Windows Update](windows-update-overview.md) | New | + + ## RELEASE: Windows 10, version 1709 The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). @@ -38,6 +45,5 @@ All topics were updated to reflect the new [naming changes](waas-overview.md#nam ## RELEASE: Windows 10, version 1703 The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](waas-windows-insider-for-business.md) -* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) -* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) \ No newline at end of file +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index c32997aca0..5ae3940112 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md 
@@ -1,11 +1,11 @@
 ---
 title: Get started with Device Health
-description: Configure Device Health in OMS to see statistics on frequency and causes of crashes of devices in your network.
-keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers
+description: Configure Device Health in Azure Log Analytics to monitor health (such as crashes and sign-in failures) for your Windows 10 devices.
+keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.date: 06/12/2018
+ms.date: 09/11/2018
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
@@ -14,71 +14,59 @@ ms.localizationpriority: medium # Get started with Device Health -This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health. +This topic explains the steps necessary to configure your environment for Windows Analytics Device Health. -Steps are provided in sections that follow the recommended setup process: - -1. [Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite. -2. [Enroll devices in Windows Analytics](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices. -3. [Use Device Health to monitor frequency and causes of device crashes](#use-device-health-to-monitor-frequency-and-causes-of-device-crashes) once your devices are enrolled. +- [Get started with Device Health](#get-started-with-device-health) + - [Add the Device Health solution to your Azure subscription](#add-the-device-health-solution-to-your-azure-subscription) + - [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) + - [Use Device Health to monitor device crashes, app crashes, sign-in failures, and more](#use-device-health-to-monitor-device-crashes-app-crashes-sign-in-failures-and-more) + - [Related topics](#related-topics) -## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics +## Add the Device Health solution to your Azure subscription -Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). 
+Device Health is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: -**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. ->[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace. +2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution. 
+ ![Azure portal page highlighting + Create a resource and with Device Health selected](images/CreateSolution-Part1-Marketplace.png) -**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe: - -1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. - [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) - - -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. - [![OMS Sign-in dialog box for account name and password](images/uc-03a.png)](images/uc-03.png) - - -3. Create a new OMS workspace. - - [![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)](images/uc-04.png) - -4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. - - [![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png) - -5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. 
- - [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png) - -6. To add Update Readiness to your workspace, go to the Solution Gallery, Select the **Update Readiness** tile and then select **Add** on the solution's detail page. - - [![Windows Analytics details page in Solutions Gallery](images/solution-bundle.png)](images/solution-bundle.png) - -7. Click the **Update Readiness** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. - - [![OMS Settings Dashboard showing Device Health and Upgrade Readiness tiles](images/OMS-after-adding-solution.jpg)](images/OMS-after-adding-solution.jpg) - - - -After you have added Device Health and devices have a Commercial ID, you will begin receiving data. It will typically take 24-48 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. - ->[!NOTE] ->You can unsubscribe from the Device Health solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic. + ![Azure portal showing Device Health fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](images/CreateSolution-Part2-Create.png) +3. Choose an existing workspace or create a new workspace to host the Device Health solution. + ![Azure portal showing Log Analytics workspace fly-in](images/CreateSolution-Part3-Workspace.png) + - If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace. 
+ - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **Free**. +4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](images/CreateSolution-Part4-WorkspaceSelected.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. + ![Azure portal all services page with Log Analytics found and selected as favorite](images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. ## Enroll devices in Windows Analytics -Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment: +1. 
Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Group Policy or similar) +2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function. +For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show "Performing Assessment." -## Use Device Health to monitor frequency and causes of device crashes +## Use Device Health to monitor device crashes, app crashes, sign-in failures, and more -Once your devices are enrolled, you can move on to [Using Device Health](device-health-using.md). +Once your devices are enrolled and data is flowing, you can move on to [Using Device Health](device-health-using.md). +>[!NOTE] +>You can remove the Device Health solution from your workspace if you no longer want to monitor your organization’s devices. Windows diagnostic data will continue to be shared with Microsoft as normal as per the diagnostic data sharing settings on the devices. ## Related topics diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 6e78e96a31..42e88d5675 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md 
@@ -18,7 +18,7 @@ ms.author: jaimeo Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity. -Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so. 
@@ -45,14 +45,13 @@ Use of Windows Analytics Device Health requires one of the following licenses: - Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5) - Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5) - Windows VDA E3 or E5 per-device or per-user subscription -- Windows Server 2016 and on -You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health. +You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health. ## Device Health architecture - + The Device Health architecture and data flow is summarized by the following five-step process: diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md new file mode 100644 index 0000000000..b073e9cd2f --- /dev/null +++ b/windows/deployment/update/how-windows-update-works.md 
@@ -0,0 +1,142 @@ +--- +title: How Windows Update works +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# How does Windows Update work? + +>Applies to: Windows 10 + +The Windows Update workflow has four core areas of functionality: + +### Scan + +1. Orchestrator schedules the scan. +2. Orchestrator vertifies admin approvals and policies for download. + + +### Download +1. Orchestrator initiates downloads. +2. Windows Update downloads manifest files and provides them to the arbiter. +3. The arbiter evaluates the manifest and tells the Windows Update client to download files. +4. Windows Update client downloads files in a temporary folder. +5. The arbiter stages the downloaded files. + + +### Install +1. Orchestrator initates the installation. +2. The arbiter calls the installer to install the package. + + +### Commit +1. Orchestrator initiates a restart. +2. The arbiter finalizes before the restart. + + +## How updating works +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. + +## Scanning updates +![Windows Update scanning step](images/update-scan-step.png) + +The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. 
+ +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. + +Make sure you're familiar with the following terminology related to Windows Update scan: + +|Term|Definition| +|----|----------| +|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| +|Child update|Leaf update that's bundled by another update; contains payload.| +|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Full scan|Scan with empty datastore.| +|Delta scan|Scan with updates from previous scan already cached in datastore.| +|Online scan|Scan that hits network and goes against server on cloud. | +|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| +|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| +|Software sync|Part of the scan that looks at software updates only (OS and apps).| +|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| +|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | + +### How Windows Update scanning works + +Windows Update takes the following sets of actions when it runs a scan. 
+ +#### Starts the scan for updates +When users start scanning in Windows Update through the Settings panel, the following occurs: + +- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. +- "Agent" messages: queueing the scan, then actually starting the work: + - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Windows Update uses the thread ID filtering to concentrate on one particular task. + + ![Windows Update scan log 1](images/update-scan-log-1.png) + +#### Identifies service IDs + +- Service IDs indicate which update source is being scanned. + Note The next screen shot shows Microsoft Update and the Flighting service. + +- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. + ![Windows Update scan log 2](images/update-scan-log-2.png) +- Common service IDs + + >[!IMPORTANT] + >ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + +|Service|ServiceId| +|-------|---------| +|Unspecified / Default|WU, MU or WSUS
            00000000-0000-0000-0000-000000000000 | +|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| +|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| +|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| +|WSUS or SCCM|Via ServerSelection::ssManagedServer
            3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| + +#### Finds network faults +Common update failure is caused due to network issues. To find the root of the issue: + +- Look for "ProtocolTalker" messages to see client-server sync network traffic. +- "SOAP faults" can be either client- or server-side issues; read the message. +- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. + + >[!NOTE] + >Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + +- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. + ![Windows Update scan log 3](images/update-scan-log-3.png) + +## Downloading updates +![Windows Update download step](images/update-download-step.png) + +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. + +To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. + +For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). + +## Installing updates +![Windows Update install step](images/update-install-step.png) + +When an update is applicable, the "Arbiter" and metadata are downloaded. 
Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". + +The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. + +## Committing Updates +![Windows Update commit step](images/update-commit-step.png) + +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. + +For more information see [Manage device restarts after updates](waas-restart.md). \ No newline at end of file diff --git a/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png new file mode 100644 index 0000000000..25793516c2 Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png differ diff --git a/windows/deployment/update/images/CreateSolution-Part2-Create.png b/windows/deployment/update/images/CreateSolution-Part2-Create.png new file mode 100644 index 0000000000..ec63f20402 Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part2-Create.png differ 
diff --git a/windows/deployment/update/images/CreateSolution-Part3-Workspace.png b/windows/deployment/update/images/CreateSolution-Part3-Workspace.png new file mode 100644 index 0000000000..1d74aa39d0 Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part3-Workspace.png differ diff --git a/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png new file mode 100644 index 0000000000..7a3129f467 Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png differ diff --git a/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png new file mode 100644 index 0000000000..c3cb382097 Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png differ diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG b/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG new file mode 100644 index 0000000000..cd44ab666c Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG differ diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png new file mode 100644 index 0000000000..7b1b17ac18 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png differ diff --git a/windows/deployment/update/images/azure-portal-LAfav.PNG b/windows/deployment/update/images/azure-portal-LAfav.PNG new file mode 100644 index 0000000000..8ad9f63fd0 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAfav.PNG differ 
diff --git a/windows/deployment/update/images/azure-portal-LAfav1.png b/windows/deployment/update/images/azure-portal-LAfav1.png new file mode 100644 index 0000000000..64ae8b1d74 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAfav1.png differ diff --git a/windows/deployment/update/images/azure-portal-LAmain-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-sterile.png new file mode 100644 index 0000000000..1cdeffa2b7 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAmain-sterile.png differ diff --git a/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png new file mode 100644 index 0000000000..b9cfa6bbc1 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png differ diff --git a/windows/deployment/update/images/azure-portal-LAmain.PNG b/windows/deployment/update/images/azure-portal-LAmain.PNG new file mode 100644 index 0000000000..1cebfa9b8c Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAmain.PNG differ diff --git a/windows/deployment/update/images/azure-portal-LAsearch.PNG b/windows/deployment/update/images/azure-portal-LAsearch.PNG new file mode 100644 index 0000000000..1d446241d5 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-LAsearch.PNG differ diff --git a/windows/deployment/update/images/azure-portal-UR-settings.png b/windows/deployment/update/images/azure-portal-UR-settings.png new file mode 100644 index 0000000000..c716134e9a Binary files /dev/null and b/windows/deployment/update/images/azure-portal-UR-settings.png differ 
diff --git a/windows/deployment/update/images/azure-portal-create-resource-boxes.png b/windows/deployment/update/images/azure-portal-create-resource-boxes.png new file mode 100644 index 0000000000..a90344e02d Binary files /dev/null and b/windows/deployment/update/images/azure-portal-create-resource-boxes.png differ diff --git a/windows/deployment/update/images/azure-portal-create-resource.PNG b/windows/deployment/update/images/azure-portal-create-resource.PNG new file mode 100644 index 0000000000..0f1b962e07 Binary files /dev/null and b/windows/deployment/update/images/azure-portal-create-resource.PNG differ diff --git a/windows/deployment/update/images/azure-portal1.PNG b/windows/deployment/update/images/azure-portal1.PNG new file mode 100644 index 0000000000..f4c2aff38a Binary files /dev/null and b/windows/deployment/update/images/azure-portal1.PNG differ diff --git a/windows/deployment/update/images/azure-portal1_allserv.png b/windows/deployment/update/images/azure-portal1_allserv.png new file mode 100644 index 0000000000..63e1bcbad3 Binary files /dev/null and b/windows/deployment/update/images/azure-portal1_allserv.png differ diff --git a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png new file mode 100644 index 0000000000..e757a3d3c0 Binary files /dev/null and b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png differ diff --git a/windows/deployment/update/images/update-commit-step.png b/windows/deployment/update/images/update-commit-step.png new file mode 100644 index 0000000000..d9b3d0cd2d Binary files /dev/null and b/windows/deployment/update/images/update-commit-step.png differ 
diff --git a/windows/deployment/update/images/update-component-name.png b/windows/deployment/update/images/update-component-name.png new file mode 100644 index 0000000000..79152f5aeb Binary files /dev/null and b/windows/deployment/update/images/update-component-name.png differ diff --git a/windows/deployment/update/images/update-download-step.png b/windows/deployment/update/images/update-download-step.png new file mode 100644 index 0000000000..a7e8f1a3e5 Binary files /dev/null and b/windows/deployment/update/images/update-download-step.png differ diff --git a/windows/deployment/update/images/update-inconsistent.png b/windows/deployment/update/images/update-inconsistent.png new file mode 100644 index 0000000000..ac0768471a Binary files /dev/null and b/windows/deployment/update/images/update-inconsistent.png differ diff --git a/windows/deployment/update/images/update-install-step.png b/windows/deployment/update/images/update-install-step.png new file mode 100644 index 0000000000..896535b52e Binary files /dev/null and b/windows/deployment/update/images/update-install-step.png differ diff --git a/windows/deployment/update/images/update-process-id.png b/windows/deployment/update/images/update-process-id.png new file mode 100644 index 0000000000..4045f4ee7e Binary files /dev/null and b/windows/deployment/update/images/update-process-id.png differ diff --git a/windows/deployment/update/images/update-scan-log-1.png b/windows/deployment/update/images/update-scan-log-1.png new file mode 100644 index 0000000000..69691066ac Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-1.png differ diff --git a/windows/deployment/update/images/update-scan-log-2.png b/windows/deployment/update/images/update-scan-log-2.png new file mode 100644 index 0000000000..7b059f7011 Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-2.png differ 
diff --git a/windows/deployment/update/images/update-scan-log-3.png b/windows/deployment/update/images/update-scan-log-3.png new file mode 100644 index 0000000000..e6abcd1024 Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-3.png differ diff --git a/windows/deployment/update/images/update-scan-step.png b/windows/deployment/update/images/update-scan-step.png new file mode 100644 index 0000000000..b603de2625 Binary files /dev/null and b/windows/deployment/update/images/update-scan-step.png differ diff --git a/windows/deployment/update/images/update-terminology.png b/windows/deployment/update/images/update-terminology.png new file mode 100644 index 0000000000..803c35d447 Binary files /dev/null and b/windows/deployment/update/images/update-terminology.png differ diff --git a/windows/deployment/update/images/update-time-log.png b/windows/deployment/update/images/update-time-log.png new file mode 100644 index 0000000000..4b311c1ce8 Binary files /dev/null and b/windows/deployment/update/images/update-time-log.png differ diff --git a/windows/deployment/update/images/update-update-id.png b/windows/deployment/update/images/update-update-id.png new file mode 100644 index 0000000000..efcf6b09a8 Binary files /dev/null and b/windows/deployment/update/images/update-update-id.png differ diff --git a/windows/deployment/update/images/windows-update-workflow.png b/windows/deployment/update/images/windows-update-workflow.png new file mode 100644 index 0000000000..e597eaec2a Binary files /dev/null and b/windows/deployment/update/images/windows-update-workflow.png differ diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 16dd909dd8..ae2fc715ad 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -7,7 +7,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 05/29/2018 +ms.date: 09/24/2018 --- # Servicing stack updates 
@@ -22,18 +22,26 @@ The "servicing stack" is the code that installs other operating system updates. ## Why should servicing stack updates be installed and kept up to date? -Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. +Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. Servicing stack updates improve the reliability and performance of the update process. ## When are they released? Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required. +## What's the difference between a servicing stack update and a cumulative update? + +Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. + +However, there are some operating system fixes that aren’t included in a cumulative update but are still pre-requisites for the cumulative update. That is, the component that performs the actual updates sometimes itself requires an update. Those fixes are available in a servicing stack update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. + +If a given cumulative update required a servicing stack update, you'll see that information in the release notes for the update. **If you try to install the cumulative update without installing the servicing stack update, you'll get an error.** + ## Is there any special guidance? Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. 
If there is any significant impact, it will be present in the release notes. ## Installation notes -• Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. -• Installing servicing stack update does not require restarting the device, so installation should not be disruptive. -• Servicing stack update releases are specific to the operating system version (build number), much like quality updates. +* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. +* Installing servicing stack update does not require restarting the device, so installation should not be disruptive. +* Servicing stack update releases are specific to the operating system version (build number), much like quality updates. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 78aa48d1cf..89e5ebf0c7 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
@@ -8,12 +8,15 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 03/15/2018 +ms.date: 08/21/2018 ms.localizationpriority: medium --- # Get started with Update Compliance +>[!IMPORTANT] +>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). + This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. Steps are provided in sections that follow the recommended setup process: diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 47523a44c6..2719e89d62 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md 
@@ -18,9 +18,9 @@ ms.localizationpriority: medium With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md). -Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). -Update Compliance uses the Windows diagnostic data that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. +Update Compliance uses the Windows diagnostic data that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. Update Compliance provides the following: 
@@ -38,10 +38,10 @@ See the following topics in this guide for detailed information about configurin Click the following link to see a video demonstrating Update Compliance features. -[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4) +[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4) ## Update Compliance architecture - + The Update Compliance architecture and data flow is summarized by the following five-step process: **(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
            diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index d36e9fcaab..8446553143 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -7,7 +7,7 @@ ms.sitesec: library author: DaniHalfin ms.localizationpriority: medium ms.author: daniha -ms.date: 07/27/2017 +ms.date: 09/24/2018 --- # Optimize Windows 10 update delivery @@ -27,7 +27,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. -- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. +- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. 
@@ -38,7 +38,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | | --- | --- | --- | --- | --- | -| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | +| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | >[!NOTE] diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 0e3ae864cf..9cfb7ab6bf 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -8,7 +8,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 06/01/2018 +ms.date: 09/24/2018 --- # Overview of Windows as a service @@ -70,7 +70,7 @@ To align with this new update delivery model, Windows 10 has three servicing cha ### Naming changes As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using: -* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". +* Semi-Annual Channel - We will be referring to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). >[!IMPORTANT] 
@@ -121,7 +121,12 @@ Once the latest release went through pilot deployment and testing, you choose th When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). -Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases, while after about 4 months, we will announce broad deployment readiness, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Each feature update release will be supported and updated for 18 months from the time of its release + +Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release. + +>[!NOTE] +All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. 
Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607, 1703, 1709 and 1803. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18 month lifecycle. + >[!NOTE] >Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. 
@@ -138,9 +143,9 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale
 Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle.
 >[!NOTE]
->Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
+>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products).
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Therefore, it’s important to remember that Microsoft has positioned the LTSC model primarily for specialized devices.
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even of you install by using sideloading.
 >[!NOTE]
 >If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel.
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index d17beb7903..325a6a229a 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -8,12 +8,15 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 07/20/2018
-ms.localizationpriority: high
+ms.date: 08/21/2018
+ms.localizationpriority: medium
 ---
 # Frequently asked questions and troubleshooting Windows Analytics
+>[!IMPORTANT]
+>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
+
 This topic compiles the most common issues encountered with configuring and using Windows Analytics, as well as general questions. This FAQ, along with the [Windows Analytics Technical Community](https://techcommunity.microsoft.com/t5/Windows-Analytics/ct-p/WindowsAnalytics), are recommended resources to consult before contacting Microsoft support.
 ## Troubleshooting common problems
diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md
new file mode 100644
index 0000000000..34fd777734
--- /dev/null
+++ b/windows/deployment/update/windows-analytics-azure-portal.md
@@ -0,0 +1,63 @@
+---
+title: Windows Analytics in the Azure Portal
+description: Use the Azure Portal to add and configure Windows Analytics solutions
+keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.date: 09/12/2018
+ms.pagetype: deploy
+author: jaimeo
+ms.author: jaimeo
+ms.localizationpriority: medium
+---
+
+# Windows Analytics in the Azure portal
+
+Windows Analytics uses Azure Log Analytics (formerly known as Operations Management Suite or OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments.
+
+**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences, which this topic will explain. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
+
+## Navigation and permissions in the Azure portal
+
+Go to the [Azure portal](https://portal.azure.com), select **All services**, and search for *Log Analytics*. Once it appears, you can select the star to add it to your favorites for easy access in the future.
+
+[![Azure portal all services page with Log Analytics found and selected as favorite](images/azure-portal-LAfav1.png)](images/azure-portal-LAfav1.png)
+
+### Permissions
+
+>[!IMPORTANT]
+>Unlike the OMS portal, the Azure portal requires access to both an Azure Log Analytics subscription and a linked Azure subscription.
+
+To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to:
+
+[![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png)
+
+If you do not see your workspace in this view, you do not have access to the underlying Azure subscription. To view and assign permissions for a workspace, select its name and then, in the flyout that opens, select **Access control (IAM)**. You can view and assign permissions for a subscription similarly by selecting the subscription name and selecting **Access control (IAM)**.
+
+The Azure subscription requires at least "Log Analytics Reader" permission. Making changes (for example, to set app importance in Upgrade Readiness) requires "Log Analytics Contributor" permission. You can view your current role and make changes in other roles by using the Access control (IAM) tab in Azure. These permissions will be inherited by Azure Log Analytics.
+
+When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page.
+
+[![Log Analytics workspace page showing workspace summary](images/azure-portal-LA-wkspcsumm_sterile.png)](images/azure-portal-LA-wkspcsumm_sterile.png)
+
+## Adding Windows Analytics solutions
+
+In the Azure portal, the simplest way to add Windows Analytics solutions (Upgrade Readiness, Update Compliance, and Device Health) is to select **+ Create a resource** and then type the solution name in the search box. In this example, the search is for "Device Health":
+
+[![Add WA solutions with "create a resource"](images/azure-portal-create-resource-boxes.png)](images/azure-portal-create-resource-boxes.png)
+
+Select the solution from the list that is returned by the search, and then select **Create** to add the solution.
+
+## Navigating to Windows Analytics solutions settings
+
+To adjust settings for a Windows Analytics solution, first navigate to the **Solutions** tab for your workspace, and then select the solution to configure. In this example, Upgrade Readiness is being adjusted by selecting **CompatibilityAssessment**:
+
+[![Select WA solution to adjust settings](images/temp-azure-portal-soltn-setting.png)](images/temp-azure-portal-soltn-setting.png)
+
+From there, select the settings page to adjust specific settings:
+
+[![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png)
+
+>[!NOTE]
+>To adjust these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure.
\ No newline at end of file
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index 610f176f33..9539a482fc 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 07/18/2018
+ms.date: 10/01/2018
 ms.localizationpriority: medium
 ---
@@ -26,7 +26,7 @@ If you've already done that, you're ready to enroll your devices in Windows Anal
 ## Copy your Commercial ID key
-Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically. Copy your commercial ID key in OMS and then deploy it to user computers.
+Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically. Copy your commercial ID key in OMS and then deploy it to user computers.
@@ -48,13 +48,14 @@ To enable data sharing, configure your proxy sever to whitelist the following en
 | `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803|
 | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier |
 | `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 |
-| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft.
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows versions that have KB4458469 installed |
+| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft.
 | `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
 | `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
 | `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
-| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health for device tickets. |
+| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. |
 | `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
-| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. **Note:** In this context login.live.com is *not* used for access to Microsoft Account consumer services. The endpoint is used only as part of the WIndows Error Reporting protocol to enhance the integrity of error reports. |
+| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
 >[!NOTE]
@@ -68,7 +69,7 @@ If your organization uses proxy server authentication for outbound traffic, use
 - **Best option: Bypass** Configure your proxy servers to **not** require proxy authentication for traffic to the diagnostic data endpoints. This is the most comprehensive solution and it works for all versions of Windows 10.
 - **User proxy authentication:** Alternatively, you can configure devices to use the logged on user's context for proxy authentication. First, update the devices to Windows 10, version 1703 or later. Then, ensure that users of the devices have proxy permission to reach the diagnostic data endpoints. This requires that the devices have console users with proxy permissions, so you couldn't use this method with headless devices.
-- **Device proxy authentication:** Another option--the most complex--is as follows: First, configure a system level proxy server on the devices. Then, configure these devices to use machine-account-based outbound proxy authentication. Finally, configure proxy servers to allow the machine accounts access to the diagnostic data endpoints.
+- **Device proxy authentication:** Another option--the most complex--is as follows: First, configure a system level proxy server on the devices. Then, configure these devices to use machine-account-based outbound proxy authentication. Finally, configure proxy servers to allow the machine accounts access to the diagnostic data endpoints.
 ## Deploy the compatibility update and related updates
@@ -77,13 +78,13 @@ The compatibility update scans your devices and enables application usage tracki | **Operating System** | **Updates** | |----------------------|-----------------------------------------------------------------------------| | Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cummulative updates. | -| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
            Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
            For more information about this update, see | -| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
            Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
            For more information about this update, see | +| Windows 8.1 | [KB 2976978](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
            Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
            For more information about this update, see | +| Windows 7 SP1 | [KB2952664](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
            Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
            For more information about this update, see | ->[!IMPORTANT] +>[!IMPORTANT] >Restart devices after you install the compatibility updates for the first time. ->[!NOTE] +>[!NOTE] >We recommend you configure your update management tool to automatically install the latest version of these updates. There is a related optional update, [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513), which can provide updated configuration and definitions for older compatibiltiy updates. For more information about this optional update, see . @@ -92,7 +93,7 @@ If you are planning to enable IE Site Discovery in Upgrade Readiness, you will n | **Site discovery** | **Update** | |----------------------|-----------------------------------------------------------------------------| -| [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
            Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
            For more information about this update, see

            Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | +| [Review site discovery](../upgrade/upgrade-readiness-additional-insights.md#site-discovery) | [KB3080149](https://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
            Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
            For more information about this update, see

            Install the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. | ## Set diagnostic data levels 
@@ -117,21 +118,21 @@ Certain Windows Analytics features have additional settings you can use. - For devices running Windows 10, version 1607 or earlier, Windows diagnostic data must also be set to Enhanced (see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level)) in order to be compatible with Windows Defender Antivirus. See the [Windows Defender Antivirus in Windows 10 and Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for more information about enabling, configuring, and validating Windows Defender AV. - **Device Health** is only compatible with Windows 10 desktop devices (workstations and laptops) and Windows Server 2016. The solution requires that at least the Enhanced level of diagnostic data is enabled on all devices that are intended to be displayed in the solution. In Windows 10, version 1709, a new policy was added to "limit enhanced telemetry to the minimum required by Windows Analytics". To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). - + - **IE site discovery** is an optional feature of Upgrade Readiness that provides an inventory of websites that are accessed by client devices using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. To enable IE site discovery, make sure the required updates are installed (per previous section) and enable IE site discovery in the deployment script batch file. ## Deploying Windows Analytics at scale -When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining devices in your organization. 
+When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining devices in your organization. ### Automate data collection -To ensure that user computers are receiving the most up-to-date data from Microsoft, we recommend that you establish the following data sharing and analysis processes: +To ensure that user computers are receiving the most up-to-date data from Microsoft, we recommend that you establish the following data sharing and analysis processes: - Enable automatic updates for the compatibility update and related updates. These updates include the latest application and driver issue information as we discover it during testing. - Schedule the Upgrade Readiness deployment script to automatically run monthly. Scheduling the script ensures that full inventory is sent monthly even if devices were not connected or had low battery power at the time the system normally sends inventory. Make sure to run the production version of the script, which is lighter weight and non-interactive. The script also has a number of built-in error checks, so you can monitor the results. If you can't run the deployment script at scale, another option is to configure things centrally via Group Policy or Mobile Device Management (MDM). Although we recommend using the deployment script, both options are discussed in the sections below. -When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the changes is created when the update package is installed. For Windows 10 devices, this task is already included in the operating system. A full scan averages about 2 MB, but the scans for changes are very small. The scheduled task is named "Windows Compatibility Appraiser" and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Changes are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. 
If the system is powered off at that time, the task will run when the system is turned on. +When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the changes is created when the update package is installed. For Windows 10 devices, this task is already included in the operating system. A full scan averages about 2 MB, but the scans for changes are very small. The scheduled task is named "Windows Compatibility Appraiser" and can be found in the Task Scheduler Library under Microsoft > Windows > Application Experience. Changes are invoked via the nightly scheduled task. It attempts to run around 3:00AM every day. If the system is powered off at that time, the task will run when the system is turned on. ### Distribute the deployment script at scale 
@@ -155,14 +156,14 @@ These policies are under Microsoft\Windows\DataCollection:
 You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/ProviderID/CommercialID). For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
-The corresponding preference registry values are available in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** and can be configured by the deployment script. If a given setting is configured by both preference registry settings and policy, the policy values will override. However, the **IEDataOptIn** setting is different--you can only set this with the preference registry keys:
+The corresponding preference registry values are available in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** and can be configured by the deployment script. If a given setting is configured by both preference registry settings and policy, the policy values will override. However, the **IEDataOptIn** setting is different--you can only set this with the preference registry keys:
 - IEOptInLevel = 0 Internet Explorer data collection is disabled
 - IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones
 - IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones
 - IEOptInLevel = 3 Data collection is enabled for all sites
-For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://docs.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)).
+For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://docs.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)).
 ### Distribution at scale without using the deployment script
diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md
index 49c1fc93cc..04358b5b05 100644
--- a/windows/deployment/update/windows-analytics-privacy.md
+++ b/windows/deployment/update/windows-analytics-privacy.md
@@ -44,7 +44,7 @@ See these topics for additional background information about related privacy iss
 - [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields)
 - [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
 - [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
-- [Learn about security and privacy at Microsoft datacenters](http://www.microsoft.com/datacenters)
+- [Learn about security and privacy at Microsoft datacenters](https://www.microsoft.com/datacenters)
 - [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
 - [Trust Center](https://www.microsoft.com/trustcenter)
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
new file mode 100644
index 0000000000..d507deedb3
--- /dev/null
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -0,0 +1,362 @@
+---
+title: Windows Update error code list by component
+description: Reference information for Windows Update error codes
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update error codes by component
+
+>Applies to: Windows 10
+
+
+This section lists the error codes for Microsoft Windows Update.
+
+## Automatic Update Errors
+
+|Error code|Message|Description|
+|-|-|-|
+|0x80243FFF|WU_E_AUCLIENT_UNEXPECTED|There was a user interface error not covered by another WU_E_AUCLIENT_* error code.|
+|0x8024A000|WU_E_AU_NOSERVICE|Automatic Updates was unable to service incoming requests. |
+|0x8024A002|WU_E_AU_NONLEGACYSERVER|The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded.| 
+|0x8024A003 |WU_E_AU_LEGACYCLIENTDISABLED| The old version of the Automatic Updates client was disabled.| 
+|0x8024A004|WU_E_AU_PAUSED|Automatic Updates was unable to process incoming requests because it was paused.| 
+|0x8024A005|WU_E_AU_NO_REGISTERED_SERVICE| No unmanaged service is registered with AU.| 
+|0x8024AFFF|WU_E_AU_UNEXPECTED| An Automatic Updates error not covered by another WU_E_AU * code.| 
+
+## Windows Update UI errors
+
+|Error code|Message|Description|
+|-|-|-|
+|0x80243001|WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION|The results of download and installation could not be read from the registry due to an unrecognized data format version.| 
+|0x80243002|WU_E_INSTALLATION_RESULTS_INVALID_DATA|The results of download and installation could not be read from the registry due to an invalid data format.| 
+|0x80243003|WU_E_INSTALLATION_RESULTS_NOT_FOUND |The results of download and installation are not available; the operation may have failed to start.| 
+|0x80243004| WU_E_TRAYICON_FAILURE| A failure occurred when trying to create an icon in the taskbar notification area.|
+|0x80243FFD| WU_E_NON_UI_MODE| 
Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  |
+|0x80243FFE| WU_E_WUCLTUI_UNSUPPORTED_VERSION| Unsupported version of WU client UI exported functions.  |
+|0x80243FFF| WU_E_AUCLIENT_UNEXPECTED| There was a user interface error not covered by another WU_E_AUCLIENT_* error code.  |
+
+## Inventory errors
+
+|Error code|Message|Description|
+|-|-|-|
+|0x80249001| WU_E_INVENTORY_PARSEFAILED| Parsing of the rule file failed. |
+|0x80249002| WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED | Failed to get the requested inventory type from the server. |
+|0x80249003| WU_E_INVENTORY_RESULT_UPLOAD_FAILED| Failed to upload inventory result to the server. |
+|0x80249004| WU_E_INVENTORY_UNEXPECTED| There was an inventory error not covered by another error code.| 
+|0x80249005| WU_E_INVENTORY_WMI_ERROR| A WMI error occurred when enumerating the instances for a particular class.  |
+
+## Expression evaluator errors
+
+|Error code|Message|Description|
+|-|-|-|
+|0x8024E001 | WU_E_EE_UNKNOWN_EXPRESSION | An expression evaluator operation could not be completed because an expression was unrecognized.|
+|0x8024E002| WU_E_EE_INVALID_EXPRESSION| An expression evaluator operation could not be completed because an expression was invalid.  |
+|0x8024E003| WU_E_EE_MISSING_METADATA| An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. |
+|0x8024E004| WU_E_EE_INVALID_VERSION| An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. 
|
+| 0x8024E005| WU_E_EE_NOT_INITIALIZED| The expression evaluator could not be initialized.| 
+| 0x8024E006| WU_E_EE_INVALID_ATTRIBUTEDATA | An expression evaluator operation could not be completed because there was an invalid attribute.|
+| 0x8024E007| WU_E_EE_CLUSTER_ERROR | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. |
+| 0x8024EFFF| WU_E_EE_UNEXPECTED| There was an expression evaluator error not covered by another WU_E_EE_* error code.  |
+
+## Reporter errors
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x80247001| WU_E_OL_INVALID_SCANFILE | An operation could not be completed because the scan package was invalid.| 
+|0x80247002| WU_E_OL_NEWCLIENT_REQUIRED| An operation could not be completed because the scan package requires a greater version of the Windows Update Agent.| 
+| 0x80247FFF| WU_E_OL_UNEXPECTED| Search using the scan package failed. |
+| 0x8024F001| WU_E_REPORTER_EVENTCACHECORRUPT| The event cache file was defective. |
+| 0x8024F002 | WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED | The XML in the event namespace descriptor could not be parsed.| 
+| 0x8024F003| WU_E_INVALID_EVENT| The XML in the event namespace descriptor could not be parsed.| 
+| 0x8024F004| WU_E_SERVER_BUSY| The server rejected an event because the server was too busy.| 
+| 0x8024FFFF| WU_E_REPORTER_UNEXPECTED| There was a reporter error not covered by another error code. |
+
+## Redirector errors
+The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors.
+
+|Error code|Message|Description |
+|-|-|-|
+| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  |
+| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. |
+| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  
|
+| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  |
+
+## Protocol Talker errors
+The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method.
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x80244000| WU_E_PT_SOAPCLIENT_BASE| WU_E_PT_SOAPCLIENT_* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library.|
+|0x80244001| WU_E_PT_SOAPCLIENT_INITIALIZE| Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. |
+| 0x80244002| WU_E_PT_SOAPCLIENT_OUTOFMEMORY| Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory. |
+| 0x80244003| WU_E_PT_SOAPCLIENT_GENERATE| Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request.| 
+| 0x80244004| WU_E_PT_SOAPCLIENT_CONNECT| Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server. |
+| 0x80244005| WU_E_PT_SOAPCLIENT_SEND| Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_* error codes.|
+| 0x80244006| WU_E_PT_SOAPCLIENT_SERVER| Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error. |
+| 0x80244007| WU_E_PT_SOAPCLIENT_SOAPFAULT| Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.|
+| 0x80244008| WU_E_PT_SOAPCLIENT_PARSEFAULT| Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault.| 
+| 0x80244009| WU_E_PT_SOAPCLIENT_READ| Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server.|
+| 0x8024400A| WU_E_PT_SOAPCLIENT_PARSE| Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server. 
|
+
+
+
+## Other Protocol Talker errors
+The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT.
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x8024400B| WU_E_PT_SOAP_VERSION| Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope.|
+| 0x8024400C| WU_E_PT_SOAP_MUST_UNDERSTAND| Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  |
+| 0x8024400D| WU_E_PT_SOAP_CLIENT| Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending. |
+| 0x8024400E| WU_E_PT_SOAP_SERVER| Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later. |
+| 0x8024400F| WU_E_PT_WMI_ERROR| There was an unspecified Windows Management Instrumentation (WMI) error.| 
+| 0x80244010| WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS| The number of round trips to the server exceeded the maximum limit. |
+| 0x80244011| WU_E_PT_SUS_SERVER_NOT_SET| WUServer policy value is missing in the registry. |
+| 0x80244012| WU_E_PT_DOUBLE_INITIALIZATION| Initialization failed because the object was already initialized. |
+| 0x80244013| WU_E_PT_INVALID_COMPUTER_NAME| The computer name could not be determined. |
+| 0x80244015| WU_E_PT_REFRESH_CACHE_REQUIRED| The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.| 
+| 0x80244016| WU_E_PT_HTTP_STATUS_BAD_REQUEST| Same as HTTP status 400 - the server could not process the request due to invalid syntax. |
+| 0x80244017| WU_E_PT_HTTP_STATUS_DENIED| Same as HTTP status 401 - the requested resource requires user authentication. 
|
+| 0x80244018| WU_E_PT_HTTP_STATUS_FORBIDDEN| Same as HTTP status 403 - server understood the request but declined to fulfill it.|
+| 0x80244019| WU_E_PT_HTTP_STATUS_NOT_FOUND| Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). |
+| 0x8024401A| WU_E_PT_HTTP_STATUS_BAD_METHOD| Same as HTTP status 405 - the HTTP method is not allowed.  |
+| 0x8024401B| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ| Same as HTTP status 407 - proxy authentication is required. |
+| 0x8024401C| WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT| Same as HTTP status 408 - the server timed out waiting for the request. |
+| 0x8024401D| WU_E_PT_HTTP_STATUS_CONFLICT| Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. |
+| 0x8024401E| WU_E_PT_HTTP_STATUS_GONE| Same as HTTP status 410 - requested resource is no longer available at the server.|
+| 0x8024401F| WU_E_PT_HTTP_STATUS_SERVER_ERROR| Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
+| 0x80244020| WU_E_PT_HTTP_STATUS_NOT_SUPPORTED| Same as HTTP status 500 - server does not support the functionality required to fulfill the request. |
+| 0x80244021| WU_E_PT_HTTP_STATUS_BAD_GATEWAY |Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request.|
+| 0x80244022| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL| Same as HTTP status 503 - the service is temporarily overloaded.  |
+| 0x80244023| WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT| Same as HTTP status 503 - the request was timed out waiting for a gateway. |
+| 0x80244024| WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP| Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. 
|
+| 0x80244025| WU_E_PT_FILE_LOCATIONS_CHANGED| Operation failed due to a changed file location; refresh internal state and resend.| 
+| 0x80244026| WU_E_PT_REGISTRATION_NOT_SUPPORTED| Operation failed because Windows Update Agent does not support registration with a non-WSUS server. |
+| 0x80244027| WU_E_PT_NO_AUTH_PLUGINS_REQUESTED| The server returned an empty authentication information list.  |
+| 0x80244028| WU_E_PT_NO_AUTH_COOKIES_CREATED| Windows Update Agent was unable to create any valid authentication cookies. |
+| 0x80244029| WU_E_PT_INVALID_CONFIG_PROP| A configuration property value was wrong. |
+| 0x8024402A| WU_E_PT_CONFIG_PROP_MISSING| A configuration property value was missing. |
+| 0x8024402B| WU_E_PT_HTTP_STATUS_NOT_MAPPED| The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_* error codes. |
+| 0x8024402C| WU_E_PT_WINHTTP_NAME_NOT_RESOLVED| Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. |
+| 0x8024402F| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS| External cab file processing completed with some errors.|
+| 0x80244030| WU_E_PT_ECP_INIT_FAILED| The external cab processor initialization did not complete. |
+| 0x80244031| WU_E_PT_ECP_INVALID_FILE_FORMAT| The format of a metadata file was invalid. |
+| 0x80244032| WU_E_PT_ECP_INVALID_METADATA| External cab processor found invalid metadata. |
+| 0x80244033| WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST| The file digest could not be extracted from an external cab file. |
+| 0x80244034| WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE| An external cab file could not be decompressed. |
+| 0x80244035| WU_E_PT_ECP_FILE_LOCATION_ERROR| External cab processor was unable to get file locations. |
+| 0x80244FFF| WU_E_PT_UNEXPECTED| A communication error not covered by another WU_E_PT_* error code. 
|
+| 0x8024502D| WU_E_PT_SAME_REDIR_ID| Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
+| 0x8024502E| WU_E_PT_NO_MANAGED_RECOVER| A redirector recovery action did not complete because the server is managed. |
+
+## Download Manager errors
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x80246001| WU_E_DM_URLNOTAVAILABLE| A download manager operation could not be completed because the requested file does not have a URL. |
+| 0x80246002| WU_E_DM_INCORRECTFILEHASH| A download manager operation could not be completed because the file digest was not recognized. |
+| 0x80246003| WU_E_DM_UNKNOWNALGORITHM| A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. |
+| 0x80246004| WU_E_DM_NEEDDOWNLOADREQUEST| An operation could not be completed because a download request is required from the download handler. |
+| 0x80246005| WU_E_DM_NONETWORK| A download manager operation could not be completed because the network connection was unavailable. |
+| 0x80246006| WU_E_DM_WRONGBITSVERSION| A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible.| 
+| 0x80246007| WU_E_DM_NOTDOWNLOADED| The update has not been downloaded. |
+| 0x80246008| WU_E_DM_FAILTOCONNECTTOBITS| A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS).| 
+| 0x80246009|WU_E_DM_BITSTRANSFERERROR| A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  |
+| 0x8024600A| WU_E_DM_DOWNLOADLOCATIONCHANGED| A download must be restarted because the location of the source of the download has changed.| 
+| 0x8024600B| WU_E_DM_CONTENTCHANGED| A download must be restarted because the update content changed in a new revision.  
|
+| 0x80246FFF| WU_E_DM_UNEXPECTED| There was a download manager error not covered by another WU_E_DM_* error code.  |
+
+## Update Handler errors
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x80242000| WU_E_UH_REMOTEUNAVAILABLE|9 A request for a remote update handler could not be completed because no remote process is available. |
+| 0x80242001| WU_E_UH_LOCALONLY| A request for a remote update handler could not be completed because the handler is local only. |
+| 0x80242002| WU_E_UH_UNKNOWNHANDLER| A request for an update handler could not be completed because the handler could not be recognized. |
+| 0x80242003| WU_E_UH_REMOTEALREADYACTIVE| A remote update handler could not be created because one already exists.  |
+| 0x80242004| WU_E_UH_DOESNOTSUPPORTACTION| A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall).| 
+| 0x80242005| WU_E_UH_WRONGHANDLER| An operation did not complete because the wrong handler was specified.  |
+| 0x80242006| WU_E_UH_INVALIDMETADATA| A handler operation could not be completed because the update contains invalid metadata. |
+| 0x80242007| WU_E_UH_INSTALLERHUNG| An operation could not be completed because the installer exceeded the time limit. |
+| 0x80242008| WU_E_UH_OPERATIONCANCELLED| An operation being done by the update handler was cancelled. |
+| 0x80242009| WU_E_UH_BADHANDLERXML| An operation could not be completed because the handler-specific metadata is invalid.  |
+| 0x8024200A| WU_E_UH_CANREQUIREINPUT| A request to the handler to install an update could not be completed because the update requires user input. |
+| 0x8024200B| WU_E_UH_INSTALLERFAILURE| The installer failed to install (uninstall) one or more updates.  |
+| 0x8024200C| WU_E_UH_FALLBACKTOSELFCONTAINED| The update handler should download self-contained content rather than delta-compressed content for the update. 
|
+| 0x8024200D| WU_E_UH_NEEDANOTHERDOWNLOAD| The update handler did not install the update because it needs to be downloaded again.  |
+| 0x8024200E| WU_E_UH_NOTIFYFAILURE| The update handler failed to send notification of the status of the install (uninstall) operation.  |
+| 0x8024200F| WU_E_UH_INCONSISTENT_FILE_NAMES | The file names contained in the update metadata and in the update package are inconsistent.  |
+| 0x80242010| WU_E_UH_FALLBACKERROR| The update handler failed to fall back to the self-contained content.  |
+| 0x80242011| WU_E_UH_TOOMANYDOWNLOADREQUESTS| The update handler has exceeded the maximum number of download requests.  |
+| 0x80242012| WU_E_UH_UNEXPECTEDCBSRESPONSE| The update handler has received an unexpected response from CBS.  |
+| 0x80242013| WU_E_UH_BADCBSPACKAGEID| The update metadata contains an invalid CBS package identifier.  |
+| 0x80242014| WU_E_UH_POSTREBOOTSTILLPENDING| The post-reboot operation for the update is still in progress.  |
+| 0x80242015| WU_E_UH_POSTREBOOTRESULTUNKNOWN| The result of the post-reboot operation for the update could not be determined.  |
+| 0x80242016| WU_E_UH_POSTREBOOTUNEXPECTEDSTATE| The state of the update after its post-reboot operation has completed is unexpected.  |
+| 0x80242017| WU_E_UH_NEW_SERVICING_STACK_REQUIRED| The OS servicing stack must be updated before this update is downloaded or installed.  |
+| 0x80242FFF| WU_E_UH_UNEXPECTED| An update handler error not covered by another WU_E_UH_* code.  |
+
+## Data Store errors
+
+|Error code|Message|Description |
+|-|-|-|
+| 0x80248000| WU_E_DS_SHUTDOWN| An operation failed because Windows Update Agent is shutting down.  |
+| 0x80248001| WU_E_DS_INUSE| An operation failed because the data store was in use.| 
+| 0x80248002| WU_E_DS_INVALID| The current and expected states of the data store do not match.| 
+| 0x80248003| WU_E_DS_TABLEMISSING| The data store is missing a table.  
|
+| 0x80248004| WU_E_DS_TABLEINCORRECT| The data store contains a table with unexpected columns.  |
+| 0x80248005| WU_E_DS_INVALIDTABLENAME| A table could not be opened because the table is not in the data store. |
+| 0x80248006| WU_E_DS_BADVERSION| The current and expected versions of the data store do not match. |
+| 0x80248007| WU_E_DS_NODATA| The information requested is not in the data store.  |
+| 0x80248008| WU_E_DS_MISSINGDATA| The data store is missing required information or has a NULL in a table column that requires a non-null value.  |
+| 0x80248009| WU_E_DS_MISSINGREF| The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
+| 0x8024800A| WU_E_DS_UNKNOWNHANDLER| The update was not processed because its update handler could not be recognized.  |
+| 0x8024800B| WU_E_DS_CANTDELETE| The update was not deleted because it is still referenced by one or more services.  |
+| 0x8024800C| WU_E_DS_LOCKTIMEOUTEXPIRED| The data store section could not be locked within the allotted time.  |
+| 0x8024800D| WU_E_DS_NOCATEGORIES | The category was not added because it contains no parent categories and is not a top-level category itself.  |
+| 0x8024800E| WU_E_DS_ROWEXISTS| The row was not added because an existing row has the same primary key.  |
+| 0x8024800F| WU_E_DS_STOREFILELOCKED| The data store could not be initialized because it was locked by another process.  |
+| 0x80248010| WU_E_DS_CANNOTREGISTER| The data store is not allowed to be registered with COM in the current process. 
+| 0x80248011| WU_E_DS_UNABLETOSTART| Could not create a data store object in another process. 
+| 0x80248013| WU_E_DS_DUPLICATEUPDATEID |The server sent the same update to the client with two different revision IDs. 
+| 0x80248014 |WU_E_DS_UNKNOWNSERVICE| An operation did not complete because the service is not in the data store.  
+| 0x80248015 |WU_E_DS_SERVICEEXPIRED |An operation did not complete because the registration of the service has expired. 
+| 0x80248016 | WU_E_DS_DECLINENOTALLOWED | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. 
+| 0x80248017 | WU_E_DS_TABLESESSIONMISMATCH| A table was not closed because it is not associated with the session. 
+| 0x80248018 | WU_E_DS_SESSIONLOCKMISMATCH| A table was not closed because it is not associated with the session. 
+| 0x80248019 | WU_E_DS_NEEDWINDOWSSERVICE| A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. 
+| 0x8024801A | WU_E_DS_INVALIDOPERATION| A request was declined because the operation is not allowed. 
+| 0x8024801B | WU_E_DS_SCHEMAMISMATCH| The schema of the current data store and the schema of a table in a backup XML document do not match. 
+| 0x8024801C | WU_E_DS_RESETREQUIRED| The data store requires a session reset; release the session and retry with a new session. 
+| 0x8024801D | WU_E_DS_IMPERSONATED| A data store operation did not complete because it was requested with an impersonated identity. 
+| 0x80248FFF | WU_E_DS_UNEXPECTED| A data store error not covered by another WU_E_DS_* code. 
+
+## Driver Util errors
+The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped.
+
+|Error code|Message|Description
+|-|-|-|
+| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped. 
+| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications. 
+| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  
+| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata. 
+| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute. 
+| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed. 
+| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing. 
+| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code. 
+
+## Windows Update error codes
+
+|Error code|Message|Description
+|-|-|-|
+| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service. 
+| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded. 
+| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found. 
+| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized. 
+| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range. 
+| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1). 
+| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid. 
+| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found. 
+| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously. 
+| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed. 
+| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled. 
+| 0x8024000C | WU_E_NOOP| No operation was required. 
+| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data. 
+| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data. 
+| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  
+| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated. 
+| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected. 
+| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read. 
+| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list. 
+| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart. 
+| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates. 
+| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing. 
+| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time. 
+| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set. 
+| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating. 
+| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata. 
+| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down. 
+| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable. 
+| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user. 
+| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out. 
+| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates. 
+| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined. 
+| 0x80240024 | WU_E_NO_UPDATE| There are no updates. 
+| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update. 
+| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  
+| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length. 
+| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server. 
+| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system. 
+| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing. 
+| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server. 
+| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source. 
+| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source. 
+| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed. 
+| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set. 
+| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid. 
+| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format. 
+| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid. 
+| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded. 
+| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download. 
+| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed. 
+| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation. 
+| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported. 
+| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type. 
+| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times. 
+| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  
+| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running. 
+| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU. 
+| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI. 
+| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code. 
+
+## Windows Update success codes
+
+|Error code|Message|Description
+|-|-|-|
+| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully. 
+| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself. 
+| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates. 
+| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. 
+| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update. 
+| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system. 
+| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system. 
+| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded. 
+
+## Windows Installer minor errors
+The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.
+
+|Error code|Message|Description
+|-|-|-|
+| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1. 
+| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  
+| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching. 
+| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user. 
+| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer. 
+
+## Windows Update Agent update and setup errors
+
+|Error code|Message|Description
+|-|-|-|
+| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information. 
+| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information. 
+| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. 
+| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully. 
+| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. 
+| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. 
+| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error. 
+| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. 
+| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  
+| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update. 
+| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required. 
+| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running. 
+| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation. 
+| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution. 
+| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information. 
+| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version. 
+| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code. 
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
new file mode 100644
index 0000000000..25fd1a5279
--- /dev/null
+++ b/windows/deployment/update/windows-update-errors.md
@@ -0,0 +1,35 @@
+---
+title: Windows Update common errors and mitigation
+description: Learn about some common issues you might experience with Windows Update
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update common errors and mitigation
+
+>Applies to: Windows 10
+
+The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them.
+
+|Error Code|Message|Description|Mitigation|
+|-|-|-|-|
+|0x8024402F|WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS|External cab file processing completed with some errors|One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
            The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed |
+|0x80242006|WU_E_UH_INVALIDMETADATA|A handler operation could not be completed because the update contains invalid metadata.|Rename Software Redistribution Folder and attempt to download the updates again:
            Rename the following folders to *.BAK:
            - %systemroot%\system32\catroot2

            To do this, type the following commands at a command prompt. Press ENTER after you type each command.
            - Ren %systemroot%\SoftwareDistribution\DataStore *.bak
            - Ren %systemroot%\SoftwareDistribution\Download *.bak
            Ren %systemroot%\system32\catroot2 *.bak |
+|0x80070BC9|ERROR_FAIL_REBOOT_REQUIRED|The requested operation failed. A system reboot is required to roll back changes made.|Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS.|
+|0x80200053|BG_E_VALIDATION_FAILED|NA|Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

            If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). |
+|0x80072EE2|WININET_E_TIMEOUT|The operation timed out|This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
            http://*.update.microsoft.com
            https://*.update.microsoft.com
            http://download.windowsupdate.com

            Additionally , you can take a network trace and see what is timing out. |
+|0x80072EFD
            0x80072EFE 
            0x80D02002|TIME OUT ERRORS|The operation timed out|Make sure there are no firewall rules or proxy to block Microsoft download URLs.
            Take a network monitor trace to understand better. |
+|0X8007000D|ERROR_INVALID_DATA|Indicates invalid data downloaded or corruption occurred.|Attempt to re-download the update and initiate installation. |
+|0x8024A10A|USO_E_SERVICE_SHUTTING_DOWN|Indicates that the WU Service is shutting down.|This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. |
+|0x80240020|WU_E_NO_INTERACTIVE_USER|Operation did not complete because there is no logged-on interactive user.|Please login to the system to initiate the installation and allow the system to be rebooted. |
+|0x80242014|WU_E_UH_POSTREBOOTSTILLPENDING|The post-reboot operation for the update is still in progress.|Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. |
+|0x80246017|WU_E_DM_UNAUTHORIZED_LOCAL_USER|The download failed because the local user was denied authorization to download the content.|Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).|
+|0x8024000B|WU_E_CALL_CANCELLED|Operation was cancelled.|This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete.|
+|0x8024000E|WU_E_XML_INVALID|Windows Update Agent found invalid information in the update's XML data.|Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. 
            |
+|0x8024D009|WU_E_SETUP_SKIP_UPDATE|An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.|You may encounter this error when WSUS is not sending the Self-update to the clients.

            Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue.|
+|0x80244007|WU_E_PT_SOAPCLIENT_SOAPFAULT|SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.|This issue occurs because Windows cannot renew the cookies for Windows Update.

            Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue.|
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
new file mode 100644
index 0000000000..b202854a46
--- /dev/null
+++ b/windows/deployment/update/windows-update-logs.md
@@ -0,0 +1,142 @@
+---
+title: Windows Update log files
+description: Learn about the Windows Update log files
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update log files
+
+>Applies to: Windows 10
+
+The following table describes the log files created by Windows Update.
+
+
+|Log file|Location|Description|When to Use |
+|-|-|-|-|
+|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.|
+|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
            When Updates are downloaded but installation is not triggered.
            When Updates are installed but reboot is not triggered. |
+|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. |
+|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.|
+
+## Generating WindowsUpdate.log
+To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps).
+
+>[!NOTE]
+>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again.
+
+### Windows Update log components
+The WU engine has different component names. 
The following are some of the most common components that appear in the WindowsUpdate.log file:
+
+- AGENT- Windows Update agent
+- AU - Automatic Updates is performing this task
+- AUCLNT- Interaction between AU and the logged-on user
+- CDM- Device Manager
+- CMPRESS- Compression agent
+- COMAPI- Windows Update API
+- DRIVER- Device driver information
+- DTASTOR- Handles database transactions
+- EEHNDLER- Expression handler that's used to evaluate update applicability
+- HANDLER- Manages the update installers
+- MISC- General service information
+- OFFLSNC- Detects available updates without network connection
+- PARSER- Parses expression information
+- PT- Synchronizes updates information to the local datastore
+- REPORT- Collects reporting information
+- SERVICE- Startup/shutdown of the Automatic Updates service
+- SETUP- Installs new versions of the Windows Update client when it is available
+- SHUTDWN- Install at shutdown feature
+- WUREDIR- The Windows Update redirector files
+- WUWEB- The Windows Update ActiveX control
+- ProtocolTalker - Client-server sync
+- DownloadManager - Creates and monitors payload downloads
+- Handler, Setup - Installer handlers (CBS, and so on)
+- EEHandler - Evaluating update applicability rules
+- DataStore - Caching update data locally
+- IdleTimer - Tracking active calls, stopping a service
+
+>[!NOTE]
+>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important.
+
+### Windows Update log structure
+The Windows update log structure is separated into four main identities:
+
+- Time Stamps
+- Process ID and Thread ID
+- Component Name
+- Update Identifiers
+ - Update ID and Revision Number
+ - Revision ID
+ - Local ID
+ - Inconsistent terminology
+
+The WindowsUpdate.log structure is discussed in the following sections. 
+
+#### Time stamps
+The time stamp indicates the time at which the logging occurs.
+- Messages are usually in chronological order, but there may be exceptions.
+- A pause during a sync can indicate a network problem, even if the scan succeeds.
+- A long pause near the end of a scan can indicate a supersedence chain issue.
+ ![Windows Update time stamps](images/update-time-log.png)
+
+
+#### Process ID and thread ID
+The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
+- The first four hex digits are the process ID.
+- The next four hex digits are the thread ID.
+- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID.
+ ![Windows Update process and thread IDs](images/update-process-id.png)
+
+
+#### Component name
+Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows:
+
+- ProtocolTalker - Client-server sync
+- DownloadManager - Creates and monitors payload downloads
+- Handler, Setup - Installer handlers (CBS, etc.)
+- EEHandler - Evaluating update applicability rules
+- DataStore - Caching update data locally
+- IdleTimer - Tracking active calls, stopping service
+
+![Windows Update component name](images/update-component-name.png)
+
+
+#### Update identifiers
+
+##### Update ID and revision number
+There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes.
+- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time
+- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
+- Revision numbers are reused from one update to another (not a unique identifier). 
+- The update ID and revision number are often shown together as "{GUID}.revision."
+ ![Windows Update update identifiers](images/update-update-id.png)
+
+
+##### Revision ID
+- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service.
+- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID.
+- Revision IDs are unique on a given update source, but not across multiple sources.
+- The same update revision may have completely different revision IDs on WU and WSUS.
+- The same revision ID may represent different updates on WU and WSUS.
+
+##### Local ID
+- Local ID is a serial number issued when an update is received from a service by a given WU client
+- Usually seen in debug logs, especially involving the local cache for update info (Datastore)
+- Different client PCs will assign different Local IDs to the same update
+- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
+
+##### Inconsistent terminology
+- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
+- Recognize IDs by form and context:
+
+ - GUIDs are update IDs
+ - Small integers that appear alongside an update ID are revision numbers
+ - Large integers are typically revision IDs
+ - Small integers (especially in Datastore) can be local IDs
+ ![Windows Update inconsisten terminology](images/update-inconsistent.png)
+
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
new file mode 100644
index 0000000000..a89c60d9ec
--- /dev/null
+++ b/windows/deployment/update/windows-update-overview.md
@@ -0,0 +1,54 @@
+---
+title: Get started with Windows Update
+description: Learn how Windows Update works, including architecture and troubleshooting
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Get started with Windows Update
+
+>Applies to: Windows 10
+
+With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates.
+
+Ues the following information to get started with Windows Update:
+
+- Understand the UUP architecture
+- Understand [how Windows Update works](how-windows-update-works.md)
+- Find [Windows Update log files](windows-update-logs.md)
+- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md)
+- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md)
+- Review [other resources](windows-update-resources.md) to help you use Windows Update
+
+## Unified Update Platform (UUP) architecture
+To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms.
+
+![Windows Update terminology](images/update-terminology.png)
+
+- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
+- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. 
+
+ Update types-
+ - OS Feature updates
+ - OS Security updates
+ - Device drivers
+ - Defender definition updates
+
+ >[!NOTE]
+ > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update.
+ >
+ >Store apps aren't installed by USO, today they are separate.
+
+- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller.
+- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date.
+- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS.
+
+Additional components include the following-
+
+- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
+- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
new file mode 100644
index 0000000000..eeac6b3852
--- /dev/null
+++ b/windows/deployment/update/windows-update-resources.md
@@ -0,0 +1,123 @@
+---
+title: Windows Update - Additional resources
+description: Additional resources for Windows Update
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update - additional resources
+
+>Applies to: Windows 10
+
+The following resources provide additional information about using Windows Update.
+
+## WSUS Troubleshooting
+
+[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/)
+
+[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/)
+
+[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/)
+
+[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/)
+
+
+## How do I reset Windows Update components?
+
+[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
+
+
+[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update.
+
+
+## Reset Windows Update components manually
+1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER:
+ ```
+ cmd
+ ```
+2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ ```
+ net stop bits
+ net stop wuauserv
+ ```
+3. Delete the qmgr\*.dat files. 
To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
+ ```
+4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
+ 1. Rename the following folders to *.BAK:
+ - %systemroot%\SoftwareDistribution\DataStore
+ - %systemroot%\SoftwareDistribution\Download
+ - %systemroot%\system32\catroot2
+
+ To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ - Ren %systemroot%\SoftwareDistribution\DataStore *.bak
+ - Ren %systemroot%\SoftwareDistribution\Download *.bak
+ - Ren %systemroot%\system32\catroot2 *.bak
+ 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
+ - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
+5. Type the following command at a command prompt, and then press ENTER:
+ ```
+ cd /d %windir%\system32
+ ```
+6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. 
+ - regsvr32.exe atl.dll
+ - regsvr32.exe urlmon.dll
+ - regsvr32.exe mshtml.dll
+ - regsvr32.exe shdocvw.dll
+ - regsvr32.exe browseui.dll
+ - regsvr32.exe jscript.dll
+ - regsvr32.exe vbscript.dll
+ - regsvr32.exe scrrun.dll
+ - regsvr32.exe msxml.dll
+ - regsvr32.exe msxml3.dll
+ - regsvr32.exe msxml6.dll
+ - regsvr32.exe actxprxy.dll
+ - regsvr32.exe softpub.dll
+ - regsvr32.exe wintrust.dll
+ - regsvr32.exe dssenh.dll
+ - regsvr32.exe rsaenh.dll
+ - regsvr32.exe gpkcsp.dll
+ - regsvr32.exe sccbase.dll
+ - regsvr32.exe slbcsp.dll
+ - regsvr32.exe cryptdlg.dll
+ - regsvr32.exe oleaut32.dll
+ - regsvr32.exe ole32.dll
+ - regsvr32.exe shell32.dll
+ - regsvr32.exe initpki.dll
+ - regsvr32.exe wuapi.dll
+ - regsvr32.exe wuaueng.dll
+ - regsvr32.exe wuaueng1.dll
+ - regsvr32.exe wucltui.dll
+ - regsvr32.exe wups.dll
+ - regsvr32.exe wups2.dll
+ - regsvr32.exe wuweb.dll
+ - regsvr32.exe qmgr.dll
+ - regsvr32.exe qmgrprxy.dll
+ - regsvr32.exe wucltux.dll
+ - regsvr32.exe muweb.dll
+ - regsvr32.exe wuwebv.dll
+7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ netsh reset winsock
+ ```
+8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ proxycfg.exe -d
+ ```
+9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ ```
+ net start bits
+
+ net start wuauserv
+ ```
+10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ bitsadmin.exe /reset /allusers
+ ```
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md
deleted file mode 100644
index b87b77d354..0000000000
--- a/windows/deployment/update/windows-update-sources.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Determine the source of Windows updates
-description: Determine the source that Windows Update service is currently using.
-ms.prod: w10
-ms.mktglfcycl:
-ms.sitesec: library
-author: kaushika-msft
-ms.localizationpriority: medium
-ms.author: jaimeo
-ms.date: 04/05/2018
----
-
-# Determine the source of Windows updates
-
-Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: 
-
-1. Start Windows PowerShell as an administrator
-2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`.
-3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table:
-
-| Output | Interpretation |
-|-----------------------------------------------------|-----------------------------------|
-| - Name: **Microsoft Update**
            -OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
            - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)|
-|- Name: **DCat Flighting Prod**
            - OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.
            - Indicates that the client will not receive or is not configured to receive these updates. |
-| - Name: **Windows Store (DCat Prod)**
            - OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.
            - Indicates that the client will not receive or is not configured to receive these updates.|
-|- Name: **Windows Server Update Service**
            - OffersWindowsUpdates: **True** |- The source is a Windows Server Updates Services server.
            - The client is configured to receive updates from WSUS.|
-|- Name: **Windows Update**
            - OffersWindowsUpdates: **True** |- The source is Windows Update.
            - The client is configured to receive updates from Windows Update Online.|
-
-
-
-See also:
-
-[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760)
-
-[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer)
-
-[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file)
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
new file mode 100644
index 0000000000..4c558115d6
--- /dev/null
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -0,0 +1,175 @@
+---
+title: Windows Update troubleshooting
+description: Learn how to troubleshoot Windows Update
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update troubleshooting
+
+>Applies to: Windows 10
+
+If you run into problems when using Windows Update, start with the following steps:
+
+1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**.
+2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU.
+3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
+ 
+ - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history)
+ - [Windows 10, version 1709](https://support.microsoft.com/help/4043454)
+ - [Windows 10, version 1703](https://support.microsoft.com/help/4018124)
+ - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history)
+ - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history)
+ - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history)
+ - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history)
+
+Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation.
+
+You might encounter the following scenarios when using Windows Update.
+
+## Why am I offered an older update/upgrade? 
+The update that is offered to a device depends on several factors. Some of the most common attributes include the following.
+
+- OS Build
+- OS Branch
+- OS Locale
+- OS Architecture
+- Device update management configuration
+
+If the update you're offered isn't th emost current available, it might be because your device is being managed by a WSUS server, and your'e being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day.
+
+## My machine is frozen at scan. Why?
+The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following:
+1. Close the Settings app and reopen it.
+2. Launch Services.msc and check if the following services are running:
+ - Update State Orchestrator
+ - Windows Update
+
+## Issues related to HTTP/Proxy
+Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. 
+
+To fix this issue, configure a proxy in WinHTTP by using the following netsh command:
+
+```
+netsh winhttp set proxy ProxyServerName:PortNumber
+```
+
+>[!NOTE]
+> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie
+
+If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run.
+
+You may choose to apply a rule to permit HTTP RANGE requests for the following URLs:
+*.download.windowsupdate.com
+*.au.windowsupdate.com
+*.tlu.dl.delivery.mp.microsoft.com
+
+If you cannot permit RANGE requests, you can configure a Group Policy or MDM Policy setting that will bypass Delivery Optimization and use BITS instead.
+
+
+## The update is not applicable to your computer
+The most common reasons for this error are described in the following table:
+
+|Cause|Explanation|Resolution|
+|-----|-----------|----------|
+|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. |
+|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.|
+|Wrong update for architecture|Updates are published by CPU architecture. 
If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
            Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. |
+|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
            Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
            get-hotfix KB3173424,KB2919355,KB2919442
            If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output.
+
+## Issues related to firewall configuration
+Error that may be seen in the WU logs:
+```
+DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls.
+```
+Or
+```
+[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9
+```
+Or
+```
+DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A
+```
+
+Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information , see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337\(v=ws.10\)) or [Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4039473/windows-update-stuck-at-0-percent-on-windows-10-and-windows-server-201).
+
+## Issues arising from configuration of conflicting policies
+Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors.
+
+See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. 
+
+
+## Updates aren't downloading from the intranet endpoint (WSUS/SCCM)
+Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
+1. Start Windows PowerShell as an administrator
+2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager".
+3. Run \$MUSM.Services.
+
+Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table.
+
+|Output|Interpretation|
+|-|-|
+|- Name: Microsoft Update
            -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
            - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) |
+|- Name: DCat Flighting Prod
            - OffersWindowsUpdates: False|- The update source is the Windows Insider Program.
            - Indicates that the client will not receive or is not configured to receive these updates. |
+|- Name: Windows Store (DCat Prod)
            - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
            - Indicates that the client will not receive or is not configured to receive these updates.|
+|- Name: Windows Server Update Service
            - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
            - The client is configured to receive updates from WSUS. |
+|- Name: Windows Update
            - OffersWindowsUpdates: True|- The source is Windows Update.
            - The client is configured to receive updates from Windows Update Online.|
+
+## You have a bad setup in the environment
+If we look at the GPO being set through registry, the system is configured to use WSUS to download updates:
+
+```
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
+"UseWUServer"=dword:00000001 ===================================> it says use WSUS server.
+```
+
+From the WU logs:
+```
+2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49]
+2018-08-06 09:33:31:085 480 1118 Agent *********
+2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates
+2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No
+2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*"
+2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service
+2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine}
+2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities
+2018-08-06 09:33:32:554 480 1118 Agent *********
+2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49]
+```
+
+In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results.
+
+Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. 
The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here.
+
+```
+2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57]
+2018-08-06 10:58:45:992 480 5d8 Agent *********
+2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No
+2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
+
+2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2
+2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities
+2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates
+2018-08-06 10:58:47:383 480 5d8 Agent *********
+2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57]
+```
+
+## High bandwidth usage on Windows 10 by Windows Update
+Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. 
+
+The following group policies can help mitigate this:
+
+[Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728)
+[Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183)
+[Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876)
+
+Other components that reach out to the internet:
+
+- Windows Spotlight. [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled)
+- [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled)
+- Modern App- Windows Update installation fails. [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571)
\ No newline at end of file
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 18ed0fbef3..cb0bb9ff2a 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -25,11 +25,11 @@ ms.localizationpriority: medium
A frequently observed result code is 0xC1900101. This result code can be thrown at any stage of the upgrade process, with the exception of the downlevel phase. 0xC1900101 is a generic rollback code, and usually indicates that an incompatible driver is present. The incompatible driver can cause blue screens, system hangs, and unexpected reboots. Analysis of supplemental log files is often helpful, such as:
            -- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, -- Event logs: $Windows.~bt\Sources\Rollback\*.evtx +- The minidump file: $Windows.~bt\Sources\Rollback\setupmem.dmp, +- Event logs: $Windows.~bt\Sources\Rollback\*.evtx - The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log -The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process. +The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process.
            See the following general troubleshooting procedures associated with a result code of 0xC1900101:
@@ -46,7 +46,7 @@ The device install log is particularly helpful if rollback occurs during the sys
            Cause
            Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation -
            This is generally caused by out-of-date drivers. +
            This is generally caused by out-of-date drivers.
            @@ -72,7 +72,7 @@ The device install log is particularly helpful if rollback occurs during the sys
            Cause
            Windows Setup encountered an unspecified error during Wim apply in the WinPE phase. -
            This is generally caused by out-of-date drivers. +
            This is generally caused by out-of-date drivers.
            @@ -82,7 +82,7 @@ The device install log is particularly helpful if rollback occurs during the sys Mitigation Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
            Contact your hardware vendor to obtain updated device drivers. -
            Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
            Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. @@ -100,7 +100,7 @@ The device install log is particularly helpful if rollback occurs during the sys Cause A driver has caused an illegal operation.
            Windows was not able to migrate the driver, resulting in a rollback of the operating system. -
            This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. +
            This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. @@ -137,7 +137,7 @@ Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
            Contact your hardware vendor to obtain updated device drivers. -
            Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
            Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. @@ -178,9 +178,9 @@ Disconnect all peripheral devices that are connected to the system, except for t
            Cause
            A rollback occurred due to a driver configuration issue. -
            Installation failed during the second boot phase while attempting the MIGRATE_DATA operation. +
            Installation failed during the second boot phase while attempting the MIGRATE_DATA operation. -
            This can occur due to incompatible drivers. +
            This can occur due to incompatible drivers.
            @@ -190,11 +190,11 @@ Disconnect all peripheral devices that are connected to the system, except for t
            Mitigation
            -
            Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. +
            Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
            Review the rollback log and determine the stop code.
            The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder. An example analysis is shown below. This example is not representative of all cases:
            Info SP Crash 0x0000007E detected -
            Info SP Module name : +
            Info SP Module name :
            Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
            Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
            Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728 @@ -362,7 +362,7 @@ Disable or uninstall non-Microsoft antivirus applications, disconnect all unnece
            Cause
            -The installation failed during the second boot phase while attempting the MIGRATE_DATA operation. +The installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
            This issue can occur due to file system, application, or driver issues.
            @@ -394,7 +394,7 @@ The installation failed during the second boot phase while attempting the MIGRAT Cause -The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. +The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. @@ -405,13 +405,13 @@ The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DAT Mitigation -[Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration. +[Analyze log files](log-files.md#analyze-log-files) in order to determine the files or registry entries that are blocking data migration. -This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. +This error can be due to a problem with user profiles. It can occur due to corrupt registry entries under **HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList** or invalid files in the **\\Users** directory. Note: If a previous upgrade did not complete, invalid profiles might exist in the **Windows.old\\Users** directory. -To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. +To repair this error, ensure that deleted accounts are not still present in the Windows registry and that files under the \\Users directory are valid. Delete the invalid files or user profiles that are causing this error. The specific files and profiles that are causing the error will be recorded in the Windows setup log files. 
@@ -431,7 +431,7 @@ To repair this error, ensure that deleted accounts are not still present in the Cause -General failure, a device attached to the system is not functioning. +General failure, a device attached to the system is not functioning. @@ -508,13 +508,13 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m 0x80090011 A device driver error occurred during user data migration. -Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. +Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process.
            Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 0xC7700112 Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk. -This issue is resolved in the latest version of Upgrade Assistant. +This issue is resolved in the latest version of Upgrade Assistant.
            Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. @@ -528,7 +528,7 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m 0x80246007 The update was not downloaded successfully. Attempt other methods of upgrading the operating system.
            -Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10). +Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10).
            Attempt to upgrade using .ISO or USB.
            **Note**: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). @@ -565,7 +565,7 @@ Download and run the media creation tool. See [Download windows 10](https://www. The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications. Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/) for more information. -
            You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools. +
            You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools. @@ -584,7 +584,7 @@ Download and run the media creation tool. See [Download windows 10](https://www. 0x80240FFF Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. - You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following: + You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
            1. Disable the Upgrades classification.
            2. @@ -624,7 +624,7 @@ Download and run the media creation tool. See [Download windows 10](https://www. Error CodesCauseMitigation 0x80070003- 0x20007 -This is a failure during SafeOS phase driver installation. +This is a failure during SafeOS phase driver installation. [Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver. @@ -661,15 +661,15 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data. [Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access denied. 0x80070004 - 0x50012 -Windows Setup failed to open a file. +Windows Setup failed to open a file. [Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access problems. -0xC190020e +0xC190020e
              0x80070070 - 0x50011
              0x80070070 - 0x50012
              0x80070070 - 0x60000 These errors indicate the computer does not have enough free space available to install the upgrade. To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade. - +
              Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby. 
@@ -681,77 +681,77 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
 | Result code | Message | Description |
 | --- | --- | --- |
-| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. |
-| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. |
-| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. |
-| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. |
-| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. |
-| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. |
-| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. |
-| 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. |
-| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. |
-| 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. |
-| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. |
-| 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. |
-| 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. |
-| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. |
-| 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. |
-| 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. |
-| 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. |
-| 0XC1900112 | MOSETUP_E_TARGET_DRIVE_NOT_FOUND | Could not find a target drive letter. |
-| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. |
-| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. |
-| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. |
-| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. |
-| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. |
-| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. |
-| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. |
-| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. |
-| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. |
-| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. |
-| 0XC1900127 | MOSETUP_E_UNINSTALL_ALLOWED_ABORT | The user has chosen to abort Setup to keep Uninstall option active. |
-| 0XC1900128 | MOSETUP_E_MISSING_TASK | The install cannot continue because a required task is missing. |
+| 0XC1900100 | MOSETUP_E_VERSION_MISMATCH | An unexpected version of Setup Platform binaries was encountered. Please verify the package contents. |
+| 0XC1900101 | MOSETUP_E_SETUP_PLATFORM | The Setup Platform has encountered an unspecified error. |
+| 0XC1900102 | MOSETUP_E_SHUTDOWN_BLOCK | Unable to create or destroy the shutdown block message. |
+| 0XC1900103 | MOSETUP_E_COMPAT_TIMEOUT | The compatibility issues were not resolved within the required time limit. |
+| 0XC1900104 | MOSETUP_E_PROCESS_TIMEOUT | The installation process did not complete within the required time limit. |
+| 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. |
+| 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. |
+| 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. |
+| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. |
+| 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. |
+| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. |
+| 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. |
+| 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. |
+| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. |
+| 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. |
+| 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. |
+| 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. |
+| 0XC1900112 | MOSETUP_E_TARGET_DRIVE_NOT_FOUND | Could not find a target drive letter. |
+| 0XC1900113 | MOSETUP_E_EULA_DECLINED | The user has declined the license terms. |
+| 0XC190011e | MOSETUP_E_FLIGHTING_BVT | The installation process has been halted for testing purposes. |
+| 0XC190011f | MOSETUP_E_PROCESS_CRASHED | The installation process crashed. |
+| 0XC1900120 | MOSETUP_E_EULA_TIMEOUT | The user has not accepted Eula within the required time limit. |
+| 0XC1900121 | MOSETUP_E_ADVERTISE_TIMEOUT | The user has not accepted Advertisement within the required time limit. |
+| 0XC1900122 | MOSETUP_E_DOWNLOADDISKSPACE_TIMEOUT | The download diskspace issues were not resolved within the required time limit. |
+| 0XC1900123 | MOSETUP_E_INSTALLDISKSPACE_TIMEOUT | The install diskspace issues were not resolved within the required time limit. |
+| 0XC1900124 | MOSETUP_E_COMPAT_SYSREQ_TIMEOUT | The minimum requirements compatibility issues were not resolved within the required time limit. |
+| 0XC1900125 | MOSETUP_E_COMPAT_DOWNLOADREQ_TIMEOUT | The compatibility issues for download were not resolved within the required time limit. |
+| 0XC1900126 | MOSETUP_E_GATHER_OS_STATE_SIGNATURE | The GatherOsState executable has invalid signature. |
+| 0XC1900127 | MOSETUP_E_UNINSTALL_ALLOWED_ABORT | The user has chosen to abort Setup to keep Uninstall option active. |
+| 0XC1900128 | MOSETUP_E_MISSING_TASK | The install cannot continue because a required task is missing. |
 | 0XC1900129 | MOSETUP_E_UPDATEMEDIA_REQUESTED | A more up-to-date version of setup will be launched to continue installation
-| 0XC190012f | MOSETUP_E_FINALIZE_ALREADY_REQUESTED | The install cannot continue because a finalize operation was already requested. |
-| 0XC1900130 | MOSETUP_E_INSTALL_HASH_MISSING | The install cannot continue because the instance hash was not found. |
-| 0XC1900131 | MOSETUP_E_INSTALL_HASH_MISMATCH | The install cannot continue because the instance hash does not match. |
-| 0XC19001df | MOSETUP_E_DISK_FULL | The install cannot continue because the system is out of disk space. |
-| 0XC19001e0 | MOSETUP_E_GATHER_OS_STATE_FAILED | The GatherOsState executable has failed to execute. |
-| 0XC19001e1 | MOSETUP_E_PROCESS_SUSPENDED | The installation process was suspended. |
-| 0XC19001e2 | MOSETUP_E_PREINSTALL_SCRIPT_FAILED | A preinstall script failed to execute or returned an error. |
-| 0XC19001e3 | MOSETUP_E_PRECOMMIT_SCRIPT_FAILED | A precommit script failed to execute or returned an error. |
-| 0XC19001e4 | MOSETUP_E_FAILURE_SCRIPT_FAILED | A failure script failed to execute or returned an error. |
-| 0XC19001e5 | MOSETUP_E_SCRIPT_TIMEOUT | A script exceeded the timeout limit. |
-| 0XC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The system does not pass the minimum requirements to install the update. |
-| 0XC1900201 | MOSETUP_E_COMPAT_SYSREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to install the update. |
-| 0XC1900202 | MOSETUP_E_COMPAT_DOWNLOADREQ_BLOCK | The system does not pass the minimum requirements to download the update. |
-| 0XC1900203 | MOSETUP_E_COMPAT_DOWNLOADREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to download the update. |
-| 0XC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The system does not pass the requirements for desired migration choice. |
-| 0XC1900205 | MOSETUP_E_COMPAT_MIGCHOICE_CANCEL | The user has chosen to cancel because the system does not pass the requirements for desired migration choice. |
-| 0XC1900206 | MOSETUP_E_COMPAT_DEVICEREQ_BLOCK | The system does not pass the device scan to install the update. |
-| 0XC1900207 | MOSETUP_E_COMPAT_DEVICEREQ_CANCEL | The user has chosen to cancel because the system does not pass the device scan to install the update. |
-| 0XC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | The system does not pass the compat scan to install the update. |
-| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. |
-| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. |
-| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. |
-| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. |
-| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. |
-| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. |
-| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. |
-| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. |
-| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. |
-| 0XC1900212 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_MULTIARCH_BLOCK | The system does not pass the disk space requirements to download and unpack multi-architecture media. |
-| 0XC1900213 | MOSETUP_E_NO_OFFER_FOUND | There was no offer found that matches the required criteria. |
-| 0XC1900214 | MOSETUP_E_UNSUPPORTED_VERSION | This version of the tool is not supported. |
-| 0XC1900215 | MOSETUP_E_NO_MATCHING_INSTALL_IMAGE | Could not find an install image for this system. |
-| 0XC1900216 | MOSETUP_E_ROLLBACK_PENDING | Found pending OS rollback operation. |
-| 0XC1900220 | MOSETUP_E_COMPAT_REPORT_NOT_DISPLAYED | The compatibility report cannot be displayed due to a missing system component. |
-| 0XC1900400 | MOSETUP_E_UA_VERSION_MISMATCH | An unexpected version of Update Agent client was encountered. |
-| 0XC1900401 | MOSETUP_E_UA_NO_PACKAGES_TO_DOWNLOAD | No packages to be downloaded. |
-| 0XC1900402 | MOSETUP_E_UA_UPDATE_CANNOT_BE_MERGED | No packages to be downloaded. |
-| 0XC1900403 | MOSETUP_E_UA_CORRUPT_PAYLOAD_FILES | Payload files were corrupt. |
-| 0XC1900404 | MOSETUP_E_UA_BOX_NOT_FOUND | The installation executable was not found. |
-| 0XC1900405 | MOSETUP_E_UA_BOX_CRASHED | The installation process terminated unexpectedly. |
+| 0XC190012f | MOSETUP_E_FINALIZE_ALREADY_REQUESTED | The install cannot continue because a finalize operation was already requested. |
+| 0XC1900130 | MOSETUP_E_INSTALL_HASH_MISSING | The install cannot continue because the instance hash was not found. |
+| 0XC1900131 | MOSETUP_E_INSTALL_HASH_MISMATCH | The install cannot continue because the instance hash does not match. |
+| 0XC19001df | MOSETUP_E_DISK_FULL | The install cannot continue because the system is out of disk space. |
+| 0XC19001e0 | MOSETUP_E_GATHER_OS_STATE_FAILED | The GatherOsState executable has failed to execute. |
+| 0XC19001e1 | MOSETUP_E_PROCESS_SUSPENDED | The installation process was suspended. |
+| 0XC19001e2 | MOSETUP_E_PREINSTALL_SCRIPT_FAILED | A preinstall script failed to execute or returned an error. |
+| 0XC19001e3 | MOSETUP_E_PRECOMMIT_SCRIPT_FAILED | A precommit script failed to execute or returned an error. |
+| 0XC19001e4 | MOSETUP_E_FAILURE_SCRIPT_FAILED | A failure script failed to execute or returned an error. |
+| 0XC19001e5 | MOSETUP_E_SCRIPT_TIMEOUT | A script exceeded the timeout limit. |
+| 0XC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The system does not pass the minimum requirements to install the update. |
+| 0XC1900201 | MOSETUP_E_COMPAT_SYSREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to install the update. |
+| 0XC1900202 | MOSETUP_E_COMPAT_DOWNLOADREQ_BLOCK | The system does not pass the minimum requirements to download the update. |
+| 0XC1900203 | MOSETUP_E_COMPAT_DOWNLOADREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to download the update. |
+| 0XC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The system does not pass the requirements for desired migration choice. |
+| 0XC1900205 | MOSETUP_E_COMPAT_MIGCHOICE_CANCEL | The user has chosen to cancel because the system does not pass the requirements for desired migration choice. |
+| 0XC1900206 | MOSETUP_E_COMPAT_DEVICEREQ_BLOCK | The system does not pass the device scan to install the update. |
+| 0XC1900207 | MOSETUP_E_COMPAT_DEVICEREQ_CANCEL | The user has chosen to cancel because the system does not pass the device scan to install the update. |
+| 0XC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | The system does not pass the compat scan to install the update. |
+| 0XC1900209 | MOSETUP_E_COMPAT_INSTALLREQ_CANCEL | The user has chosen to cancel because the system does not pass the compat scan to install the update. |
+| 0XC190020a | MOSETUP_E_COMPAT_RECOVERYREQ_BLOCK | The system does not pass the minimum requirements to recover Windows. |
+| 0XC190020b | MOSETUP_E_COMPAT_RECOVERYREQ_CANCEL | The user has chosen to cancel because the system does not pass the minimum requirements to recover Windows. |
+| 0XC190020c | MOSETUP_E_DOWNLOADDISKSPACE_BLOCK | The system does not pass the diskspace requirements to download the payload. |
+| 0XC190020d | MOSETUP_E_DOWNLOADDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to download. |
+| 0XC190020e | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The system does not pass the diskspace requirements to install the payload. |
+| 0XC190020f | MOSETUP_E_INSTALLDISKSPACE_CANCEL | The user has chosen to cancel as the device does not have enough disk space to install. |
+| 0XC1900210 | MOSETUP_E_COMPAT_SCANONLY | The user has used the setup.exe command line to do scanonly, not to install the OS. |
+| 0XC1900211 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_BLOCK | The system does not pass the disk space requirements to download and unpack media. |
+| 0XC1900212 | MOSETUP_E_DOWNLOAD_UNPACK_DISKSPACE_MULTIARCH_BLOCK | The system does not pass the disk space requirements to download and unpack multi-architecture media. |
+| 0XC1900213 | MOSETUP_E_NO_OFFER_FOUND | There was no offer found that matches the required criteria. |
+| 0XC1900214 | MOSETUP_E_UNSUPPORTED_VERSION | This version of the tool is not supported. |
+| 0XC1900215 | MOSETUP_E_NO_MATCHING_INSTALL_IMAGE | Could not find an install image for this system. |
+| 0XC1900216 | MOSETUP_E_ROLLBACK_PENDING | Found pending OS rollback operation. |
+| 0XC1900220 | MOSETUP_E_COMPAT_REPORT_NOT_DISPLAYED | The compatibility report cannot be displayed due to a missing system component. |
+| 0XC1900400 | MOSETUP_E_UA_VERSION_MISMATCH | An unexpected version of Update Agent client was encountered. |
+| 0XC1900401 | MOSETUP_E_UA_NO_PACKAGES_TO_DOWNLOAD | No packages to be downloaded. |
+| 0XC1900402 | MOSETUP_E_UA_UPDATE_CANNOT_BE_MERGED | No packages to be downloaded. |
+| 0XC1900403 | MOSETUP_E_UA_CORRUPT_PAYLOAD_FILES | Payload files were corrupt. |
+| 0XC1900404 | MOSETUP_E_UA_BOX_NOT_FOUND | The installation executable was not found. |
+| 0XC1900405 | MOSETUP_E_UA_BOX_CRASHED | The installation process terminated unexpectedly. |
 ## Related topics
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 90965a2bd0..65b4e8d268 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 07/18/2018
-ms.localizationpriority: high
+ms.date: 08/16/2018
+ms.localizationpriority: medium
 ---
 # SetupDiag
@@ -125,8 +125,7 @@ SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump
 ## Known issues
 1. Some rules can take a long time to process if the log files involved are large.
-2. SetupDiag only outputs data in a text format.
-3. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause. In this case, try gathering the log files and running SetupDiag in offline mode.
+2. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause. In this case, try gathering the log files and running SetupDiag in offline mode.
 ## Sample output
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 84185caa92..57d117aeb9 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 03/30/2018
+ms.date: 08/18/2018
 ms.localizationpriority: medium
 ---
@@ -47,7 +47,7 @@ The following set of result codes are associated with [Windows Setup](https://do
 | 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 |
 | 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install |
-A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procudures](resolution-procedures.md#modern-setup-errors) topic in this article.
+A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article.
 Other result codes can be matched to the specific type of error encountered. To match a result code to an error:
diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md
index c7e84fc03b..e5eab8199a 100644
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md
+++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md
@@ -1,20 +1,23 @@
 ---
 title: Get started with Upgrade Readiness (Windows 10)
 description: Explains how to get started with Upgrade Readiness.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
+keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
-ms.date: 06/12/2018
+ms.date: 09/26/2018
 ms.localizationpriority: medium
 ---
 # Get started with Upgrade Readiness
-This topic explains how to obtain and configure Upgrade Readiness for your organization.
+>[!IMPORTANT]
+>**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition).
+
+This topic explains how to obtain and configure Upgrade Readiness for your organization. You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft.
@@ -31,36 +34,42 @@ When you are ready to begin using Upgrade Readiness, perform the following steps 3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). 4. [Use Upgrade Readiness to manage Windows Upgrades](#use-upgrade-readiness-to-manage-windows-upgrades) once your devices are enrolled. -## Data collection and privacy +## Data collection and privacy To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. -## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics +## Add the Upgrade Readiness solution to your Azure subscription -Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +Upgrade Readiness is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: ->[!IMPORTANT] ->Upgrade Readiness is a free solution for Azure subscribers. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. 
The Upgrade Readiness service will ingest a full snapshot of your data into your OMS workspace on a daily basis. Each snapshot includes all of your devices that have been active within the past 30 days regardless of your OMS retention period. +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Upgrade Readiness is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. -If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. +2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. + ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) ->[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace. 
- -If you are not using OMS or Azure Log Analytics: - -1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -2. Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. -4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. - - > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. - -5. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. + ![Azure portal showing Upgrade Readiness fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](../images/UR-Azureportal2.png) +3. Choose an existing workspace or create a new workspace to host the Upgrade Readiness solution. 
+ ![Azure portal showing Log Analytics workspace fly-in](../images/UR-Azureportal3.png) + - If you are using other Windows Analytics solutions (Device Health or Update Compliance) you should add Upgrade Readiness to the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **Free**. +4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](../images/UR-Azureportal4.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. + ![Azure portal all services page with Log Analytics found and selected as favorite](../images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Upgrade Readiness solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. ## Enroll devices in Windows Analytics -Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). 
+
+Once you've added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started).
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 6e85f14d18..b1d5d0463a 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -1,7 +1,7 @@
 ---
 title: Upgrade Readiness requirements (Windows 10)
 description: Provides requirements for Upgrade Readiness.
-keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
+keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
 ms.prod: w10
 author: jaimeo
 ms.author:
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness.
-## Supported upgrade paths
+## Supported upgrade paths
 ### Windows 7 and Windows 8.1
@@ -27,20 +27,20 @@ If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Window Note: Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance. -See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. +See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. ### Windows 10 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. -The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). +The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. 
See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. ## Operations Management Suite or Azure Log Analytics -Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premises and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). +Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premises and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. +If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. 
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md index badacb456b..97bc60f3d0 100644 --- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md +++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium ms.prod: w10 author: jaimeo ms.author: jaimeo -ms.date: 08/30/2017 +ms.date: 07/31/2018 --- # Use Upgrade Readiness to manage Windows upgrades @@ -22,7 +22,7 @@ When you are ready to begin the upgrade process, a workflow is provided to guide Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step. ->**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). +>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are running a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB). The following information and workflow is provided: 
@@ -41,11 +41,11 @@ The target version setting is used to evaluate the number of computers that are ![Upgrade overview showing target version](../images/ur-target-version.png) -As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. +The default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version. The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version. -You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, and Windows 10 version 1703. +You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, Windows 10 version 1607, Windows 10 version 1703, Windows 10 version 1709 and Windows 10 version 1803. To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution: 
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index f0f9e52ba2..450da4c243 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -20,9 +20,9 @@ ms.date: 07/06/2018 With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. -For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](http://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). +For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). -The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. +The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. ![not supported](../images/x_blk.png) (X) = not supported
              ![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
              @@ -64,7 +64,7 @@ X = unsupported
              > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) > - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. >
              -> - Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. +> - Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. ## Upgrade using mobile device management (MDM) - To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). @@ -72,7 +72,7 @@ X = unsupported
              - To upgrade mobile editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithLicense** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). ## Upgrade using a provisioning package -Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). +Use Windows Configuration Designer to create a provisioning package to upgrade a desktop edition or mobile edition of Windows 10. To get started, [install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). - To create a provisioning package for upgrading desktop editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithProductKey** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. @@ -116,7 +116,7 @@ If you do not have a product key, you can upgrade your edition of Windows 10 th 2. Click **Go to Store**. 3. Follow the on-screen instructions. - + **Note**
              If you are a Windows 10 Home N or Windows 10 Home KN user and have trouble finding your applicable upgrade in the Microsoft Store, click [here](ms-windows-store://windowsupgrade/). ## License expiration diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 4ca5f1bd95..166c96a39c 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -142,7 +142,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional + Pro D ✔ ✔ @@ -153,7 +153,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional Student + Pro Student D ✔ ✔ @@ -164,7 +164,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional WMC + Pro WMC D ✔ ✔ @@ -233,7 +233,7 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional + Pro D ✔ ✔ diff --git a/windows/deployment/usmt/usmt-overview.md b/windows/deployment/usmt/usmt-overview.md index d07f18d62b..64dca2cedb 100644 --- a/windows/deployment/usmt/usmt-overview.md +++ b/windows/deployment/usmt/usmt-overview.md 
@@ -36,7 +36,7 @@ USMT provides the following benefits to businesses that are deploying Windows op
 - Increases employee satisfaction with the migration experience.
 ## Limitations
-USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](http://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
+USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](https://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
 There are some scenarios in which the use of USMT is not recommended. These include:
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index daa83b02e6..6166d21bcd 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -90,11 +90,11 @@ For more information about previous releases of the USMT tools, see [User State
 ## Windows PE
-- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](http://msdn.microsoft.com/library/windows/hardware/dn938350.aspx).
+- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](https://msdn.microsoft.com/library/windows/hardware/dn938350.aspx).
 ## Credentials
-- **Run as administrator**
+- **Run as administrator**
 When manually running the **ScanState** and **LoadState** tools on Windows 7, Windows 8 or Windows 10 you must run them from an elevated command prompt to ensure that all specified users are migrated. If you do not run USMT from an elevated prompt, only the user profile that is logged on will be included in the migration.
 To open an elevated command prompt:
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 6cc67221bb..63031ebeaa 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -29,10 +29,10 @@ Deployment instructions are provided for the following scenarios:
 ## Activation
-### Scenario 1
+### Scenario 1
 - The VM is running Windows 10, version 1803 or later.
 - The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
-
+
 When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
 ### Scenario 2
@@ -41,7 +41,7 @@ Deployment instructions are provided for the following scenarios: [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in iwth a local account or using an Azure Active Directory account. ### Scenario 3 -- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. +- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner. In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/). 
@@ -63,7 +63,7 @@ For examples of activation issues, see [Troubleshoot the user experience](https: 7. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). 8. Open Windows Configuration Designer and click **Provison desktop services**. 9. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 10. - + 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. @@ -141,5 +141,5 @@ To create custom RDP settings for Azure: [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md)
              [Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -
              [Licensing the Windows Desktop for VDI Environments](http://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) +
              [Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md
index 14bf4f8a02..1b8d6436f4 100644
--- a/windows/deployment/volume-activation/monitor-activation-client.md
+++ b/windows/deployment/volume-activation/monitor-activation-client.md
@@ -1,7 +1,7 @@
 ---
 title: Monitor activation (Windows 10)
 ms.assetid: 264a3e86-c880-4be4-8828-bf4c839dfa26
-description:
+description:
 keywords: vamt, volume activation, activation, windows activation
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -29,7 +29,7 @@ ms.date: 07/27/2017
 You can monitor the success of the activation process for a computer running Windows 8.1 in several ways. The most popular methods include:
 - Using the Volume Licensing Service Center website to track use of MAK keys.
-- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](http://technet.microsoft.com/library/ff793433.aspx).)
+- Using the **Slmgr /dlv** command on a client computer or on the KMS host. (For a full list of options, see [Slmgr.vbs Options](https://technet.microsoft.com/library/ff793433.aspx).)
 - Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it is available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)
 - Most licensing actions and events are recorded in the Event log.
 - Microsoft System Center Operations Manager and the KMS Management Pack can provide insight and information to users of System Center Operations Manager.
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index a937437e02..d1cdff4f2f 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -80,7 +80,7 @@ Token-based Activation option is available for Windows 10 Enterprise LTSB editio
 ### Multiple activation key
-A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
+A Multiple Activation Key (MAK) is commonly used in small- or mid-sized organizations that have a volume licensing agreement, but they do not meet the requirements to operate a KMS or they prefer a simpler approach. A MAK also
 allows permanent activation of computers that are isolated from the KMS or are part of an isolated network that does not have enough computers to use the KMS.
 To use a MAK, the computers to be activated must have a MAK installed. The MAK is used for one-time activation with the Microsoft online hosted activation services, by telephone, or by using VAMT proxy activation.
@@ -195,7 +195,7 @@ When you create installation media or images for client computers that will be a Installation media from Microsoft for Enterprise editions of the Windows operating system may already contain the GVLK. One GVLK is available for each type of installation. Note that the GLVK will not activate the software against Microsoft activation servers, only against a KMS or Active Directory-based activation object. In other words, the GVLK does not work unless a valid KMS host key can be found. GVLKs are the only product keys that do not need to be kept confidential. -Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](http://technet.microsoft.com/library/jj612867.aspx). +Typically, you will not need to manually enter a GVLK unless a computer has been activated with a MAK or a retail key and it is being converted to a KMS activation or to Active Directory-based activation. If you need to locate the GVLK for a particular client edition, see [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx). ### Multiple activation keys diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 6ceeb3ef51..7d3667d5c6 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md 
@@ -38,9 +38,9 @@ When you purchase Windows 10 Enterprise E3 via a partner, you get the followin How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? -- [Microsoft Volume Licensing](http://www.microsoft.com/en-us/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. +- [Microsoft Volume Licensing](https://www.microsoft.com/en-us/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. -- [Software Assurance](http://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: +- [Software Assurance](https://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. @@ -82,7 +82,7 @@ Windows 10 Enterprise edition has a number of features that are unavailable in
            3. **Improved protection against persistent threats**.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

            4. **Improved manageability**.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

          -

          For more information, see [Protect derived domain credentials with Credential Guard](http://technet.microsoft.com/itpro/windows/keep-secure/credential-guard).

          +

          For more information, see [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard).

          \* Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

          @@ -154,15 +154,15 @@ You can implement Credential Guard on Windows 10 Enterprise devices by turning - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). - - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](http://www.microsoft.com/download/details.aspx?id=53337). + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). You can automate these manual steps by using a management tool such as System Center Configuration Manager. For more information about implementing Credential Guard, see the following resources: -- [Protect derived domain credentials with Credential Guard](http://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) -- [PC OEM requirements for Device Guard and Credential Guard](http://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) -- [Device Guard and Credential Guard hardware readiness tool](http://www.microsoft.com/download/details.aspx?id=53337) +- [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) +- [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) +- [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337) \* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)* 
@@ -187,7 +187,7 @@ Now that the devices have Windows 10 Enterprise, you can implement Device Guard For more information about implementing Device Guard, see: - [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) -- [Device Guard deployment guide](http://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) +- [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) ### AppLocker management @@ -228,7 +228,7 @@ For more information about deploying UE-V, see the following resources: - [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows) - [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started) -- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) +- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) ### Managed User Experience @@ -238,12 +238,12 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f | Feature | Description | |------------------|-----------------| -| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
          For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](http://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | -| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
          For more information on these settings, see [Unbranded Boot](http://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | -| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
          For more information on these settings, see [Custom Logon](http://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | -| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
          For more information on these settings, see [Shell Launcher](http://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | -| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
          For more information on these settings, see [Keyboard Filter](http://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | -| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
          For more information on these settings, see [Unified Write Filter](http://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | +| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
          For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
          For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
          For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
          For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
          For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
          For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | ## Related topics diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 8fc0be6586..5c76526147 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -1,5 +1,5 @@ --- -title: Windows 10 volume license media +title: Windows 10 volume license media description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. keywords: deploy, upgrade, update, software, media ms.prod: w10 
@@ -17,13 +17,13 @@ author: greg-lindsay - Windows 10 -With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](http://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. +With each release of Windows 10, volume license media is made available on the [Volume Licensing Service Center](https://www.microsoft.com/vlsc) (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. This topic provides a description of volume license media, and describes some of the changes that have been implemented with the current release of Windows 10. ## Windows 10 media To download Windows 10 installation media from the VLSC, use the product search filter to find “Windows 10.”  A list of products will be displayed. The page then allows you to use your search results to download products, view keys, and view product and key descriptions. -When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness). +When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness). >If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/en-us/windows/release-info.aspx). 
@@ -57,8 +57,8 @@ This Semi-Annual Channel release of Windows 10 continues the Windows as a servic ### Language packs -- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads.  -- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. +- **Windows 10 versions 1507 and 1511**: you can select **Windows 10 Enterprise Language Pack**, click **Download** and then select **English** and **64-bit** to see these downloads.  +- **Windows 10 1607 and later**: you must select **Multilanguage** from the drop-down list of languages. See the following example for Windows 10, version 1709: @@ -66,7 +66,7 @@ See the following example for Windows 10, version 1709: ### Features on demand -[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. +[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above. Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image. diff --git a/windows/deployment/windows-10-missing-fonts.md b/windows/deployment/windows-10-missing-fonts.md index 873e4cfd56..46a39d7a66 100644 --- a/windows/deployment/windows-10-missing-fonts.md +++ b/windows/deployment/windows-10-missing-fonts.md 
@@ -35,7 +35,7 @@ If you want to use these fonts, you can enable the optional feature to add these ## Installing language-associated features via language settings: -If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. +If you want to use the fonts from the optional feature and you know that you will want to view Web pages, edit documents, or use apps in the language associated with that feature, add that language into your user profile. You do this the Settings app. For example, here are the steps to install the fonts associated with the Hebrew language: @@ -93,7 +93,7 @@ Here is a comprehensive list of the font families in each of the optional featur ## Related Topics -[Download the list of all available language FODs](http://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) +[Download the list of all available language FODs](https://download.microsoft.com/download/0/A/A/0AA4342D-3933-4216-A90D-3BA8392FB1D1/Windows%2010%201703%20FOD%20to%20LP%20Mapping%20Table.xlsx) [Features On Demand V2 (Capabilities)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities#span-idrelatedtopicsspanrelated-topics) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 859188033c..0cfd6991e5 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -26,13 +26,13 @@ The PoC deployment guides are intended to provide a demonstration of Windows 10 Approximately 3 hours are required to configure the PoC environment. You will need a Hyper-V capable computer running Windows 8.1 or later with at least 16GB of RAM. Detailed [requirements](#hardware-and-software-requirements) are provided below. You will also need to have a [Microsoft account](https://www.microsoft.com/account) to use for downloading evaluation software. -Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. +Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. ->Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. +>Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. ->A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. +>A Windows PowerShell window can be used to run all commands in this guide. 
However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. -Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. +Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. ## In this guide 
@@ -40,7 +40,7 @@ This guide contains instructions for three general procedures: Install Hyper-V, After completing the instructions in this guide, you will have a PoC environment that enables you to test Windows 10 deployment procedures by following instructions in companion guides that are written to use the PoC environment. Links are provided to download trial versions of Windows Server 2012, Windows 10 Enterprise, and all deployment tools necessary to complete the lab. -Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed. +Topics and procedures in this guide are summarized in the following table. An estimate of the time required to complete each procedure is also provided. Time required to complete procedures will vary depending on the resources available to the Hyper-V host and assigned to VMs, such as processor speed, memory allocation, disk speed, and network speed.
          @@ -65,7 +65,7 @@ Topics and procedures in this guide are summarized in the following table. An es ## Hardware and software requirements -One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. +One computer that meets the hardware and software specifications below is required to complete the guide; A second computer is recommended to validate the upgrade process. - **Computer 1**: the computer you will use to run Hyper-V and host virtual machines. This computer should have 16 GB or more of installed RAM and a multi-core processor. - **Computer 2**: a client computer from your corporate network. It is shadow-copied to create a VM that can be added to the PoC environment, enabling you to test a mirror image of a computer on your network. If you do not have a computer to use for this simulation, you can download an evaluation VHD and use it to represent this computer. Subsequent guides use this computer to simulate Windows 10 replace and refresh scenarios, so the VM is required even if you cannot create this VM using computer 2. @@ -141,7 +141,7 @@ The lab architecture is summarized in the following diagram: ![PoC](images/poc.png) -- Computer 1 is configured to host four VMs on a private, PoC network. +- Computer 1 is configured to host four VMs on a private, PoC network. - Two VMs are running Windows Server 2012 R2 with required network services and tools installed. - Two VMs are client systems: One VM is intended to mirror a host on your corporate network (computer 2) and one VM is running Windows 10 Enterprise to demonstrate the hardware replacement scenario. 
@@ -164,10 +164,10 @@ The lab architecture is summarized in the following diagram: ### Verify support and install Hyper-V -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. 1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - +
               C:\>systeminfo
           
          @@ -176,13 +176,13 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
                                          Virtualization Enabled In Firmware: Yes
                                          Second Level Address Translation: Yes
                                          Data Execution Prevention Available: Yes
          -    
          - - In this example, the computer supports SLAT and Hyper-V. - + + + In this example, the computer supports SLAT and Hyper-V. + If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/en-us/library/cc731397.aspx) tool, or you can download the [coreinfo](http://technet.microsoft.com/en-us/sysinternals/cc835722) utility and run it, as shown in the following example: + You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/en-us/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/en-us/sysinternals/cc835722) utility and run it, as shown in the following example:
               C:\>coreinfo -v
          @@ -197,22 +197,22 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
               HYPERVISOR      -       Hypervisor is present
               VMX             *       Supports Intel hardware-assisted virtualization
               EPT             *       Supports Intel extended page tables (SLAT)
          -    
          + Note: A 64-bit operating system is required to run Hyper-V. 2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
          Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
          - + This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
          Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
          - + When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. - + >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - + ![hyper-v feature](images/hyper-v-feature.png) ![hyper-v](images/svr_mgr2.png) @@ -223,7 +223,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account. -1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. +1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory. **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately. 
@@ -235,14 +235,14 @@ When you have completed installation of Hyper-V on the host computer, begin conf 2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**. -4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. +4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host. - >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. + >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**. -5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. +5. Rename the ISO file that you downloaded to **w10-enterprise.iso**. Again, this is done so that the filename is simple to type and recognize. After completing registration you will be able to download the 3.63 GB Windows 10 Enterprise evaluation ISO. 
After completing these steps, you will have three files in the **C:\VHD** directory: **2012R2-poc-1.vhd**, **2012R2-poc-2.vhd**, **w10-enterprise.iso**. - + The following displays the procedures described in this section, both before and after downloading files:
          @@ -267,7 +267,7 @@ If you do not have a PC available to convert to VM, perform the following steps
           
          1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page. -
          2. Under **Virtual machine**, choose **IE11 on Win7**. +
          3. Under **Virtual machine**, choose **IE11 on Win7**.
          4. Under **Select platform** choose **HyperV (Windows)**.
          5. Click **Download .zip**. The download is 3.31 GB.
          6. Extract the zip file. Three directories are created. @@ -279,7 +279,7 @@ If you do not have a PC available to convert to VM, perform the following steps If you have a PC available to convert to VM (computer 2): -1. Sign in on computer 2 using an account with Administrator privileges. +1. Sign in on computer 2 using an account with Administrator privileges. >Important: the account used in this step must have local administrator privileges. You can use a local computer account, or a domain account with administrative rights if domain policy allows the use of cached credentials. After converting the computer to a VM, you must be able to sign in on this VM with administrator rights while the VM is disconnected from the corporate network. @@ -315,7 +315,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio -If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. +If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to a generation 1 VM. Otherwise, it can be converted to a generation 2 VM. - To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**. - To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command: @@ -434,8 +434,8 @@ Notes:
            >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkboxes next to the **C:\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. Select the checkboxes next to the **C:\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: ![disk2vhd](images/disk2vhd.png) @@ -464,7 +464,7 @@ Notes:
            This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). -3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. 4. Select the checkboxes next to the **C:\** and the **S:\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. @@ -491,7 +491,7 @@ Notes:
            >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. -2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. +2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. 3. Select the checkbox next to the **C:\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: @@ -547,7 +547,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 1. Open an elevated Windows PowerShell window and type the following command to create two virtual switches named "poc-internal" and "poc-external": >If the Hyper-V host already has an external virtual switch bound to a physical NIC, do not attempt to add a second external virtual switch. Attempting to add a second external switch will result in an error indicating that the NIC is **already bound to the Microsoft Virtual Switch protocol.** In this case, choose one of the following options:
            -    A) Remove the existing external virtual switch, then add the poc-external switch
            +    A) Remove the existing external virtual switch, then add the poc-external switch
               B) Rename the existing external switch to "poc-external"
               C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
            If you choose B) or C), then do not run the second command below. @@ -556,9 +556,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network" New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
          - + **Note**: The second command above will temporarily interrupt network connectivity on the Hyper-V host. - + >Since an external virtual switch is associated to a physical network adapter on the Hyper-V host, this adapter must be specified when adding the virtual switch. The previous commands automate this by filtering for active non-virtual ethernet adapters using the Get-NetAdapter cmdlet ($_.Status -eq "Up" -and !$_.Virtual). If your Hyper-V host is dual-homed with multiple active ethernet adapters, this automation will not work, and the second command above will fail. In this case, you must edit the command used to add the "poc-external" virtual switch by inserting the appropriate NetAdapterName. The NetAdapterName value corresponds to the name of the network interface you wish to use. For example, if the network interface you use on the Hyper-V host to connect to the Internet is named "Ethernet 2" then type the following command to create an external virtual switch: New-VMSwitch -Name poc-external -NetAdapterName "Ethernet 2" -Notes "PoC External" 2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host: @@ -576,9 +576,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 2775.5 - In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. + In this example, VMs can use a maximum of 2700 MB of RAM each, to run four VMs simultaneously. -4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. +4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later. >**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
          @@ -591,8 +591,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
               Set-VMMemory -VMName "SRV1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 80
               Enable-VMIntegrationService -Name "Guest Service Interface" -VMName SRV1
               
          - - **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. + + **Note**: The RAM values assigned to VMs in this step are not permanent, and can be easily increased or decreased later if needed to address performance issues. 5. Using the same elevated Windows PowerShell prompt that was used in the previous step, type one of the following sets of commands, depending on the type of VM that was prepared in the [Determine VM generation](#determine-vm-generation) section, either generation 1, generation 2, or generation 1 with GPT. @@ -640,7 +640,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to vmconnect localhost PC1 - The VM will automatically boot into Windows Setup. In the PC1 window: + The VM will automatically boot into Windows Setup. In the PC1 window: 1. Click **Next**. 2. Click **Repair your computer**. @@ -668,7 +668,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to exit - 7. Type the following commands to restore the OS image and boot files: + 7. Type the following commands to restore the OS image and boot files:
               dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
          @@ -685,7 +685,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
               Set-VMDvdDrive -VMName PC1 -Path $null
               
          -### Configure VMs
+### Configure VMs
 1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
@@ -694,8 +694,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 vmconnect localhost DC1
-2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of **pass@word1**, and click **Finish**.
-3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
+2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of **pass@word1**, and click **Finish**.
+3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
 4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: 
@@ -812,11 +812,11 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to ![PoC](images/installing-drivers.png) - >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. + >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease. 16. When the new network adapter driver has completed installation, you will receive an alert to set a network location for the contoso.com network. Select **Work network** and then click **Close**. When you receive an alert that a restart is required, click **Restart Later**. -17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. +17. Open an elevated Windows PowerShell prompt on PC1 and verify that the client VM has received a DHCP lease and can communicate with the consoto.com domain controller. To open Windows PowerShell on Windows 7, click **Start**, and search for "**power**." Right-click **Windows PowerShell** and then click **Pin to Taskbar** so that it is simpler to use Windows Powershell during this lab. Click **Windows PowerShell** on the taskbar, and then type **ipconfig** at the prompt to see the client's current IP address. Also type **ping dc1.contoso.com** and **nltest /dsgetdc:contoso.com** to verify that it can reach the domain controller. See the following examples of a successful network connection: 
@@ -853,7 +853,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to >If PC1 is running Windows 7, enhanced session mode might not be available, which means that you cannot copy and paste commands from the Hyper-V host to a Windows PowerShell prompt on PC1. However, it is possible to use integration services to copy a file from the Hyper-V host to a VM. The next procedure demonstrates this. If the Copy-VMFile command fails, then type the commands below at an elevated Windows PowerShell prompt on PC1 instead of saving them to a script to run remotely. If PC1 is running Windows 8 or a later operating system, you can use enhanced session mode to copy and paste these commands instead of typing them. -18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane: +18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
               (Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
          @@ -864,8 +864,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
               Restart-Computer
               
          - >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. - + >If you do not see the script pane, click **View** and verify **Show Script Pane Top** is enabled. Click **File** and then click **New**. + See the following example: ![ISE](images/ISE.png) @@ -879,20 +879,20 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. - + If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file. 21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
          -    Get-Content c:\pc1.ps1 | powershell.exe -noprofile - 
          +    Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
               
          >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer. 22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section. >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing. -23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. +23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. 
Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. 24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
          @@ -948,7 +948,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
               In this example, the poc-internal network interface at 192.168.0.2 is associated with the "Ethernet" interface and the Internet-facing poc-external interface is associated with the "Ethernet 2" interface. If your interfaces are different, you must adjust the commands provided in the next step appropriately to configure routing services. Also note that if the "Ethernet 2" interface has an IP address in the 192.168.0.100-105 range then it likely is getting a DHCP lease from DC1 instead of your corporate network. If this is the case, you can try removing and re-adding the second network interface from the SRV1 VM through its Hyper-V settings.
           
               >[!TIP]
          -    >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name. 
          +    >Sometimes a computer will have hidden, disconnected interfaces that prevent you from naming a network adapter. When you attempt to rename an adapter, you will receive an error that the adapter name already exists. These disconnected devices can be viewed in device manager by clicking **View** and then clicking **Show hidden devices**. The disconnected device can then be uninstalled, enabling you to reuse the adapter name.
           
           
           31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
          @@ -956,7 +956,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
               
               Install-RemoteAccess -VpnType Vpn
               cmd /c netsh routing ip nat install
          -    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL 
          +    cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
               cmd /c netsh routing ip nat add interface name="Ethernet" mode=PRIVATE
               cmd /c netsh routing ip nat add interface name="Internal" mode=PRIVATE
               
          @@ -973,8 +973,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to ping www.microsoft.com
          - If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. - + If you see "Ping request could not find host www.microsoft.com" on PC1 and DC1, but not on SRV1, then you will need to configure a server-level DNS forwarder on SRV1. To do this, open an elevated Windows PowerShell prompt on SRV1 and type the following command. + **Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
          @@ -998,7 +998,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
                   Minimum = 1ms, Maximum = 3ms, Average = 2ms
               
          -35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
+35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
 36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
          @@ -1032,7 +1032,7 @@ Use the following procedures to verify that the PoC environment is configured pr
               **Resolve-DnsName** displays public IP address results for www.microsoft.com.
          **Get-DhcpServerInDC** displays 192.168.0.1, dc1.contoso.com.
          **Get-DhcpServerv4Statistics** displays 1 scope with 2 addresses in use (these belong to PC1 and the Hyper-V host).
          - **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
+ **ipconfig** displays a primary DNS suffix and suffix search list of contoso.com, IP address of 192.168.0.1, subnet mask of 255.255.255.0, default gateway of 192.168.0.2, and DNS server addresses of 192.168.0.1 and 192.168.0.2.
 2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
@@ -1080,7 +1080,7 @@ Use the following procedures to verify that the PoC environment is configured pr
 Hyper-V hostThe computer where Hyper-V is installed.
 Hyper-V ManagerThe user-interface console used to view and configure Hyper-V.
 MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format.
-Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
+Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process.
 Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes.
 Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host.
 Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host.
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index 1be1e7f1ff..992d9f7c5a 100644 
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -1,5 +1,5 @@
 ---
-title: Windows 10 Pro in S mode
+title: Switch to Windows 10 Pro/Enterprise from S mode
 description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
 keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
 ms.mktglfcycl: deploy 
@@ -7,47 +7,17 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 04/30/2018 +ms.date: 08/30/2018 author: Mikeblodge --- -# Windows 10 Pro/Enterprise in S mode +# Switch to Windows 10 Pro/Enterprise from S mode -S mode is an enhanced security mode of Windows 10. Windows 10 Pro and Enterprise in S mode powers affordable, cloud-ready devices that are simple, secure, and efficient. Users can get started quickly, thanks to self-service deployment and a familiar Windows experience. Low-price S mode devices offer tailored solutions for kiosks, digital signs, and task work. If your device is running Windows 10, version 1709, or Windows 10, version 1803, you can switch from Windows 10 in S mode to Windows 10 Pro. - -## Benefits of Windows 10 Pro in S mode: - -- **Microsoft-verified security** - It reduces risk of malware and exploitations because only Microsoft-verified apps can be installed including Windows Defender Antivirus. -- **Performance that lasts** - Provides all-day battery life to keep workers on task and not tripping over cords. Also, verified apps won’t degrade device performance over time. -- **Streamlined for speed** - Offers faster log-in times with Windows Hello. Plus, workers get all the exclusive Windows innovations including Cortana and Windows Ink. - -| |Home |S mode |Pro/Pro Education |Enterprise/Education | -|---------|:---:|:---:|:---:|:---:| -|Start Menu/Hello/Cortana/
          Windows Ink/Microsoft Edge | X | X | X | X | -|Store apps (including Windows
          desktop bridge apps) | X | X | X | X | -|Windows Update | X | X | X | X | -|Device Encryption | X | X | X | X | -|BitLocker | | X | X | X | -|Windows Update for Business | | X | X | X | -|Microsoft Store for Education | | X | X | X | -|Mobile Device Management
          and Azure AD join | | X | X | X | -|Group Policy management and
          Active Directory Domain Services | | | X | X | -|Desktop (Windows 32) Apps | X | | X | X | -|Change App Defaults
          Search/Browser/Photos/etc. | X | | X | X | -|Credential Guard | | | | X | -|Device Guard | | | | X | - -## Keep Line of Business apps functioning with Desktop Bridge -Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels. - -[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root) +We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. > [!IMPORTANT] > While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. -### Windows 10 in S mode is safe, secure, and fast. -We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. - ## How to switch If you’re running Windows 10, version 1709 or version 1803, you can switch to Windows 10 Pro through the Microsoft Store. Devices running version 1803 will only be able to switch through the Store one device at a time. 
@@ -56,6 +26,15 @@ If you’re running Windows 10, version 1709 or version 1803, you can switch to 3. In the offer, click **Buy**, **Get**, OR **Learn more.** You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro. +## Keep Line of Business apps functioning with Desktop Bridge +Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels. + +[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root) + +## Repackage win32 apps into the MSIX format +The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store. + +[Explore MSIX app Packaging Tool](https://docs.microsoft.com/en-us/windows/application-management/msix-app-packaging-tool) ## Related topics diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md index 4d4c929919..05a2b022ab 100644 --- a/windows/deployment/windows-adk-scenarios-for-it-pros.md +++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md 
@@ -13,68 +13,68 @@ ms.date: 07/27/2017 # Windows ADK for Windows 10 scenarios for IT Pros -The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](http://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). +The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx). -In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](http://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). +In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx). Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center. ### Create a Windows image using command-line tools -[DISM](http://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. +[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images. 
Here are some things you can do with DISM: -- [Mount an offline image](http://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) -- [Add drivers to an offline image](http://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) -- [Enable or disable Windows features](http://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) -- [Add or remove packages](http://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) -- [Add language packs](http://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) -- [Add Universal Windows apps](http://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) -- [Upgrade the Windows edition](http://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) +- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx) +- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx) +- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx) +- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx) +- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx) +- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx) +- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx) -[Sysprep](http://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. +[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation. 
Here are some things you can do with Sysprep: -- [Generalize a Windows installation](http://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) -- [Customize the default user profile](http://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) -- [Use answer files](http://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) +- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx) +- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx) +- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx) -[Windows PE (WinPE)](http://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. +[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system. Here are ways you can create a WinPE image: -- [Create a bootable USB drive](http://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) -- [Create a Boot CD, DVD, ISO, or VHD](http://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) +- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) +- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx) -[Windows Recovery Environment (Windows RE)](http://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. 
+[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems. Here are some things you can do with Windows RE: -- [Customize Windows RE](http://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) -- [Push-button reset](http://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) +- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx) +- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx) -[Windows System Image Manager (Windows SIM)](http://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. +[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation. 
Here are some things you can do with Windows SIM: -- [Create answer file](http://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) -- [Add a driver path to an answer file](http://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) -- [Add a package to an answer file](http://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) -- [Add a custom command to an answer file](http://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) +- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) +- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx) +- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx) +- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx) -For a list of settings you can change, see [Unattended Windows Setup Reference](http://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. +For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center. ### Create a Windows image using Windows ICD -Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](http://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. +Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image. 
Here are some things you can do with Windows ICD: -- [Build and apply a provisioning package](http://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) -- [Export a provisioning package](http://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) -- [Build and deploy an image for Windows 10 for desktop editions](http://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) +- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx) +- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx) +- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx) ### IT Pro Windows deployment tools diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 13ef2ce85b..ac183ef6d1 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -17,7 +17,6 @@ ### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) ### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) -### [Administering Autopilot via Partner Center](https://msdn.microsoft.com/partner-center/autopilot) ## Getting started ### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md) ## [Troubleshooting](troubleshooting.md) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index f01143dd4c..d494ef7054 100644 --- a/windows/deployment/windows-autopilot/add-devices.md 
+++ b/windows/deployment/windows-autopilot/add-devices.md @@ -4,7 +4,7 @@ description: How to add devices to Windows Autopilot keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: coreyp-at-msft @@ -44,7 +44,10 @@ To use this script, you can download it from the PowerShell Gallery and run it o *Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv* -Note that you must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information. +You must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information. + +>[!NOTE] +>With Windows 10 version 1803 and above, devices will download an Autopilot profile as soon as they connect to the internet. For devices that are not yet registered with the Autopilot deployment service, a profile will be downloaded that indicates the device should not be deployed using Autopilot. If the device connects to the internet as part of the collection process, you will need to reset the PC, reimage the PC, or re-generalize the OS (using sysprep /generalize /oobe). ## Collecting the hardware ID from existing devices using System Center Configuration Manager 
diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md
index c5856a1af6..320afb60dd 100644
--- a/windows/deployment/windows-autopilot/configure-autopilot.md
+++ b/windows/deployment/windows-autopilot/configure-autopilot.md
@@ -4,7 +4,7 @@ description: How to configure Windows Autopilot deployment
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
 author: coreyp-at-msft
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
index a63c814e8c..2f7e82b15e 100644
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@@ -7,7 +7,7 @@ ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: coreyp-at-msft
 ms.author: coreyp
 ms.date: 06/01/2018
diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md
index fc61dba235..4868e24cd2 100644
--- a/windows/deployment/windows-autopilot/profiles.md
+++ b/windows/deployment/windows-autopilot/profiles.md
@@ -4,7 +4,7 @@ description: How to configure Windows Autopilot deployment
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
 author: coreyp-at-msft
diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/rip-and-replace.md
index b75fced878..0f85771ec9 100644
--- a/windows/deployment/windows-autopilot/rip-and-replace.md
+++ b/windows/deployment/windows-autopilot/rip-and-replace.md
@@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: low
 ms.sitesec: library
 ms.pagetype: deploy
 author: coreyp-at-msft
diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md
index 278068cc1c..deba1e8e5e 100644
--- a/windows/deployment/windows-autopilot/self-deploying.md
+++ b/windows/deployment/windows-autopilot/self-deploying.md
@@ -7,7 +7,7 @@ ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: coreyp-at-msft
 ms.author: coreyp
 ms.date: 06/01/2018
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index 6a9b183060..2ea0af92da 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -4,7 +4,7 @@ description: This topic goes over Windows Autopilot and how it helps setup OOBE
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
 author: coreyp-at-msft
diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md
index 9d2d62ae45..91d9bbf472 100644
--- a/windows/deployment/windows-autopilot/user-driven-aad.md
+++ b/windows/deployment/windows-autopilot/user-driven-aad.md
@@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: low
 ms.sitesec: library
 ms.pagetype: deploy
 author: coreyp-at-msft
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index 3f65705d3f..091783afa4 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: low
 ms.sitesec: library
 ms.pagetype: deploy
 author: coreyp-at-msft
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md
index 761a0c5fe2..bb9b722bb6 100644
--- a/windows/deployment/windows-autopilot/user-driven.md
+++ b/windows/deployment/windows-autopilot/user-driven.md
@@ -4,7 +4,7 @@ description: Canonical Autopilot scenario
 keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
 author: coreyp-at-msft
diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md
index 794e515940..810bdf70be 100644
--- a/windows/deployment/windows-autopilot/windows-10-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-10-autopilot.md
@@ -1,7 +1,7 @@ --- title: Overview of Windows Autopilot description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: deploy author: coreyp-at-msft ms.author: coreyp -ms.date: 05/09/2018 +ms.date: 08/22/2018 --- # Overview of Windows Autopilot @@ -24,13 +24,13 @@ This solution enables an IT department to achieve the above with little to no in The following video shows the process of setting up Autopilot:
          - + ## Benefits of Windows Autopilot Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach. -From the users' perspective, it only takes a few simple operations to make their device ready to use. +From the users' perspective, it only takes a few simple operations to make their device ready to use. From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. @@ -38,7 +38,7 @@ From the IT pros' perspective, the only interaction required from the end user, ### Cloud-Driven -The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. +The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. #### The Windows Autopilot Deployment Program experience 
@@ -74,7 +74,7 @@ MDM enrollment ensures policies are applied, apps are installed and setting are #### Device registration and OOBE customization -To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. +To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. @@ -89,7 +89,6 @@ For guidance on how to register devices, configure and apply deployment profiles * [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) * [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) * [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) -* [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) ##### Configure company branding for OOBE @@ -116,7 +115,7 @@ To manage devices behind firewalls and proxy servers, the following URLs need to * https://account.live.com * https://signup.live.com * https://licensing.mp.microsoft.com -* https://licensing.md.mp.microsoft.com +* https://licensing.md.mp.microsoft.com * ctldl.windowsupdate.com * download.windowsupdate.com 
@@ -132,5 +131,5 @@ If you are planning to configure devices with traditional on-premises or cloud-b ### Teacher-Driven -If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](http://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. +If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md index ffc0f40009..919b0f5efa 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md @@ -4,7 +4,7 @@ description: This topic goes over Windows Autopilot and how it helps setup OOBE keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: coreyp-at-msft diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md index cb4b220902..8cd71d80c3 100644 
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md @@ -18,22 +18,19 @@ ms.date: 06/01/2018 Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory; it also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: -- Windows 10 version 1703 or higher must be used. The Professional, Professional for Education, Business, Enterprise, and Education editions are supported. - +- Windows 10 version 1703 or higher must be used. Supported editions are the following: + - Pro + - Pro Education + - Pro for Workstations + - Enterprise + - Education - One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality: - - Microsoft 365 Business subscriptions - - Microsoft 365 F1 subscriptions - - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune) - - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features - - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service) Additionally, the following are also recommended but not required: - - Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services) - - [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index 408201cc01..b8259e9016 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md 
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
@@ -7,7 +7,7 @@ ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: coreyp-at-msft
 ms.author: coreyp
 ms.date: 06/01/2018
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
index fe614b16a0..7efd53c9f0 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
@@ -7,7 +7,7 @@ ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: coreyp-at-msft
 ms.author: coreyp
 ms.date: 06/01/2018
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index 6093540d82..4417198067 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -7,7 +7,7 @@ ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype:
-ms.localizationpriority: high
+ms.localizationpriority: medium
 author: coreyp-at-msft
 ms.author: coreyp
 ms.date: 06/01/2018
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
index 2618056f2d..b832512df1 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
@@ -4,7 +4,7 @@ description: Listing of Autopilot scenarios keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: coreyp-at-msft diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index 9a147ba933..6a6cc2230e 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md @@ -1,5 +1,4 @@ # [Windows 10 and Windows 10 Mobile](index.md) -## [Get started](/windows/whats-new/whats-new-windows-10-version-1803) ## [What's new](/windows/whats-new) ## [Deployment](/windows/deployment) ## [Configuration](/windows/configuration) diff --git a/windows/hub/index.md b/windows/hub/index.md index adbc774252..531d071af4 100644 --- a/windows/hub/index.md +++ b/windows/hub/index.md @@ -8,7 +8,7 @@ author: greg-lindsay ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # Windows 10 and Windows 10 Mobile @@ -18,15 +18,16 @@ Find the latest how to and support content that IT pros need to evaluate, plan,   -> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false] + +> [!video https://www.youtube.com/embed/hAva4B-wsVA] -## Check out [what's new in Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803). +## Check out [what's new in Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809).
          diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index 05709993b8..a229e2df1a 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -5,7 +5,8 @@ ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) ## Basic level Windows diagnostic data events and fields -### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) +### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) +### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) ### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) ### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) ## Enhanced level Windows diagnostic data events and fields diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 2d9a36b358..371890febb 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md 
@@ -1,15 +1,15 @@ --- description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10) -keywords: privacy, diagnostic data +keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high -author: eross-msft -ms.author: lizross -ms.date: 03/13/2018 +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +ms.date: 09/10/2018 --- 
@@ -19,223 +19,22 @@ ms.date: 03/13/2018
 - Windows 10, version 1703
-The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level also helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
-Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles:
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information.
+The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+
+- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
+- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
 - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
 - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
->[!Note]
->Updated November 2017 to document new and modified events. We’ve added some new events and also added new fields to existing events to prepare for upgrades to the next release of Windows.
-## Common data extensions
-
-### Common Data Extensions.App
-
-The following fields are available:
-
-- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
-- **userId** The userID as known by the application.
-- **env** The environment from which the event was logged.
-- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
-
-
-### Common Data Extensions.CS
-
-The following fields are available:
-
-- **sig** A common schema signature that identifies new and modified event schemas.
-
-
-### Common Data Extensions.CUET
-
-The following fields are available:
-
-- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
-- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
-- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
-- **op** Represents the ETW Op Code.
-- **cat** Represents a bitmask of the ETW Keywords associated with the event.
-- **flags** Represents the bitmap that captures various Windows specific flags.
-- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
-- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event.
-- **bseq** Upload buffer sequence number in the format \:\
-- **mon** Combined monitor and event sequence numbers in the format \:\
-
-
-### Common Data Extensions.Device
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
-- **deviceClass** Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile.
-
-
-### Common Data Extensions.Envelope
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **name** Represents the uniquely qualified name for the event.
-- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
-- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
-- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
-- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  
The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
-- **iKey** Represents an ID for applications or other logical groupings of events.
-- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
-- **os** Represents the operating system name.
-- **osVer** Represents the OS version, and its format is OS dependent.
-- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
-- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
-- **cV** Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries.
-
-
-### Common Data Extensions.OS
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
-- **locale** Represents the locale of the operating system.
-- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
-
-
-### Common Data Extensions.User
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
-
-
-### Common Data Extensions.XBL
-
-
-
-The following fields are available:
-
-- **nbf** Not before time
-- **expId** Expiration time
-- **sbx** XBOX sandbox identifier
-- **dty** XBOX device type
-- **did** XBOX device ID
-- **xid** A list of base10-encoded XBOX User IDs.
-- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
-
-
-### Common Data Extensions.Consent UI Event
-
-This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
-
-The following fields are available:
-
-- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved.
-- **splitToken** Represents the flag used to distinguish between administrators and standard users.
-- **friendlyName** Represents the name of the file requesting elevation from low IL.
-- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on).
-- **exeName** Represents the name of the file requesting elevation from low IL.
-- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on.
-- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL.
-- **cmdLine** Represents the full command line arguments being used to elevate.
-- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL.
-- **Hash** Represents the hash of the file requesting elevation from low IL.
-- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL.
-- **telemetryFlags** Represents the details about the elevation prompt for CEIP data.
-- **timeStamp** Represents the time stamp on the file requesting elevation.
-- **fileVersionMS** Represents the major version of the file requesting elevation.
-- **fileVersionLS** Represents the minor version of the file requesting elevation.
-
-
-## Common data fields
-
-### Common Data Fields.MS.Device.DeviceInventory.Change
-
-These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event.
-
-The following fields are available:
-
-- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
-- **objectType** Indicates the object type that the event applies to.
-- **Action** The change that was invoked on a device inventory object.
-- **inventoryId** Device ID used for Compatibility testing
-
-
-### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings
-
-These fields are added whenever PreUpgradeSettings is included in the event.
-
-The following fields are available:
-
-- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed.
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
-- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed.
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
-- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
-- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed.
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
-- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed.
-- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
-- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update.
-- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
-- **HKLM_TIPC.Enabled** The state of TIPC for the device.
-- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
-- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
-- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
-- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed?
-- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed?
-- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
-- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adverising ID enabled for the device?
-- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
-- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
-- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
-
-
-### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings
-
-These fields are added whenever PostUpgradeSettings is included in the event.
-
-The following fields are available:
-
-- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed.
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
-- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed.
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
-- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
-- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed.
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
-- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed.
-- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
-- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update.
-- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
-- **HKLM_TIPC.Enabled** The state of TIPC for the device.
-- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
-- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
-- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
-- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed?
-- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed?
-- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
-- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
-- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
-- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
-- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
 ## Appraiser events
@@ -246,93 +45,46 @@ This event lists the types of objects and how many of each exist on the client d
 The following fields are available:
-- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. on this device.
-- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
-- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
+- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
+- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
 - **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
-- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
-- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
-- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
-- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
-- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
-- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
-- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
-- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
-- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device.
-- **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device.
-- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device.
-- **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device.
-- **InventorySystemBios** The total InventorySystemBios objects that are present on this device.
-- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device.
-- **SystemProcessorLahfSahf** The total SystemProcessorLahfSahf objects that are present on this device.
-- **SystemMemory** The total SystemMemory objects that are present on this device.
-- **SystemProcessorPrefetchW** The total SystemProcessorPrefetchW objects that are present on this device.
-- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device.
-- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device.
-- **SystemWlan** The total SystemWlan objects that are present on this device.
-- **SystemWim** The total SystemWim objects that are present on this device
-- **SystemTouch** The total SystemTouch objects that are present on this device.
-- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device.
-- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
-
-
-### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureIdHashSha256
-
-This event lists the types of objects and the hashed values of all the identifiers for each one. This allows for a more in-depth way to ensure that the records present on the server match what is present on the client.
-
-The following fields are available:
-
-- **DatasourceApplicationFile_RS3** The total DatasourceApplicationFile objects targeting the next release of Windows on this device.
-- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
-- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
-- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
-- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
-- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
-- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
-- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
-- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
-- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
-- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
-- **PCFP** An ID for the system that is calculated by hashing hardware identifiers.
-- **InventoryApplicationFile** The SHA256 hash of InventoryApplicationFile objects that are present on this device.
-- **InventoryMediaCenter** The SHA256 hash of InventoryMediaCenter objects that are present on this device.
-- **InventoryLanguagePack** The SHA256 hash of InventoryLanguagePack objects that are present on this device.
-- **InventoryUplevelDriverPackage** The SHA256 hash of InventoryUplevelDriverPackage objects that are present on this device.
-- **InventorySystemBios** The SHA256 hash of InventorySystemBios objects that are present on this device.
-- **SystemProcessorCompareExchange** The SHA256 hash of SystemProcessorCompareExchange objects that are present on this device.
-- **SystemProcessorLahfSahf** The SHA256 hash of SystemProcessorLahfSahf objects that are present on this device.
-- **SystemMemory** The SHA256 hash of SystemMemory objects that are present on this device.
-- **SystemProcessorPrefetchW** The SHA256 hash of SystemProcessorPrefetchW objects that are present on this device.
-- **SystemProcessorSse2** The SHA256 hash of SystemProcessorSse2 objects that are present on this device.
-- **SystemProcessorNx** The SHA256 hash of SystemProcessorNx objects that are present on this device.
-- **SystemWlan** The SHA256 hash of SystemWlan objects that are present on this device.
-- **SystemWim** The SHA256 hash of SystemWim objects that are present on this device.
-- **SystemTouch** The SHA256 hash of SystemTouch objects that are present on this device.
-- **SystemWindowsActivationStatus** The SHA256 hash of SystemWindowsActivationStatus objects that are present on this device.
-- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
+- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
+- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows
+- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows
+- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows
+- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows
+- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
+- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
+- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows
+- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows
+- **SystemWlan** The count of InventoryApplicationFile objects present on this machine.
+- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
 ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
-This event sends compatibility information about a file to help keep Windows up-to-date.
+Represents the basic metadata about specific application files installed on the system.
 The following fields are available:
 - **AppraiserVersion** The version of the appraiser file that is generating the events.
-- **AvDisplayName** If it is an anti-virus app, this is its display name.
+- **AvDisplayName** If the app is an anti-virus app, this is its display name.
 - **CompatModelIndex** The compatibility prediction for this file.
-- **HasCitData** Is the file present in CIT data?
-- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
+- **HasCitData** Indicates whether the file is present in CIT data.
+- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file.
 - **IsAv** Is the file an anti-virus reporting EXE?
-- **ResolveAttempted** This will always be an empty string when sending diagnostic data.
+- **ResolveAttempted** This will always be an empty string when sending telemetry.
 - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
@@ -340,6 +92,8 @@ The following fields are available:
 This event indicates that the DatasourceApplicationFile object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -349,6 +103,8 @@ The following fields are available:
 This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -356,16 +112,18 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
-This event sends compatibility data for a PNP device, to help keep Windows up-to-date.
+This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
 The following fields are available:
+- **ActiveNetworkConnection** Indicates whether the device is an active network device.
 - **AppraiserVersion** The version of the appraiser file generating the events.
-- **ActiveNetworkConnection** Is the device an active network device?
-- **IsBootCritical** Is the device boot critical?
+- **IsBootCritical** Indicates whether the device boot is critical.
 - **SdbEntries** An array of fields indicating the SDB entries that apply to this device.
-- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update?
-- **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver.
+- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update.
+- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver.
+- **WuDriverUpdateID** The Update ID of the applicable uplevel driver from Windows Update.
+- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update.
 - **WuPopulatedFromID** The expected uplevel driver matching ID based on driver coverage from Windows Update.
@@ -373,6 +131,8 @@ The following fields are available:
 This event indicates that the DatasourceDevicePnp object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -382,6 +142,8 @@ The following fields are available: This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -389,18 +151,19 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd -This event sends compatibility database data about driver packages to help keep Windows up-to-date. +This event sends compatibility database data about driver packages to help keep Windows up to date. The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this driver package. ### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove This event indicates that the DatasourceDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -410,6 +173,8 @@ The following fields are available: This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -422,13 +187,14 @@ This event sends blocking data about any compatibility blocking entries hit on t The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove This event indicates that the DataSourceMatchingInfoBlock object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -438,6 +204,8 @@ The following fields are available: This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -450,13 +218,14 @@ This event sends compatibility database information about non-blocking compatibi The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove This event indicates that the DataSourceMatchingInfoPassive object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -466,6 +235,8 @@ The following fields are available: This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -478,13 +249,14 @@ This event sends compatibility database information about entries requiring rein The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -494,6 +266,8 @@ The following fields are available: This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -513,6 +287,8 @@ The following fields are available: This event indicates that the DatasourceSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -522,6 +298,8 @@ The following fields are available: This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -533,9 +311,9 @@ This event sends compatibility decision data about a file to help keep Windows u The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. +- **AppraiserVersion** The version of the appraiser file that is generating the events. - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? @@ -556,7 +334,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -567,6 +347,8 @@ The following fields are available: This event indicates that a new set of DecisionApplicationFileAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -574,16 +356,16 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up-to-date. +This event sends compatibility decision data about a PNP device to help keep Windows up to date. The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. - **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? - **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? -- **BlockingDevice** Is this PNP device blocking upgrade? - **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? 
@@ -593,13 +375,14 @@ The following fields are available: - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? - **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove This event indicates that the DecisionDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -609,6 +392,8 @@ The following fields are available: This event indicates that the DecisionDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -616,7 +401,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd -This event sends decision data about driver package compatibility to help keep Windows up-to-date. +This event sends decision data about driver package compatibility to help keep Windows up to date. The following fields are available: @@ -632,6 +417,8 @@ The following fields are available: This event indicates that the DecisionDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -641,6 +428,8 @@ The following fields are available: This event indicates that a new set of DecisionDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -648,7 +437,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. The following fields are available: @@ -665,6 +454,8 @@ The following fields are available: This event indicates that the DecisionMatchingInfoBlock object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -674,6 +465,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -694,6 +487,8 @@ The following fields are available: This event Indicates that the DecisionMatchingInfoPassive object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -703,6 +498,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -710,7 +507,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date. +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. The following fields are available: @@ -725,6 +522,8 @@ The following fields are available: This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -734,6 +533,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -741,15 +542,15 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd -This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date. +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? - **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? -- **MediaCenterInUse** Is Windows Media Center actively being used? - **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? - **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? - **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? @@ -758,6 +559,8 @@ The following fields are available: This event indicates that the DecisionMediaCenter object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -767,6 +570,8 @@ The following fields are available: This event indicates that a new set of DecisionMediaCenterAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -774,7 +579,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd -This event sends compatibility decision data about the BIOS to help keep Windows up-to-date. +This event sends compatibility decision data about the BIOS to help keep Windows up to date. The following fields are available: @@ -787,6 +592,8 @@ The following fields are available: This event indicates that the DecisionSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -796,6 +603,8 @@ The following fields are available: This event indicates that a new set of DecisionSystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -803,12 +612,12 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning -The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. +This event indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. The following fields are available: -- **Time** The client time of the event. - **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Time** The client time of the event. ### Microsoft.Windows.Appraiser.General.GatedRegChange 
@@ -817,31 +626,28 @@ This event sends data about the results of running a set of quick-blocking instr The following fields are available: -- **Time** The client time of the event. +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **RegKey** The registry key name for which a result is being sent. - **RegValue** The registry value for which a result is being sent. -- **OldData** The previous data in the registry value before the scan ran. -- **NewData** The data in the registry value after the scan completed. +- **Time** The client time of the event. ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program. +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The following fields are available: -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BinaryType** A binary type. 
Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. - **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. - **CompanyName** The company name of the vendor who developed this file. - **FileId** A hash that uniquely identifies a file. - **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file? -- **IsAv** Is the file an anti-virus reporting EXE? - **LinkDate** The date and time that this file was linked on. - **LowerCaseLongPath** The full file path to the file that was inventoried on the device. - **Name** The name of the file that was inventoried. 
@@ -850,29 +656,13 @@ The following fields are available: - **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. - **Size** The size of the file (in hexadecimal bytes). -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd - -This event represents the drivers that an application installs. - -The following fields are available: - -- **InventoryVersion** The version of the inventory component -- **Programids** The unique program identifier the driver is associated with. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync - -This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. - ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove This event indicates that the InventoryApplicationFile object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -880,7 +670,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -889,19 +681,21 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd -This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date. +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Does this device have 2 or more language packs? -- **LanguagePackCount** How many language packs are installed? +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove This event indicates that the InventoryLanguagePack object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -911,6 +705,8 @@ The following fields are available: This event indicates that a new set of InventoryLanguagePackAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -936,6 +732,8 @@ The following fields are available: This event indicates that the InventoryMediaCenter object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -945,6 +743,8 @@ The following fields are available: This event indicates that a new set of InventoryMediaCenterAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -965,7 +765,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove -This event indicates that the InventorySystemBios object is no longer present. +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -976,6 +778,8 @@ The following fields are available: This event indicates that a new set of InventorySystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -985,29 +789,33 @@ The following fields are available: This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BootCritical** Is the driver package marked as boot critical? - **Build** The build value from the driver package. - **CatalogFile** The name of the catalog file within the driver package. -- **ClassGuid** The device class GUID from the driver package. - **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. - **Date** The date from the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2 - **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. - **VersionMajor** The major version of the driver package. - **VersionMinor** The minor version of the driver package. -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file, post-rename. -- **Revision** The revision of the driver package. 
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove This event indicates that the InventoryUplevelDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1017,60 +825,25 @@ The following fields are available: This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.IsOnlineTelemetryOutputter - -This event indicates if Appraiser was able to connect successfully to Windows Update to get driver availability information. - -The following fields are available: - -- **Time** The client time of the event. -- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. -- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? - - -### Microsoft.Windows.Appraiser.General.IsOnlineWuDriverDataSource - -This event indicates if Appraiser was able to connect to Windows Update to gather driver coverage information. - -The following fields are available: - -- **Time** The client time of the event. -- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. -- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? -- **TargetVersion** The abbreviated name for the OS version against which Windows Update was queried. - - ### Microsoft.Windows.Appraiser.General.RunContext -This event indicates what should be expected in the data payload. +This event indicates what should be expected in the data payload. The following fields are available: - **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data. -- **Time** The client time of the event. 
- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - - -### Microsoft.Windows.Appraiser.General.SetupAdlStatus - -This event indicates if Appraiser used data files from the setup image or more up-to-date data files downloaded from a Microsoft server. - -The following fields are available: - - **Time** The client time of the event. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Result** The last result of the operation to determine if there is a data file to download. -- **OneSettingsInitialized** Was the query to OneSettings, where the information is stored on if there is a data file to download, initialized? -- **Url** The URL of the data file to download. This will be an empty string if there is no data file to download. -- **UsingAlternateData** Is the client using alternate data file or using the data file in the setup image? ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd @@ -1093,6 +866,8 @@ The following fields are available: This event that the SystemMemory object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1102,6 +877,8 @@ The following fields are available: This event indicates that a new set of SystemMemoryAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1120,7 +897,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove -This event indicates that the SystemProcessorCompareExchange object is no longer present. +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1131,6 +910,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1149,7 +930,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove -This event indicates that the SystemProcessorLahfSahf object is no longer present. +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1160,6 +943,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1181,6 +966,8 @@ The following fields are available: This event indicates that the SystemProcessorNx object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1190,6 +977,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorNxAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1197,7 +986,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. The following fields are available: @@ -1210,6 +999,8 @@ The following fields are available: This event indicates that the SystemProcessorPrefetchW object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1219,6 +1010,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1226,7 +1019,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. The following fields are available: 
@@ -1239,6 +1032,8 @@ The following fields are available: This event indicates that the SystemProcessorSse2 object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1248,6 +1043,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorSse2Add events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1255,7 +1052,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemTouchAdd -This event sends data indicating whether the system supports touch, to help keep Windows up-to-date. +This event sends data indicating whether the system supports touch, to help keep Windows up to date. The following fields are available: @@ -1266,7 +1063,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemTouchRemove -This event indicates that the SystemTouch object is no longer present. +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1277,6 +1076,8 @@ The following fields are available: This event indicates that a new set of SystemTouchAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1284,7 +1085,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWimAdd -This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date. +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. The following fields are available: @@ -1295,7 +1096,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWimRemove -This event indicates that the SystemWim object is no longer present. +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1306,6 +1109,8 @@ The following fields are available: This event indicates that a new set of SystemWimAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1313,7 +1118,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd -This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date. +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. The following fields are available: @@ -1326,6 +1131,8 @@ The following fields are available: This event indicates that the SystemWindowsActivationStatus object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1335,6 +1142,8 @@ The following fields are available: This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1357,7 +1166,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanRemove -This event indicates that the SystemWlan object is no longer present. +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1368,6 +1179,8 @@ The following fields are available: This event indicates that a new set of SystemWlanAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1375,58 +1188,62 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date. +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. The following fields are available: -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **Time** The client time of the event. -- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. - **AppraiserProcess** The name of the process that launched Appraiser. - **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current diagnostic data run. +- **AuxFinal** Obsolete, always set to false. 
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **EnterpriseRun** Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **AuxFinal** Obsolete, always set to false -- **StoreHandleIsNotNull** Obsolete, always set to false -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. - **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. - **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. 
Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **TelementrySent** Indicates if diagnostic data was successfully sent. +- **RunResult** The hresult of the Appraiser telemetry run. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. - **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. -- **RunResult** The hresult of the Appraiser diagnostic data run. ### Microsoft.Windows.Appraiser.General.WmdrmAdd This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. 
Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. - **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. - **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. - **WmdrmPurchased** Indicates if the system has any files with permanent licenses. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **BlockingApplication** Same as NeedsDismissAction ### Microsoft.Windows.Appraiser.General.WmdrmRemove This event indicates that the Wmdrm object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1436,6 +1253,8 @@ The following fields are available: This event indicates that a new set of WmdrmAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1449,8 +1268,8 @@ This event sends version data about the Apps running on this device, to help kee The following fields are available: -- **IEVersion** Retrieves which version of Internet Explorer is running on this device. - **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** Retrieves which version of Internet Explorer is running on this device. ### Census.Battery @@ -1462,8 +1281,8 @@ The following fields are available: - **InternalBatteryCapablities** Represents information about what the battery is capable of doing. - **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. - **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. ### Census.Camera 
@@ -1482,23 +1301,22 @@ This event sends data about Azure presence, type, and cloud domain use in order The following fields are available: -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false -- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. -- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **IsDomainJoined** Indicates whether a machine is joined to a domain. -- **HashedDomain** The hashed representation of the user domain used for login. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier -- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **CDJType** Represents the type of cloud domain joined for the machine. -- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDERequirementMet** Represents if the device can do device encryption. -- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. 
- **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Represents the type of enrollment, such as MDM or Intune, for a particular device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. ### Census.Firmware 
@@ -1515,58 +1333,54 @@ The following fields are available: ### Census.Flighting -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date. +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. The following fields are available: -- **FlightIds** A list of the different Windows Insider builds on this device. -- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. -- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. -- **DeviceSampleRate** The diagnostic data sample rate assigned to the device. +- **DeviceSampleRate** The telemetry sample rate assigned to the device. - **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. - **SSRK** Retrieves the mobile targeting settings. ### Census.Hardware -This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date. +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. The following fields are available: +- **ActiveMicCount** The number of active microphones attached to the device. 
- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. - **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. - **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **InventoryId** The device ID used for compatibility testing. - **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. - **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. -- **OEMModelNumber** The device model number. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. - **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. - **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. - **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. - **OEMSerialNumber** The serial number of the device that is set by the manufacturer. - **PhoneManufacturer** The friendly name of the phone manufacturer. -- **SoCName** The firmware manufacturer of the device. -- **DUID** The device unique ID. -- **InventoryId** The device ID used for compatibility testing. -- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? - **PowerPlatformRole** The OEM preferred power management profile. 
It's used to help to identify the basic form factor of the device. -- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **SoCName** The firmware manufacturer of the device. - **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The diagnostic data level the user has opted into, such as Basic or Enhanced. -- **TelemetrySettingAuthority** Determines who set the diagnostic data level, such as GP, MDM, or the user. -- **DeviceForm** Indicates the form as per the device classification. -- **DigitizerSupport** Is a digitizer supported? -- **OEMModelBaseBoard** The baseboard model used by the OEM. -- **OEMModelSystemFamily** The system family set on the device by an OEM. -- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. -- **ActiveMicCount** The number of active microphones attached to the device. -- **OEMModelSystemVersion** The system model version set on the device by the OEM. -- **D3DMaxFeatureLevel** The supported Direct3D version. -- **Gyroscope** Indicates whether the device has a gyroscope. -- **Magnetometer** Indicates whether the device has a magnetometer. -- **NFCProximity** Indicates whether the device supports NFC. -- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + ### Census.Memory 
@@ -1584,21 +1398,21 @@ This event sends data about the mobile and cellular network used by the device ( The following fields are available: +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. 
The two fields represent phone with dual sim coverage. - **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. - **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. -- **NetworkCost** Represents the network cost associated with a connection. -- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. 
The two fields represent phone with dual sim coverage. -- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. - **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. ### Census.OS 
@@ -1607,40 +1421,39 @@ This event sends data about the operating system such as the version, locale, up
 The following fields are available:
+- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
+- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
 - **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
+- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **InstallLanguage** The first language installed on the user machine.
+- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode.
+- **IsEduData** Returns Boolean if the education data policy is enabled.
 - **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
 - **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
-- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **LanguagePacks** The list of language packages installed on the device.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
+- **OSEdition** Retrieves the version of the current OS.
 - **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
 - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
 - **OSSKU** Retrieves the Friendly Name of OS Edition. 
+- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
+- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines.
 - **OSTimeZoneBiasInMins** Retrieves the time zone set on machine.
 - **OSUILocale** Retrieves the locale of the UI that is currently used by the OS.
-- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
-- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
-- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
-- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode.
-- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
-- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
-- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
-- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
-- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
-- **ServiceProductKeyID** Retrieves the License key of the KMS
-- **LanguagePacks** The list of language packages installed on the device.
-- **InstallLanguage** The first language installed on the user machine.
-- **IsEduData** Returns Boolean if the education data policy is enabled.
-- **SharedPCMode** Returns Boolean for education devices used as shared cart
-- **SLICVersion** Returns OS type/version from SLIC table.
-- **SLICStatus** Whether a SLIC table exists on the device.
-- **OSEdition** Retrieves the version of the current OS.
-- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. 
- **ProductActivationResult** Returns Boolean if the OS Activation was successful.
-- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines.
-- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
+- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues.
+- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
+- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
 - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
-- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
-- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
-- **AssignedAccessStatus** The kiosk configuration mode.
+- **ServiceProductKeyID** Retrieves the License key of the KMS
+- **SharedPCMode** Returns Boolean for education devices used as shared cart
+- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **SLICStatus** Whether a SLIC table exists on the device.
+- **SLICVersion** Returns OS type/version from SLIC table.
 ### Census.Processor 
@@ -1649,19 +1462,14 @@ This event sends data about the processor (architecture, speed, number of cores,
 The following fields are available:
-- **KvaShadow** Microcode info of the processor.
-- **MMSettingOverride** Microcode setting of the processor.
-- **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
 - **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
 - **ProcessorCores** Retrieves the number of cores in the processor.
 - **ProcessorIdentifier** The processor identifier of a manufacturer.
 - **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
 - **ProcessorModel** Retrieves the name of the processor model.
 - **ProcessorPhysicalCores** Number of physical cores in the processor.
-- **ProcessorUpdateRevision** The microcode version.
 - **SocketCount** Number of physical CPU sockets of the machine.
-- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
 ### Census.Speech 
@@ -1670,15 +1478,15 @@ This event is used to gather basic speech settings on the device.
 The following fields are available:
-- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
-- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
-- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
-- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
-- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
-- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
-- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
-- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
-- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. 
+- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
 ### Census.Storage
@@ -1688,8 +1496,8 @@ This event sends data about the total capacity of the system volume and primary
 The following fields are available:
 - **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
-- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
 - **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
 ### Census.Userdefault
@@ -1698,8 +1506,8 @@ This event sends data about the current user's default preferences for browser a
 The following fields are available:
-- **DefaultBrowserProgId** The ProgramId of the current user's default browser
-- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
 ### Census.UserDisplay 
@@ -1716,8 +1524,8 @@ The following fields are available:
 - **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
 - **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
 - **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
-- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
 - **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
 - **VRAMDedicated** Retrieves the video RAM in MB.
 - **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
 - **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
@@ -1730,10 +1538,10 @@ This event sends data about the default app language, input, and display languag
 The following fields are available:
 - **DefaultAppLanguage** The current user Default App Language.
-- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
 - **DisplayLanguage** The current user preferred Windows Display Language.
-- **SpeechInputLanguages** The Speech Input languages installed on the device.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
 - **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
 ### Census.VM 
@@ -1742,13 +1550,11 @@ This event sends data indicating whether virtualization is enabled on the device
 The following fields are available:
-- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
-- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
 - **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
 - **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
-- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
-- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
-- **isVDI** Is the device using Virtual Desktop Infrastructure?
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
 ### Census.WU 
@@ -1757,29 +1563,23 @@ This event sends data about the Windows update server and other App store polici
 The following fields are available:
-- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
-- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
-- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
-- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
-- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
-- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
-- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
-- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
-- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
-- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades
-- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates
-- **WUPauseState** Retrieves WU setting to determine if updates are paused
-- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
-- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
-- **OSRollbackCount** The number of times feature updates have rolled back on the device.
-- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
 - **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
-- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? 
-- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
-- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
-- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
-- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
-- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
+- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUPauseState** Retrieves WU setting to determine if updates are paused. 
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
 ### Census.Xbox 
@@ -1788,66 +1588,211 @@ This event sends data about the Xbox Console, such as Serial Number and DeviceId
 The following fields are available:
-- **XboxLiveDeviceId** Retrieves the unique device id of the console.
-- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
-- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
 - **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId** Retrieves the unique device ID of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft.
-### Census.Security
-This event provides information on about security settings used to help keep Windows up-to-date and secure.
+## Common data extensions
+
+### Common Data Extensions.app
+
+Describes the properties of the running application. This extension could be populated by a client app or a web app.
+
+The following fields are available:
+
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **env** The environment from which the event was logged.
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **userId** The userID as known by the application.
+- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+
+
+### Common Data Extensions.container
+
+Describes the properties of the container for events logged within a container. 
+
+The following fields are available:
+
+- **localId** The device ID as known by the client.
+- **osVer** The operating system version.
+- **type** The container type. Examples: Process or VMHost
+
+
+### Common Data Extensions.cs
+
+Describes properties related to the schema of the event.
+
+The following fields are available:
+
+- **sig** A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.device
+
+Describes the device-related fields.
+
+The following fields are available:
+
+- **deviceClass** Represents the classification of the device, the device “family”. For example, Desktop, Server, or Mobile.
+- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+
+
+### Common Data Extensions.Envelope
+
+Represents an envelope that contains all of the common data extensions.
+
+The following fields are available:
+
+- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **appVer** Represents the version number of the application. Used to understand errors by version and usage by version across an app.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **data** Represents the optional unique diagnostic data for a particular event schema.
+- **epoch** ID used to help distinguish events in the sequence by indicating the current boot session.
+- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). 
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
+- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs).
+- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice).
+- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
+- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
+- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc).
+- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl).
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **name** Represents the uniquely qualified name for the event.
+- **os** The operating system name.
+- **osVer** The operating system version.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **seqNum** Used to track the absolute order of uploaded events.
+- **tags** A header for semi-managed extensions.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.os
+
+Describes some properties of the operating system. 
+
+The following fields are available:
+
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+
+
+### Common Data Extensions.user
+
+Describes the fields related to a user.
+
+The following fields are available:
+
+- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.utc
+
+Describes the properties that could be populated by a logging library on Windows.
+
+The following fields are available:
+
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
+- **op** Represents the ETW Op Code.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **sqmId** The Windows SQM ID.
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. 
+- **tickets** An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along with a batch of events.
+
+
+### Common Data Extensions.xbl
+
+Describes the fields that are related to XBOX Live.
+
+The following fields are available:
+
+- **claims** Any additional claims whose short claim name hasn't been added to this structure.
+- **did** XBOX device ID
+- **dty** XBOX device type
+- **dvr** The version of the operating system on the device.
+- **eid** A unique ID that represents the developer entity.
+- **exp** Expiration time
+- **ip** The IP address of the client device.
+- **nbf** Not before time
+- **pid** A comma separated list of PUIDs listed as base10 numbers.
+- **sbx** XBOX sandbox identifier
+- **sid** The service instance ID.
+- **sty** The service type.
+- **tid** The XBOX Live title ID.
+- **tvr** The XBOX Live title version.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+- **xid** A list of base10-encoded XBOX User IDs.
+
+
+## Common data fields
+
+### Ms.Device.DeviceInventoryChange
+
+Describes the installation state for all hardware and software components available on a particular device.
+
+The following fields are available:
+
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
-- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard. 
-- **CGRunning** Is Credential Guard running?
-- **DGState** A summary of the Device Guard state.
-- **HVCIRunning** Is HVCI running?
-- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
-- **SecureBootCapable** Is this device capable of running Secure Boot?
-- **VBSState** Is virtualization-based security enabled, disabled, or running?
 ## Diagnostic data events
 ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
 The following fields are available:
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
 - **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
 - **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry). 
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
 - **CanPerformScripting** True if UTC is allowed to perform scripting.
 - **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
 - **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
 ### TelClientSynthetic.AuthorizationInfo_Startup
-This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date.
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
 The following fields are available:
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
-- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups. 
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
 - **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
-- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
-- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
 - **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
 - **CanPerformScripting** True if UTC is allowed to perform scripting.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data client was last started.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
 ### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experiences and Telemetry component that uploads diagnostic data events. 
If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
 The following fields are available:
@@ -1855,10 +1800,10 @@ The following fields are available:
 - **CensusStartTime** Returns timestamp corresponding to last successful census run.
 - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
 - **LastConnectivityLossTime** Retrieves the last time the device lost free network.
+- **LastConntectivityLossTime** Retrieves the last time the device lost free network.
 - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
 - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
 - **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds.
-- **LastConntectivityLossTime** Retrieves the last time the device lost free network.
 ### TelClientSynthetic.HeartBeat_5 
@@ -1867,51 +1812,41 @@ This event sends data about the health and quality of the diagnostic data from t
 The following fields are available:
-- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
-- **EtwDroppedCount** The number of events dropped by the ETW layer of the diagnostic data client.
-- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the diagnostic data client.
-- **DecodingDroppedCount** The number of events dropped because of decoding failures.
-- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
-- **DbDroppedCount** The number of events that were dropped because the database was full.
-- **EventSubStoreResetCounter** The number of times the event database was reset.
-- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
-- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
-- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
-- **UploaderDroppedCount** The number of events dropped by the uploader layer of the diagnostic data client.
-- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
-- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
-- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component.
-- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
-- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
-- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
-- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
-- **EventsUploaded** The number of events that have been uploaded.
-- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
-- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
-- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
-- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
-- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
-- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
-- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
-- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
-- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
-- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
 - **AgentConnectionErrorsCount** The number of non-timeout errors associated with the host/agent channel.
-- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
-- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
-- **CensusTaskEnabled** Indicates whether Census is enabled.
 - **CensusExitCode** The last exit code of the Census task.
 - **CensusStartTime** The time of the last Census run.
-
-
-### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
-
-This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates.
-
-The following fields are available:
-
-- **PostUpgradeSettings** The privacy settings after a feature update.
-- **PreUpgradeSettings** The privacy settings before a feature update.
+- **CensusTaskEnabled** Indicates whether Census is enabled.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
+- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
+- **DbDroppedCount** The number of events that were dropped because the database was full.
+- **DecodingDroppedCount** The number of events dropped because of decoding failures.
+- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
+- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
+- **EventSubStoreResetCounter** The number of times the event database was reset.
+- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
+- **EventsUploaded** The number of events that have been uploaded.
+- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
+- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
+- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
+- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
+- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
+- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
+- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component.
+- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
+- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
+- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
 ## DxgKernelTelemetry events
@@ -1922,72 +1857,80 @@ This event sends basic GPU and display driver information to keep Windows and di
 The following fields are available:
-- **version** The event version.
-- **bootId** The system boot ID.
 - **aiSeqId** The event sequence ID.
-- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
-- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
-- **InterfaceId** The GPU interface ID.
-- **GPUVendorID** The GPU vendor ID.
-- **GPUDeviceID** The GPU device ID.
-- **SubVendorID** The GPU sub vendor ID.
-- **SubSystemID** The subsystem ID.
-- **GPURevisionID** The GPU revision ID.
-- **DriverVersion** The display driver version.
+- **bootId** The system boot ID.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid** The display adapter LUID.
 - **DriverDate** The date of the display driver.
 - **DriverRank** The rank of the display driver.
-- **IsMiracastSupported** Does the GPU support Miracast?
-- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **DriverVersion** The display driver version.
+- **GPUDeviceID** The GPU device ID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID** The GPU revision ID.
+- **GPUVendorID** The GPU vendor ID.
+- **InterfaceId** The GPU interface ID.
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
 - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
 - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
-- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
 - **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported** Does the GPU support Miracast?
 - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
 - **IsPostAdapter** Is this GPU the POST GPU in the device?
-- **IsSoftwareDevice** Is this a software implementation of the GPU?
 - **IsRenderDevice** Does the GPU have rendering capabilities?
-- **IsDisplayDevice** Does the GPU have displaying capabilities?
-- **WDDMVersion** The Windows Display Driver Model version.
-- **DisplayAdapterLuid** The display adapter LUID.
-- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
-- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
-- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
-- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
-- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
-- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
 - **NumVidPnSources** The number of supported display output sources.
 - **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version.
 ## Fault Reporting events
 ### Microsoft.Windows.FaultReporting.AppCrashEvent
-This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes" by a user DO NOT emit this event.
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
 The following fields are available:
-- **ProcessId** The ID of the process that has crashed.
-- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **AppName** The name of the app that has crashed.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
 - **ExceptionCode** The exception code returned by the process that has crashed.
 - **ExceptionOffset** The address where the exception had occurred.
-- **AppName** The name of the app that has crashed.
-- **AppVersion** The version of the app that has crashed.
-- **AppTimeStamp** The date/time stamp of the app.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
 - **ModName** Exception module name (e.g. bar.dll).
-- **ModVersion** The version of the module that has crashed.
 - **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
 - **PackageFullName** Store application identity.
 - **PackageRelativeAppId** Store application identity.
 - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
 - **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
-- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
-- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
 - **TargetAppId** The kernel reported AppId of the application being reported.
 - **TargetAppVer** The specific version of the application being reported
 - **TargetAsId** The sequence number for the hanging process.
+## Feature update events
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked
+
+This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems.
+
+
+
 ## Hang Reporting events
 ### Microsoft.Windows.HangReporting.AppHangEvent
@@ -1997,52 +1940,110 @@ This event sends data about hangs for both native and managed applications, to h
 The following fields are available:
 - **AppName** The name of the app that has hung.
-- **TypeCode** Bitmap describing the hang type.
-- **ProcessId** The ID of the process that has hung.
-- **UTCReplace_TargetAppId** The kernel reported AppId of the application being reported.
-- **ProcessCreateTime** The time of creation of the process that has hung.
-- **UTCReplace_TargetAppVer** The specific version of the application being reported.
-- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **AppVersion** The version of the app that has hung.
+- **PackageFullName** Store application identity.
 - **PackageRelativeAppId** Store application identity.
 - **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
-- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
-- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
-- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
-- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
-- **PackageFullName** Store application identity.
-- **AppVersion** The version of the app that has hung.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **ProcessId** The ID of the process that has hung.
 - **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
 - **TargetAppId** The kernel reported AppId of the application being reported.
 - **TargetAppVer** The specific version of the application being reported.
 - **TargetAsId** The sequence number for the hanging process.
+- **TypeCode** Bitmap describing the hang type.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
 ## Inventory events
+### ChecksumDictionary
+
+The list of values sent by each object type.
+
+The following fields are available:
+
+- **Key** The object type being described.
+- **Value** The number of objects of this type that were sent.
+
+
+### COMPID
+
+This event provides a device's internal application compatible ID, a vendor-defined identification that Windows uses to match a device to an INF file. A device can have a list of compatible IDs associated with it.
+
+The following fields are available:
+
+- **Order** The index of the array of compatible IDs for the device.
+- **Value** The array of compatible IDs for the device.
+
+
+### HWID
+
+This event provides a device's internal hardware ID, a vendor-defined identification that Windows uses to match a device to an INF file. In most cases, a device has associated with it a list of hardware IDs.
+
+The following fields are available:
+
+- **Order** The index of the array of internal hardware IDs for the device.
+- **Value** The array of internal hardware IDs for the device.
+
+
+### InstallDateArpLastModified
+
+This event indicates the date the add/remove program (ARP) entry was last modified by an update.
+
+The following fields are available:
+
+- **Order** The index of the ordered array.
+- **Value** The value contained in the ordered array.
+
+
+### InstallDateFromLinkFile
+
+This event provides the application installation date from the linked file.
+
+The following fields are available:
+
+- **Order** The index of the ordered array.
+- **Value** The value contained in the ordered array.
+
+
+### InstallDateMsi
+
+The install date from the Microsoft installer (MSI) database.
+
+The following fields are available:
+
+- **Order** The index of the ordered array.
+- **Value** The value contained in the ordered array.
+
+
 ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
 This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
 The following fields are available:
-- **Device** A count of device objects in cache
-- **DeviceCensus** A count of devicecensus objects in cache
-- **DriverPackageExtended** A count of driverpackageextended objects in cache
-- **File** A count of file objects in cache
-- **Generic** A count of generic objects in cache
-- **HwItem** A count of hwitem objects in cache
-- **InventoryApplication** A count of application objects in cache
-- **InventoryApplicationFile** A count of application file objects in cache
-- **InventoryDeviceContainer** A count of device container objects in cache
-- **InventoryDeviceMediaClass** A count of device media objects in cache
-- **InventoryDevicePnp** A count of devicepnp objects in cache
-- **InventoryDriverBinary** A count of driver binary objects in cache
-- **InventoryDriverPackage** A count of device objects in cache
-- **Metadata** A count of metadata objects in cache
-- **Orphan** A count of orphan file objects in cache
-- **Programs** A count of program objects in cache
-- **FileSigningInfo** A count of file signing info objects in cache.
-- **InventoryDeviceInterface** A count of inventory device interface objects in cache.
+- **Device** A count of device objects in cache.
+- **DeviceCensus** A count of devicecensus objects in cache.
+- **DriverPackageExtended** A count of driverpackageextended objects in cache.
+- **File** A count of file objects in cache.
+- **FileSigningInfo** A count of file signing objects in cache.
+- **Generic** A count of generic objects in cache.
+- **HwItem** A count of hwitem objects in cache.
+- **InventoryApplication** A count of application objects in cache.
+- **InventoryApplicationFile** A count of application file objects in cache.
+- **InventoryDeviceContainer** A count of device container objects in cache.
+- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
+- **InventoryDeviceMediaClass** A count of device media objects in cache.
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
+- **InventoryDriverBinary** A count of driver binary objects in cache.
+- **InventoryDriverPackage** A count of device objects in cache.
+- **Metadata** A count of metadata objects in cache.
+- **Orphan** A count of orphan file objects in cache.
+- **Programs** A count of program objects in cache.
 ### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
@@ -2052,62 +2053,48 @@ This event sends inventory component versions for the Device Inventory data.
 The following fields are available:
 - **aeinv** The version of the App inventory component.
+- **aeinv.dll** The version of the App inventory component.
 - **devinv** The file version of the Device inventory component.
+- **devinv.dll** The file version of the Device inventory component.
-### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
-This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events
--
-### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
-
-This event sends basic metadata about the USB hubs on the device
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events
-- **TotalUserConnectablePorts** Total number of connectable USB ports
-- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports
--
 ### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
 This event sends basic metadata about an application on the system to help keep Windows up to date.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **ProgramInstanceId** A hash of the file IDs in an app.
-- **Name** The name of the application. Location pulled from depends on 'Source' field.
-- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
-- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
-- **Version** The version number of the program.
-- **Language** The language code of the program.
-- **Source** How the program was installed (ARP, MSI, Appx, etc...)
-- **MsiProductCode** A GUID that describe the MSI Product.
-- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
 - **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
-- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
-- **RootDirPath** The path to the root directory where the program was installed.
-- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics)
-- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array.
-- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
-- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array.
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it).
-- **PackageFullName** The package full name for a Store application.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 See [InstallDateArpLastModified](#installdatearplastmodified).
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. See [InstallDateFromLinkFile](#installdatefromlinkfile).
+- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
See [InstallDateMsi](#installdatemsi).
 - **InventoryVersion** The version of the inventory file generating the events.
+- **Language** The language code of the program.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **Name** The name of the application.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **PackageFullName** The package full name for a Store application.
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **Source** How the program was installed (for example, ARP, MSI, Appx).
 - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Version** The version number of the program.
 ### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
 This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2115,43 +2102,45 @@ The following fields are available:
 This event indicates that a new set of InventoryApplicationAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
 ### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
-This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **ModelName** The model name.
-- **ModelId** A model GUID.
-- **PrimaryCategory** The primary category for the device container.
 - **Categories** A comma separated list of functional categories in which the container belongs.
-- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
-- **IsActive** Is the device connected, or has it been seen in the last 14 days?
-- **IsPaired** Does the device container require pairing?
-- **IsNetworked** Is this a networked device?
-- **IsMachineContainer** Is the container the root device itself?
-- **FriendlyName** The name of the device container.
 - **DiscoveryMethod** The discovery method for the device container.
-- **ModelNumber** The model number for the device container.
-- **Manufacturer** The manufacturer name for the device container.
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-- **objectInstanceId** ContainerId
+- **FriendlyName** The name of the device container.
 - **InventoryVersion** The version of the inventory file generating the events.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer** Is the container the root device itself?
+- **IsNetworked** Is this a networked device?
+- **IsPaired** Does the device container require pairing?
+- **Manufacturer** The manufacturer name for the device container.
+- **ModelId** A unique model ID.
+- **ModelName** The model name.
+- **ModelNumber** The model number for the device container.
+- **PrimaryCategory** The primary category for the device container.
 ### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
 This event indicates that the InventoryDeviceContainer object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2159,9 +2148,10 @@ The following fields are available:
 This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2169,9 +2159,10 @@ The following fields are available:
 This event retrieves information about what sensor interfaces are available on the device.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **InventoryVersion** The version of the inventory file generating the events.
 - **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
 - **ActivityDetection** Indicates if an Activity Detection sensor is found.
 - **AmbientLight** Indicates if an Ambient Light sensor is found.
@@ -2182,6 +2173,7 @@ The following fields are available:
 - **GravityVector** Indicates if a Gravity Detector sensor is found.
 - **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
 - **Humidity** Indicates if a Humidity sensor is found.
+- **InventoryVersion** The version of the inventory file generating the events.
 - **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
 - **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
 - **Orientation** Indicates if an Orientation sensor is found.
@@ -2190,13 +2182,14 @@ The following fields are available:
 - **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
 - **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
 - **Temperature** Indicates if a Temperature sensor is found.
-- **EnergyMeter** Indicates if an Energy sensor is found.
 ### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
 This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2204,23 +2197,25 @@ The following fields are available:
 ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
-This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-- **InventoryVersion** The version of the inventory file generating the events.
 - **Audio_CaptureDriver** The Audio device capture driver endpoint.
 - **Audio_RenderDriver** The Audio device render driver endpoint.
+- **InventoryVersion** The version of the inventory file generating the events.
 ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
 This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2228,56 +2223,58 @@ The following fields are available:
 This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
 ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
-This event sends basic metadata about a PNP device and its associated driver to help keep Windows up-to-date.
+This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **HWID** A JSON array that provides the value and order of the HWID tree for the device.
-- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device.
-- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
-- **Enumerator** The bus that enumerated the device.
+- **Class** The device setup class of the driver loaded for the device
+- **ClassGuid** The device class GUID from the driver package
+- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device. See [COMPID](#compid).
 - **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
-- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set).
DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present.
-- **ParentId** Device instance id of the parent of the device.
-- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device.
-- **Description** The device description.
-- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
-- **Class** The device setup class of the driver loaded for the device.
-- **ClassGuid** The device setup class guid of the driver loaded for the device.
-- **Manufacturer** The device manufacturer.
-- **Model** The device model.
-- **Inf** The INF file name.
-- **DriverVerVersion** The version of the driver loaded for the device.
-- **DriverVerDate** The date of the driver loaded for the device.
-- **Provider** The device provider.
-- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
-- **Service** The device service name.
-- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
-- **LowerFilters** Lower filter drivers IDs installed for the device.
-- **UpperClassFilters** Upper filter class drivers IDs installed for the device.
-- **UpperFilters** Upper filter drivers IDs installed for the device.
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **Description** The device description
+- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container).
DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
 - **DriverId** A unique identifier for the installed device.
 - **DriverName** The name of the driver image file.
+- **DriverVerDate** The date of the driver loaded for the device
+- **DriverVerVersion** The version of the driver loaded for the device
+- **Enumerator** The bus that enumerated the device
+- **HWID** A JSON array that provides the value and order of the HWID tree for the device. See [HWID](#hwid).
+- **Inf** The INF file name.
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
 - **InventoryVersion** The version of the inventory file generating the events.
+- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
+- **LowerFilters** Lower filter drivers IDs installed for the device
+- **Manufacturer** The device manufacturer
+- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance
+- **Model** The device model
+- **ParentId** Device instance id of the parent of the device
 - **ProblemCode** The current error code for the device.
+- **Provider** The device provider
+- **Service** The device service name
+- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device. See [STACKID](#stackid).
+- **UpperClassFilters** Upper filter class drivers IDs installed for the device
+- **UpperFilters** Upper filter drivers IDs installed for the device
 ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
 This event indicates that the InventoryDevicePnpRemove object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2285,45 +2282,48 @@ The following fields are available:
 This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
 ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
-This event sends basic metadata about driver files running on the system to help keep Windows up-to-date.
+This event provides the basic metadata about driver binaries running on the system.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **DriverName** The file name of the driver.
-- **Inf** The name of the INF file.
-- **DriverPackageStrongName** The strong name of the driver package.
-- **DriverCompany** The company name that developed the driver.
 - **DriverCheckSum** The checksum of the driver file.
+- **DriverCompany** The company name that developed the driver.
+- **DriverInBox** Is the driver included with the operating system?
+- **DriverIsKernelMode** Is it a kernel mode driver?
+- **DriverName** The file name of the driver.
+- **DriverPackageStrongName** The strong name of the driver package
+- **DriverSigned** The strong name of the driver package
 - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
 - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9.
define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
-- **DriverInBox** Is the driver included with the operating system?
-- **DriverSigned** Is the driver signed?
-- **DriverIsKernelMode** Is it a kernel mode driver?
 - **DriverVersion** The version of the driver file.
 - **ImageSize** The size of the driver file.
+- **Inf** The name of the INF file.
+- **InventoryVersion** The version of the inventory file generating the events.
 - **Product** The product name that is included in the driver file.
 - **ProductVersion** The product version that is included in the driver file.
-- **WdfVersion** The Windows Driver Framework version.
 - **Service** The name of the service that is installed for the device.
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-- **InventoryVersion** The version of the inventory file generating the events.
+- **WdfVersion** The Windows Driver Framework version.
 ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
 This event indicates that the InventoryDriverBinary object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2331,38 +2331,40 @@ The following fields are available:
 This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
 ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
-This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date.
+This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **Inf** The INF name of the driver package.
-- **ClassGuid** The class GUID for the device driver.
 - **Class** The class name for the device driver.
-- **Directory** The path to the driver package.
+- **ClassGuid** The class GUID for the device driver.
 - **Date** The driver package date.
-- **Version** The version of the driver package.
+- **Directory** The path to the driver package.
+- **Inf** The INF name of the driver package.
+- **InventoryVersion** The version of the inventory file generating the events.
 - **Provider** The provider for the driver package.
 - **SubmissionId** The HLK submission ID for the driver package.
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-- **InventoryVersion** The version of the inventory file generating the events.
-- **DriverInBox** Is the driver included with the operating system?
+- **Version** The version of the driver package.
 ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
 This event indicates that the InventoryDriverPackageRemove object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2370,9 +2372,10 @@ The following fields are available:
 This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2382,187 +2385,83 @@ This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd e
 The following fields are available:
-- **ChecksumDictionary** A count of each operating system indicator.
+- **ChecksumDictionary** A count of each operating system indicator. See [ChecksumDictionary](#checksumdictionary).
 - **PCFP** Equivalent to the InventoryId field that is found in other core events.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
-
-This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
-
-The following fields are available:
-
-- **Design** Count of files with design issues found
-- **Design_x64** Count of files with 64 bit design issues found
-- **DuplicateVBA** Count of files with duplicate VBA code
-- **HasVBA** Count of files with VBA code
-- **Inaccessible** Count of files that were inaccessible for scanning
-- **Issues** Count of files with issues detected
-- **Issues_x64** Count of files with 64-bit issues detected
-- **IssuesNone** Count of files with no issues detected
-- **IssuesNone_x64** Count of files with no 64-bit issues detected
-- **Locked** Count of files that were locked, preventing scanning
-- **NoVBA** Count of files with no VBA inside
-- **Protected** Count of files that were password protected, preventing scanning
-- **RemLimited** Count of files that require limited remediation changes
-- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues
-- **RemSignificant** Count of files that require significant remediation changes
-- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues
-- **Score** Overall compatibility score calculated for scanned content
-- **Score_x64** Overall 64-bit compatibility score
calculated for scanned content
-- **Total** Total number of files scanned
-- **Validation** Count of files that require additional manual validation
-- **Validation_x64** Count of files that require additional manual validation for 64-bit issues
-
-### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
-
-This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events
-
-### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
-
-This event provides the basic metadata about the frameworks an application may depend on
-
-The following fields are available:
-
-- **FileId** A hash that uniquely identifies a file
-- **Frameworks** The list of frameworks this file depends on
-- **InventoryVersion** The version of the inventory file generating the events
-- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it
-
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
-These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-- **IndicatorValue** The indicator value
+- **IndicatorValue** The indicator value.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
-This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd, indicating that the item has been removed. There are no additional unique fields in this event.
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
-The following fields are available:
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
 This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
-The following fields are available:
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
-This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+### STACKID
+
+This event provides the internal compatible ID for the stack.
 The following fields are available:
-- **Count** Count of total Microsoft Office VBA rule violations
+- **Order** The index of the ordered array.
+- **Value** The value contained in the ordered array.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
-This event provides data on the installed Office Add-ins.
+## Kernel events
-- **AddInCLSID** The CLSID key office the Office addin.
-- **AddInId** The ID of the Office addin.
-- **BinFileTimestamp** The timestamp of the Office addin.
-- **BinFileVersion** The version of the Office addin.
-- **Description** The description of the Office addin.
-- **FileId** The file ID of the Office addin.
-- **FriendlyName** The friendly name of the Office addin.
-- **FullPath** The full path to the Office addin.
-- **LoadBehavior** A Uint32 that describes the load behavior.
-- **LoadTime** The load time for the Office addin.
-- **OfficeApplication** The OIffice application for this addin.
-- **OfficeArchitecture** The architecture of the addin.
-- **OfficeVersion** The Office version for this addin.
-- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin.
-- **Provider** The provider name for this addin.
+### IO
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup.
-This event indicates that a new sync is being generated for this object type.
+The following fields are available:
-There are no fields in this event.
+- **BytesRead** The total number of bytes read from or read by the OS upon system startup.
+- **BytesWritten** The total number of bytes written to or written by the OS upon system startup.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
-This event provides data on the installed Office identifiers.
+### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
-- **OAudienceData** The Office Audience descriptor.
-- **OAudienceId** The Office Audience ID.
-- **OMID** The Office machine ID.
-- **OPlatform** The Office architecture.
-- **OVersion** The Office version
-- **OTenantId** The Office 365 Tenant GUID.
-- **OWowMID** The Office machine ID.
+This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+The following fields are available:
-This event indicates that a new sync is being generated for this object type.
+- **BootApplicationId** This field tells us what the OS Loader Application Identifier is.
+- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system.
+- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session.
+- **BootStatusPolicy** Identifies the applicable Boot Status Policy.
+- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
+- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made.
+- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware.
+- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonPch** Reason for system reset provided by firmware.
+- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware.
+- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io).
+- **LastBootSucceeded** Flag indicating whether the last boot was successful.
+- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
+- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
+- **RecoveryEnabled** Indicates whether recovery is enabled.
+- **UserInputTime** The amount of time the loader application spent waiting for user input.
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
-
-This event provides data on the installed Office-related Internet Explorer features.
-
-- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
-
-This event describes the Office products that are installed.
-
-- **OC2rApps** The Office Click-to-Run apps.
-- **OC2rSkus** The Office Click-to-Run products.
-- **OMsiApps** The Office MSI apps.
-- **OProductCodes** The Office MSI product code.
 ## OneDrive events
@@ -2573,10 +2472,10 @@ This event includes basic data about install and uninstall OneDrive API operatio
 The following fields are available:
 - **APIName** The name of the API.
-- **ScenarioName** The name of the scenario.
 - **Duration** How long the operation took.
-- **isSuccess** Was the operation successful?
+- **IsSuccess** Was the operation successful?
 - **ResultCode** The result code.
+- **ScenarioName** The name of the scenario.
 ### Microsoft.OneDrive.Sync.Setup.EndExperience
@@ -2586,9 +2485,9 @@ This event includes a success or failure summary of the installation.
 The following fields are available:
 - **APIName** The name of the API.
+- **HResult** Indicates the result code of the event
+- **IsSuccess** Was the operation successful?
 - **ScenarioName** The name of the scenario.
-- **Hresult** The HResult of the operation.
-- **isSuccess** Was the operation successful?
 ### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
@@ -2597,14 +2496,14 @@ This event is related to the OS version when the OS is upgraded with OneDrive in
 The following fields are available:
-- **HResult** The HResult of the operation.
-- **SourceOSVersion** The source version of the operating system.
-- **SourceOSBuildNumber** The source build number of the operating system.
-- **SourceOSBuildBranch** The source branch of the operating system.
-- **CurrentOSVersion** The current version of the operating system.
-- **CurrentOSBuildNumber** The current build number of the operating system.
-- **CurrentOSBuildBranch** The current branch of the operating system.
 - **CurrentOneDriveVersion** The current version of OneDrive.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **HResult** The HResult of the operation.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSVersion** The source version of the operating system.
 ### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
@@ -2614,10 +2513,10 @@ This event is related to registering or unregistering the OneDrive update task.
 The following fields are available:
 - **APIName** The name of the API.
+- **IsSuccess** Was the operation successful?
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
 - **ScenarioName** The name of the scenario.
 - **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
-- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
-- **isSuccess** Was the operation successful?
 ### Microsoft.OneDrive.Sync.Setup.SetupCommonData
@@ -2627,19 +2526,15 @@ This event contains basic OneDrive configuration data that helps to diagnose fai
 The following fields are available:
 - **AppVersion** The version of the app.
-- **OfficeVersion** The version of Office that is installed.
-- **BuildArch** Is the architecture x86 or x64?
-- **Market** Which market is this in?
-- **OneDriveDeviceId** The OneDrive device ID.
+- **BuildArchitecture** Is the architecture x86 or x64?
+- **Environment** Is the device on the production or int service?
 - **MachineGuid** The CEIP machine ID.
-- **IsMSFTInternal** Is this an internal Microsoft device?
+- **Market** Which market is this in?
+- **MSFTInternal** Is this an internal Microsoft device?
+- **OfficeVersionString** The version of Office that is installed.
 - **OSDeviceName** Only if the device is internal to Microsoft, the device name.
 - **OSUserName** Only if the device is internal to Microsoft, the user name.
-- **Environment** Is the device on the production or int service?
-- **OfficeVersionString** The version of Office that is installed.
-- **BuildArchitecture** Is the architecture x86 or x64?
 - **UserGuid** The CEIP user ID.
-- **MSFTInternal** Is this an internal Microsoft device?
 ### Microsoft.OneDrive.Sync.Updater.CommonData
@@ -2649,21 +2544,21 @@ This event contains basic OneDrive configuration data that helps to diagnose fai The following fields are available: - **AppVersion** The version of the app. -- **OfficeVersion** The version of Office that is installed. - **BuildArch** Is the architecture x86 or x64? -- **Market** Which market is this in? -- **OneDriveDeviceId** The OneDrive device ID. -- **MachineGuid** The CEIP machine ID. +- **Environment** Is the device on the production or int service? - **IsMSFTInternal** Is this an internal Microsoft device? +- **MachineGuid** The CEIP machine ID. +- **Market** Which market is this in? +- **OfficeVersion** The version of Office that is installed. +- **OneDriveDeviceId** The OneDrive device ID. - **OSDeviceName** Only if the device is internal to Microsoft, the device name. - **OSUserName** Only if the device is internal to Microsoft, the user name. -- **Environment** Is the device on the production or int service? - **UserGuid** A unique global user identifier. ### Microsoft.OneDrive.Sync.Updater.ComponentInstallState -This event determines the installation state of dependent OneDrive components. +This event includes basic data about the installation state of dependent OneDrive components. The following fields are available: @@ -2673,7 +2568,7 @@ The following fields are available: ### Microsoft.OneDrive.Sync.Updater.OfficeRegistration -This event determines the status of the OneDrive integration with Microsoft Office. +This event indicates the status of the OneDrive integration with Microsoft Office. The following fields are available: @@ -2714,9 +2609,9 @@ This event determines the outcome of the operation. The following fields are available: -- **UpdaterVersion** The version of the updater. -- **IsLoggingEnabled** Is logging enabled? - **hr** The HResult of the operation. +- **IsLoggingEnabled** Is logging enabled? +- **UpdaterVersion** The version of the updater. ### Microsoft.OneDrive.Sync.Updater.UpdateTierReg 
@@ -2747,24 +2642,910 @@ The following fields are available: - **winInetError** The HResult of the operation.
+## Remediation events
+
+### Microsoft.Windows.Remediation.Applicable
+
+This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
+
+The following fields are available:
+
+- **ActionName** The name of the action to be taken by the plug-in.
+- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid.
+- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check.
+- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid.
+- **AppraiserTaskDisabled** Indicates the appraiser task is disabled.
+- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
+- **CV** Correlation vector
+- **DateTimeDifference** The difference between local and reference clock times.
+- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
+- **DaysSinceLastSIH** The number of days since the most recent SIH executed.
+- **DaysToNextSIH** The number of days until the next scheduled SIH execution.
+- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run.
+- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
+- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system.
+- **HResult** The HRESULT for detection or perform action phases of the plugin.
+- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
+- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
+- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastRun** The date of the most recent SIH run.
+- **NextRun** Date of the next scheduled SIH run.
+- **PackageVersion** The version of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Reload** True if SIH reload is required.
+- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine.
+- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started.
+- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled.
+- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists.
+- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task.
+- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran.
+- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder.
+- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed.
+- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run.
+- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network.
+- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled.
+- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists.
+- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger.
+- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in.
+- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
+- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
+- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
+- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
+- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
+- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task.
+- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task.
+- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task.
+- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task.
+- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task.
+- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task.
+- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task.
+- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled.
+- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled.
+- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled.
+- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled.
+- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled.
+- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled.
+- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled.
+- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled.
+- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled.
+- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled.
+- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled.
+- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled.
+- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled.
+- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly.
+- **RunTask** TRUE if SIH task should be run by the plug-in.
+- **TimeServiceNTPServer** The URL for the NTP time server used by device.
+- **TimeServiceStartType** The startup type for the NTP time service.
+- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock.
+- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device.
+
+
+### Microsoft.Windows.Remediation.Completed
+
+This event enables completion tracking of a process that remediates issues preventing security and quality updates.
+
+The following fields are available:
+
+- **ActionName** Name of the action to be completed by the plug-in.
+- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully.
+- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully.
+- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully.
+- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully.
+- **AppraiserTaskMissing** TRUE if the Appraiser task is missing.
+- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully.
+- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully.
+- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded.
+- **CV** The Correlation Vector.
+- **DateTimeDifference** The difference between the local and reference clocks.
+- **DaysSinceOsInstallation** The number of days since the installation of the Operating System.
+- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes.
+- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
+- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
+- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user.
+- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
+- **HResult** The result of the event execution.
+- **LatestState** The final state of the plug-in component.
+- **PackageVersion** The package version for the current Remediation.
+- **PageFileCount** The number of Windows Page files.
+- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes.
+- **PageFileLocation** The storage location (directory path) of the Windows Page file.
+- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **RanCleanup** TRUE if the plug-in ran disk cleanup.
+- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully.
+- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully.
+- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully.
+- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes.
+- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
+- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes.
+- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes.
+- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes.
+- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified.
+- **RemediationDoorstopExists** TRUE if there is a OneSettings Doorstop value.
+- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key.
+- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted.
+- **RemediationDUABuildNumber** The build number of the DUA.
+- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted.
+- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated.
+- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated.
+- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully.
+- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried.
+- **RemediationRanHibernation** TRUE if the system entered Hibernation.
+- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded.
+- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in.
+- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in.
+- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in.
+- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes.
+- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more.
+- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes.
+- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **ServiceHealthPlugin** The nae of the Service Health plug-in.
+- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully.
+- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes.
+- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes.
+- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes.
+- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan.
+- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set.
+- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set.
+- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set.
+- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network.
+- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
+- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
+- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
+- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
+- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
+- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes.
+- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes.
+- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes.
+- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes.
+- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes.
+- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
+
+
+### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent
+
+This event indicates that an unexpected error occurred during an update and provides information to help address the issue.
+
+The following fields are available:
+
+- **CV** The Correlation vector.
+- **ErrorMessage** A description of any errors encountered while the plug-in was running.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **Hresult** The result of the event execution.
+- **PackageVersion** The version number of the current remediation package.
+- **SessionGuid** GUID associated with a given execution of sediment pack.
+
+
+### Microsoft.Windows.Remediation.Error
+
+This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue.
+
+The following fields are available:
+
+- **HResult** The result of the event execution.
+- **Message** A message containing information about the error that occurred.
+- **PackageVersion** The version number of the current remediation package.
+
+
+### Microsoft.Windows.Remediation.FallbackError
+
+This event indicates an error when Self Update results in a Fallback and provides information to help address the issue.
+
+The following fields are available:
+
+- **s0** Indicates the Fallback error level. See [Microsoft.Windows.Remediation.wilResult](#microsoftwindowsremediationwilresult).
+- **wilResult** The result of the Windows Installer Logging. See [wilResult](#wilresult).
+
+
+### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent
+
+This event occurs when the Notify User task executes and provides information about the cause of the notification.
+
+The following fields are available:
+
+- **CV** The Correlation vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **RemediationNotifyUserFixIssuesCallResult** The result of calling the USO (Update Session Orchestrator) sequence steps.
+- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** The error code from the USO (Update Session Orchestrator) download call.
+- **RemediationNotifyUserFixIssuesUsoInitializedHr** The error code from the USO (Update Session Orchestrator) initialize call.
+- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** The error code from the USO (Update Session Orchestrator) proxy blanket call.
+- **RemediationNotifyUserFixIssuesUsoSetSessionHr** The error code from the USO (Update Session Orchestrator) session call.
+
+
+### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId
+
+This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **hResult** The result of the event execution.
+- **PackageVersion** The version number of the current remediation package.
+
+
+### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId
+
+This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **RemediationShellUnexpectedExceptionId** The ID of the remediation plug-in that caused the exception.
+
+
+### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed
+
+This event tracks the health of key update (Remediation) services and whether they are enabled.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **hResult** The result of the event execution.
+- **PackageVersion** The version number of the current remediation package.
+- **serviceName** The name associated with the operation.
+
+
+### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId
+
+This event returns information about the upgrade upon success to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **AppraiserPlugin** TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful.
+- **ClearAUOptionsPlugin** TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys were successfully deleted.
+- **CV** The Correlation Vector.
+- **DatetimeSyncPlugin** TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully.
+- **DiskCleanupPlugin** TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **NoisyHammerPlugin** TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully.
+- **PackageVersion** The version number of the current remediation package.
+- **RebootRequiredPlugin** TRUE / FALSE depending on whether the Reboot plug-in ran successfully.
+- **RemediationNotifyUserFixIssuesPlugin** TRUE / FALSE depending on whether the User Fix Issues plug-in ran successfully
+- **RemediationPostUpgradeDiskSpace** The amount of disk space available after the upgrade.
+- **RemediationPostUpgradeHibernationSize** The size of the Hibernation file after the upgrade.
+- **ServiceHealthPlugin** A list of services updated by the plug-in.
+- **SIHHealthPlugin** TRUE / FALSE depending on whether the SIH Health plug-in ran successfully.
+- **StackDataResetPlugin** TRUE / FALSE depending on whether the update stack completed successfully.
+- **TaskHealthPlugin** A list of tasks updated by the plug-in.
+- **UpdateApplicabilityFixerPlugin** TRUE / FALSE depending on whether the update applicability fixer plug-in completed successfully.
+- **WindowsUpdateEndpointPlugin** TRUE / FALSE depending on whether the Windows Update Endpoint was successful.
+
+
+### Microsoft.Windows.Remediation.Started
+
+This event reports whether a plug-in started, to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+
+
+### Microsoft.Windows.Remediation.wilResult
+
+This event provides Self Update information to help keep Windows up to date.
+
+The following fields are available:
+
+- **callContext** A list of diagnostic activities containing this error.
+- **currentContextId** An identifier for the newest diagnostic activity containing this error.
+- **currentContextMessage** A message associated with the most recent diagnostic activity containing this error (if any).
+- **currentContextName** Name of the most recent diagnostic activity containing this error.
+- **failureCount** Number of failures seen within the binary where the error occurred.
+- **failureId** The identifier assigned to this failure.
+- **failureType** Indicates the type of failure observed (exception, returned, error, logged error, or fail fast).
+- **fileName** The source code file name where the error occurred.
+- **function** The name of the function where the error occurred.
+- **hresult** The failure error code.
+- **lineNumber** The Line Number within the source code file where the error occurred.
+- **message** A message associated with the failure (if any).
+- **module** The name of the binary module in which the error occurred.
+- **originatingContextId** The identifier for the oldest diagnostic activity containing this error.
+- **originatingContextMessage** A message associated with the oldest diagnostic activity containing this error (if any).
+- **originatingContextName** The name of the oldest diagnostic activity containing this error.
+- **threadId** The identifier of the thread the error occurred on.
+
+
+## Sediment events
+
+### Microsoft.Windows.Sediment.Info.AppraiserData
+
+This event provides data on the current Appraiser status of the device to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **ErrorCode** The value of the Return Code for the registry query.
+- **GStatus** The pre-upgrade GStatus value.
+- **PayloadVersion** The version information for the remediation component.
+- **RegKeyName** The name of the registry subkey where data was found for this event.
+- **Time** The system time at which the event began.
+- **UpgEx** The pre-upgrade UpgEx value.
+
+
+### Microsoft.Windows.Sediment.Info.BinaryInfo
+
+This event provides information about the binary returned by the Operating System Remediation System Service (OSRSS) to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **BinaryPath** The sanitized name of the system binary from which the data was gathered.
+- **ErrorCode** The value of the return code for querying the version from the binary.
+- **FileVerBuild** The binary’s build number.
+- **FileVerMajor** The binary’s major version number.
+- **FileVerMinor** The binary’s minor version number.
+- **FileVerRev** The binary’s revision number.
+- **PayloadVersion** The version information for the remediation component.
+- **Time** The system time at which the event began.
+
+
+### Microsoft.Windows.Sediment.Info.DownloadServiceError
+
+This event provides information when the Download Service returns an error. The information provided helps keep Windows up to date.
+
+The following fields are available:
+
+- **Architecture** The platform architecture used to identify the correct download payload.
+- **BuildNumber** The starting build number used to identify the correct download payload.
+- **Edition** The Operating System Edition used to identify the correct download payload.
+- **Error** The description of the error encountered.
+- **LanguageCode** The system User Interface Language used to identify the correct download payload.
+- **Stack** Details about the error encountered.
+- **WorkingDirectory** The folder location (path) downloader was attempting to say the payload to.
+
+
+### Microsoft.Windows.Sediment.Info.DownloadServiceProgress
+
+This event indicates the progress of the downloader in 1% increments.
+
+The following fields are available:
+
+- **Percentage** The amount successfully downloaded, measured as a percentage of the whole.
+
+
+### Microsoft.Windows.Sediment.Info.Error
+
+This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ReleaseVer** The version information for the component in which the error occurred.
+- **Time** The system time at which the error occurred.
+
+
+### Microsoft.Windows.Sediment.Info.PhaseChange
+
+The event indicates progress made by the updater. This information assists in keeping Windows up to date.
+
+The following fields are available:
+
+- **NewPhase** The phase of progress made.
+- **ReleaseVer** The version information for the component in which the change occurred.
+- **Time** The system time at which the phase chance occurred.
+
+
+### Microsoft.Windows.Sediment.Info.ServiceInfo
+
+This event provide information about the system service for which data is being gathered by the Operating System Remediation System Service (OSRSS) to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **ErrorCode** The value returned by the error for querying the service information.
+- **PayloadVersion** The version information for the remediation component.
+- **ServiceName** The name of the system service for which data was gathered.
+- **ServiceStatus** The status of the specified service.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.Info.Uptime
+
+This event provides information about how long the device has been operating. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **Days** The number of days the device has been on.
+- **Hours** The number of hours the device has been on.
+- **Minutes** The number of minutes the device has been on.
+- **PayloadVersion** The version information for the remediation component.
+- **Seconds** The number of seconds the machine has been on.
+- **Ticks** The number of system clock “ticks” the device has been on.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
+
+This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CustomVer** The registry value for targeting.
+- **IsMetered** TRUE if the machine is on a metered network.
+- **LastVer** The version of the last successful run.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.DownloadingUrl
+
+This event provides information about the URL from which the Operating System Remediation System Service (OSRSS) is attempting to download. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **AttemptNumber** The count indicating which download attempt is starting.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which data was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.DownloadSuccess
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from the indicated URL. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which data was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.Error
+
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which the validated EXE was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ExtractSuccess
+
+This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted downloaded content. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which the successfully extracted content was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.NewUrlFound
+
+This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL to download from. This helps ensure Windows is up to date.
+ +The following fields are available: + +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. +- **Url** The new URL from which content will be downloaded. + + +### Microsoft.Windows.Sediment.OSRSS.ProcessCreated + +This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute content downloaded from the indicated URL. This information helps ensure Windows is up to date. + +The following fields are available: + +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. +- **Url** The new URL from which content will be executed. + + +### Microsoft.Windows.Sediment.OSRSS.UrlState + +This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. + +The following fields are available: + +- **Id** A number identifying the URL +- **ServiceVersionMajor** Version info for the component +- **ServiceVersionMinor** Version info for the component +- **StateData** State-specific data, such as which attempt number for the download +- **StateNumber** A number identifying which state the URL is in (found, downloading, extracted, etc.) +- **Time** System timestamp the event was fired + + +### Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate + +This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update to itself. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. 
+ + +### Microsoft.Windows.Sediment.ServiceInstaller.BinaryUpdated + +This event indicates the Operating System Remediation System Service (OSRSS) updated installer binaries with new binaries as part of its self-update process. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.Error + +This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **InstallerVersion** The version information of the Installer component. +- **LineNumber** The line number in the code file at which the error occurred. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.InstallerLaunched + +This event indicates the Operating System Remediation System Service (OSRSS) has launched. The information provided helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.ServiceInstalled + +This event indicates the Operating System Remediation System Service (OSRSS) successfully installed the Installer Component. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. 
+ + +### Microsoft.Windows.Sediment.ServiceInstaller.ServiceRestarted + +This event indicates the Operating System Remediation System Service (OSRSS) has restarted after installing an updated version of itself. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.ServiceStarted + +This event indicates the Operating System Remediation System Service (OSRSS) has started after installing an updated version of itself. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.ServiceStopped + +This event indicates the Operating System Remediation System Service (OSRSS) was stopped by a self-updated to install an updated version of itself. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.UninstallerCompleted + +This event indicates the Operating System Remediation System Service (OSRSS) successfully uninstalled the installed version as part of a self-update. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.UninstallerLaunched + +This event indicates the Operating System Remediation System Service (OSRSS) successfully started the Uninstaller as part of a self-update. 
This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.UpdaterCompleted + +This event indicates the Operating System Remediation System Service (OSRSS) successfully completed the self-update operation. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.ServiceInstaller.UpdaterLaunched + +This event indicates the Operating System Remediation System Service (OSRSS) successfully launched the self-updater after downloading it. This information helps ensure Windows is up to date. + +The following fields are available: + +- **InstallerVersion** The version information of the Installer component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.SedimentLauncher.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. +- **IsSelfUpdateNeeded** True if self update needed by device. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.Completed + +Indicates whether a given plugin has completed its work. 
+ +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** Concatenated list of failure reasons. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. + + +### Microsoft.Windows.SedimentLauncher.Error + +This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful. + +The following fields are available: + +- **HResult** The result for the Detection or Perform Action phases of the plug-in. +- **Message** A message containing information about the error that occurred (if any). +- **PackageVersion** The version number of the current remediation package. + + +### Microsoft.Windows.SedimentLauncher.FallbackError + +This event indicates that an error occurred during execution of the plug-in fallback. + +The following fields are available: + +- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult). + + +### Microsoft.Windows.SedimentLauncher.Information + +This event provides general information returned from the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Information message returned from a plugin containing only information internal to the plugins execution. +- **PackageVersion** Current package version of Remediation. + + +### Microsoft.Windows.SedimentLauncher.Started + +This event indicates that a given plug-in has started. 
+ +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.wilResult + +This event provides the result from the Windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** Identifier assigned to this failure. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). +- **fileName** Source code file name where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source code file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. 
+ + +### Microsoft.Windows.SedimentService.Applicable + +This event indicates whether a given plug-in is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Determine whether action needs to run based on device properties. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. +- **IsSelfUpdateNeeded** Indicates if self update is needed. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Completed + +This event indicates whether a given plug-in has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** List of reasons when the plugin action failed. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded. +- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. +- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). +- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. +- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). +- **SedimentServiceStopping** True/False indicating whether the service is stopping. 
+- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. +- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. + + +### Microsoft.Windows.SedimentService.Error + +This event indicates whether an error condition occurred in the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Custom message associated with the failure (if any). +- **PackageVersion** Current package version of Remediation. + + +### Microsoft.Windows.SedimentService.FallbackError + +This event indicates whether an error occurred for a fallback in the plug-in. + +The following fields are available: + +- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult). + + +### Microsoft.Windows.SedimentService.Information + +This event provides general information returned from the plug-in. + +The following fields are available: + +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Custom message associated with the failure (if any). +- **PackageVersion** Current package version of Remediation. + + +### Microsoft.Windows.SedimentService.Started + +This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **PackageVersion** The version number of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. 
+ + +### Microsoft.Windows.SedimentService.wilResult + +This event provides the result from the Windows internal library. + +The following fields are available: + +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** Identifier assigned to this failure. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). +- **fileName** Source code file name where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source code file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + + ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent -This event sends a unique ID that can be used to bind Setup Platform events together, to help keep Windows up to date. +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. The following fields are available: -- **FieldName** Retrieves the event name/data point. 
Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Retrieves the value associated with the corresponding event name. For example: For time-related events, this will include the system time. - **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event - **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.) +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **value** Value associated with the corresponding event name. For example, time-related events will include the system time +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time ### SetupPlatformTel.SetupPlatformTelActivityStarted -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. The following fields are available: 
@@ -2784,8 +3565,8 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. ## Shared PC events @@ -2796,9 +3577,9 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. -- **userSid** The security identifier of the account. - **accountType** The type of account that was deleted. Example: AD, AAD, or Local +- **userSid** The security identifier of the account. +- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). ### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation 
@@ -2807,9 +3588,59 @@ Activity for run of the Transient Account Manager that determines if any user ac The following fields are available: -- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. -- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. - **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours +- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. +- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. See [wilActivity](#wilactivity). + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. 
+- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +### wilResult + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The call context stack where failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. ## Software update events 
@@ -2820,81 +3651,80 @@ This event sends tracking data about the software distribution client check for The following fields are available: -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **EventInstanceID** A globally unique identifier for event instance. -- **DeviceModel** What is the device model. +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosSKUNumber** The sku number of the device BIOS. -- **ClientVersion** The version number of the software distribution client. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). 
-- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. 
-- **SyncType** Describes the type of scan the event was -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **ServiceUrl** The environment URL a device is configured to scan with -- **Online** Indicates if this was an online scan. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **MSIError** The last error that was encountered during a scan for updates. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. 
-- **CDNCountryCode** Two letter country abbreviation for the CDN's location. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **DeferredUpdates** Update IDs which are currently being deferred until a later time - **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. 
-- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. - **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. 
-- **SearchFilter** Contains information indicating filters applied while checking for content applicable to the device. For example, to filter out all content which may require a reboot. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. - **PausedUpdates** A list of UpdateIds which that currently being paused. 
-- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. - **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **DriverSyncPassPerformed** Were drivers scanned this time? +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). 
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. ### SoftwareUpdateClientTelemetry.Commit 
@@ -2903,28 +3733,28 @@ This event sends data on whether the Update Service has been called to execute a The following fields are available: -- **EventScenario** State of call -- **EventInstanceID** A globally unique identifier for event instance. -- **DeviceModel** What is the device model. +- **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BiosReleaseDate** The release date of the device BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client. +- **DeviceModel** What is the device model. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** State of call +- **EventType** Possible values are "Child", "Bundle", or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Unique revision number of Update +- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store. - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosSKUNumber** The sku number of the device BIOS. -- **ClientVersion** The version number of the software distribution client. 
-- **WUDeviceID** UniqueDeviceID -- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. -- **EventType** Possible values are "Child", "Bundle", or "Driver". - **UpdateId** Unique Update ID -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **RevisionNumber** Unique revision number of Update -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **FlightId** The specific id of the flight the device is getting -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **WUDeviceID** UniqueDeviceID ### SoftwareUpdateClientTelemetry.Download 
@@ -2933,82 +3763,105 @@ This event sends tracking data about the software distribution client download o The following fields are available: -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. -- **EventInstanceID** A globally unique identifier for event instance. -- **DeviceModel** What is the device model. +- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. +- **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosSKUNumber** The sku number of the device BIOS. -- **ClientVersion** The version number of the software distribution client. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. 
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle). +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **ShippingMobileOperator** The mobile operator that a device shipped on. 
+- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS). +- **ClientVersion** The version number of the software distribution client. - **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** What is the device model. +- **DeviceOEM** What OEM does this device belong to. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. +- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads. +- **Edition** Indicates the edition of Windows being used. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. 
+- **FlightId** The specific id of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **HostName** The hostname URL the content is downloading from. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsAOACDevice** Is it Always On, Always Connected? +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." -- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded. -- **HostName** The hostname URL the content is downloading from. -- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **CDNCountryCode** Two letter country abbreviation for the CDN's location. -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. 
-- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update -- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. -- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. -- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. -- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. -- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. -- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle). -- **TotalExpectedBytes** The total count of bytes that the download is expected to be. -- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. -- **EventType** Possible values are Child, Bundle, or Driver. -- **UpdateId** An identifier associated with the specific piece of content. -- **RevisionNumber** Identifies the revision number of this specific piece of content. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). -- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. -- **FlightId** The specific id of the flight (pre-release build) the device is getting. -- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. 
-- **UsedDO** Whether the download used the delivery optimization service. -- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. -- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. -- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle. -- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download. -- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. - **PackageFullName** The package name of the content. -- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads. -- **WUSetting** Indicates the users' current updating settings. -- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM). +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. - **PlatformRole** The PowerPlatformRole as defined on MSDN -- **IsAOACDevice** Is it Always On, Always Connected? -- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc. 
-- **Edition** Indicates the edition of Windows being used. -- **DeviceOEM** What OEM does this device belong to. -- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS). +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM). - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. 
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded. +- **TotalExpectedBytes** The total count of bytes that the download is expected to be. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedDO** Whether the download used the delivery optimization service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUSetting** Indicates the users' current updating settings. 
+ + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue ### SoftwareUpdateClientTelemetry.Install 
@@ -3017,78 +3870,79 @@ This event sends tracking data about the software distribution client installati The following fields are available: -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **EventInstanceID** A globally unique identifier for event instance. -- **DeviceModel** What is the device model. +- **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosSKUNumber** The sku number of the device BIOS. -- **ClientVersion** The version number of the software distribution client. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). -- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. 
-- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
-- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
-- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
-- **CurrentMobileOperator** Mobile operator that device is currently connected to.
-- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
-- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
-- **EventType** Possible values are Child, Bundle, or Driver.
-- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **IsFirmware** Is this update a firmware update?
-- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
-- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
-- **DriverPingBack** Contains information about the previous driver and system state.
-- **ExtendedErrorCode** The extended error code.
-- **CSIErrorType** The stage of CBS installation where it failed.
-- **MsiAction** The stage of MSI installation where it failed.
-- **MsiProductCode** The unique identifier of the MSI installer.
-- **TransactionCode** The ID which represents a given MSI installation
-- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
-- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
-- **UpdateId** Unique update ID
-- **RevisionNumber** The revision number of this specific piece of content.
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRevisionNumber** Identifies the revision number of the content bundle.
-- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
-- **FlightId** The specific ID of the Windows Insider build the device is getting.
-- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
-- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
-- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
-- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
-- **PackageFullName** The package name of the content being installed.
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle?
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **CbsDownloadMethod** Was the download a full download or a partial download?
 - **ClientManagedByWSUSServer** Is the client managed by Windows Server Update Services (WSUS)?
+- **ClientVersion** The version number of the software distribution client.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **CurrentMobileOperator** Mobile operator that device is currently connected to.
+- **DeviceModel** What is the device model.
 - **DeviceOEM** What OEM does this device belong to.
 - **DownloadPriority** The priority of the download activity.
 - **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **DriverPingBack** Contains information about the previous driver and system state.
 - **Edition** Indicates the edition of Windows being used.
+- **EventInstanceID** A globally unique identifier for event instance.
 - **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
-- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
-- **PlatformRole** The PowerPlatformRole as defined on MSDN.
-- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
-- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
-- **WUSetting** Indicates the user's current updating settings.
-- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
 - **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
+- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
+- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
+- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
+- **IsFirmware** Is this update a firmware update?
+- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
+- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
+- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
 - **MergedUpdate** Was the OS update and a BSP update merged for installation?
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content being installed.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **PlatformRole** The PowerPlatformRole as defined on MSDN.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
+- **RevisionNumber** The revision number of this specific piece of content.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** The ID which represents a given MSI installation +- **UpdateId** Unique update ID +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **WUSetting** Indicates the user's current updating settings. ### SoftwareUpdateClientTelemetry.SLSDiscovery 
@@ -3098,13 +3952,13 @@ This event sends data about the ability of Windows to discover the location of a The following fields are available: - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **SusClientId** The unique device ID controlled by the software distribution client -- **WUAVersion** The version number of the software distribution client -- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.) -- **UrlPath** Path to the SLS cab that was downloaded - **HResult** Indicates the result code of the event (success, cancellation, failure code HResult) - **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background - **NextExpirationTime** Indicates when the SLS cab expires +- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.) +- **SusClientId** The unique device ID controlled by the software distribution client +- **UrlPath** Path to the SLS cab that was downloaded +- **WUAVersion** The version number of the software distribution client ### SoftwareUpdateClientTelemetry.UpdateDetected 
@@ -3113,44 +3967,13 @@ This event sends data about an AppX app that has been updated from the Microsoft The following fields are available: -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **WUDeviceID** The unique device ID controlled by the software distribution client -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **EventInstanceID** A globally unique identifier for event instance -- **DeviceModel** The device's model as defined in system bios -- **BiosName** The name of the device's system bios -- **BIOSVendor** The vendor of the device's system bios -- **BiosVersion** The version of the device's system bios -- **BiosReleaseDate** The release date of the device's system bios -- **SystemBIOSMajorRelease** The major release version of the device's system bios -- **SystemBIOSMinorRelease** The minor release version of the device's system bios -- **BiosFamily** The device's family as defined in system bios -- **BiosSKUNumber** The device's SKU as defined in system bios -- **ClientVersion** The version number of the software distribution client -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided -- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.) 
-- **StatusCode** Indicates the result code of the event (success, cancellation, failure code HResult)
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough
-- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
-- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
-- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **HomeMobileOperator** The mobile operator that the device was originally intended to work with
-- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
-- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion
-- **SyncType** Describes the type of scan the event was
-- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
-- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
-- **ScanDurationInSeconds** The number of seconds a scan took
-- **ScanEnqueueTime** The number of seconds it took to initialize a scan
-- **NumberOfLoop** The number of round trips the scan required
-- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
-- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
-- **ServiceUrl** The environment URL a device is configured to scan with
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. ### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity 
@@ -3159,28 +3982,111 @@ This event identifies whether updates have been tampered with and protects again The following fields are available: +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. - **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce -- **StatusCode** The status code of the event. - **ExtendedStatusCode** The secondary status code of the event. -- **RevisionId** The revision ID for a specific piece of content. -- **UpdateId** The update ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. - **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce - **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. 
-- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
-- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
 - **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
 - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **RevisionId** The revision ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
 - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
-- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
 - **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+- **StatusCode** The status code of the event.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **UpdateId** The update ID for a specific piece of content.
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+
+
+## Update Assistant events
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
+
+The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies.
+
+The following fields are available:
+
+- **ApplicabilityBlockedReason** Blocked due to an applicability issue.
+- **BlockWuUpgrades** The upgrade assistant is currently blocked.
+- **clientID** An identification of the current release of Update Assistant.
+- **CloverTrail** This device is Clovertrail.
+- **DeviceIsMdmManaged** This device is MDM managed.
+- **IsNetworkAvailable** If the device network is not available.
+- **IsNetworkMetered** If network is metered.
+- **IsSccmManaged** This device is SCCM managed.
+- **NewlyInstalledOs** OS is newly installed quiet period.
+- **PausedByPolicy** Updates are paused by policy.
+- **RecoveredFromRS3** Previously recovered from RS3.
+- **RS1UninstallActive** Blocked due to an active RS1 uninstall.
+- **RS3RollBacks** Exceeded number of allowable RS3 rollbacks.
+- **triggerTaskSource** Describe which task launches this instance.
+- **WsusManaged** This device is WSUS managed.
+- **ZeroExhaust** This device is zero exhaust.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
+
+The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version.
+
+The following fields are available:
+
+- **clientID** An identification of the current release of Update Assistant.
+- **denyReason** All the reasons why the Update Assistant was prevented from launching. Bitmask with values from UpdateAssistant.cpp eUpgradeModeReason.
+- **triggerTaskSource** Describe which task launches this instance.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
+
+Event to mark that Update Assistant Orchestrator failed to launch Update Assistant.
+ +The following fields are available: + +- **clientID** An identification of the current release of Update Assistant. +- **hResult** Error code of the Update Assistant Orchestrator failure. +- **triggerTaskSource** Describe which task launches this instance. + + +### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId + +Event indicating One Settings was not queried by update assistant. + +The following fields are available: + +- **clientID** An identification of the current release of Update Assistant. +- **hResult** Error code of One Settings query failure. + + +### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId + +This event sends basic information on whether the device should be updated to the latest Windows 10 version. + +The following fields are available: + +- **autoStartRunCount** The auto start run count of Update Assistant. +- **clientID** The ID of the current release of Update Assistant. +- **launchMode** Indicates the type of launch performed. +- **launchTypeReason** A bitmask of all the reasons for type of launch. +- **triggerTaskSource** Indicates which task launches this instance. +- **UALaunchRunCount** Total number of times Update Assistant launched. + + +### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId + +The event sends basic info on whether the Windows 10 update notification has previously launched. + +The following fields are available: + +- **clientID** ID of the current release of Update Assistant. +- **restoreReason** All the reasons for the restore. +- **triggerTaskSource** Indicates which task launches this instance. ## Update events 
@@ -3191,25 +4097,25 @@ This event sends data during the download request phase of updating Windows. The following fields are available: +- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. - **ErrorCode** The error code returned for the current download request phase. -- **PackageCountTotal** Total number of packages needed. -- **PackageCountRequired** Number of required packages requested. -- **PackageCountOptional** Number of optional packages requested. -- **ObjectId** Unique value for each Update Agent mode. -- **SessionId** Unique value for each Update Agent mode attempt. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** Result of the download request phase of update. -- **PackageSizeCanonical** Size of canonical packages in bytes -- **PackageSizeDiff** Size of diff packages in bytes -- **PackageSizeExpress** Size of express packages in bytes - **FlightId** Unique ID for each flight. -- **UpdateId** Unique ID for each update. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. - **PackageCountTotalCanonical** Total number of canonical packages. - **PackageCountTotalDiff** Total number of diff packages. - **PackageCountTotalExpress** Total number of express packages. +- **PackageSizeCanonical** Size of canonical packages in bytes +- **PackageSizeDiff** Size of diff packages in bytes +- **PackageSizeExpress** Size of express packages in bytes - **RangeRequestState** Represents the state of the download range request. -- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. 
+- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Result of the download request phase of update. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. +- **UpdateId** Unique ID for each update. ### Update360Telemetry.UpdateAgent_Initialize @@ -3219,15 +4125,15 @@ This event sends data during the initialize phase of updating Windows. The following fields are available: - **ErrorCode** The error code returned for the current initialize phase. -- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **UpdateId** Unique ID for each update. - **FlightId** Unique ID for each flight. - **FlightMetadata** Contains the FlightId and the build being flighted. - **ObjectId** Unique value for each Update Agent mode. -- **SessionId** Unique value for each Update Agent mode attempt . -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate - **RelatedCV** Correlation vector value generated from the latest USO scan. - **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each Update Agent mode attempt . +- **UpdateId** Unique ID for each update. ### Update360Telemetry.UpdateAgent_Install 
@@ -3237,12 +4143,12 @@ This event sends data during the install phase of updating Windows. The following fields are available: - **ErrorCode** The error code returned for the current install phase. -- **ObjectId** Unique value for each Update Agent mode. -- **SessionId** Unique value for each Update Agent mode attempt. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **RelatedCV** Correlation vector value generated from the latest scan. -- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled - **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest scan. +- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. - **UpdateId** Unique ID for each update. 
@@ -3252,12 +4158,12 @@ This event sends data for the start of each mode during the process of updating The following fields are available: +- **FlightId** Unique ID for each flight. - **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit - **ObjectId** Unique value for each Update Agent mode. -- **SessionId** Unique value for each Update Agent mode attempt. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate - **RelatedCV** The correlation vector value generated from the latest scan. -- **FlightId** Unique ID for each flight. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. - **UpdateId** Unique ID for each update. 
@@ -3267,101 +4173,101 @@ This event sends data during the launching of the setup box when updating Window
 The following fields are available:
-- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
-- **ObjectId** Unique value for each Update Agent mode.
-- **SessionId** Unique value for each Update Agent mode attempt.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **RelatedCV** Correlation vector value generated from the latest scan.
 - **FlightId** Unique ID for each flight.
-- **UpdateId** Unique ID for each update.
-- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **RelatedCV** Correlation vector value generated from the latest scan.
 - **SandboxSize** The size of the sandbox folder on the device.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **UpdateId** Unique ID for each update.
 ## Upgrade events
 ### Setup360Telemetry.Downlevel
-This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
 The following fields are available:
 - **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
-- **TestId** A string that uniquely identifies a group of events.
-- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
-- **HostOSBuildNumber** The build number of the downlevel OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Extended** More detailed information about phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
+- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** An ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
### Setup360Telemetry.Finalize
-This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure.
 The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type.
Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 ### Setup360Telemetry.OsUninstall
-The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall.
 The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **WuId** Windows Update client ID.
-- **TestId** A string to uniquely identify a group of events.
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360.
Example: Predownload, Install, Finalize, Rollback
+- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
 ### Setup360Telemetry.PostRebootInstall
-This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
+This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date.
 The following fields are available:
 - **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run.
Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
 - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
 ### Setup360Telemetry.PreDownloadQuiet
@@ -3371,81 +4277,81 @@ This event sends data indicating that the device has invoked the predownload qui
 The following fields are available:
 - **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
-- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
 - **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
 ### Setup360Telemetry.PreDownloadUX
-The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process.
+This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process.
 The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
 - **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **WuId** Windows Update client ID.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
-- **HostOSBuildNumber** The build number of the previous operating system.
-- **Setup360Scenario** The Setup360 flow type.
Examplle: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
 ### Setup360Telemetry.PreInstallQuiet
-This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date.
 The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT)
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 ### Setup360Telemetry.PreInstallUX
-This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
 The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup.
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **WuId** Windows Update client ID.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
 ### Setup360Telemetry.Setup360
@@ -3454,13 +4360,19 @@ This event sends data about OS deployment scenarios, to help keep Windows up-to-
 The following fields are available:
+- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FieldName** Retrieves the data point.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
 - **InstanceId** Retrieves a unique identifier for each instance of a setup session.
 - **ReportId** Retrieves the report ID.
-- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
 - **ScenarioId** Retrieves the deployment scenario.
-- **FieldName** Retrieves the data point.
 - **Value** Retrieves the value associated with the corresponding FieldName.
-- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
+
+
+### Setup360Telemetry.Setup360DynamicUpdate
+
+This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date.
+
 ### Setup360Telemetry.UnexpectedEvent
@@ -3470,18 +4382,18 @@ This event sends data indicating that the device has invoked the unexpected even
 The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 ## Windows Error Reporting events
@@ -3492,19 +4404,25 @@ This event sends binary data from the collected dump file wheneveer a bug check
 The following fields are available:
-- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+- **BootId** Uint32 identifying the boot number for this device.
 - **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
 - **BugCheckParameter1** Uint64 parameter providing additional information.
-- **BootId** Uint32 identifying the boot number for this device.
 - **BugCheckParameter2** Uint64 parameter providing additional information.
-- **BugCheckParameter4** Uint64 parameter providing additional information.
 - **BugCheckParameter3** Uint64 parameter providing additional information.
-- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
-- **DumpFileSize** Size of the dump file
+- **BugCheckParameter4** Uint64 parameter providing additional information.
 - **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
+## Windows Store events
+
+### Microsoft.Windows.Store.Partner.ReportApplication
+
+Report application event for Windows Store client.
-## Microsoft Store events
 ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
@@ -3512,24 +4430,24 @@ This event is sent when an installation or update is canceled by a user or the s
 The following fields are available:
-- **PFN** The product family name of the product being installed.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The Item Bundle ID.
+- **CategoryId** The Item Category ID.
 - **ClientAppId** The identity of the app that initiated this operation.
 - **HResult** The result code of the last action performed before this operation.
-- **IsUpdate** Flag indicating if this is an update.
-- **AttemptNumber** Number of retry attempts before it was canceled.
-- **CategoryId** The Item Category ID.
-- **ProductId** The identity of the package or packages being installed.
+- **IsBundle** Is this a bundle?
 - **IsInteractive** Was this requested by a user?
-- **IsRemediation** Was this a remediation install?
-- **BundleId** The Item Bundle ID.
 - **IsMandatory** Was this a mandatory update?
+- **IsRemediation** Was this a remediation install?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Flag indicating if this is an update.
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The product family name of the product being installed.
+- **ProductId** The identity of the package or packages being installed.
 - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
 - **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
-- **IsRestore** Is this automatically restoring a previously acquired product?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **WUContentId** Licensing identity of this package.
 ### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
@@ -3550,40 +4468,40 @@ This event is sent when an app update or installation is canceled while in inter
 The following fields are available:
-- **IsInteractive** Was this requested by a user?
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
 - **AttemptNumber** Total number of installation attempts.
 - **BundleId** The identity of the Windows Insider build that is associated with this product.
-- **PreviousHResult** The previous HResult code.
-- **ClientAppId** The identity of the app that initiated this operation.
 - **CategoryId** The identity of the package or packages being installed.
-- **PFN** The name of all packages to be downloaded and installed.
-- **ProductId** The name of the package or packages requested for installation.
-- **IsUpdate** Is this a product update?
-- **IsRemediation** Is this repairing a previous installation?
-- **RelatedCV** Correlation Vector of a previous performed action on this product.
-- **PreviousInstallState** Previous installation state before it was canceled.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Was this requested by a user?
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this an automatic restore of a previously acquired product?
+- **IsUpdate** Is this a product update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of all packages to be downloaded and installed.
+- **PreviousHResult** The previous HResult code.
+- **PreviousInstallState** Previous installation state before it was canceled.
+- **ProductId** The name of the package or packages requested for installation.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
 - **UserAttemptNumber** Total number of user attempts to install before it was canceled.
-- **IsRestore** Is this an automatic restore of a previously acquired product?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
-This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure.
 The following fields are available:
+- **CatalogId** The Store Product ID of the app being installed.
+- **HResult** HResult code of the action being performed.
 - **IsBundle** Is this a bundle?
+- **PackageFamilyName** The name of the package being installed.
 - **ProductId** The Store Product ID of the product being installed.
 - **SkuId** Specific edition of the item being installed.
-- **CatalogId** The Store Product ID of the app being installed.
-- **PackageFamilyName** The name of the package being installed.
-- **HResult** HResult code of the action being performed.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
@@ -3592,57 +4510,57 @@ This event is sent after the license is acquired when a product is being install
 The following fields are available:
-- **PFN** Product Family Name of the product being installed.
-- **HResult** HResult code to show the result of the operation (success/failure).
-- **ProductId** The Store Product ID for the product being installed.
-- **IsInteractive** Did the user initiate the installation?
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber** The total number of attempts to acquire this product.
 - **CategoryId** The identity of the package or packages being installed.
 - **ClientAppId** The identity of the app that initiated this operation.
-- **IsRemediation** Is this repairing a previous installation?
-- **UpdateId** The update ID (if this is an update)
-- **AttemptNumber** The total number of attempts to acquire this product.
-- **IsUpdate** Is this an update?
-- **IsMandatory** Is this a mandatory update?
-- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
-- **UserAttemptNumber** The number of attempts by the user to acquire this product
-- **IsRestore** Is this happening after a device restore?
+- **HResult** HResult code to show the result of the operation (success/failure).
 - **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
+- **IsInteractive** Did the user initiate the installation?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this happening after a device restore?
+- **IsUpdate** Is this an update?
 - **ParentBundledId** The product's parent bundle ID.
-- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UpdateId** The update ID (if this is an update)
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
-This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure.
+This event is sent after an app is downloaded to help keep Windows up-to-date and secure.
 The following fields are available:
-- **PFN** The Product Family Name of the app being download.
-- **IsRemediation** Is this repairing a previous installation?
-- **DownloadSize** The total size of the download.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **CategoryId** The identity of the package or packages being installed.
-- **IsUpdate** Is this an update?
-- **HResult** The result code of the last action performed.
-- **IsInteractive** Is this initiated by the user?
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
 - **AttemptNumber** Number of retry attempts before it was canceled.
 - **BundleId** The identity of the Windows Insider build associated with this product.
-- **ProductId** The Store Product ID for the product being installed.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
 - **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
 - **SystemAttemptNumber** The number of attempts by the system to download.
 - **UserAttemptNumber** The number of attempts by the user to download.
-- **IsRestore** Is this a restore of a previously acquired product?
-- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
-- **IsBundle** Is this a bundle?
 - **WUContentId** The Windows Update content ID.
-- **ExtendedHResult** Any extended HResult error codes.
-- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
-This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
+This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure.
 The following fields are available:
@@ -3660,29 +4578,29 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
-This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure.
+This event is sent after a product has been installed to help keep Windows up-to-date and secure.
 The following fields are available:
-- **BundleId** The identity of the build associated with this product.
-- **PFN** Product Family Name of the product being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **CategoryId** The identity of the package or packages being installed.
-- **ProductId** The Store Product ID for the product being installed.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
 - **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
 - **HResult** The result code of the last action performed.
-- **IsRemediation** Is this repairing a previous installation?
+- **IsBundle** Is this a bundle?
 - **IsInteractive** Is this an interactive installation?
-- **IsUpdate** Is this an update?
 - **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of user attempts.
-- **IsRestore** Is this automatically restoring a previously acquired product?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **ExtendedHResult** The extended HResult error code.
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
@@ -3691,63 +4609,63 @@ This event is sent after a scan for product updates to determine if there are pa
 The following fields are available:
+- **ClientAppId** The identity of the app that initiated this operation.
 - **HResult** The result code of the last action performed.
 - **IsApplicability** Is this request to only check if there are any applicable packages to install?
 - **IsInteractive** Is this user requested?
-- **ClientAppId** The identity of the app that initiated this operation.
 - **IsOnline** Is the request doing an online check?
 ### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
-This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
 The following fields are available:
-- **IsRemediation** Is this repairing a previous installation?
-- **IsUpdate** Is this an update?
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** The result code of the last action performed.
-- **ProductId** The Store Product ID for the product being installed.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
 - **AttemptNumber** The total number of retry attempts before it was canceled.
-- **IsInteractive** Is this user requested?
-- **PFN** The name of the package or packages requested for install.
 - **BundleId** The identity of the build associated with this product.
 - **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of user attempts.
-- **IsRestore** Is this restoring previously acquired content?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
-This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure.
+This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure.
 The following fields are available:
-- **IsInteractive** Is this user requested?
-- **PFN** The name of the package or packages requested for install.
-- **IsUpdate** Is this an update?
-- **CategoryId** The identity of the package or packages being installed.
-- **HResult** The result code of the last action performed.
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
 - **AttemptNumber** The total number of retry attempts before it was canceled.
-- **ProductId** The Store Product ID for the product being installed.
 - **BundleId** The identity of the build associated with this product.
-- **IsRemediation** Is this repairing a previous installation?
+- **CategoryId** The identity of the package or packages being installed.
 - **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of system attempts.
-- **IsRestore** Is this restoring previously acquired content?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
@@ -3761,100 +4679,100 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
-This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+This event is sent at the end of an app install or update to help keep Windows up-to-date and secure.
 The following fields are available:
-- **ProductId** The product ID of the app that is being updated or installed.
-- **PFN** The Package Family Name of the app that is being installed or updated.
-- **FailedRetry** Was the installation or update retry successful?
+- **FailedRetry** Indicates whether the installation or update retry was successful.
 - **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
-This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure.
 The following fields are available:
-- **ProductId** The product ID of the app that is being updated or installed.
 - **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
-This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure.
 The following fields are available:
-- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
 - **BundleId** The identity of the build associated with this product.
-- **SkuId** Specific edition ID being installed.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
 - **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
 - **VolumePath** The disk path of the installation.
 ### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
-This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure.
 The following fields are available:
-- **RelatedCV** Correlation Vector of a previous performed action on this product.
-- **IsRemediation** Is this repairing a previous installation?
-- **PreviousHResult** The result code of the last action performed before this operation.
-- **ProductId** The Store Product ID for the product being installed.
-- **IsUpdate** Is this an update?
-- **PreviousInstallState** Previous state before the installation or update was paused.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
 - **CategoryId** The identity of the package or packages being installed.
 - **ClientAppId** The identity of the app that initiated this operation.
-- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **IsBundle** Is this a bundle?
 - **IsInteractive** Is this user requested?
-- **BundleId** The identity of the build associated with this product.
-- **PFN** The Product Full Name.
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of user attempts.
-- **IsRestore** Is this restoring previously acquired content?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
-This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure.
 The following fields are available:
-- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
 - **AttemptNumber** The number of retry attempts before it was canceled.
 - **BundleId** The identity of the build associated with this product.
-- **PreviousHResult** The previous HResult error code.
-- **ClientAppId** The identity of the app that initiated this operation.
 - **CategoryId** The identity of the package or packages being installed.
-- **PFN** The name of the package or packages requested for install.
-- **IsUpdate** Is this an update?
-- **PreviousInstallState** Previous state before the installation was paused.
-- **IsRemediation** Is this repairing a previous installation?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
 - **IsInteractive** Is this user requested?
-- **ProductId** The Store Product ID for the product being installed.
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsUserRetry** Did the user initiate the retry?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of user attempts.
-- **IsRestore** Is this restoring previously acquired content?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-- **IsUserRetry** Did the user initiate the retry?
-- **HResult** The result code of the last action performed before this operation.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
-This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure.
 The following fields are available:
@@ -3863,22 +4781,22 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
-This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure.
 The following fields are available:
+- **CatalogId** The Store Catalog ID for the product being installed.
 - **ProductId** The Store Product ID for the product being installed.
 - **SkuId** Specfic edition of the app being updated.
-- **CatalogId** The Store Product ID for the product being installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
-This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
+This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure.
 The following fields are available:
-- **PFamN** The name of the product that is requested for update.
+- **PFamN** The name of the app that is requested for update.
 ## Windows Update Delivery Optimization events
@@ -3889,22 +4807,22 @@ This event describes when a download was canceled with Delivery Optimization. It
 The following fields are available:
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
-- **fileID** The ID of the file being downloaded.
-- **sessionID** The ID of the file download session.
-- **scenarioID** The ID of the scenario.
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **updateID** The ID of the update being downloaded.
 - **background** Is the download being done in the background?
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **clientTelId** A random number used for device sampling.
+- **bytesFromCDN** The number of bytes received from a CDN source.
 - **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
-- **errorCode** The error code that was returned.
-- **doErrorCode** The Delivery Optimization error code that was returned.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
 - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
 - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **clientTelId** A random number used for device sampling.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **errorCode** The error code that was returned.
 - **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
 - **isVpn** Is the device connected to a Virtual Private Network?
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the file download session.
+- **updateID** The ID of the update being downloaded.
 - **usedMemoryStream** Did the download use memory streaming?
@@ -3914,37 +4832,36 @@ This event describes when a download has completed with Delivery Optimization. I
 The following fields are available:
-- **sessionID** The ID of the download session.
-- **scenarioID** The ID of the scenario.
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
-- **updateID** The ID of the update being downloaded.
-- **fileSize** The size of the file being downloaded.
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **fileID** The ID of the file being downloaded.
 - **background** Is the download a background download?
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **totalTime** How long did the download take (in seconds)?
-- **restrictedUpload** Is the upload restricted?
-- **clientTelId** A random number used for device sampling.
+- **bytesFromCDN** The number of bytes received from a CDN source.
 - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
-- **downloadMode** The download mode used for this file download session.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **numPeers** The total number of peers used for this download.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
 - **cdnConnectionCount** The total number of connections made to the CDN.
-- **lanConnectionCount** The total number of connections made to peers in the same LAN.
-- **groupConnectionCount** The total number of connections made to peers in the same group.
-- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
-- **cdnIp** The IP address of the source CDN.
-- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
-- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
-- **downlinkUsageBps** The download speed (in bytes per second).
-- **uplinkUsageBps** The upload speed (in bytes per second).
-- **totalTimeMs** Duration of the download (in seconds).
 - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
 - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
-- **bytesRequested** The total number of bytes requested for download.
+- **cdnIp** The IP address of the source CDN.
+- **clientTelId** A random number used for device sampling.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
 - **isVpn** Is the device connected to a Virtual Private Network?
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **numPeers** The total number of peers used for this download.
+- **restrictedUpload** Is the upload restricted?
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
 - **usedMemoryStream** Did the download use memory streaming?
@@ -3954,48 +4871,48 @@ This event represents a temporary suspension of a download with Delivery Optimiz
 The following fields are available:
-- **updateID** The ID of the update being paused.
-- **errorCode** The error code that was returned.
-- **scenarioID** The ID of the scenario.
 - **background** Is the download a background download?
-- **sessionID** The ID of the download session.
 - **clientTelId** A random number used for device sampling.
-- **reasonCode** The reason for pausing the download.
-- **fileID** The ID of the file being paused.
+- **errorCode** The error code that was returned.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being paused.
 - **isVpn** Is the device connected to a Virtual Private Network?
+- **reasonCode** The reason for pausing the download.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being paused.
 ### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
 The following fields are available:
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **errorCode** The error code that was returned.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **peerID** The ID for this Delivery Optimization client.
-- **doClientVersion** The version of the Delivery Optimization client.
-- **jobID** The ID of the Windows Update job.
-- **sessionID** The ID of the download session.
-- **updateID** The ID of the update being downloaded.
-- **scenarioID** The ID of the scenario.
-- **fileID** The ID of the file being downloaded.
-- **cdnUrl** The URL of the CDN.
-- **filePath** The path where the file will be written.
-- **groupID** ID for the group.
-- **background** Is the download a background download?
-- **downloadMode** The download mode used for this file download session.
-- **minFileSizePolicy** The minimum content file size policy to allow the download using Peering.
-- **diceRoll** The dice roll value used in sampling events.
-- **deviceProfile** Identifies the usage or form factor. Example: Desktop or Xbox
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **usedMemoryStream** Did the download use memory streaming?
-- **minDiskSizePolicyEnforced** Is the minimum disk size enforced via policy?
-- **minDiskSizeGB** The minimum disk size (in GB) required for Peering.
+- **background** Indicates whether the download is happening in the background.
+- **cdnUrl** The URL of the source CDN.
 - **clientTelId** A random number used for device sampling.
 - **costFlags** A set of flags representing network cost.
+- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
+- **diceRoll** Random number used for determining if a client will use peering.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
+- **errorCode** The error code that was returned.
+- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **fileID** The ID of the file being downloaded.
+- **filePath** The path to where the downloaded file will be written.
+- **groupID** ID for the group.
+- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
+- **jobID** The ID of the Windows Update job.
+- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization.
+- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering.
+- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization.
+- **peerID** The ID for this delivery optimization client.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID for the file download session.
+- **updateID** The ID of the update being downloaded.
+- **usedMemoryStream** Indicates whether the download used memory streaming.
 ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
@@ -4004,19 +4921,19 @@ This event represents a failure to download from a CDN with Delivery Optimizatio The following fields are available: +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **clientTelId** A random number used for device sampling. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. - **fileID** The ID of the file being downloaded. -- **errorCode** The error code that was returned. - **httpStatusCode** The HTTP status code returned by the CDN. -- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. -- **sessionID** The ID of the download session. -- **cdnUrl** The URL of the CDN. -- **cdnIp** The IP address of the CDN. -- **cdnHeaders** The HTTP headers returned by the CDN. -- **clientTelId** A random number used for device sampling. - **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET - **requestSize** The size of the range requested from the CDN. - **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. ### Microsoft.OSG.DU.DeliveryOptClient.JobError 
@@ -4025,11 +4942,11 @@ This event represents a Windows Update job error. It allows for investigation of The following fields are available: -- **jobID** The Windows Update job ID. -- **fileID** The ID of the file being downloaded. -- **errorCode** The error code returned. - **clientTelId** A random number used for device sampling. +- **errorCode** The error code returned. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. ## Windows Update events @@ -4040,11 +4957,11 @@ This event sends data collected at the end of the Data Migration Framework (DMF) The following fields are available: -- **MigrationEndtime** A system timestamp of when the DMF migration completed. -- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session. -- **WuClientid** The GUID of the Windows Update client responsible for triggering the DMF migration. -- **MigrationDurationinmilliseconds** How long the DMF migration took (in milliseconds). +- **MigrationDurationInMilliseconds** How long the DMF migration took (in milliseconds) +- **MigrationEndTime** A system timestamp of when the DMF migration completed. - **RevisionNumbers** A collection of revision numbers for the updates associated with the DMF session. +- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session. +- **WuClientId** The GUID of the Windows Update client responsible for triggering the DMF migration ### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted 
@@ -4053,12 +4970,12 @@ This event sends data collected at the beginning of the Data Migration Framework The following fields are available: -- **UpdateIds** A collection of GUIDs identifying the upgrades that are running. -- **MigrationStarttime** The timestamp representing the beginning of the DMF migration. -- **MigrationOEMphases** The number of OEM-authored migrators scheduled to be ran by DMF for this upgrade. -- **WuClientid** The GUID of the Windows Update client invoking DMF. -- **MigrationMicrosoftphases** The number of Microsoft-authored migrators scheduled to be ran by DMF for this upgrade. +- **MigrationMicrosoftPhases** Revision numbers for the updates that were installed. +- **MigrationOEMPhases** WU Update IDs for the updates that were installed. +- **MigrationStartTime** The timestamp representing the beginning of the DMF migration - **RevisionNumbers** A collection of the revision numbers associated with the UpdateIds. +- **UpdateIds** A collection of GUIDs identifying the upgrades that are running. +- **WuClientId** The GUID of the Windows Update client invoking DMF ### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult 
@@ -4067,42 +4984,185 @@ This event sends DMF migrator data to help keep Windows up to date. The following fields are available: -- **MigratorGuid** A GUID identifying the migrator that just completed. -- **RunDurationInSeconds** The time it took for the migrator to complete. - **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure. -- **MigratorName** The name of the migrator that just completed. -- **MigratorId** A GUID identifying the migrator that just completed. - **ErrorCode** The result (as an HRESULT) of the migrator that just completed. +- **MigratorId** A GUID identifying the migrator that just completed. +- **MigratorName** The name of the migrator that just completed. +- **RunDurationInSeconds** The time it took for the migrator to complete. - **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps. +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. 
+- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog + +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog + +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. 
+- **UserResponseString** The option that user chose in this dialog box. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog + +This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog + +This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. 
+- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog + +This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart. + +The following fields are available: + +- **DeviceLocalTime** The time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog + +This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. 
+- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. + + ### Microsoft.Windows.Update.Orchestrator.CommitFailed -This events tracks when a device needs to restart after an update but did not. +This event indicates that a device was unable to restart after an update. The following fields are available: -- **wuDeviceid** The Windows Update device GUID. - **errorCode** The error code that was returned. +- **wuDeviceid** The Windows Update device GUID. ### Microsoft.Windows.Update.Orchestrator.Detection -This event sends launch data for a Windows Update scan to help keep Windows up to date. +This event indicates that a scan for a Windows Update occurred. The following fields are available: -- **wuDeviceid** Unique device ID used by Windows Update. -- **revisionNumber** Update revision number. -- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **deferReason** Reason why the device could not check for updates. - **detectionBlockreason** Reason for detection not completing. -- **interactive** Identifies if session is User Initiated. -- **updateId** Update ID. - **detectionDeferreason** A log of deferral reasons for every update state. -- **flightID** A unique update ID. -- **updateScenarioType** The update session type. - **errorCode** The returned error code. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. 
+- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session was user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.Download 
@@ -4111,31 +5171,31 @@ This event sends launch data for a Windows Update download to help keep Windows The following fields are available: +- **deferReason** Reason for download not completing. - **detectionDeferreason** Reason for download not completing -- **wuDeviceid** Unique device ID used by Windows Update. -- **interactive** Identifies if session is user initiated. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. - **revisionNumber** Update revision number. -- **deferReason** Reason for download not completing - **updateId** Update ID. -- **eventScenario** End to end update session ID. -- **errorCode** An error code represented as a hexadecimal value -- **flightID** Unique update ID. - **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.FlightInapplicable -This event sends data on whether the update was applicable to the device, to help keep Windows up to date. +This event indicates that the update is no longer applicable to this device. The following fields are available: -- **updateId** Unique Update ID -- **revisionNumber** Revision Number of the Update -- **UpdateStatus** Integer that describes Update state -- **EventPublishedTime** time that the event was generated -- **wuDeviceid** Unique Device ID -- **flightID** Unique Update ID -- **updateScenarioType** The update session type. +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **wuDeviceid** Unique Device ID. 
### Microsoft.Windows.Update.Orchestrator.InitiatingReboot @@ -4144,15 +5204,15 @@ This event sends data about an Orchestrator requesting a reboot from power manag The following fields are available: -- **revisionNumber** Revision number of the update. - **EventPublishedTime** Time of the event. -- **updateId** Update ID. -- **wuDeviceid** Unique device ID used by Windows Update. - **flightID** Unique update ID -- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. - **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.Install 
@@ -4161,59 +5221,59 @@ This event sends launch data for a Windows Update install to help keep Windows u The following fields are available: -- **eventScenario** End to end update session ID. -- **deferReason** Reason for install not completing. -- **interactive** Identifies if session is user initiated. -- **wuDeviceid** Unique device ID used by Windows Update. - **batteryLevel** Current battery capacity in mWh or percentage left. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **deferReason** Reason for install not completing. - **errorCode** The error code reppresented by a hexadecimal value. -- **updateId** Update ID. -- **revisionNumber** Update revision number. -- **flightID** Unique update ID -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **flightUpdate** Flight update -- **minutesToCommit** The time it took to install updates. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. - **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. 
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. - **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.PostInstall -This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date. +This event is sent after a Windows update install completes. The following fields are available: -- **wuDeviceid** Unique device ID used by Windows Update. -- **eventScenario** End to end update session ID. -- **sessionType** Interactive vs. Background. -- **bundleRevisionnumber** Bundle revision number. - **batteryLevel** Current battery capacity in mWh or percentage left. -- **bundleId** Update grouping ID. -- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **bundleId** Identifier associated with the specific content bundle. +- **bundleRevisionnumber** Identifies the revision number of the content bundle. +- **errorCode** The error code returned for the current phase. +- **eventScenario** State of update action. - **flightID** Unique update ID. +- **sessionType** The Windows Update session type (Interactive or Background). +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.RebootFailed -This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date. +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. 
The following fields are available: -- **updateId** Update ID. - **batteryLevel** Current battery capacity in mWh or percentage left. -- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. -- **installRebootDeferreason** Reason for reboot not occurring. -- **revisionNumber** Update revision number. -- **EventPublishedTime** The time that the reboot failure occurred. - **deferReason** Reason for install not completing. -- **wuDeviceid** Unique device ID used by Windows Update. +- **EventPublishedTime** The time that the reboot failure occurred. - **flightID** Unique update ID. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **installRebootDeferreason** Reason for reboot not occurring. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. - **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask 
@@ -4223,9 +5283,9 @@ This event sends data indicating that a reboot task is missing unexpectedly on a The following fields are available: - **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **wuDeviceid** Device id on which the reboot is restored - **revisionNumber** Update revision number. - **updateId** Update ID. +- **wuDeviceid** Device ID for the device on which the reboot is restored. ### Microsoft.Windows.Update.Orchestrator.SystemNeeded @@ -4234,14 +5294,14 @@ This event sends data about why a device is unable to reboot, to help keep Windo The following fields are available: -- **eventScenario** End to end update session ID. -- **wuDeviceid** Unique device ID used by Windows Update. -- **systemNeededReason** Reason ID -- **updateId** Update ID. +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. - **revisionNumber** Update revision number. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. - **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh 
@@ -4250,11 +5310,11 @@ This event sends data on whether Update Management Policies were enabled on a de The following fields are available: +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. - **wuDeviceid** Unique device ID used by Windows Update. -- **policyCacherefreshtime** Refresh time -- **policiesNamevaluesource** Policy Name -- **updateInstalluxsetting** This shows whether a user has set policies via UX option -- **configuredPoliciescount** Policy Count ### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired 
@@ -4263,13 +5323,13 @@ This event sends data about whether an update required a reboot to help keep Win The following fields are available: -- **updateId** Update ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. - **revisionNumber** Update revision number. -- **wuDeviceid** Unique device ID used by Windows Update. -- **flightID** Unique update ID. -- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **updateId** Update ID. - **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates 
@@ -4278,18 +5338,18 @@ This event sends data about the UpdateStackServicing check for updates, to help The following fields are available: -- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded -- **StatusCode** The HRESULT code of the operation. +- **BspVersion** The version of the BSP. - **CallerApplicationName** The name of the USS scheduled task. Example UssScheduled or UssBoot - **ClientVersion** The version of the client. -- **EventInstanceID** The USS session ID. -- **WUDeviceID** The Windows Update device ID. -- **ServiceGuid** The GUID of the service. -- **BspVersion** The version of the BSP. -- **OemName** The name of the manufacturer. -- **DeviceName** The name of the device. - **CommercializationOperator** The name of the operator. - **DetectionVersion** The string returned from the GetDetectionVersion export of the downloaded detection DLL. +- **DeviceName** The name of the device. +- **EventInstanceID** The USS session ID. +- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded +- **OemName** The name of the manufacturer. +- **ServiceGuid** The GUID of the service. +- **StatusCode** The HRESULT code of the operation. +- **WUDeviceID** The Windows Update device ID. ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded 
@@ -4307,16 +5367,16 @@ This event sends data about a required reboot that is scheduled with no user int The following fields are available: -- **updateId** Update ID of the update that is getting installed with this reboot. -- **ScheduledRebootTime** Time of the scheduled reboot. -- **wuDeviceid** Unique device ID used by Windows Update. -- **revisionNumber** Revision number of the update that is getting installed with this reboot. -- **forcedreboot** True, if a reboot is forced on the device. False, otherwise. +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False - **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. -- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise. - **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. -- **rebootState** The state of the reboot. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot 
@@ -4334,16 +5394,16 @@ This event sends basic information for scheduling a device restart to install se The following fields are available: -- **ScheduledRebootTime** The time that the device was restarted. -- **updateId** The Windows Update device GUID. -- **revisionNumber** The revision number of the OS being updated. -- **wuDeviceid** The Windows Update device GUID. -- **forcedreboot** Is the restart that's being scheduled a forced restart? -- **rebootArgument** The arguments that are passed to the OS for the restarted. -- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. - **activeHoursApplicable** Is the restart respecting Active Hours? +- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False +- **rebootArgument** The arguments that are passed to the OS for the restarted. - **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. - **rebootState** The state of the restart. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. ## Winlogon events @@ -4354,3 +5414,4 @@ This event signals the completion of the setup process. It happens only once dur + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index bb8dd0082b..665450f693 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md 
@@ -1,27 +1,26 @@ --- -description: Learn more about the Windows diagnostic data that is gathered at the basic level. +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) -keywords: privacy, diagnostic data +keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: danihalfin -ms.author: daniha -ms.date: 06/20/2018 +author: brianlic-msft +ms.author: brianlic +ms.date: 09/10/2018 --- # Windows 10, version 1709 basic level Windows diagnostic events and fields - **Applies to** - Windows 10, version 1709 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. 
@@ -30,339 +29,315 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) -## Common data extensions - -### Common Data Extensions.App - - - -The following fields are available: - -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **userId** The userID as known by the application. -- **env** The environment from which the event was logged. -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. - - -### Common Data Extensions.CS - - - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. 
- - -### Common Data Extensions.CUET - - - -The following fields are available: - -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. -- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **op** Represents the ETW Op Code. -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event. -- **bseq** Upload buffer sequence number in the format \:\ -- **mon** Combined monitor and event sequence numbers in the format \:\ - - -### Common Data Extensions.Device - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **deviceClass** Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile. - - -### Common Data Extensions.Envelope - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **name** Represents the uniquely qualified name for the event. -- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. 
-- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **iKey** Represents an ID for applications or other logical groupings of events. -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. -- **os** Represents the operating system name. -- **osVer** Represents the OS version, and its format is OS dependent. -- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries. - - -### Common Data Extensions.OS - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. 
-- **locale** Represents the locale of the operating system. -- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. - - -### Common Data Extensions.User - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. - - -### Common Data Extensions.XBL - - - -The following fields are available: - -- **nbf** Not before time -- **expId** Expiration time -- **sbx** XBOX sandbox identifier -- **dty** XBOX device type -- **did** XBOX device ID -- **xid** A list of base10-encoded XBOX User IDs. -- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - - -### Common Data Extensions.Consent UI Event - -This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path. - -The following fields are available: - -- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved. -- **splitToken** Represents the flag used to distinguish between administrators and standard users. -- **friendlyName** Represents the name of the file requesting elevation from low IL. -- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on). -- **exeName** Represents the name of the file requesting elevation from low IL. 
-- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on. -- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL. -- **cmdLine** Represents the full command line arguments being used to elevate. -- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL. -- **Hash** Represents the hash of the file requesting elevation from low IL. -- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL. -- **telemetryFlags** Represents the details about the elevation prompt for CEIP data. -- **timeStamp** Represents the time stamp on the file requesting elevation. -- **fileVersionMS** Represents the major version of the file requesting elevation. -- **fileVersionLS** Represents the minor version of the file requesting elevation. - - -## Common data fields - -### Common Data Fields.MS.Device.DeviceInventory.Change - -These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event. - -The following fields are available: - -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. -- **objectType** Indicates the object type that the event applies to. -- **Action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing - - -### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings - -These fields are added whenever PreUpgradeSettings is included in the event. - -The following fields are available: - -- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed. 
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device. -- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed. -- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user. -- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed. -- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device. -- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed. -- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device. -- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed. -- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user. -- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update. -- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device. -- **HKLM_TIPC.Enabled** The state of TIPC for the device. -- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device. -- **HKCU_TIPC.Enabled** The state of TIPC for the current user. -- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user. -- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed? -- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device. 
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed? -- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user. -- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed? -- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user. -- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device? -- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device. -- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user? -- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user. - - -### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings - -These fields are added whenever PostUpgradeSettings is included in the event. - -The following fields are available: - -- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed. -- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device. -- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed. -- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user. -- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed. -- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device. 
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed. -- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device. -- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed. -- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user. -- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update. -- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device. -- **HKLM_TIPC.Enabled** The state of TIPC for the device. -- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device. -- **HKCU_TIPC.Enabled** The state of TIPC for the current user. -- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user. -- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed? -- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device. -- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed? -- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user. -- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed? -- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user. 
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device? -- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device. -- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user? -- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user. - ## Appraiser events -### Microsoft.Windows.Appraiser.General.RunContext +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount -This event indicates what should be expected in the data payload. +Invalid Signature - This event is superseded by an event that contains additional fields. The following fields are available: -- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Time** The client time of the event. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS4** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceDevicePnp_RS4** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. 
+- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. 
+- **PCFP** An ID for the system, calculated by hashing hardware identifiers. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The count of the number of this particular object type present on this device. +- **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine. +- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. +- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemWim** The count of SystemWim objects present on this machine. +- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. +- **SystemWlan** The count of the number of this particular object type present on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -### Microsoft.Windows.Appraiser.General.TelemetryRunHealth +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd -A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date. +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. 
-- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **AuxFinal** Obsolete, always set to false -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. -- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. 
Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser diagnostic data run. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current diagnostic data run. -- **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if diagnostic data was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. -- **Time** The client time of the event. -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. -### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove -The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. 
This event can only be sent if a special flag is used to trigger the enterprise scenario. +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Time** The client time of the event. +- **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program. +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **IsBootCritical** Indicates whether the device boot is critical. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. 
+- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 -- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. -- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. -- **CompanyName** The company name of the vendor who developed this file. -- **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file? -- **IsAv** Is the file an anti-virus reporting EXE? -- **LinkDate** The date and time that this file was linked on. -- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. 
-- **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. -- **Size** The size of the file (in hexadecimal bytes). -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd -This event represents the drivers that an application installs. +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory component -- **Programids** The unique program identifier the driver is associated with. +- **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync -This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory component. +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd This event sends compatibility decision data about a file to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. +- **AppraiserVersion** The version of the appraiser file that is generating the events. - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? 
@@ -380,93 +355,40 @@ The following fields are available: - **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. - **SoftBlock** The file is softblocked in the SDB and has a warning. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -The following fields are available: +This event indicates Indicates that the DecisionApplicationFile object is no longer present. -- **AppraiserVersion** The version of the appraiser file generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd - -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessage** Will a generic message be shown for this block? -- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? -- **SdbBlockUpgrade** Is a matching info block blocking upgrade? -- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? -- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? 
- - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd - -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? -- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd - -This event sends compatibility data for a PNP device, to help keep Windows up-to-date. - -The following fields are available: - -- **ActiveNetworkConnection** Is the device an active network device? -- **AppraiserVersion** The version of the appraiser file generating the events. -- **IsBootCritical** Is the device boot critical? -- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. -- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up-to-date. +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? - **AppraiserVersion** The version of the appraiser file generating the events. - **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? 
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? - **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? - **BlockingDevice** Is this PNP device blocking upgrade? - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? @@ -482,17 +404,33 @@ The following fields are available: - **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove -This event sends compatibility database data about driver packages to help keep Windows up-to-date. +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd -This event sends decision data about driver package compatibility to help keep Windows up-to-date. +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -504,188 +442,144 @@ The following fields are available: - **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove -This event sends basic metadata about the BIOS to determine whether it has a compatibility block. +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BiosDate** The release date of the BIOS in UTC format. -- **BiosName** The name field from Win32_BIOS. -- **Manufacturer** The manufacturer field from Win32_ComputerSystem. -- **Model** The model field from Win32_ComputerSystem. -### Microsoft.Windows.Appraiser.General.SystemMemoryAdd +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device from upgrade due to memory restrictions? -- **MemoryRequirementViolated** Was a memory requirement violated? -- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). -- **ram** The amount of memory on the device. -- **ramKB** The amount of memory (in KB). -- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). -- **virtualKB** The amount of virtual memory (in KB). 
- - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd - -This event sends compatibility decision data about the BIOS to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device blocked from upgrade due to a BIOS block? -- **HasBiosBlock** Does the device have a BIOS block? - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd - -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS. - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd - -This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **CompareExchange128Support** Does the CPU support CompareExchange128? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd - -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **LahfSahfSupport** Does the CPU support LAHF/SAHF? - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd - -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. -- **NXProcessorSupport** Does the processor support NX? -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date. +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
-- **Blocking** Is the upgrade blocked due to the processor? -- **PrefetchWSupport** Does the processor support PrefetchW? -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date. +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **SSE2ProcessorSupport** Does the processor support SSE2? -### Microsoft.Windows.Appraiser.General.SystemWimAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd -This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date. +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IsWimBoot** Is the current operating system running from a compressed WIM file? -- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? 
-### Microsoft.Windows.Appraiser.General.SystemTouchAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove -This event sends data indicating whether the system supports touch, to help keep Windows up-to-date. +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? -- **MaximumTouches** The maximum number of touch points supported by the device hardware. -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync -This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date. +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. -- **WindowsNotActivatedDecision** Is the current operating system activated? -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd -This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date. +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Does this device have 2 or more language packs? -- **LanguagePackCount** How many language packs are installed? +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). -### Microsoft.Windows.Appraiser.General.SystemWlanAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? -- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? -- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? -- **WlanExists** Does the device support WLAN at all? -- **WlanModulePresent** Are any WLAN modules present? -- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? 
-### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync -This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **EverLaunched** Has Windows Media Center ever been launched? -- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? -- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? -- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? -- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? -- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? -- **IsSupported** Does the running OS support Windows Media Center? +- **AppraiserVersion** The version of the Appraiser file that is generating the events. ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd -This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date. +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -698,187 +592,11 @@ The following fields are available: - **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. +This event indicates that the DecisionMediaCenter object is no longer present. -The following fields are available: - -- **DatasourceApplicationFile_RS2** The total DatasourceApplicationFile objects targeting Windows 10 version 1703 present on this device. -- **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device. -- **DatasourceDriverPackage_RS2** The total DatasourceDriverPackage objects targeting Windows 10 version 1703 present on this device. -- **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DataSourceMatchingInfoPassive_RS2** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DecisionApplicationFile_RS2** The total DecisionApplicationFile objects targeting Windows 10 version 1703 present on this device. -- **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device. -- **DecisionDriverPackage_RS2** The total DecisionDriverPackage objects targeting Windows 10 version 1703 present on this device. 
-- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device. -- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device. -- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. -- **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device. -- **InventorySystemBios** The total InventorySystemBios objects that are present on this device. -- **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device. -- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. -- **SystemMemory** The total SystemMemory objects that are present on this device. -- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device. -- **SystemProcessorLahfSahf** The total SystemProcessorLahfSahf objects that are present on this device. -- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device. -- **SystemProcessorPrefetchW** The total SystemProcessorPrefetchW objects that are present on this device. -- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device. -- **SystemTouch** The total SystemTouch objects that are present on this device. 
-- **SystemWim** The total SystemWim objects that are present on this device -- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. -- **SystemWlan** The total SystemWlan objects that are present on this device. -- **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device. -- **DatasourceApplicationFile_RS3** "The total DecisionApplicationFile objects targeting the next release of Windows on this device. " -- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. -- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. -- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. -- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. -- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. 
-- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync - -This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync - -This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync - -This event indicates that a new set of SystemProcessorSse2Add events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync - -This event indicates that a new set of InventorySystemBiosAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync - -This event indicates that a new set of DecisionSystemBiosAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
- - -### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync - -This event indicates that a new set of SystemMemoryAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync - -This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync - -This event indicates that a new set of SystemProcessorNxAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync - -This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimStartSync - -This event indicates that a new set of SystemWimAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync - -This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchStartSync - -This event indicates that a new set of SystemTouchAdd events will be sent. 
- -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageEndSync - -This event indicates that a full set of DatasourceDriverPackageAdd events has been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanStartSync - -This event indicates that a new set of SystemWlanAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync - -This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -889,198 +607,48 @@ The following fields are available: This event indicates that a new set of DecisionMediaCenterAdd events will be sent. -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync - -This event indicates that a new set of InventoryMediaCenterAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync - -This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmStartSync - -This event indicates that a new set of WmdrmAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveEndSync - -This event indicates that a full set of DataSourceMatchingInfoPassiveAdd events have been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync - -This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
- - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync - -This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync - -This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync - -This event indicates that a new set of DecisionApplicationFileAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync - -This event indicates that a new set of InventoryLanguagePackAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync - -This event indicates that the DecisionDevicePnp object is no longer present. 
- -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync - -This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync - -This event indicates that a new set of DecisionDriverPackageAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmAdd - -This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. 
-- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd - -This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BootCritical** Is the driver package marked as boot critical? -- **Build** The build value from the driver package. -- **CatalogFile** The name of the catalog file within the driver package. -- **Class** The device class from the driver package. -- **ClassGuid** The device class GUID from the driver package. -- **Date** The date from the driver package. -- **Inbox** Is the driver package of a driver that is included with Windows? -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file, post-rename. -- **Revision** The revision of the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2 -- **VersionMajor** The major version of the driver package. -- **VersionMinor** The minor version of the driver package. - ### Microsoft.Windows.Appraiser.General.GatedRegChange This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. 
@@ -1095,109 +663,546 @@ The following fields are available: - **Time** The client time of the event. -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd -This event indicates that the DatasourceApplicationFile object is no longer present. +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. 
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that the DatasourceDevicePnp object is no longer present. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd -This event indicates that the DatasourceDriverPackage object is no longer present. +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync -This event indicates that the SystemProcessorSse2 object is no longer present. +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd -This event indicates that the InventoryUplevelDriverPackage object is no longer present. +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. 
- -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? ### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove This event indicates that the InventoryMediaCenter object is no longer present. -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BiosDate** The release date of the BIOS in UTC format. +- **BiosName** The name field from Win32_BIOS. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. 
Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? 
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. ### Microsoft.Windows.Appraiser.General.SystemTouchRemove -"This event indicates that the SystemTouch object is no longer present. " +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + ### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove This event indicates that the SystemWindowsActivationStatus object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1205,185 +1210,120 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanRemove -"This event indicates that the SystemWlan object is no longer present. " +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -This event indicates that the SystemProcessorNx object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove - -This event indicates that the DecisionDevicePnp object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
- - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove - -This event Indicates that the DecisionMatchingInfoPassive object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove - -This event indicates that the DecisionMatchingInfoBlock object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove - -This event indicates that the InventoryApplicationFile object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -"This event indicates that the SystemWim object is no longer present. " - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -"This event indicates that the InventorySystemBios object is no longer present. " +This event indicates the parameters and result of a telemetry (diagnostic) run. 
This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. 
If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. 
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. ### Microsoft.Windows.Appraiser.General.WmdrmRemove This event indicates that the Wmdrm object is no longer present. -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -"This event indicates that the SystemProcessorLahfSahf object is no longer present. " +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove +### Microsoft.Windows.Appraiser.General.WmdrmStartSync -This event indicates that the InventoryLanguagePack object is no longer present. +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove - -This event indicates that the DecisionDriverPackage object is no longer present. 
- -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -"This event indicates that the SystemProcessorCompareExchange object is no longer present. " - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryDriverBinaryEndSync - -This event indicates that a full set of InventoryDriverBinaryAdd events has been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - ## Census events +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. 
+- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** Retrieves which version of Internet Explorer is running on this device. + + ### Census.Battery This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. @@ -1397,6 +1337,16 @@ The following fields are available: - **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + ### Census.Enterprise This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. 
@@ -1408,7 +1358,7 @@ The following fields are available: - **CDJType** Represents the type of cloud domain joined for the machine. - **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. - **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Represents the type of enrollment, such as MDM or Intune, for a particular device. +- **EnrollmentType** Defines the type of MDM enrollment on the device. - **HashedDomain** The hashed representation of the user domain used for login. - **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false - **IsDERequirementMet** Represents if the device can do device encryption. 
@@ -1422,48 +1372,6 @@ The following fields are available: - **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier -### Census.App - -This event sends version data about the Apps running on this device, to help keep Windows up to date. - -The following fields are available: - -- **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** Retrieves which version of Internet Explorer is running on this device. - - -### Census.Camera - -This event sends data about the resolution of cameras on the device, to help keep Windows up to date. - -The following fields are available: - -- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. -- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. - - -### Census.UserDisplay - -This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. - -The following fields are available: - -- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. -- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. 
-- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . -- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **InternalPrimaryDisplayType** Represents the type of technology used in the monitor, such as Plasma, LED, LCOS, etc. -- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **VRAMDedicated** Retrieves the video RAM in MB. -- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. -- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. - - ### Census.Firmware This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. @@ -1478,11 +1386,11 @@ The following fields are available: ### Census.Flighting -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date. +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. The following fields are available: -- **DeviceSampleRate** The diagnostic data sample rate assigned to the device. +- **DeviceSampleRate** The telemetry sample rate assigned to the device. - **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. - **FlightIds** A list of the different Windows Insider builds on this device. - **FlightingBranchName** The name of the Windows Insider branch currently used by the device. 
@@ -1493,23 +1401,23 @@ The following fields are available: ### Census.Hardware -This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date. +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. The following fields are available: - **ActiveMicCount** The number of active microphones attached to the device. - **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. -- **D3DMaxFeatureLevel** The supported Direct3D version. +- **D3DMaxFeatureLevel** Supported Direct3D version. - **DeviceColor** Indicates a color of the device. - **DeviceForm** Indicates the form as per the device classification. - **DeviceName** The device name that is set by the user. - **DigitizerSupport** Is a digitizer supported? - **DUID** The device unique ID. -- **Gyroscope** Indicates whether the device has a gyroscope. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). - **InventoryId** The device ID used for compatibility testing. -- **Magnetometer** Indicates whether the device has a magnetometer. -- **NFCProximity** Indicates whether the device supports NFC. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) 
- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. - **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. - **OEMModelBaseBoard** The baseboard model used by the OEM. @@ -1525,9 +1433,9 @@ The following fields are available: - **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. - **SoCName** The firmware manufacturer of the device. - **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The diagnostic data level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions. -- **TelemetrySettingAuthority** Determines who set the diagnostic data level, such as GP, MDM, or the user. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. - **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. - **VoiceSupported** Does the device have a cellular radio capable of making voice calls? 
@@ -1572,9 +1480,9 @@ This event sends data about the operating system such as the version, locale, up
 The following fields are available:
 
 - **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
-- **AssignedAccessStatus** The kiosk configuration mode.
+- **AssignedAccessStatus** Kiosk configuration mode.
 - **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
-- **DeveloperUnlockStatus** "Represents if a device has been developer unlocked by the user or Group Policy. "
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
 - **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
 - **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
 - **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
@@ -1584,10 +1492,9 @@ The following fields are available:
 - **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
 - **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
 - **LanguagePacks** The list of language packages installed on the device.
-- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the Microsoft Store.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
 - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
 - **OSEdition** Retrieves the version of the current OS.
-- **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
 - **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
 - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
 - **OSSKU** Retrieves the Friendly Name of OS Edition.
@@ -1610,38 +1517,41 @@ The following fields are available:
 
 ### Census.Processor
 
-This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date.
+Provides information on several important data points about Processor settings
 
 The following fields are available:
 
-- **KvaShadow** Microcode info of the processor.
-- **MMSettingOverride** Microcode setting of the processor.
-- **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
-- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
-- **ProcessorCores** Retrieves the number of cores in the processor.
-- **ProcessorIdentifier** The processor identifier of a manufacturer.
-- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
-- **ProcessorModel** Retrieves the name of the processor model.
+- **KvaShadow** Microcode info of the processor.
+- **MMSettingOverride** Microcode setting of the processor.
+- **MMSettingOverrideMask** Microcode setting override of the processor.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
+- **ProcessorClockSpeed** Clock speed of the processor in MHz.
+- **ProcessorCores** Number of logical cores in the processor.
+- **ProcessorIdentifier** Processor Identifier of a manufacturer.
+- **ProcessorManufacturer** Name of the processor manufacturer.
+- **ProcessorModel** Name of the processor model.
 - **ProcessorPhysicalCores** Number of physical cores in the processor.
-- **ProcessorUpdateRevision** The microcode version.
-- **SocketCount** Number of physical CPU sockets of the machine.
-- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+- **ProcessorUpdateRevision** Microcode revision
+- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status
+- **SocketCount** Count of CPU sockets.
+- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
 
 
 ### Census.Security
 
-This event provides information on about security settings used to help keep Windows up-to-date and secure.
+This event provides information on about security settings used to help keep Windows up to date and secure.
 
-- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard.
-- **CGRunning** Is Credential Guard running?
-- **DGState** A summary of the Device Guard state.
-- **HVCIRunning** Is HVCI running?
-- **IsSawGuest** Describes whether the device is running as a Secure Admin Workstation Guest.
-- **IsSawHost** Describes whether the device is running as a Secure Admin Workstation Host.
-- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
-- **SecureBootCapable** Is this device capable of running Secure Boot?
-- **VBSState** Is virtualization-based security enabled, disabled, or running?
+The following fields are available:
+
+- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard.
+- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
+- **DGState** This field summarizes the Device Guard state.
+- **HVCIRunning** Is HVCI running?
+- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest.
+- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host.
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
+- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running.
 
 
 ### Census.Speech
@@ -1654,14 +1564,13 @@ The following fields are available:
 - **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
 - **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
 - **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
-- **KWSEnabled** "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)."
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
 - **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
-- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
 - **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
 - **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
 
 
-
 ### Census.Storage
 
 This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
@@ -1672,14 +1581,36 @@ The following fields are available:
 - **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
 - **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
 
+
 ### Census.Userdefault
 
 This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
 
 The following fields are available:
 
-- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
-- **DefaultBrowserProgId** The ProgramId of the current user's default browser
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
 
 
 ### Census.UserNLS
@@ -1694,26 +1625,22 @@ The following fields are available:
 - **KeyboardInputLanguages** The Keyboard input languages installed on the device.
 - **SpeechInputLanguages** The Speech Input languages installed on the device.
 
+
 ### Census.VM
 
 This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
 
 The following fields are available:
 
-- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
 - **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
 - **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
-- **isVDI** Is the device using Virtual Desktop Infrastructure?
-- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors.
+- **IsVDI** Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
 - **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
 - **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
 
 
-
-
-
-
-
 ### Census.WU
 
 This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
@@ -1725,25 +1652,26 @@ The following fields are available:
 - **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
 - **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
 - **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
-- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
-- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
-- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
-- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
-- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
-- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
 - **OSRollbackCount** The number of times feature updates have rolled back on the device.
 - **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
 - **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
 - **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
 - **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
 - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
-- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates
-- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
 - **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
 - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
-- **WUPauseState** Retrieves WU setting to determine if updates are paused
+- **WUPauseState** Retrieves WU setting to determine if updates are paused.
 - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
 
+
 ### Census.Xbox
 
 This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
@@ -1752,349 +1680,863 @@ The following fields are available:
 - **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
 - **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
-- **XboxLiveDeviceId** Retrieves the unique device id of the console.
-- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
+- **XboxLiveDeviceId** Retrieves the unique device ID of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft.
+## Common data extensions
+
+### Common Data Extensions.app
+
+Describes the properties of the running application. This extension could be populated by a client app or a web app.
+
+The following fields are available:
+
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **env** The environment from which the event was logged.
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **userId** The userID as known by the application.
+- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+
+
+### Common Data Extensions.container
+
+Describes the properties of the container for events logged within a container.
+
+The following fields are available:
+
+- **localId** The device ID as known by the client.
+- **osVer** The operating system version.
+- **type** The container type. Examples: Process or VMHost
+
+
+### Common Data Extensions.cs
+
+Describes properties related to the schema of the event.
+
+The following fields are available:
+
+- **sig** A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.device
+
+Describes the device-related fields.
+
+The following fields are available:
+
+- **deviceClass** Represents the classification of the device, the device “family”. For example, Desktop, Server, or Mobile.
+- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+
+
+### Common Data Extensions.Envelope
+
+Represents an envelope that contains all of the common data extensions.
+
+The following fields are available:
+
+- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **appVer** Represents the version number of the application. Used to understand errors by version and usage by version across an app.
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **data** Represents the optional unique diagnostic data for a particular event schema.
+- **epoch** ID used to help distinguish events in the sequence by indicating the current boot session.
+- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
+- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs).
+- **ext_device** Describes the device-related fields.
See [Common Data Extensions.device](#common-data-extensionsdevice).
+- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
+- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
+- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc).
+- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl).
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **name** Represents the uniquely qualified name for the event.
+- **os** The operating system name.
+- **osVer** The operating system version.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **seqNum** Used to track the absolute order of uploaded events.
+- **tags** A header for semi-managed extensions.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.os
+
+Describes some properties of the operating system.
+
+The following fields are available:
+
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **expId** Represents the experiment ID.
The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+
+
+### Common Data Extensions.user
+
+Describes the fields related to a user.
+
+The following fields are available:
+
+- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.utc
+
+Describes the properties that could be populated by a logging library on Windows.
+
+The following fields are available:
+
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
+- **op** Represents the ETW Op Code.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **sqmId** The Windows SQM ID.
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+- **tickets** An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along with a batch of events.
+
+
+### Common Data Extensions.xbl
+
+Describes the fields that are related to XBOX Live.
+
+The following fields are available:
+
+- **claims** Any additional claims whose short claim name hasn't been added to this structure.
+- **did** XBOX device ID
+- **dty** XBOX device type
+- **dvr** The version of the operating system on the device.
+- **eid** A unique ID that represents the developer entity.
+- **exp** Expiration time
+- **ip** The IP address of the client device.
+- **nbf** Not before time
+- **pid** A comma separated list of PUIDs listed as base10 numbers.
+- **sbx** XBOX sandbox identifier
+- **sid** The service instance ID.
+- **sty** The service type.
+- **tid** The XBOX Live title ID.
+- **tvr** The XBOX Live title version.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+- **xid** A list of base10-encoded XBOX User IDs.
+
+
+## Common data fields
+
+### Ms.Device.DeviceInventoryChange
+
+Describes the installation state for all hardware and software components available on a particular device.
+
+The following fields are available:
+
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
 ## Diagnostic data events
-### TelClientSynthetic.AuthorizationInfo_Startup
-
-This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date.
-
-The following fields are available:
-
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
-- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
-- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
-- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
-- **CanPerformScripting** True if UTC is allowed to perform scripting.
-- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
-- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data client was last started.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
-
-
 ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
-
-The following fields are available:
-
-- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
-- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
-- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
-- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups.
-- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
-- **CanPerformScripting** True if UTC is allowed to perform scripting.
-- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
-- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed.
-- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
-### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads diagnostic data events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+### TelClientSynthetic.AuthorizationInfo_Startup
-The following fields are available:
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
-- **CensusExitCode** Returns last execution codes from census client run.
-- **CensusStartTime** Returns timestamp corresponding to last successful census run.
-- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
-- **LastConnectivityLossTime** Retrieves the last time the device lost free network.
-- **LastConntectivityLossTime** Retrieves the last time the device lost free network.
-- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
-- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
-- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds.
 ### TelClientSynthetic.HeartBeat_5
 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
-The following fields are available:
-
-- **AgentConnectionErrorsCount** The number of non-timeout errors associated with the host/agent channel.
-- **CensusExitCode** The last exit code of the Census task.
-- **CensusStartTime** The time of the last Census run.
-- **CensusTaskEnabled** Indicates whether Census is enabled.
-- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the diagnostic data client.
-- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
-- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
-- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
-- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
-- **DbDroppedCount** The number of events that were dropped because the database was full.
-- **DecodingDroppedCount** The number of events dropped because of decoding failures.
-- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
-- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
-- **EtwDroppedCount** The number of events dropped by the ETW layer of the diagnostic data client.
-- **EventSubStoreResetCounter** The number of times the event database was reset.
-- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
-- **EventsUploaded** The number of events that have been uploaded.
-- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
-- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
-- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
-- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
-- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
-- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
-- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
-- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
-- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component.
-- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
-- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
-- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
-- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
-- **UploaderDroppedCount** The number of events dropped by the uploader layer of the diagnostic data client.
-- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
-- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
-- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
-- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
-### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
+### TelClientSynthetic.HeartBeat_Aria_5
-This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates.
+This event is the telemetry client ARIA heartbeat.
 The following fields are available:
-- **PostUpgradeSettings** The privacy settings after a feature update.
-- **PreUpgradeSettings** The privacy settings before a feature update.
-
-
-## DxgKernelTelemetry events
-
-### DxgKrnlTelemetry.GPUAdapterInventoryV2
-
-This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
-
-The following fields are available:
-
-- **aiSeqId** The event sequence ID.
-- **bootId** The system boot ID.
-- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
-- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
-- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
-- **DisplayAdapterLuid** The display adapter LUID.
-- **DriverDate** The date of the display driver.
-- **DriverRank** The rank of the display driver.
-- **DriverVersion** The display driver version.
-- **GPUDeviceID** The GPU device ID.
-- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
-- **GPURevisionID** The GPU revision ID.
-- **GPUVendorID** The GPU vendor ID.
-- **InterfaceId** The GPU interface ID.
-- **IsDisplayDevice** Does the GPU have displaying capabilities?
-- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
-- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
-- **IsLDA** Is the GPU comprised of Linked Display Adapters?
-- **IsMiracastSupported** Does the GPU support Miracast?
-- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
-- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
-- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
-- **IsPostAdapter** Is this GPU the POST GPU in the device?
-- **IsRenderDevice** Does the GPU have rendering capabilities?
-- **IsSoftwareDevice** Is this a software implementation of the GPU?
-- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
-- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
-- **SubSystemID** The subsystem ID.
-- **SubVendorID** The GPU sub vendor ID.
-- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
-- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
-- **version** The event version.
-- **WDDMVersion** The Windows Display Driver Model version.
-- **NumVidPnSources** The number of supported display output sources.
-- **NumVidPnTargets** The number of supported display output targets.
-
-
-## Fault Reporting events
-
-### Microsoft.Windows.FaultReporting.AppCrashEvent
-
-"This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes"" by a user DO NOT emit this event."
-
-The following fields are available:
-
-- **AppName** The name of the app that has crashed.
-- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
-- **AppTimeStamp** The date/time stamp of the app.
-- **AppVersion** The version of the app that has crashed.
-- **ExceptionCode** The exception code returned by the process that has crashed.
-- **ExceptionOffset** The address where the exception had occurred.
-- **Flags** "Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. "
-- **ModName** Exception module name (e.g. bar.dll).
-- **ModTimeStamp** The date/time stamp of the module.
-- **ModVersion** The version of the module that has crashed.
-- **PackageFullName** Store application identity.
-- **PackageRelativeAppId** Store application identity.
-- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL.
5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
-- **ProcessCreateTime** The time of creation of the process that has crashed.
-- **ProcessId** The ID of the process that has crashed.
-- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
-- **TargetAppId** The kernel reported AppId of the application being reported.
-- **TargetAppVer** The specific version of the application being reported
-- **TargetAsId** The sequence number for the hanging process.
+- **CompressedBytesUploaded** Number of compressed bytes uploaded
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database.
+- **DbCriticalDroppedCount** Total number of dropped critical events in event database.
+- **DbDroppedCount** Number of events dropped at the database layer.
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EventSubStoreResetCounter** Number of times event database was reset.
+- **EventSubStoreResetSizeSum** Total size of event database across all resets reports in this instance.
+- **EventsUploaded** Number of events uploaded.
+- **InvalidHttpCodeCounter** Number of invalid HTTP codes received from contacting Vortex.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** Number of failures from contacting OneSettings service.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client.
+- **VortexFailuresTimeout** Number of time out failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
 ## Feature update events
 ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
-This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state.
 The following fields are available:
-- **failureReason** Provides data about the uninstall initialization operation failure
-- **hr** Provides the Win32 error code for the operation failure
+- **failureReason** Provides data about the uninstall initialization operation failure.
+- **hr** Provides the Win32 error code for the operation failure.
 ### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
-Indicates that the uninstall was properly configured and that a system reboot was initiated
+This event indicates that the uninstall was properly configured and that a system reboot was initiated.
 The following fields are available:
 - **name** Name of the event
-## Hang Reporting events
+### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked
-### Microsoft.Windows.HangReporting.AppHangEvent
+This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems.
-This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information.
The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
-
-The following fields are available:
-
-- **AppName** The name of the app that has hung.
-- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
-- **AppVersion** The version of the app that has hung.
-- **PackageFullName** Store application identity.
-- **PackageRelativeAppId** Store application identity.
-- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
-- **ProcessCreateTime** The time of creation of the process that has hung.
-- **ProcessId** The ID of the process that has hung.
-- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
-- **TargetAppId** The kernel reported AppId of the application being reported.
-- **TargetAppVer** The specific version of the application being reported.
-- **TargetAsId** The sequence number for the hanging process.
-- **TypeCode** Bitmap describing the hang type.
-- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
-- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
-- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
-- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
 ## Inventory events
-### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
 The following fields are available:
-- **InventoryVersion** The version of the inventory file generating the events
+- **Device** A count of device objects in cache.
+- **DeviceCensus** A count of devicecensus objects in cache.
+- **DriverPackageExtended** A count of driverpackageextended objects in cache.
+- **File** A count of file objects in cache.
+- **FileSigningInfo** A count of file signing objects in cache.
+- **Generic** A count of generic objects in cache.
+- **HwItem** A count of hwitem objects in cache.
+- **InventoryApplication** A count of application objects in cache.
+- **InventoryApplicationFile** A count of application file objects in cache.
+- **InventoryDeviceContainer** A count of device container objects in cache.
+- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
+- **InventoryDeviceMediaClass** A count of device media objects in cache.
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
+- **InventoryDeviceUsbHubClass** A count of device usb objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache.
+- **InventoryDriverPackage** A count of device objects in cache.
+- **Metadata** A count of metadata objects in cache.
+- **Orphan** A count of orphan file objects in cache.
+- **Programs** A count of program objects in cache.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv** The version of the App inventory component.
+- **devinv** The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Language** The language code of the program.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **Name** The name of the application.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **PackageFullName** The package full name for a Store application.
+- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component +- **ProgramIds** The unique program identifier the driver is associated with. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. 
+- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. 
+- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. 
+- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **Class** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **ClassGuid** A unique identifier for the driver installed. +- **COMPID** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). 
+- **ContainerId** INF file name (the name could be renamed by OS, such as oemXX.inf) +- **Description** The version of the inventory binary generating the events. +- **DeviceState** The current error code for the device. +- **DriverId** A unique identifier for the driver installed. +- **DriverName** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **DriverVerDate** The date of the driver loaded for the device. +- **DriverVerVersion** The version of the driver loaded for the device. +- **Enumerator** The bus that enumerated the device. +- **HWID** List of hardware ids for the device. +- **Inf** INF file name (the name could be renamed by OS, such as oemXX.inf) +- **InstallState** Device installation state. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LowerClassFilters** Lower filter class drivers IDs installed for the device. +- **LowerFilters** Lower filter drivers IDs installed for the device. +- **Manufacturer** The device manufacturer. +- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance. +- **Model** The device model. +- **ParentId** Device instance id of the parent of the device. +- **ProblemCode** The current error code for the device. +- **Provider** The device provider. +- **Service** The device service name +- **STACKID** The device service name. +- **UpperClassFilters** The list of hardware ids for the stack +- **UpperFilters** Upper filter drivers IDs installed for the device + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd -This event sends basic metadata about the USB hubs on the device +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events -- **TotalUserConnectablePorts** Total number of connectable USB ports -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: -- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. 
+- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. 
+- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd -This event provides data on the installed Office Add-ins. +Invalid variant - Provides data on the installed Office Add-ins + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The CLSID for the Office addin +- **AddInCLSID** The CLSID for the Add-in +- **AddInId** Add-In identifier +- **AddinType** The type of the Office addin. 
+- **BinFileTimestamp** Timestamp of the Office addin +- **BinFileVersion** Version of the Office addin +- **Description** Add-in description +- **FileId** FileId of the Office addin +- **FileSize** File size of the Office addin +- **FriendlyName** Add-in friendly name +- **FullPath** Full path to the add-in module +- **LoadBehavior** The load behavior +- **LoadTime** The load time for the add-in +- **OfficeApplication** The Microsoft Office application associated with the add-in +- **OfficeArchitecture** Architecture of the addin +- **OfficeVersion** The Microsoft Office version installed +- **OutlookCrashingAddin** Whether the Outlook addin is crashing +- **ProductCompany** The name of the company associated with the Office addin +- **ProductName** The product name associated with the Office addin +- **ProductVersion** The version associated with the Office addin +- **ProgramId** The unique program identifier of the Office addin +- **Provider** Name of the provider for this addin +- **Usage** Data regarding usage of the add-in. -- **AddInCLSID** The CLSID key office for the Office addin. -- **AddInId** The identifier of the Office addin. -- **AddinType** The type of the Office addin. -- **BinFileTimestamp** The timestamp of the Office addin. -- **BinFileVersion** The version of the Office addin. -- **Description** The description of the Office addin. -- **FileId** The file ID of the Office addin. -- **FriendlyName** The friendly name of the Office addin. -- **FullPath** The full path to the Office addin. -- **LoadBehavior** A Uint32 that describes the load behavior. -- **LoadTime** The load time for the Office addin. -- **OfficeApplication** The OIffice application for this addin. -- **OfficeArchitecture** The architecture of the addin. -- **OfficeVersion** The Office version for this addin. -- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin. 
-- **ProductCompany** The name of the company associated with the Office addin. -- **ProductName** The product name associated with the Office addin. -- **ProductVersion** The version associated with the Office addin. -- **ProgramId** The unique program identifier of the Office addin. -- **Provider** The provider name for this addin. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove This event indicates that the particular data object represented by the objectInstanceId is no longer present. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +This event provides data on the Office identifiers + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. 
For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +This event includes the Office-related Internet Explorer features + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. 
Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. 
Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd -This event provides insight data on the installed Office products. +Provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove This event indicates that the particular data object represented by the objectInstanceId is no longer present. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync -This diagnostic event indicates that a new sync is being generated for this object type. +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +This event list all installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. 
For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -There are no fields in this event. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd -This event describes various Office settings. +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **BrowserFlags** Browser flags for Office-related products. -- **ExchangeProviderFlags** Provider policies for Office Exchange. -- **SharedComputerLicensing** Office shared computer licensing policies. +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Office Exchange provider policies +- **SharedComputerLicensing** Office Shared Computer Licensing policies + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync -Diagnostic event to indicate a new sync is being generated for this object type. +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + -There are no fields in this event. 
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Design** Count of files with design issues found 
@@ -2124,43 +2566,74 @@ The following fields are available: This event indicates that the particular data object represented by the objectInstanceId is no longer present. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove This event indicates that the particular data object represented by the objectInstanceId is no longer present. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove -This event provides the basic metadata about the frameworks an application may depend on +Indicates that this particular data object represented by the objectInstanceId is no longer present. -The following fields are available: - -- **FileId** A hash that uniquely identifies a file -- **Frameworks** The list of frameworks this file depends on -- **InventoryVersion** The version of the inventory file generating the events -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync -The following fields are available: +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
-- **IndicatorValue** The indicator value -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. ### Microsoft.Windows.Inventory.Indicators.Checksum 
@@ -2173,627 +2646,147 @@ The following fields are available: - **PCFP** Equivalent to the InventoryId field that is found in other core events. -### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd -This event sends basic metadata about an application on the system to help keep Windows up to date. +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array. -- **InventoryVersion** The version of the inventory file generating the events. -- **Language** The language code of the program. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **PackageFullName** The package full name for a Store application. -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. 
-- **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (ARP, MSI, Appx, etc...) -- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **Type** "One of (""Application"", ""Hotfix"", ""BOE"", ""Service"", ""Unknown""). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen." -- **Version** The version number of the program. +- **IndicatorValue** The indicator value. -### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync - -This event indicates that a new set of InventoryApplicationAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove - -This event indicates that the InventoryDeviceContainer object is no longer present. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd - -This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date. - -The following fields are available: - -- **Class** The class name for the device driver. -- **ClassGuid** The class GUID for the device driver. -- **Date** The driver package date. -- **Directory** The path to the driver package. -- **DriverInBox** Is the driver included with the operating system? 
-- **Inf** The INF name of the driver package. -- **InventoryVersion** The version of the inventory file generating the events. -- **Provider** The provider for the driver package. -- **SubmissionId** The HLK submission ID for the driver package. -- **Version** The version of the driver package. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync - -This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove - -This event indicates that the InventoryDriverBinary object is no longer present. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove - -This event indicates that the InventoryDriverPackageRemove object is no longer present. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove - -This event indicates that the InventoryDevicePnpRemove object is no longer present. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd - -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date. - -The following fields are available: - -- **Categories** A comma separated list of functional categories in which the container belongs. -- **DiscoveryMethod** The discovery method for the device container. -- **FriendlyName** The name of the device container. -- **InventoryVersion** The version of the inventory file generating the events. 
-- **IsActive** Is the device connected, or has it been seen in the last 14 days? -- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. -- **IsMachineContainer** Is the container the root device itself? -- **IsNetworked** Is this a networked device? -- **IsPaired** Does the device container require pairing? -- **Manufacturer** The manufacturer name for the device container. -- **ModelId** A model GUID. -- **ModelName** The model name. -- **ModelNumber** The model number for the device container. -- **PrimaryCategory** The primary category for the device container. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync - -This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync - -This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync - -This event indicates that a new set of InventoryDriverPackageAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove - -This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. 
- -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd - -This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. - -The following fields are available: - -- **Audio_CaptureDriver** The Audio device capture driver endpoint. -- **Audio_RenderDriver** The Audio device render driver endpoint. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd - -This event represents the basic metadata about a PNP device and its associated driver - -The following fields are available: - -- **class** The device setup class of the driver loaded for the device -- **classGuid** The device class GUID from the driver package -- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device. -- **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device. -- **description** The device description -- **deviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 
288 (0x120)= device is a wireless device that is present -- **DriverId** A unique identifier for the installed device. -- **DriverName** The name of the driver image file. -- **driverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **driverVerDate** The date of the driver loaded for the device -- **driverVerVersion** The version of the driver loaded for the device -- **enumerator** The bus that enumerated the device -- **HWID** A JSON array that provides the value and order of the HWID tree for the device. -- **Inf** The INF file name. -- **installState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx -- **InventoryVersion** The version of the inventory file generating the events. -- **lowerClassFilters** Lower filter class drivers IDs installed for the device. -- **lowerFilters** Lower filter drivers IDs installed for the device -- **manufacturer** The device manufacturer -- **matchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance -- **model** The device model -- **parentId** Device instance id of the parent of the device -- **ProblemCode** The current error code for the device. -- **provider** The device provider -- **service** The device service name#N##N##N##N##N# -- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device. -- **upperClassFilters** Upper filter class drivers IDs installed for the device -- **upperFilters** Upper filter drivers IDs installed for the device - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd - -This event provides the basic metadata about driver binaries running on the system - -The following fields are available: - -- **DriverCheckSum** The checksum of the driver file. -- **DriverCompany** The company name that developed the driver. -- **driverInBox** Is the driver included with the operating system? 
-- **driverIsKernelMode** Is it a kernel mode driver? -- **DriverName** The file name of the driver. -- **driverPackageStrongName** The strong name of the driver package -- **driverSigned** The strong name of the driver package -- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. -- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. -- **DriverVersion** The version of the driver file. -- **ImageSize** The size of the driver file. -- **Inf** The name of the INF file. -- **InventoryVersion** The version of the inventory file generating the events. -- **Product** The product name that is included in the driver file. -- **ProductVersion** The product version that is included in the driver file. -- **service** The device service name -- **WdfVersion** The Windows Driver Framework version. - - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicator - -This event sends value data about the markers on custom devices, to help keep Windows up to date. The formal name for markers is UEX Indicators. See marker list for definitions. 
- -The following fields are available: - -- **IndicatorValue** Value of the marker/indicator -- **Key** Name of the marker/indicator - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions - -This event sends inventory component versions for the Device Inventory data. - -The following fields are available: - -- **aeinv** The version of the App inventory component. -- **devinv** The file version of the Device inventory component. - - -### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum - -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. - -The following fields are available: - -- **Device** A count of device objects in cache -- **DeviceCensus** A count of devicecensus objects in cache -- **DriverPackageExtended** A count of driverpackageextended objects in cache -- **File** A count of file objects in cache -- **FileSigningInfo** A count of file signing info objects in cache. -- **Generic** A count of generic objects in cache -- **HwItem** A count of hwitem objects in cache -- **InventoryApplication** A count of application objects in cache -- **InventoryApplicationFile** A count of application file objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache -- **InventoryDeviceInterface** A count of inventory device interface objects in cache. 
-- **InventoryDeviceMediaClass** A count of device media objects in cache -- **InventoryDevicePnp** A count of devicepnp objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache -- **InventoryDriverPackage** A count of device objects in cache -- **Metadata** A count of metadata objects in cache -- **Orphan** A count of orphan file objects in cache -- **Programs** A count of program objects in cache - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync - -This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd - -This event retrieves information about what sensor interfaces are available on the device. - -The following fields are available: - -- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. -- **ActivityDetection** Indicates if an Activity Detection sensor is found. -- **AmbientLight** Indicates if an Ambient Light sensor is found. -- **Barometer** Indicates if a Barometer sensor is found. -- **Custom** Indicates if a Custom sensor is found. -- **EnergyMeter** Indicates if an Energy sensor is found. -- **FloorElevation** Indicates if a Floor Elevation sensor is found. -- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. -- **GravityVector** Indicates if a Gravity Detector sensor is found. -- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. -- **Humidity** Indicates if a Humidity sensor is found. -- **InventoryVersion** The version of the inventory file generating the events. -- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. -- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. -- **Orientation** Indicates if an Orientation sensor is found. 
-- **Pedometer** Indicates if a Pedometer sensor is found. -- **Proximity** Indicates if a Proximity sensor is found. -- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. -- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. -- **Temperature** Indicates if a Temperature sensor is found. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the installed Office identifiers. - -- **OAudienceData** The Office Audience descriptor. -- **OAudienceId** The Office Audience ID. -- **OMID** The Office machine ID. -- **OPlatform** The Office architecture. -- **OVersion** The Office version -- **OTenantId** The Office 365 Tenant GUID. -- **OWowMID** The Office machine ID. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -This event provides data on the installed Office-related Internet Explorer features. - -- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). 
-- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. 
- -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -This event describes the Office products that are installed. - -- **OC2rApps** The Office Click-to-Run apps. -- **OC2rSkus** The Office Click-to-Run products. -- **OMsiApps** The Office MSI apps. -- **OProductCodes** The Office MSI product code. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. - -There are no fields in this event. - ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -## OneDrive events -### Microsoft.OneDrive.Sync.Updater.OfficeRegistration -This event determines the status of the OneDrive integration with Microsoft Office. +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. The following fields are available: -- **isValid** Is the Microsoft Office registration valid? 
+- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. -### Microsoft.OneDrive.Sync.Updater.UpdateTierReg +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch -This event determines status of the update tier registry values. +OS information collected during Boot, used to evaluate the success of the upgrade process. The following fields are available: -- **regReadEnterpriseHr** The HResult of the enterprise reg read value. -- **regReadTeamHr** The HResult of the team reg read value. - - -### Microsoft.OneDrive.Sync.Updater.RepairResult - -The event determines the result of the installation repair. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult - -This event determines the status when downloading the OneDrive update configuration file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult - -This event indicates the status when downloading the OneDrive setup file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult - -This event determines the outcome of the operation. - -The following fields are available: - -- **hr** The HResult of the operation. -- **IsLoggingEnabled** Is logging enabled? -- **UpdaterVersion** The version of the updater. - - -### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus - -This event determines the error code that was returned when verifying Internet connectivity. - -The following fields are available: - -- **winInetError** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus - -This event indicates if the OneDrive overlay icon is working correctly. 
0 = healthy; 1 = can be fixed; 2 = broken - -The following fields are available: - -- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. -- **SixtyFourBit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **ThirtyTwoBit** The status of the OneDrive overlay icon on a 64-bit operating system. - - -### Microsoft.OneDrive.Sync.Updater.ComponentInstallState - -This event determines the installation state of dependent OneDrive components. - -The following fields are available: - -- **ComponentName** The name of the dependent component. -- **isInstalled** Is the dependent component installed? - - -### Microsoft.OneDrive.Sync.Updater.CommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArch** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **IsMSFTInternal** Is this an internal Microsoft device? -- **MachineGuid** The CEIP machine ID. -- **Market** Which market is this in? -- **OfficeVersion** The version of Office that is installed. -- **OneDriveDeviceId** The OneDrive device ID. -- **OSDeviceName** Only if the device is internal to Microsoft, the device name. -- **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** A unique global user identifier. - - -### Microsoft.OneDrive.Sync.Setup.APIOperation - -This event includes basic data about install and uninstall OneDrive API operations. - -The following fields are available: - -- **APIName** The name of the API. -- **Duration** How long the operation took. -- **IsSuccess** Was the operation successful? -- **ResultCode** The result code. -- **ScenarioName** The name of the scenario. 
- - -### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation - -This event is related to registering or unregistering the OneDrive update task. - -The following fields are available: - -- **APIName** The name of the API. -- **IsSuccess** Was the operation successful? -- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. -- **ScenarioName** The name of the scenario. -- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. - - -### Microsoft.OneDrive.Sync.Setup.EndExperience - -This event includes a success or failure summary of the installation. - -The following fields are available: - -- **APIName** The name of the API. -- **HResult** Indicates the result code of the event -- **IsSuccess** Was the operation successful? -- **ScenarioName** The name of the scenario. - - -### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation - -This event is related to the OS version when the OS is upgraded with OneDrive installed. - -The following fields are available: - -- **CurrentOneDriveVersion** The current version of OneDrive. -- **CurrentOSBuildBranch** The current branch of the operating system. -- **CurrentOSBuildNumber** The current build number of the operating system. -- **CurrentOSVersion** The current version of the operating system. -- **HResult** The HResult of the operation. -- **SourceOSBuildBranch** The source branch of the operating system. -- **SourceOSBuildNumber** The source build number of the operating system. -- **SourceOSVersion** The source version of the operating system. - - -### Microsoft.OneDrive.Sync.Setup.SetupCommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArchitecture** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **MachineGuid** The CEIP machine ID. 
-- **Market** Which market is this in?
-- **MSFTInternal** Is this an internal Microsoft device?
-- **OfficeVersionString** The version of Office that is installed.
-- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
-- **OSUserName** Only if the device is internal to Microsoft, the user name.
-- **UserGuid** The CEIP user ID.
+- **BootApplicationId** This field tells us what the OS Loader Application Identifier is.
+- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system.
+- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session.
+- **BootStatusPolicy** Identifies the applicable Boot Status Policy.
+- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
+- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made.
+- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware.
+- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonPch** Reason for system reset provided by firmware.
+- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware.
+- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io).
+- **LastBootSucceeded** Flag indicating whether the last boot was successful.
+- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
+- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
+- **RecoveryEnabled** Indicates whether recovery is enabled.
+- **UserInputTime** The amount of time the loader application spent waiting for user input.
## Remediation events
->[!NOTE]
->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057).
-
### Microsoft.Windows.Remediation.Applicable
-Reports whether a specific remediation to issues preventing security and quality updates is applicable based on detection.
+This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date.
The following fields are available:
-- **CV** Correlation vector.
-- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the remediation plugin specified for each generic plugin event.
-- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated is disabled.
-- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is SCCM managed.
-- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
-- **Result** Result for detection or perform action phases of the remediation system.
+- **ActionName** The name of the action to be taken by the plug-in.
+- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid.
+- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check.
+- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid.
+- **AppraiserTaskDisabled** Indicates the appraiser task is disabled.
+- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
+- **CV** Correlation vector
+- **DateTimeDifference** The difference between local and reference clock times.
+- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
+- **DaysSinceLastSIH** The number of days since the most recent SIH executed.
+- **DaysToNextSIH** The number of days until the next scheduled SIH execution.
+- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run.
+- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
+- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system.
+- **HResult** The HRESULT for detection or perform action phases of the plugin.
+- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
+- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
+- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastRun** The date of the most recent SIH run.
+- **NextRun** Date of the next scheduled SIH run.
+- **PackageVersion** The version of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Reload** True if SIH reload is required.
+- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine.
+- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started.
+- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled.
+- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists.
+- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task.
+- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran.
+- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder.
+- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed.
+- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run.
+- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network.
+- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled.
+- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists.
+- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger.
+- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in.
+- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
+- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
+- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
+- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
+- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
+- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task.
+- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task.
+- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task.
+- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task.
+- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task.
+- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task.
+- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task.
+- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled.
+- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled.
+- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled.
+- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled.
+- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled.
+- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled.
+- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled.
+- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled.
+- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled.
+- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled.
+- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled.
+- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled.
+- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled.
+- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly.
+- **RunTask** TRUE if SIH task should be run by the plug-in.
+- **TimeServiceNTPServer** The URL for the NTP time server used by device.
+- **TimeServiceStartType** The startup type for the NTP time service.
+- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock.
+- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device.
+
### Microsoft.Windows.Remediation.ChangePowerProfileDetection
@@ -2801,166 +2794,181 @@ Indicates whether the remediation system can put in a request to defer a system-
The following fields are available:
-- **ActionName** A descriptive name for the plugin action.
-- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device.
-- **CV** Correlation vector.
-- **GlobalEventCounter** Counter that indicates the ordering of events on the device.
-- **PackageVersion** Current package version of remediation service.
-- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0).
-- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update.
-- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates.
-- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues.
-- **SetupMutexAvailable** Result that shows whether setup mutex is available or not.
-- **SysPowerStatusAC** Result that shows whether system is on AC power or not.
+- **ActionName** A descriptive name for the plugin action
+- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device
+- **CV** Correlation vector
+- **GlobalEventCounter** Counter that indicates the ordering of events on the device
+- **PackageVersion** Current package version of remediation service
+- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0)
+- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update
+- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit.
+- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates
+- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues
+- **SetupMutexAvailable** Result that shows whether setup mutex is available or not
+- **SysPowerStatusAC** Result that shows whether system is on AC power or not
+
### Microsoft.Windows.Remediation.Completed
-Enables tracking the completion of a process that remediates issues preventing security and quality updates.
+This event enables completion tracking of a process that remediates issues preventing security and quality updates.
The following fields are available:
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the specific remediation for each generic plugin event.
-- **RemediationNoisyHammerTaskKickOffIsSuccess** Event that indicates the Update Assistant task has been started successfully.
-- **Result** Indicates whether the remediation has completed.
+- **ActionName** Name of the action to be completed by the plug-in.
+- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully.
+- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully.
+- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully.
+- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully.
+- **AppraiserTaskMissing** TRUE if the Appraiser task is missing.
+- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully.
+- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully.
+- **branchReadinessLevel** Branch readiness level policy.
+- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings.
+- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded.
+- **CV** The Correlation Vector.
+- **DateTimeDifference** The difference between the local and reference clocks.
+- **DaysSinceOsInstallation** The number of days since the installation of the Operating System.
+- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes.
+- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
+- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
+- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user.
+- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
+- **hasRolledBack** Indicates whether the client machine has rolled back.
+- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS.
+- **hResult** The result of the event execution.
+- **HResult** The result of the event execution.
+- **installDate** The value of installDate registry key. Indicates the install date.
+- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS.
+- **LatestState** The final state of the plug-in component.
+- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in.
+- **PackageVersion** The package version for the current Remediation.
+- **PageFileCount** The number of Windows Page files.
+- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes.
+- **PageFileLocation** The storage location (directory path) of the Windows Page file.
+- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **RanCleanup** TRUE if the plug-in ran disk cleanup.
+- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation.
+- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power.
+- **RemediationBatteryPowerOnBattery** True if we allow execution on battery.
+- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully.
+- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully.
+- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully.
+- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes.
+- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
+- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes.
+- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes.
+- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes.
+- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified.
+- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value.
+- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key.
+- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted.
+- **RemediationDUABuildNumber** The build number of the DUA.
+- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted.
+- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated.
+- **remediationExecution** Remediation shell is in "applying remediation" state.
+- **RemediationHibernationMigrated** TRUE if hibernation was migrated.
+- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded.
+- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated.
+- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully.
+- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried.
+- **RemediationRanHibernation** TRUE if the system entered Hibernation.
+- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded.
+- **RemediationShellHasUpgraded** TRUE if the device upgraded.
+- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins.
+- **RemediationShellRunFromService** TRUE if the shell driver was run from the service.
+- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session.
+- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds.
+- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation.
+- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in.
+- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in.
+- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in.
+- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes.
+- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more.
+- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes.
+- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **ServiceHealthPlugin** The nae of the Service Health plug-in.
+- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully.
+- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs.
+- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot.
+- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes.
+- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes.
+- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes.
+- **uninstallActive** TRUE if previous uninstall has occurred for current OS
+- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan.
+- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set.
+- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set.
+- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set.
+- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network.
+- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
+- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
+- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key.
+- **windowsEditionId** Event to report the value of Windows Edition ID.
+- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
+- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
+- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
+- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes.
+- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes.
+- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes.
+- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes.
+- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes.
+- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
+- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key.
+
### Microsoft.Windows.Remediation.RemediationShellMainExeEventId
-Enables tracking the ID of a process that remediates issues preventing security and quality updates.
+Enables tracking of completion of process that remediates issues preventing security and quality updates.
The following fields are available:
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running.
-- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors.
-- **RemediationShellFoundDriverDll** Indicates whether the remediation system found its component files to run properly.
-- **RemediationShellLoadedShellDriver** Indicates whether the remediation system loaded its component files to run properly.
-- **RemediationShellLoadedShellFunction** Indicates whether the remediation system loaded the functions from its component files to run properly.
+- **CV** Client side counter which indicates ordering of events sent by the remediation system.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
+- **PackageVersion** Current package version of Remediation.
+- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running.
+- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors.
+- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly.
+- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly.
+- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly.
+
### Microsoft.Windows.Remediation.Started
-Enables tracking the start of a process that remediates issues preventing security and quality updates.
+This event reports whether a plug-in started, to help ensure Windows is up to date.
The following fields are available:
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the specific remediation for each generic plugin event.
-- **Result** Results of the detection or perform action phases of the remediation system.
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
-## Sediment Service events
->[!NOTE]
->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057).
+## Sediment events
-### Microsoft.Windows.SedimentService.Applicable
+### Microsoft.Windows.Sediment.OSRSS.UrlState
-Indicates whether a given plugin is applicable.
+This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
The following fields are available:
-- **CV** Correlation vector.
-- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled.
-- **IsSelfUpdateNeeded** True/False based on whether a newer version is available.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **Id** A number identifying the URL
+- **ServiceVersionMajor** Version info for the component
+- **ServiceVersionMinor** Version info for the component
+- **StateData** State-specific data, such as which attempt number for the download
+- **StateNumber** A number identifying which state the URL is in (found, downloading, extracted, etc.)
+- **Time** System timestamp the event was fired
-### Microsoft.Windows.SedimentService.Completed
-
-Indicates whether a given plugin has completed its work.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **FailedReasons** String reason for any plugin failures.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** Result of the service execution.
-- **SedimentServiceCheckTaskFunctional** Result of checking if the scheduled task is functional.
-- **SedimentServiceCurrentBytes** Current number of bytes the service is consuming.
-- **SedimentServiceKillService** True/False based on whether the service should be stopped.
-- **SedimentServiceMaximumBytes** Maximum bytes the service can consume.
-- **SedimentServiceRetrievedKillService** True/False whether the kill service information was retrieved.
-- **SedimentServiceStopping** True/False indicating whether the service was found to be stopping.
-- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run.
-- **SedimentServiceTotalIterations** Number of iterations service will wait before running again.
-
-### Microsoft.Windows.SedimentService.Error
-
-Indicates whether an error condition occurs in the plugin.
-
-The following fields are available:
-
-- **Message** String message containing information from the service.
-- **PackageVersion** Version of the package.
-- **HResult** Return value from the plugin result.
-
-### Microsoft.Windows.SedimentService.FallbackError
-
-Indicates whether an error occurs for a fallback in the plugin.
-
-The following fields are available:
-
-- **s0** Fallback error level.
-- **wilResult** Result for Windows Installer Logging function.
-
-### Microsoft.Windows.SedimentService.Information
-
-General information returned from the plugin.
-
-The following fields are available:
-
-- **HResult** Result of the plugin execution.
-- **Message** Information collected from the plugin based on the purpose of the plugin.
-- **PackageVersion** Version of the package.
-
-### Microsoft.Windows.SedimentService.Started
-
-Indicates that a given plugin has started.
-
-The following fields are available:
-
-- **CV** Correlation vector
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin running.
-- **Result** Return code from the plugin result.
-
-### Microsoft.Windows.SedimentService.wilResult
-
-Result from the windows internal library.
-
-The following fields are available:
-
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast.
-- **failureId** Identifier assigned to this failure.
-- **filename** The name of the source file where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
-
-## Sediment Launcher events
-
->[!NOTE]
->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057).
### Microsoft.Windows.SedimentLauncher.Applicable
@@ -2968,14 +2976,15 @@ Indicates whether a given plugin is applicable. The following fields are available: -- **CV** Correlation vector. -- **DetectedCondition** Boolean true if detect condition is true and action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled. -- **IsSelfUpdateNeeded** True/False based on whether a newer version is available. -- **PackageVersion** Version of the package. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. +- **IsSelfUpdateNeeded** True if self update needed by device. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + ### Microsoft.Windows.SedimentLauncher.Completed 
@@ -2983,13 +2992,14 @@ Indicates whether a given plugin has completed its work. The following fields are available: -- **CV** Correlation vector. -- **FailedReasons** String reason for any plugin failures. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** Result of the service execution. -- **SedLauncherExecutionResult** Final result of launcher running the plugins from the dll. +- **CV** Correlation vector. +- **FailedReasons** Concatenated list of failure reasons. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. + ### Microsoft.Windows.SedimentLauncher.Error 
@@ -2997,89 +3007,180 @@ Error occurred during execution of the plugin. The following fields are available: -- **Message** Information message returned from a plugin containing only information internal to plugin execution. -- **PackageVersion** Version of the package. -- **HResult** Return value from the plugin result. +- **HResult** The result for the Detection or Perform Action phases of the plug-in. +- **Message** A message containing information about the error that occurred (if any). +- **PackageVersion** The version number of the current remediation package. + ### Microsoft.Windows.SedimentLauncher.FallbackError -Error occurred during execution of the plugin fallback. +This event indicates that an error occurred during execution of the plug-in fallback. The following fields are available: -- **s0** Fallback error level for plugin. -- **wilResult** Result from executing Windows Installer Logging based function. +- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult). +- **wilResult** Result from executing wil based function. See [wilResult](#wilresult). + ### Microsoft.Windows.SedimentLauncher.Information -General information returned from the plugin. +This event provides general information returned from the plug-in. The following fields are available: -- **HResult** Result of the plugin execution. -- **Message** Information collected from the plugin based on the purpose of the plugin. -- **PackageVersion** Version of the package. +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Information message returned from a plugin containing only information internal to the plugins execution. +- **PackageVersion** Current package version of Remediation. + ### Microsoft.Windows.SedimentLauncher.Started -Indicates that a given plugin has started. +This event indicates that a given plug-in has started. 
The following fields are available: -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **PackageVersion** Version of the package. -- **PluginName** Name of the plugin running. -- **Result** Return code from the plugin result. +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + ### Microsoft.Windows.SedimentLauncher.wilResult -Result from the windows internal library. +This event provides the result from the Windows internal library. The following fields are available: -- **callContext** List of telemetry activities containing this error. -- **currentContextId** Identifier for the newest telemetry activity containing this error. -- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). -- **currentContextName** Name of the newest telemetry activity containing this error. -- **failurecount** Number of failures seen. -- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast. -- **failureId** Identifier assigned to this failure. -- **filename** The name of the source file where the error occurred. -- **function** Name of the function where the error occurred. -- **hresult** Failure error code. -- **lineNumber** Line number within the source file where the error occurred. -- **message** Custom message associated with the failure (if any). -- **module** Name of the binary where the error occurred. -- **originatingContextId** Identifier for the oldest telemetry activity containing this error. 
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
+- **callContext** List of telemetry activities containing this error.
+- **currentContextId** Identifier for the newest telemetry activity containing this error.
+- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
+- **currentContextName** Name of the newest telemetry activity containing this error.
+- **failureCount** Number of failures seen within the binary where the error occurred.
+- **failureId** Identifier assigned to this failure.
+- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
+- **fileName** Source code file name where the error occurred.
+- **function** Name of the function where the error occurred.
+- **hresult** Failure error code.
+- **lineNumber** Line number within the source code file where the error occurred.
+- **message** Custom message associated with the failure (if any).
+- **module** Name of the binary where the error occurred.
+- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
+- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
+- **originatingContextName** Name of the oldest telemetry activity containing this error.
+- **threadId** Identifier of the thread the error occurred on.
+
+
+### Microsoft.Windows.SedimentService.Applicable
+
+This event indicates whether a given plug-in is applicable.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **DetectedCondition** Determine whether action needs to run based on device properties.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings.
+- **IsSelfUpdateNeeded** Indicates if self update is needed.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Completed
+
+This event indicates whether a given plug-in has completed its work.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **FailedReasons** List of reasons when the plugin action failed.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded.
+- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe.
+- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService).
+- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service.
+- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call).
+- **SedimentServiceStopping** True/False indicating whether the service is stopping.
+- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run.
+- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
+
+
+### Microsoft.Windows.SedimentService.Error
+
+This event indicates whether an error condition occurred in the plug-in.
+
+The following fields are available:
+
+- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
+- **Message** Custom message associated with the failure (if any).
+- **PackageVersion** Current package version of Remediation.
+
+
+### Microsoft.Windows.SedimentService.FallbackError
+
+This event indicates whether an error occurred for a fallback in the plug-in.
+
+The following fields are available:
+
+- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult).
+- **wilResult** Result for wil based function. See [wilResult](#wilresult).
+
+
+### Microsoft.Windows.SedimentService.Information
+
+This event provides general information returned from the plug-in.
+
+The following fields are available:
+
+- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
+- **Message** Custom message associated with the failure (if any).
+- **PackageVersion** Current package version of Remediation.
+
+
+### Microsoft.Windows.SedimentService.Started
+
+This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.wilResult
+
+This event provides the result from the Windows internal library.
+
+The following fields are available:
+
+- **callContext** List of telemetry activities containing this error.
+- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** Identifier assigned to this failure. +- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). +- **fileName** Source code file name where the error occurred. +- **function** Name of the function where the error occurred. +- **hresult** Failure error code. +- **lineNumber** Line number within the source code file where the error occurred. +- **message** Custom message associated with the failure (if any). +- **module** Name of the binary where the error occurred. +- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + ## Setup events -### SetupPlatformTel.SetupPlatformTelActivityStarted - -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. - -The following fields are available: - -- **Name** The name of the dynamic update type. 
Example: GDR driver - - -### SetupPlatformTel.SetupPlatformTelActivityEvent - -This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up-to-date - -The following fields are available: - -- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event -- **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.) -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **value** Value associated with the corresponding event name. For example, time-related events will include the system time - - ### SetupPlatformTel.SetupPlatformTelEvent This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. 
@@ -3087,21 +3188,22 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. ## Shared PC events ### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount -Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates. +Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting un-used user accounts on Education/Shared PCs frees up disk space to improve Windows Update success rates. The following fields are available: - **accountType** The type of account that was deleted. Example: AD, AAD, or Local +- **deleteState** Whether the attempted deletion of the user account was successful. - **userSid** The security identifier of the account. -- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. +- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). ### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation 
@@ -3110,129 +3212,232 @@ Activity for run of the Transient Account Manager that determines if any user ac The following fields are available: -- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. -- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. - **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours +- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. +- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. See [wilActivity](#wilactivity). + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. 
+- **originatingContextMessage** The message of the originating call context that resulted in the failure.
+- **originatingContextName** The name of the originating call context that resulted in the failure.
+- **threadId** The ID of the thread on which the activity is executing.
+
+
+### wilResult
+
+This event provides a Windows Internal Library context used for Product and Service diagnostics.
+
+The following fields are available:
+
+- **callContext** The call context stack where failure occurred.
+- **currentContextId** The ID of the current call context where the failure occurred.
+- **currentContextMessage** The message of the current call context where the failure occurred.
+- **currentContextName** The name of the current call context where the failure occurred.
+- **failureCount** The number of failures for this failure ID.
+- **failureId** The ID of the failure that occurred.
+- **failureType** The type of the failure that occurred.
+- **fileName** The file name where the failure occurred.
+- **function** The function where the failure occurred.
+- **hresult** The HResult of the overall activity.
+- **lineNumber** The line number where the failure occurred.
+- **message** The message of the failure that occurred.
+- **module** The module where the failure occurred.
+- **originatingContextId** The ID of the originating call context that resulted in the failure.
+- **originatingContextMessage** The message of the originating call context that resulted in the failure.
+- **originatingContextName** The name of the originating call context that resulted in the failure.
+- **threadId** The ID of the thread on which the activity is executing.
+
+
+## SIH events
+
+### SIHEngineTelemetry.EvalApplicability
+
+This event is sent when targeting logic is evaluated to determine if a device is eligible a given action.
+
+The following fields are available:
+
+- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
+- **CachedEngineVersion** The engine DLL version that is being used.
+- **EventInstanceID** A unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it.
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.)
+- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID** A unique identifier for the action being acted upon.
+- **WUDeviceID** The unique identifier controlled by the software distribution client.
+
+
+### SIHEngineTelemetry.ExecuteAction
+
+This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot.
+
+The following fields are available:
+
+- **CachedEngineVersion** The engine DLL version that is being used.
+- **EventInstanceID** A unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **RebootRequired** Indicates if a reboot was required to complete the action.
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID** A unique identifier for the action being acted upon.
+- **WUDeviceID** The unique identifier controlled by the software distribution client.
+
+
+### SIHEngineTelemetry.PostRebootReport
+
+This event reports the status of an action following a reboot, should one have been required.
+
+The following fields are available:
+
+- **CachedEngineVersion** The engine DLL version that is being used.
+- **EventInstanceID** A unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID** A unique identifier for the action being acted upon.
+- **WUDeviceID** The unique identifier controlled by the software distribution client.
+
+
+### SIHEngineTelemetry.ServiceStateChange
+
+This event reports the status of attempts to stop or start a service as part of executing an action.
+
+The following fields are available:
+
+- **CachedEngineVersion** The engine DLL version that is being used.
+- **EventInstanceID** A unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **Service** The service that is being stopped/started.
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.).
+- **StateChange** The service operation (stop/start) is being attempted.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID** A unique identifier for the action being acted upon.
+- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +### SIHEngineTelemetry.SLSActionData + +This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated. + +The following fields are available: + +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **FailedParseActions** The list of actions that were not successfully parsed. +- **ParsedActions** The list of actions that were successfully parsed. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **WUDeviceID** The unique identifier controlled by the software distribution client. ## Software update events -### SoftwareUpdateClientTelemetry.UpdateDetected +### SoftwareUpdateClientTelemetry.CheckForUpdates -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. +Scan process event on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded) The following fields are available: +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. 
- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **WUDeviceID** The unique device ID controlled by the software distribution client -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.) - - -### SoftwareUpdateClientTelemetry.SLSDiscovery - -This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors. - -The following fields are available: - -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **HResult** Indicates the result code of the event (success, cancellation, failure code HResult) -- **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background -- **NextExpirationTime** Indicates when the SLS cab expires -- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.) 
-- **SusClientId** The unique device ID controlled by the software distribution client -- **UrlPath** Path to the SLS cab that was downloaded -- **WUAVersion** The version number of the software distribution client - - -### SoftwareUpdateClientTelemetry.Commit - -This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date. - -The following fields are available: - - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. - **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - **ClientVersion** The version number of the software distribution client. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. 
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time - **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? - **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** State of call -- **EventType** "Possible values are ""Child"", ""Bundle"", or ""Driver""." -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Unique revision number of Update -- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). 
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MSIError** The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **PausedUpdates** A list of UpdateIds which that currently being paused.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan the event was
 - **SystemBIOSMajorRelease** Major version of the BIOS.
 - **SystemBIOSMinorRelease** Minor version of the BIOS.
-- **UpdateId** Unique Update ID
-- **WUDeviceID** UniqueDeviceID
-- **BundleRevisionNumber** Identifies the revision number of the content bundle
-- **FlightId** The specific id of the flight the device is getting
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
-
-
-### SoftwareUpdateClientTelemetry.DownloadCheckpoint
-
-This event provides a checkpoint between each of the Windows Update download phases for UUP content
-
-The following fields are available:
-
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
-- **FileId** A hash that uniquely identifies a file
-- **FileName** Name of the downloaded file
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
-- **EventType** "Possible values are ""Child"", ""Bundle"", ""Relase"" or ""Driver"""
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
-- **ClientVersion** The version number of the software distribution client
-- **FlightId** The unique identifier for each flight
-- **RevisionNumber** Unique revision number of Update
-- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
-- **UpdateId** Unique Update ID
-- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
-
-
-### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
-
-This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
-
-The following fields are available:
-
-- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
-- **ExtendedStatusCode** The secondary status code of the event.
-- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
-- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
-- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
-- **RevisionId** The revision ID for a specific piece of content.
-- **RevisionNumber** The revision number for a specific piece of content.
-- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
-- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
-- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
-- **SignatureAlgorithm** The hash algorithm for the metadata signature.
-- **StatusCode** The status code of the event.
-- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
-- **UpdateId** The update ID for a specific piece of content.
-- **TimestampTokenCertThumbprint** "The thumbprint of the encoded timestamp token. "
-- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
-- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
-- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
-- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
-- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
-- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 ### SoftwareUpdateClientTelemetry.Download
-This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
+Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
 The following fields are available:
@@ -3253,19 +3458,15 @@ The following fields are available:
 - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
-- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
-- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
 - **ClientVersion** The version number of the software distribution client.
 - **CurrentMobileOperator** The mobile operator the device is currently connected to.
 - **DeviceModel** What is the device model.
-- **DeviceOEM** What OEM does this device belong to.
 - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
 - **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
 - **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
-- **Edition** Indicates the edition of Windows being used.
 - **EventInstanceID** A globally unique identifier for event instance.
-- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
 - **EventType** Possible values are Child, Bundle, or Driver.
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. 
@@ -3279,22 +3480,19 @@ The following fields are available:
 - **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
 - **HostName** The hostname URL the content is downloading from.
 - **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
-- **IsAOACDevice** Is it Always On, Always Connected?
 - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
 - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
 - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
 - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
-- **NetworkRestrictionStatus** "More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be ""metered."""
+- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
 - **PackageFullName** The package name of the content.
 - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
-- **PlatformRole** The PowerPlatformRole as defined on MSDN
 - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
 - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
 - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
 - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
 - **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
 - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
 - **ShippingMobileOperator** The mobile operator that a device shipped on.
 - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
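Review bot: The rewritten ServiceGuid line replaces "Microsoft Store" with "Windows Store", which reverts to the older product name while the rest of the new text keeps "Microsoft Store" (the DownloadCheckpoint ServiceGuid entry and the DownloadHeartbeat ServiceID entry added later in this diff both say Microsoft Store). The same substitution is made to the Install section's ServiceGuid line in the hunk starting at `@@ -3440,27 +3602,23 @@`, and the CheckForUpdates ServiceGuid line in the first hunk carries it too. Unless the rename is intentional, the new line should stay `- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).` in all three places so one identifier is not described with two product names.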
@@ -3307,93 +3505,65 @@ The following fields are available:
 - **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
 - **TotalExpectedBytes** The total count of bytes that the download is expected to be.
 - **UpdateId** An identifier associated with the specific piece of content.
+- **UpdateID** An identifier associated with the specific piece of content.
 - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
 - **UsedDO** Whether the download used the delivery optimization service.
 - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
 - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **WUSetting** Indicates the users' current updating settings.
-### SoftwareUpdateClientTelemetry.CheckForUpdates
+### SoftwareUpdateClientTelemetry.DownloadCheckpoint
-This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date
+This event provides a checkpoint between each of the Windows Update download phases for UUP content
 The following fields are available:
-- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
-- **AllowCachedResults** Indicates if the scan allowed using cached results.
-- **BiosFamily** The family of the BIOS (Basic Input Output System).
-- **BiosName** The name of the device BIOS.
-- **BiosReleaseDate** The release date of the device BIOS.
-- **BiosSKUNumber** The sku number of the device BIOS.
-- **BIOSVendor** The vendor of the BIOS.
-- **BiosVersion** The version of the BIOS.
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
-- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
-- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **ClientVersion** The version number of the software distribution client.
-- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **DeviceModel** What is the device model.
-- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
-- **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
-- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
-- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
-- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
-- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
-- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
-- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
-- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
-- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
-- **MetadataIntegrityMode** The mode of the update transport metadata integrity check.
0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
-- **MSIError** The last error that was encountered during a scan for updates.
-- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
-- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
-- **NumberOfLoop** The number of round trips the scan required
-- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
-- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
-- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
-- **Online** Indicates if this was an online scan.
-- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver"
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
+- **FileId** A hash that uniquely identifies a file
+- **FileName** Name of the downloaded file
+- **FlightId** The unique identifier for each flight
 - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **ScanDurationInSeconds** The number of seconds a scan took
-- **ScanEnqueueTime** The number of seconds it took to initialize a scan
-- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
-- **ServiceUrl** The environment URL a device is configured to scan with
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
-- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
-- **SyncType** Describes the type of scan the event was
-- **SystemBIOSMajorRelease** Major version of the BIOS.
-- **SystemBIOSMinorRelease** Minor version of the BIOS.
-- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
-- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
-- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
-- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
-- **BranchReadinessLevel** The servicing branch configured on the device.
-- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
-- **DeferredUpdates** Update IDs which are currently being deferred until a later time
-- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
-- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
-- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
-- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
-- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
-- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
-- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
-- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **PausedUpdates** A list of UpdateIds which that currently being paused.
-- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
-- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
-- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
-- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
-- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
-- **DriverSyncPassPerformed** Were drivers scanned this time?
+- **RevisionNumber** Unique revision number of Update
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
+- **UpdateId** Unique Update ID
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### SoftwareUpdateClientTelemetry.DownloadHeartbeat
+
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download
+
+The following fields are available:
+
+- **BundleID** Identifier associated with the specific content bundle.
If this value is found, it shouldn't report as all zeros
+- **BytesTotal** Total bytes to transfer for this content
+- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat
+- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client
+- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat
+- **CurrentError** Last (transient) error encountered by the active download
+- **DownloadFlags** Flags indicating if power state is ignored
+- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
+- **EventType** Possible values are "Child", "Bundle", or "Driver"
+- **FlightId** The unique identifier for each flight
+- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
+- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
+- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
+- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
+- **ResumeCount** Number of times this active download has resumed from a suspended state
+- **RevisionNumber** Identifies the revision number of this specific piece of content
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
+- **SuspendCount** Number of times this active download has entered a suspended state
+- **SuspendReason** Last reason for why this active
download entered a suspended state
+- **UpdateId** Identifier associated with the specific piece of content
+- **WUDeviceID** Unique device id controlled by the software distribution client
 ### SoftwareUpdateClientTelemetry.Install
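Review bot: The added `+- **UpdateID** An identifier associated with the specific piece of content.` at the top of this hunk sits directly under the existing `- **UpdateId**` entry with the same description, so the Download section now lists one field twice under names that differ only in case; either one line should be dropped or the description should state which spelling the event actually emits. The same duplicate is added to the Install section in the last hunk of this view, which continues past the end of the chunk. The new DownloadCheckpoint and DownloadHeartbeat lines also carry over typos from the removed text: `"Relase"` in EventType, `?metered"` in IsNetworkMetered (the opening quote is mis-encoded) and `heartbeart` in PowerState. DownloadHeartbeat additionally describes ServiceGuid with "Windows Store" and ServiceID with "Microsoft Store" for what reads as the same identifier; the two entries should use one product name.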
@@ -3408,30 +3578,22 @@ The following fields are available:
 - **BiosSKUNumber** The sku number of the device BIOS.
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
-- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle?
 - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
 - **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
 - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod** Was the download a full download or a partial download?
-- **ClientManagedByWSUSServer** Is the client managed by Windows Server Update Services (WSUS)?
 - **ClientVersion** The version number of the software distribution client.
 - **CSIErrorType** The stage of CBS installation where it failed.
 - **CurrentMobileOperator** Mobile operator that device is currently connected to.
 - **DeviceModel** What is the device model.
-- **DeviceOEM** What OEM does this device belong to.
-- **DownloadPriority** The priority of the download activity.
-- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
 - **DriverPingBack** Contains information about the previous driver and system state.
-- **Edition** Indicates the edition of Windows being used.
 - **EventInstanceID** A globally unique identifier for event instance.
-- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
 - **EventType** Possible values are Child, Bundle, or Driver.
 - **ExtendedErrorCode** The extended error code.
 - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
 - **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
 - **FlightId** The specific ID of the Windows Insider build the device is getting.
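Review bot: The rewritten `+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.` moves this entry to declarative wording, but its neighbours in the Install section (`BundleRepeatFailFlag`, `IsDependentSet`, `IsWUfBDualScanEnabled`, `QualityUpdatePause`) keep the question form, so the section now mixes two styles. The next hunk does the same for IsWUfBEnabled while leaving IsWUfBDualScanEnabled directly above it as a question. If the declarative form is the target, `- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.` and the other question-form entries should be converted in the same change rather than one at a time.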
@@ -3440,27 +3602,23 @@ The following fields are available:
 - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
 - **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
 - **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
 - **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
 - **IsFirmware** Is this update a firmware update?
 - **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
 - **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
-- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
+- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
 - **MergedUpdate** Was the OS update and a BSP update merged for installation?
 - **MsiAction** The stage of MSI installation where it failed.
 - **MsiProductCode** The unique identifier of the MSI installer.
 - **PackageFullName** The package name of the content being installed.
 - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **PlatformRole** The PowerPlatformRole as defined on MSDN.
 - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
 - **QualityUpdatePause** Are quality OS updates paused on the device?
 - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
 - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
-- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
 - **RevisionNumber** The revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
 - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
 - **ShippingMobileOperator** The mobile operator that a device shipped on.
 - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
@@ -3470,355 +3628,540 @@ The following fields are available:
 - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
 - **TransactionCode** The ID which represents a given MSI installation
 - **UpdateId** Unique update ID
+- **UpdateID** An identifier associated with the specific piece of content.
 - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
 - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
 - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **WUSetting** Indicates the user's current updating settings.
-### SoftwareUpdateClientTelemetry.DownloadHeartbeat
+### SoftwareUpdateClientTelemetry.UpdateDetected
-This event allows tracking of ongoing downloads and contains data to explain the current state of the download
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
 The following fields are available:
-- **BundleID** Identifier associated with the specific content bundle. 
If this value is found, it shouldn't report as all zeros
-- **BytesTotal** Total bytes to transfer for this content
-- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat
-- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat
-- **CurrentError** Last (transient) error encountered by the active download
-- **DownloadFlags** Flags indicating if power state is ignored
-- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
-- **IsNetworkMetered** "Indicates whether Windows considered the current network to be ?metered"""
-- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
-- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
-- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
-- **RelatedCV** "The previous correlation vector that was used by the client, before swapping with a new one "
-- **ResumeCount** Number of times this active download has resumed from a suspended state
-- **ServiceID** "Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) "
-- **SuspendCount** Number of times this active download has entered a suspended state
-- **SuspendReason** Last reason for why this active download entered a suspended state
-- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
-- **ClientVersion** The version number of the software distribution client
-- **EventType** "Possible values are ""Child"", ""Bundle"", or ""Driver"""
-- **FlightId** The unique identifier for each flight
-- **RevisionNumber** Identifies the revision number of this specific piece of content
-- **ServiceGuid** Identifier for the service to which the software distribution client is 
connecting (Windows Update, Microsoft Store, etc)
-- **UpdateId** "Identifier associated with the specific piece of content "
-- **WUDeviceID** "Unique device id controlled by the software distribution client "
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.).
+- **WUDeviceID** The unique device ID controlled by the software distribution client.
+
+
+### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
+
+Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
+
+The following fields are available:
+
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ExtendedStatusCode** The secondary status code of the event.
+- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 
0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
+- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
+- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **RevisionId** The revision ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
+- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+- **StatusCode** The status code of the event.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **UpdateId** The update ID for a specific piece of content.
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+
+
+## Update Assistant events
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
+
+The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies. 
+
+The following fields are available:
+
+- **ApplicabilityBlockedReason** Blocked due to an applicability issue.
+- **BlockWuUpgrades** The upgrade assistant is currently blocked.
+- **clientID** An identification of the current release of Update Assistant.
+- **CloverTrail** This device is Clovertrail.
+- **DeviceIsMdmManaged** This device is MDM managed.
+- **IsNetworkAvailable** If the device network is not available.
+- **IsNetworkMetered** If network is metered.
+- **IsSccmManaged** This device is SCCM managed.
+- **NewlyInstalledOs** OS is newly installed quiet period.
+- **PausedByPolicy** Updates are paused by policy.
+- **RecoveredFromRS3** Previously recovered from RS3.
+- **RS1UninstallActive** Blocked due to an active RS1 uninstall.
+- **RS3RollBacks** Exceeded number of allowable RS3 rollbacks.
+- **triggerTaskSource** Describe which task launches this instance.
+- **WsusManaged** This device is WSUS managed.
+- **ZeroExhaust** This device is zero exhaust.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
+
+The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version.
+
+The following fields are available:
+
+- **calendarRun** Indicates the calendar run task invoked the update assistant wrapper.
+- **clientID** An identification of the current release of Update Assistant.
+- **denyReason** All the reasons why the Update Assistant was prevented from launching. Bitmask with values from UpdateAssistant.cpp eUpgradeModeReason.
+- **triggerTaskSource** Describe which task launches this instance.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
+
+Event to mark that Update Assistant Orchestrator failed to launch Update Assistant.
+
+The following fields are available:
+
+- **clientID** An identification of the current release of Update Assistant.
+- **hResult** Error code of the Update Assistant Orchestrator failure. 
+- **triggerTaskSource** Describe which task launches this instance.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId
+
+Event indicating One Settings was not queried by update assistant.
+
+The following fields are available:
+
+- **clientID** An identification of the current release of Update Assistant.
+- **hResult** Error code of One Settings query failure.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId
+
+This event sends basic information on whether the device should be updated to the latest Windows 10 version.
+
+The following fields are available:
+
+- **autoStartRunCount** The auto start run count of Update Assistant.
+- **clientID** The ID of the current release of Update Assistant.
+- **launchMode** Indicates the type of launch performed.
+- **launchTypeReason** A bitmask of all the reasons for type of launch.
+- **triggerTaskSource** Indicates which task launches this instance.
+- **UALaunchRunCount** Total number of times Update Assistant launched.
+
+
+### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId
+
+The event sends basic info on whether the Windows 10 update notification has previously launched.
+
+The following fields are available:
+
+- **calendarRun** Indicates the update assistant wrapper was started by the calendar run task.
+- **clientID** ID of the current release of Update Assistant.
+- **restoreReason** All the reasons for the restore.
+- **triggerTaskSource** Indicates which task launches this instance.
 ## Update events
-### Update360Telemetry.UpdateAgentPostRebootResult
+### Update360Telemetry.UpdateAgentCommit
-This event collects information for both Mobile and Desktop regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario
-
-The following fields are available:
-
-- **ErrorCode** The error code returned for the current post reboot phase
-- **FlightId** The unique identifier for each flight
-- **ObjectId** Unique value for each Update Agent mode
-- **RelatedCV** Correlation vector value generated from the latest USO scan
-- **Result** Indicates the Hresult
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId** Unique value for each Update Agent mode attempt
-- **UpdateId** Unique ID for each update
-- **PostRebootResult** Indicates the Hresult
-
-
-### Update360Telemetry.UpdateAgent_Initialize
-
-This event sends data during the initialize phase of updating Windows.
-
-The following fields are available:
-
-- **ErrorCode** The error code returned for the current initialize phase.
-- **FlightId** Unique ID for each flight.
-- **FlightMetadata** Contains the FlightId and the build being flighted.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
-- **SessionId** Unique value for each Update Agent mode attempt .
-- **UpdateId** Unique ID for each update.
-- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
-
-
-### Update360Telemetry.UpdateAgent_DownloadRequest
-
-This event sends data during the download request phase of updating Windows. 
-
-The following fields are available:
-
-- **ErrorCode** The error code returned for the current download request phase.
-- **ObjectId** Unique value for each Update Agent mode.
-- **PackageCountOptional** Number of optional packages requested.
-- **PackageCountRequired** Number of required packages requested.
-- **PackageCountTotal** Total number of packages needed.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId** Unique value for each Update Agent mode attempt.
-- **PackageSizeCanonical** Size of canonical packages in bytes
-- **PackageSizeDiff** Size of diff packages in bytes
-- **PackageSizeExpress** Size of express packages in bytes
-- **Result** Result of the download request phase of update.
-- **FlightId** Unique ID for each flight.
-- **UpdateId** Unique ID for each update.
-- **PackageCountTotalCanonical** Total number of canonical packages.
-- **PackageCountTotalDiff** Total number of diff packages.
-- **PackageCountTotalExpress** Total number of express packages.
-- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
-- **RangeRequestState** Represents the state of the download range request.
-
-
-### Update360Telemetry.UpdateAgent_Install
-
-This event sends data during the install phase of updating Windows.
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
 The following fields are available:
 - **ErrorCode** The error code returned for the current install phase.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest scan.
-- **ScenarioId** The scenario ID. 
Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId** Unique value for each Update Agent mode attempt.
-- **Result** "Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled "
 - **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
 - **UpdateId** Unique ID for each update.
-### Update360Telemetry.UpdateAgent_ModeStart
+### Update360Telemetry.UpdateAgentDownloadRequest
-This event sends data for the start of each mode during the process of updating Windows.
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
 The following fields are available:
-- **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** The correlation vector value generated from the latest scan.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId** Unique value for each Update Agent mode attempt.
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
 - **FlightId** Unique ID for each flight.
-- **UpdateId** Unique ID for each update.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin. 
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCountOptional** # of optional packages requested.
+- **PackageCountRequired** # of required packages requested.
+- **PackageCountTotal** Total # of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each Update.
-### Update360Telemetry.UpdateAgent_SetupBoxLaunch
+### Update360Telemetry.UpdateAgentExpand
-This event sends data during the launching of the setup box when updating Windows.
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
 The following fields are available:
-- **ObjectId** Unique value for each Update Agent mode.
-- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
-- **RelatedCV** Correlation vector value generated from the latest scan.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId** Unique value for each Update Agent mode attempt.
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase. 
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
 - **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentFellBackToCanonical
+
+This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PackageCount** Number of packages that feel back to canonical.
+- **PackageList** PackageIds which fell back to canonical.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
 - **UpdateId** Unique ID for each update.
-- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
-- **SandboxSize** The size of the sandbox folder on the device.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode. 
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** The result for the current install phase.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMerge
+
+The UpdateAgentMerge event sends data on the merge phase when updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current merge phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Related correlation vector value.
+- **Result** Outcome of the merge phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentMitigationResult
+
+This event sends data indicating the result of each update agent mitigation.
+
+The following fields are available:
+
+- **Applicable** Indicates whether the mitigation is applicable for the current update. 
+- **CommandCount** The number of command operations in the mitigation entry.
+- **CustomCount** The number of custom operations in the mitigation entry.
+- **FileCount** The number of file operations in the mitigation entry.
+- **FlightId** Unique identifier for each flight.
+- **Index** The mitigation index of this particular mitigation.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **Name** The friendly name of the mitigation.
+- **ObjectId** Unique value for each Update Agent mode.
+- **OperationIndex** The mitigation operation index (in the event of a failure).
+- **OperationName** The friendly name of the mitigation operation (in the event of failure).
+- **RegistryCount** The number of registry operations in the mitigation entry.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt.
+- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments).
+- **UpdateId** Unique ID for each Update.
+
+
+### Update360Telemetry.UpdateAgentMitigationSummary
+
+This event sends a summary of all the update agent mitigations available for an this update.
+
+The following fields are available:
+
+- **Applicable** The count of mitigations that were applicable to the system and scenario.
+- **Failed** The count of mitigations that failed.
+- **FlightId** Unique identifier for each flight.
+- **MitigationScenario** The update scenario in which the mitigations were attempted.
+- **ObjectId** The unique value for each Update Agent mode.
+- **RelatedCV** The correlation vector value generated from the latest USO scan.
+- **Result** The HResult of this operation.
+- **ScenarioId** The update agent scenario ID.
+- **SessionId** Unique value for each update attempt. 
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments).
+- **Total** Total number of mitigations that were available.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+- **Version** Version of update
+
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current post reboot phase.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PostRebootResult** Indicates the Hresult.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Indicates the Hresult
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentSetupBoxLaunch
+
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. 
+
+The following fields are available:
+
+- **ContainsExpressPackage** Indicates whether the download package is express.
+- **FlightId** Unique ID for each flight.
+- **FreeSpace** Free space on OS partition.
+- **InstallCount** Number of install attempts using the same sandbox.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **SandboxSize** Size of the sandbox.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **SetupMode** Mode of setup to be launched.
+- **UpdateId** Unique ID for each update.
+- **UserSession** Indicates whether install was invoked by user actions.
 ## Update notification events
 ### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
-This event indicates that Javascript is reporting a schema and a set of values for critical diagnostic data.
+This event indicates that Javascript is reporting a schema and a set of values for critical telemetry.
 The following fields are available:
-- **CampaignConfigVersion** Configuration version for the current campaign
-- **CampaignID** Currently campaign that's running on UNP
-- **ConfigCatalogVersion** Current catalog version of UNP
-- **ContentVersion** Content version for the current campaign on UNP
-- **CV** Correlation vector
-- **DetectorVersion** Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
+- **CampaignConfigVersion** Configuration version of the current campaign.
+- **CampaignID** ID of the currently running campaign.
+- **ConfigCatalogVersion** Current catalog version of the update notification.
+- **ContentVersion** Content version of the current update notification campaign.
+- **CV** Correlation vector. 
+- **DetectorVersion** Most recently run detector version for the current campaign.
+- **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user.
 - **key1** Interaction data for the UI
-- **key10** Interaction data for the UI
-- **key11** Interaction data for the UI
-- **key12** Interaction data for the UI
-- **key13** Interaction data for the UI
-- **key14** Interaction data for the UI
-- **key15** Interaction data for the UI
-- **key16** Interaction data for the UI
-- **key17** Interaction data for the UI
-- **key18** Interaction data for the UI
-- **key19** Interaction data for the UI
+- **key10** UI interaction data
+- **key11** UI interaction data
+- **key12** UI interaction data
+- **key13** UI interaction data
+- **key14** UI interaction data
+- **key15** UI interaction data
+- **key16** UI interaction data
+- **key17** UI interaction data
+- **key18** UI interaction data
+- **key19** UI interaction data
 - **key2** Interaction data for the UI
-- **key20** Interaction data for the UI
+- **key20** UI interaction data
 - **key21** Interaction data for the UI
-- **key22** Interaction data for the UI
-- **key23** Interaction data for the UI
-- **key24** Interaction data for the UI
-- **key25** Interaction data for the UI
-- **key26** Interaction data for the UI
-- **key27** Interaction data for the UI
-- **key28** Interaction data for the UI
-- **key29** Interaction data for the UI
+- **key22** UI interaction data
+- **key23** UI interaction data
+- **key24** UI interaction data
+- **key25** UI interaction data
+- **key26** UI interaction data
+- **key27** UI interaction data
+- **key28** UI interaction data
+- **key29** UI interaction data
 - **key3** Interaction data for the UI
-- **key30** Interaction data for the UI
+- **key30** UI interaction data
 - **key4** Interaction data for the UI
-- **key5** Interaction data for the UI
-- **key6** Interaction data for the UI
+- **key5** UI interaction data
+- **key6** UI 
interaction data
 - **key7** Interaction data for the UI
 - **key8** Interaction data for the UI
-- **key9** Interaction data for the UI
-- **PackageVersion** Current package version of UNP
-- **schema** Type of UI interaction
+- **key9** UI interaction data
+- **PackageVersion** Current package version of the update notification.
+- **schema** UI interaction type.
 ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
-This event is sent at the start of each campaign, to be used as a heartbeat
+This event is sent at the start of each campaign, to be used as a heartbeat.
 The following fields are available:
-- **CampaignConfigVersion** Configuration version for the current campaign
-- **CampaignID** Currently campaign that's running on UNP
-- **ConfigCatalogVersion** Current catalog version of UNP
-- **ContentVersion** Content version for the current campaign on UNP
-- **CV** Correlation vector
-- **DetectorVersion** Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
-- **PackageVersion** Current UNP package version
+- **CampaignConfigVersion** Configuration version for the current campaign.
+- **CampaignID** Current campaign that is running on Update Notification Pipeline.
+- **ConfigCatalogVersion** Current catalog version of Update Notification Pipeline.
+- **ContentVersion** Content version for the current campaign on Update Notification Pipeline.
+- **CV** Correlation vector.
+- **DetectorVersion** Most recently run detector version for the current campaign on Update Notification Pipeline.
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user.
+- **PackageVersion** Current package version for Update Notification Pipeline.
### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign -This event indicates that the Campaign Manager is cleaning up the campaign content +This event indicates that the Campaign Manager is cleaning up the campaign content. The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Current campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** The current campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** The current catalog version of the Update Notification Pipeline (UNP). +- **ContentVersion** Content version for the current campaign on UNP. - **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **PackageVersion** Current UNP package version +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. ### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed -This event is sent when a campaign completion status query fails +This event is sent when a campaign completion status query fails. 
The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Current campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **hresult** HRESULT of the failure -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Current campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **hresult** HRESULT of the failure. +- **PackageVersion** Current UNP package version. ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. 
The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. ### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed -This event is sent when the Campaign Manager encounters an unexpected error while running the campaign +This event is sent when the Campaign Manager encounters an unexpected error while running the campaign. 
The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **hresult** HRESULT of the failure#N# -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that's running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **hresult** HRESULT of the failure. +- **PackageVersion** Current UNP package version. ## Upgrade events -### Setup360Telemetry.PreDownloadUX +### FacilitatorTelemetry.DCATDownload -The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process. +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. 
The following fields are available: -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous operating system. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). -- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). 
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.UnexpectedEvent - -This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. 
- - -### Setup360Telemetry.PreInstallQuiet - -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT) -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. ### Setup360Telemetry.Finalize -This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date. 
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. The following fields are available: 
@@ -3827,19 +4170,40 @@ The following fields are available: - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** d +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). 
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + ### Setup360Telemetry.PostRebootInstall -This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date. +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. The following fields are available: 
@@ -3867,63 +4231,63 @@ The following fields are available: - **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. 
-### Setup360Telemetry.OsUninstall +### Setup360Telemetry.PreDownloadUX -The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall. +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. 
Example: succeeded, failed, blocked, cancelled +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. -### Setup360Telemetry.Downlevel +### Setup360Telemetry.PreInstallQuiet -This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure. +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. The following fields are available: -- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the downlevel OS. -- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. 
Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. 
### Setup360Telemetry.PreInstallUX -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process. +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. The following fields are available: @@ -3932,12 +4296,12 @@ The following fields are available: - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. 
@@ -3948,37 +4312,56 @@ This event sends data about OS deployment scenarios, to help keep Windows up-to- The following fields are available: +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FieldName** Retrieves the data point. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. - **ReportId** Retrieves the report ID. - **ScenarioId** Retrieves the deployment scenario. - **Value** Retrieves the value associated with the corresponding FieldName. -- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string. -## Windows as a Service diagnostic events +### Setup360Telemetry.Setup360DynamicUpdate -### Microsoft.Windows.WaaSMedic.SummaryEvent +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. -This event provides the results from the WaaSMedic engine + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. The following fields are available: -- **detectionSummary** Result of each detection that ran -- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates -- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. 
False, if otherwise -- **isManaged** Indicates the device is managed for updates -- **isWUConnected** Indicates the device is connected to Windows Update -- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions -- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on -- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client#N# -- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client#N# -- **versionString** Installed version of the WaaSMedic engine -- **hrEngineResult** Indicates the WaaSMedic engine operation error codes +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. 
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. +## Windows as a Service diagnostic events + ### Microsoft.Windows.WaaSMedic.Summary This event provides the results of the WaaSMedic diagnostic run 
@@ -3986,39 +4369,45 @@ This event provides the results of the WaaSMedic diagnostic run The following fields are available: - **detectionSummary** Result of each detection that ran -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on -- **versionString** Installed version of the WaaSMedic engine - **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates - **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise - **isManaged** Indicates the device is managed for updates - **isWUConnected** Indicates the device is connected to Windows Update - **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions - **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on - **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client - **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. 
If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client +- **versionString** Installed version of the WaaSMedic engine -## Windows Error Reporting events +### Microsoft.Windows.WaaSMedic.SummaryEvent -### Microsoft.Windows.WERVertical.OSCrash - -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event provides the results from the WaaSMedic engine The following fields are available: -- **BootId** Uint32 identifying the boot number for this device. -- **BugCheckCode** "Uint64 ""bugcheck code"" that identifies a proximate cause of the bug check." -- **BugCheckParameter1** Uint64 parameter providing additional information. -- **BugCheckParameter2** Uint64 parameter providing additional information. -- **BugCheckParameter3** Uint64 parameter providing additional information. -- **BugCheckParameter4** Uint64 parameter providing additional information. -- **DumpFileAttributes** Codes that identify the type of data contained in the dump file -- **DumpFileSize** Size of the dump file -- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineResult** Indicates the WaaSMedic engine operation error codes +- **insufficientSessions** Device not eligible for diagnostics. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. 
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **versionString** Version of the WaaSMedic engine. + + +## Windows Store events + +### Microsoft.Windows.Store.Partner.ReportApplication + +Report application event for Windows Store client. -## Microsoft Store events ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation 
@@ -4032,281 +4421,30 @@ The following fields are available:
 - **CategoryId** The Item Category ID.
 - **ClientAppId** The identity of the app that initiated this operation.
 - **HResult** The result code of the last action performed before this operation.
-- **IntentPFNs** Intent Product Family Name
 - **IsBundle** Is this a bundle?
 - **IsInteractive** Was this requested by a user?
 - **IsMandatory** Was this a mandatory update?
 - **IsRemediation** Was this a remediation install?
 - **IsRestore** Is this automatically restoring a previously acquired product?
 - **IsUpdate** Flag indicating if this is an update.
-- **IsWin32** Flag indicating if this is a Win32 app (not used).
 - **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
 - **PFN** The product family name of the product being installed.
 - **ProductId** The identity of the package or packages being installed.
 - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
-- **UpdateId** Update ID (if this is an update)
 - **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
-- **WUContentId** The Windows Update content ID
+- **WUContentId** Licensing identity of this package.
-### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
-This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
-- **AttemptNumber** The total number of attempts to acquire this product.
-- **BundleId** The bundle ID
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** HResult code to show the result of the operation (success/failure).
-- **IntentPFNs** Intent Product Family Name
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Did the user initiate the installation?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this happening after a device restore?
-- **IsUpdate** Is this an update?
-- **IsWin32** Flag indicating if this is a Win32app.
-- **ParentBundledId** The product's parent bundle ID.
-- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
-- **PFN** Product Family Name of the product being installed.
-- **ProductId** The Store Product ID for the product being installed.
-- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
-- **UpdateId** The update ID (if this is an update)
-- **UserAttemptNumber** The number of attempts by the user to acquire this product
-- **WUContentId** The Windows Update content ID
+This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure.
-### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
-This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure.
+### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare
-The following fields are available:
+This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure.
-- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
-- **AttemptNumber** Number of retry attempts before it was canceled.
-- **BundleId** The identity of the Windows Insider build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **DownloadSize** The total size of the download.
-- **ExtendedHResult** Any extended HResult error codes.
-- **HResult** The result code of the last action performed.
-- **IntentPFNs** Intent Product Family Name
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this initiated by the user?
-- **IsMandatory** Is this a mandatory installation?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this a restore of a previously acquired product?
-- **IsUpdate** Is this an update?
-- **IsWin32** Flag indicating if this is a Win32 app (unused).
-- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
-- **PFN** The Product Family Name of the app being download.
-- **ProductId** The Store Product ID for the product being installed.
-- **SystemAttemptNumber** The number of attempts by the system to download.
-- **UpdateId** Update ID (if this is an update)
-- **UserAttemptNumber** The number of attempts by the user to download.
-- **WUContentId** The Windows Update content ID.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
-
-This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **HResult** The result code of the last action performed before this operation.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
-
-This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **HResult** The result code of the last action performed before this operation.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
-
-This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-- **AttemptNumber** The number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **ExtendedHResult** The extended HResult error code.
-- **HResult** The result code of the last action performed.
-- **IntentPFNs** Intent Product Family Name
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this an interactive installation?
-- **IsMandatory** Is this a mandatory installation?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this automatically restoring a previously acquired product?
-- **IsUpdate** Is this an update?
-- **IsWin32** Flag indicating if this a Win32 app (unused).
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** Product Family Name of the product being installed.
-- **ProductId** The Store Product ID for the product being installed.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UpdateId** Update ID (if this is an update)
-- **UserAttemptNumber** The total number of user attempts.
-- **WUContentId** The Windows Update content ID
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
-
-This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** The result code of the last action performed.
-- **IsApplicability** Is this request to only check if there are any applicable packages to install?
-- **IsInteractive** Is this user requested?
-- **IsOnline** Is the request doing an online check?
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
-
-This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-- **AttemptNumber** The total number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** The result code of the last action performed.
-- **IntentPFNs** The licensing identity of this package.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this user requested?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this restoring previously acquired content?
-- **IsUpdate** Is this an update?
-- **IsWin32** Flag indicating if this a Win32 app (unused).
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The name of the package or packages requested for install.
-- **ProductId** The Store Product ID for the product being installed.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UpdateId** Update ID (if this is an update)
-- **UserAttemptNumber** The total number of user attempts.
-- **WUContentId** The Windows Update content ID
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
-
-This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AttemptNumber** The total number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** The result code of the last action performed.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this user requested?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this restoring previously acquired content?
-- **IsUpdate** Is this an update?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The name of the package or packages requested for install.
-- **ProductId** The Store Product ID for the product being installed.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UserAttemptNumber** The total number of system attempts.
-- **WUContentId** The Windows Update content ID
-- **IntentPFNs** The licensing identity of this package.
-- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
-
-This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **BundleId** The identity of the build associated with this product.
-- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
-- **ProductId** The Store Product ID for the product being installed.
-- **SkuId** Specific edition ID being installed.
-- **VolumePath** The disk path of the installation.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
-
-This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AttemptNumber** The total number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this user requested?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this restoring previously acquired content?
-- **IsUpdate** Is this an update?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The Product Full Name.
-- **PreviousHResult** The result code of the last action performed before this operation.
-- **PreviousInstallState** Previous state before the installation or update was paused.
-- **ProductId** The Store Product ID for the product being installed.
-- **RelatedCV** Correlation Vector of a previous performed action on this product.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UserAttemptNumber** The total number of user attempts.
-- **WUContentId** The Windows Update content ID
-- **IntentPFNs** The licensing identity of this package.
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
-
-This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AttemptNumber** The number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this user requested?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this restoring previously acquired content?
-- **IsUpdate** Is this an update?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The name of the package or packages requested for install.
-- **PreviousHResult** The previous HResult error code.
-- **PreviousInstallState** Previous state before the installation was paused.
-- **ProductId** The Store Product ID for the product being installed.
-- **RelatedCV** Correlation Vector for the original install before it was resumed.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UserAttemptNumber** The total number of user attempts.
-- **WUContentId** The Windows Update content ID
-- **IntentPFNs** Intent Product Family Name
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-- **HResult** The result code of the last action performed before this operation.
-- **IsUserRetry** Did the user initiate the retry?
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
-
-This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **PFamN** The name of the product that is requested for update.
 ### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
@@ -4315,6 +4453,7 @@ This event is sent when an app update or installation is canceled while in inter
 The following fields are available:
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
 - **AttemptNumber** Total number of installation attempts.
 - **BundleId** The identity of the Windows Insider build that is associated with this product.
 - **CategoryId** The identity of the package or packages being installed.
@@ -4333,34 +4472,12 @@ The following fields are available:
 - **RelatedCV** Correlation Vector of a previous performed action on this product.
 - **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
 - **UserAttemptNumber** Total number of user attempts to install before it was canceled.
-- **WUContentId** The Windows Update content ID
-- **IntentPFNs** Intent Product Family Name
-- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
-
-This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **CatalogId** The Store Product ID for the product being installed.
-- **ProductId** The Store Product ID for the product being installed.
-- **SkuId** Specfic edition of the app being updated.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
-
-This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **HResult** The result code of the last action performed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
-This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+This event is sent at the end of the installs or updates. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
 The following fields are available:
@@ -4372,39 +4489,334 @@ The following fields are available:
 - **SkuId** Specific edition of the item being installed.
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Did the user initiate the installation?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this happening after a device restore?
+- **IsUpdate** Is this an update?
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event is sent after an app is downloaded to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this an interactive installation?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **IsOnline** Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent after restoring user data (if any) that needs to be restored following a product install. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+FulfillmentComplete event is fired at the end of an app install or update. We use this to track the very end of the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure such as the mail and calendar apps. 
App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps.
+
+The following fields are available:
+
+- **FailedRetry** Tells us if the retry for an install or update was successful or not.
+- **HResult** Resulting HResult error/success code of this call
+- **PFN** Package Family Name of the app that being installed or updated
+- **ProductId** Product Id of the app that is being updated or installed
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+FulfillmentInitiate event is fired at the start of an app install or update. We use this to track the very beginning of the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps.
+
+The following fields are available:
+
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event is sent when a product install or update is initiated. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused either by a user or the system. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event is sent when a product install or update is resumed either by a user or the system. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsUserRetry** Did the user initiate the retry?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** Licensing identity of this package.
+
+
 ### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
-This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is resumed by a user and on install retries. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
 The following fields are available:
 - **ProductId** The Store Product ID for the product being installed.
-### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
-This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+This event is sent when searching for update packages to install. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
 The following fields are available:
-- **FailedRetry** Was the installation or update retry successful?
-- **HResult** The HResult code of the operation.
-- **PFN** The Package Family Name of the app that is being installed or updated.
-- **ProductId** The product ID of the app that is being updated or installed.
+- **CatalogId** The Store Catalog ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specfic edition of the app being updated.
-### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
-This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure.
 The following fields are available:
-- **PFN** The Package Family Name of the app that is being installed or updated.
-- **ProductId** The product ID of the app that is being updated or installed.
+- **PFamN** The name of the app that is requested for update.
 ## Windows Update Delivery Optimization events
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
+
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Is the download being done in the background?
+- **bytesFromCacheServer** Bytes received from a cache host.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **callerName** Name of the API caller.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **clientTelId** A random number used for device sampling.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **gCurMemoryStreamBytes** Current usage for memory streaming.
+- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
+- **reasonCode** Reason the action or event occurred.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the file download session.
+- **updateID** The ID of the update being downloaded.
+- **usedMemoryStream** Did the download use memory streaming?
+
+
 ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
 This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
@@ -4412,24 +4824,35 @@ This event describes when a download has completed with Delivery Optimization. I
 The following fields are available:
 - **background** Is the download a background download?
+- **bytesFromCacheServer** Bytes received from a cache host.
 - **bytesFromCDN** The number of bytes received from a CDN source.
 - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
 - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromLocalCache** Bytes copied over from local (on disk) cache.
 - **bytesFromPeers** The number of bytes received from a peer in the same LAN.
 - **bytesRequested** The total number of bytes requested for download.
+- **cacheServerConnectionCount** Number of connections made to cache hosts.
+- **callerName** Name of the API caller.
 - **cdnConnectionCount** The total number of connections made to the CDN.
 - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
 - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
 - **cdnIp** The IP address of the source CDN.
 - **clientTelId** A random number used for device sampling.
+- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session.
 - **doErrorCode** The Delivery Optimization error code that was returned.
 - **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
 - **downlinkUsageBps** The download speed (in bytes per second).
 - **downloadMode** The download mode used for this file download session.
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
 - **fileID** The ID of the file being downloaded.
 - **fileSize** The size of the file being downloaded.
+- **gCurMemoryStreamBytes** Current usage for memory streaming.
+- **gMaxMemoryStreamBytes** Maximum usage for memory streaming.
 - **groupConnectionCount** The total number of connections made to peers in the same group.
 - **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
 - **lanConnectionCount** The total number of connections made to peers in the same LAN.
 - **numPeers** The total number of peers used for this download.
 - **restrictedUpload** Is the upload restricted?
@@ -4439,8 +4862,6 @@ The following fields are available:
 - **updateID** The ID of the update being downloaded.
 - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
 - **uplinkUsageBps** The upload speed (in bytes per second).
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **isVpn** Is the device connected to a Virtual Private Network?
 - **usedMemoryStream** Did the download use memory streaming?
@@ -4451,15 +4872,77 @@ This event represents a temporary suspension of a download with Delivery Optimiz
 The following fields are available:
 - **background** Is the download a background download?
+- **callerName** The name of the API caller.
 - **clientTelId** A random number used for device sampling.
 - **errorCode** The error code that was returned.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
 - **fileID** The ID of the file being paused.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **jobID** Identifier for the Windows Update job.
 - **reasonCode** The reason for pausing the download.
 - **scenarioID** The ID of the scenario.
 - **sessionID** The ID of the download session.
 - **updateID** The ID of the update being paused.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background** Indicates whether the download is happening in the background.
+- **bytesRequested** Number of bytes requested for the download.
+- **callerName** Name of the API caller.
+- **cdnUrl** The URL of the source CDN.
+- **clientTelId** Random number used for device selection
+- **costFlags** A set of flags representing network cost.
+- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
+- **diceRoll** Random number used for determining if a client will use peering.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **errorCode** The error code that was returned.
+- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **fileID** The ID of the file being downloaded.
+- **filePath** The path to where the downloaded file will be written.
+- **fileSize** Total file size of the file that was downloaded.
+- **fileSizeCaller** Value for total file size provided by our caller.
+- **groupID** ID for the group.
+- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
+- **jobID** The ID of the Windows Update job.
+- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization.
+- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering.
+- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization.
+- **peerID** The ID for this delivery optimization client.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID for the file download session.
+- **updateID** The ID of the update being downloaded.
+- **usedMemoryStream** Indicates whether the download used memory streaming.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **clientTelId** A random number used for device sampling.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **isVpn** Is the device connected to a Virtual Private Network?
+- **fileID** The ID of the file being downloaded.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
+- **requestOffset** The byte offset within the file in the sent request.
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
 ### Microsoft.OSG.DU.DeliveryOptClient.JobError
@@ -4469,105 +4952,56 @@ This event represents a Windows Update job error. It allows for investigation of
 The following fields are available:
 - **clientTelId** A random number used for device sampling.
+- **doErrorCode** Error code returned for delivery optimization.
 - **errorCode** The error code returned.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
 - **fileID** The ID of the file being downloaded.
 - **jobID** The Windows Update job ID.
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-
-This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download being done in the background?
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
-- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
-- **clientTelId** A random number used for device sampling.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **errorCode** The error code that was returned.
-- **experimentId** When running a test, this is used to correlate events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the file download session.
-- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Did the download use memory streaming?
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-
-This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download a background download?
-- **cdnUrl** The URL of the CDN.
-- **clientTelId** A random number used for device sampling.
-- **deviceProfile** Identifies the usage or form factor. Example: Desktop or Xbox
-- **diceRoll** The dice roll value used in sampling events.
-- **doClientVersion** The version of the Delivery Optimization client.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **downloadMode** The download mode used for this file download session.
-- **errorCode** The error code that was returned.
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **filePath** The path where the file will be written.
-- **groupID** ID for the group.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **jobID** The ID of the Windows Update job.
-- **minDiskSizeGB** The minimum disk size (in GB) required for Peering.
-- **minDiskSizePolicyEnforced** Is the minimum disk size enforced via policy?
-- **minFileSizePolicy** The minimum content file size policy to allow the download using Peering.
-- **peerID** The ID for this Delivery Optimization client.
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the download session.
-- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Did the download use memory streaming?
-- **costFlags** A set of flags representing network cost.
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
-
-This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **cdnIp** The IP address of the CDN.
-- **cdnUrl** The URL of the CDN.
-- **clientTelId** A random number used for device sampling.
-- **errorCode** The error code that was returned.
-- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
-- **httpStatusCode** The HTTP status code returned by the CDN.
-- **sessionID** The ID of the download session.
-- **cdnHeaders** The HTTP headers returned by the CDN.
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
-- **requestSize** The size of the range requested from the CDN.
-- **responseSize** The size of the range response received from the CDN.
-
-
 ## Windows Update events
-### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
-This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
 The following fields are available:
-- **flightId** The unique identifier for each flight
-- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
-- **objectId** Unique value for each Update Agent mode
-- **relatedCV** Correlation vector value generated from the latest scan
-- **scenarioId** The scenario ID.
Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **sessionId** Unique value for each Update Agent mode attempt
-- **updateId** Unique ID for each update
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique GUID for each diagnostics session.
+- **relatedCV** A correlation vector value generated from the latest USO scan.
+- **result** Outcome of the initialization of the session.
+- **scenarioId** Identifies the Update scenario.
+- **sessionId** The unique value for each update session.
+- **updateId** The unique identifier for each Update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** Unique value for each Update Agent mode.
+- **packageCountOptional** Number of optional packages requested.
+- **packageCountRequired** Number of required packages requested.
+- **packageCountTotal** Total number of packages needed.
+- **packageCountTotalCanonical** Total number of canonical packages.
+- **packageCountTotalDiff** Total number of diff packages.
+- **packageCountTotalExpress** Total number of express packages.
+- **packageSizeCanonical** Size of canonical packages in bytes.
+- **packageSizeDiff** Size of diff packages in bytes.
+- **packageSizeExpress** Size of express packages in bytes
+- **rangeRequestState** Represents the state of the download range request.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the download request phase of update.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
@@ -4576,32 +5010,16 @@ This event sends data for initializing a new update session for the new device m
 The following fields are available:
-- **errorCode** The error code returned for the current initialize phase
-- **flightId** The unique identifier for each flight
-- **flightMetadata** Contains the FlightId and the build being flighted
-- **objectId** Unique value for each Update Agent mode
-- **relatedCV** Correlation vector value generated from the latest USO scan
-- **result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
-- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate#N#
-- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios)
-- **sessionId** "Unique value for each Update Agent mode attempt "
-- **updateId** Unique ID for each update
-
-
-### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
-
-This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
-
-The following fields are available:
-
-- **errorCode** The error code returned for the current session initialization
-- **flightId** The unique identifier for each flight
-- **objectId** The unique GUID for each diagnostics session
-- **relatedCV** A correlation vector value, generated from the latest USO scan
-- **result** Outcome of the initialization of the session
-- **scenarioId** Identifies the Update scenario
-- **sessionId** The unique value for each update session
-- **updateId** The unique identifier for each Update
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
@@ -4620,252 +5038,143 @@ The following fields are available: - **updateId** Unique ID for each update -### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario. The update scenario is used to install a device manifest describing a set of driver packages. The following fields are available: -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted -- **errorCode** The error code returned for the current session initialization -- **flightId** The unique identifier for each flight -- **objectId** Unique value for each Update Agent mode -- **packageCountOptional** Number of optional packages requested -- **packageCountRequired** Number of required packages requested -- **packageCountTotal** Total number of packages needed -- **packageCountTotalCanonical** Total number of canonical packages -- **packageCountTotalDiff** Total number of diff packages -- **packageCountTotalExpress** Total number of express packages -- **packageSizeCanonical** Size of canonical packages in bytes -- **packageSizeDiff** Size of diff packages in bytes -- **packageSizeExpress** Size of express packages in bytes -- **rangeRequestState** Represents the state of the download range request -- **relatedCV** Correlation vector value generated from the latest USO scan -- **result** Result of the download request phase of update -- **scenarioId** The scenario ID. 
Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **flightId** Unique ID for each flight. +- **mode** The mode that is starting. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **updateId** Unique ID for each Update. -### Microsoft.Windows.Update.Orchestrator.GameActive +### Microsoft.Windows.Update.NotificationUx.RebootScheduled -This event indicates that an enabled GameMode process prevented the device from restarting to complete an update +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. The following fields are available: -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted - -This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date. - -The following fields are available: - -- **MigrationDurationInMilliseconds** How long the DMF migration took (in milliseconds) -- **MigrationEndTime** A system timestamp of when the DMF migration completed. -- **RevisionNumbers** A collection of revision numbers for the updates associated with the DMF session. 
-- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session. -- **WuClientId** The GUID of the Windows Update client responsible for triggering the DMF migration - - -### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted - -This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date. - -The following fields are available: - -- **MigrationMicrosoftPhases** Revision numbers for the updates that were installed. -- **MigrationOEMPhases** WU Update IDs for the updates that were installed. -- **MigrationStartTime** The timestamp representing the beginning of the DMF migration -- **WuClientId** The GUID of the Windows Update client invoking DMF -- **RevisionNumbers** A collection of the revision numbers associated with the UpdateIds. -- **UpdateIds** A collection of GUIDs identifying the upgrades that are running. - - -### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult - -This event sends DMF migrator data to help keep Windows up to date. - -The following fields are available: - -- **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure. -- **ErrorCode** The result (as an HRESULT) of the migrator that just completed. -- **MigratorId** A GUID identifying the migrator that just completed. -- **MigratorName** The name of the migrator that just completed. -- **RunDurationInSeconds** The time it took for the migrator to complete. -- **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps. - - -### Microsoft.Windows.Update.Orchestrator.Download - -This event sends launch data for a Windows Update download to help keep Windows up to date. 
- -The following fields are available: - -- **deferReason** Reason for download not completing -- **detectionDeferreason** Reason for download not completing -- **errorCode** An error code represented as a hexadecimal value -- **eventScenario** End to end update session ID. -- **flightID** Unique update ID. -- **interactive** Identifies if session is user initiated. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.FlightInapplicable - -This event sends data on whether the update was applicable to the device, to help keep Windows up to date. - -The following fields are available: - -- **EventPublishedTime** time that the event was generated -- **revisionNumber** Revision Number of the Update -- **updateId** Unique Update ID -- **UpdateStatus** Integer that describes Update state -- **wuDeviceid** Unique Device ID -- **flightID** Unique Update ID -- **updateScenarioType** The update session type. - - -### Microsoft.Windows.Update.Orchestrator.PostInstall - -This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date. - -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **bundleId** Update grouping ID. -- **bundleRevisionnumber** Bundle revision number. -- **errorCode** Hex code for the error message, to allow lookup of the specific error. -- **eventScenario** End to end update session ID. -- **flightID** Unique update ID. -- **sessionType** Interactive vs. Background. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.RebootFailed - -This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date. 
- -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **EventPublishedTime** The time that the reboot failure occurred. -- **flightID** Unique update ID. -- **installRebootDeferreason** Reason for reboot not occurring. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. -- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **updateScenarioType** The update session type. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh - -This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. - -The following fields are available: - -- **configuredPoliciescount** Policy Count -- **policiesNamevaluesource** Policy Name -- **policyCacherefreshtime** Refresh time -- **updateInstalluxsetting** This shows whether a user has set policies via UX option -- **wuDeviceid** Unique device ID used by Windows Update. - - -### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired - -This event sends data about whether an update required a reboot to help keep Windows up to date. - -The following fields are available: - -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **wuDeviceid** Unique device ID used by Windows Update. -- **flightID** Unique update ID. 
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **updateScenarioType** The update session type. - - -### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled - -This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date. - -The following fields are available: - -- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise. -- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. - **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. -- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. -- **revisionNumber** Revision number of the update that is getting installed with this reboot. -- **scheduledRebootTime** Time of the scheduled reboot -- **updateId** Update ID of the update that is getting installed with this reboot. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. 
+- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.CommitFailed + +This event indicates that a device was unable to restart after an update. + +The following fields are available: + +- **errorCode** The error code that was returned. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery). - **wuDeviceid** Unique device ID used by Windows Update. -- **rebootState** The state of the reboot. ### Microsoft.Windows.Update.Orchestrator.Detection -This event sends launch data for a Windows Update scan to help keep Windows up to date. +This event indicates that a scan for a Windows Update occurred. The following fields are available: - **deferReason** Reason why the device could not check for updates. - **detectionBlockreason** Reason for detection not completing. -- **detectionDeferreason** A log of deferral reasons for every update state. +- **detectionRetryMode** Indicates whether we will try to scan again. - **errorCode** The returned error code. -- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. -- **flightID** A unique update ID. -- **interactive** Identifies if session is User Initiated. 
+- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session was user initiated. - **revisionNumber** Update revision number. - **updateId** Update ID. -- **updateScenarioType** The update session type. -- **wuDeviceid** Unique device ID used by Windows Update. +- **updateScenarioType** Device ID +- **wuDeviceid** Device ID -### Microsoft.Windows.Update.Orchestrator.InitiatingReboot +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded -This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. +This event indicates the reboot was postponed due to needing a display. The following fields are available: -- **EventPublishedTime** Time of the event. +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. - **revisionNumber** Revision number of the update. - **updateId** Update ID. -- **wuDeviceid** Unique device ID used by Windows Update. -- **flightID** Unique update ID -- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. 
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. - **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue -### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date. +This event indicates that the update is no longer applicable to this device. The following fields are available: -- **activeHoursApplicable** Is the restart respecting Active Hours? -- **rebootArgument** The arguments that are passed to the OS for the restarted. -- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? -- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. -- **rebootState** The state of the restart. -- **revisionNumber** The revision number of the OS being updated. -- **scheduledRebootTime** Time of the scheduled reboot -- **updateId** The Windows Update device GUID. -- **wuDeviceid** The Windows Update device GUID. -- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. 
+- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.GameActive + +This event indicates that an enabled GameMode process prevented the device from restarting to complete an update. + +The following fields are available: + +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded 
@@ -4877,148 +5186,56 @@ The following fields are available: - **UtcTime** The Coordinated Universal Time that the restart was no longer needed. -### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot +### Microsoft.Windows.Update.Ux.MusNotification.RebootRequestReasonsToIgnore -This event is sent when a toast notification is shown to the user about scheduling a device restart. +This event is sent when the reboot can be deferred based on some reasons, before reboot attempts The following fields are available: -- **UtcTime** The Coordinated Universal Time when the toast notification was shown. +- **Reason** The reason sent which will cause the reboot to defer. -### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot -This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. +This event is fired the first time when the reboot is required. + + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task The following fields are available: -- **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **wuDeviceid** Device id on which the reboot is restored +- **TaskArgument** The arguments which the task is scheduled with +- **TaskName** Name of the task -### Microsoft.Windows.Update.Orchestrator.SystemNeeded +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled -This event sends data about why a device is unable to reboot, to help keep Windows up to date. +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date The following fields are available: -- **eventScenario** End to end update session ID. 
-- **revisionNumber** Update revision number. -- **systemNeededReason** Reason ID -- **updateId** Update ID. -- **wuDeviceid** Unique device ID used by Windows Update. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **updateScenarioType** The update session type. - - -### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates - -This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date. - -The following fields are available: - -- **BspVersion** The version of the BSP. -- **CallerApplicationName** The name of the USS scheduled task. Example UssScheduled or UssBoot -- **ClientVersion** The version of the client. -- **CommercializationOperator** The name of the operator. -- **DetectionVersion** The string returned from the GetDetectionVersion export of the downloaded detection DLL. -- **DeviceName** The name of the device. -- **EventInstanceID** The USS session ID. -- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded -- **OemName** The name of the manufacturer. -- **ServiceGuid** The GUID of the service. -- **StatusCode** The HRESULT code of the operation. -- **WUDeviceID** The Windows Update device ID. - - -### Microsoft.Windows.Update.Orchestrator.CommitFailed - -This events tracks when a device needs to restart after an update but did not. - -The following fields are available: - -- **errorCode** The error code that was returned. +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **forcedReboot** True, if a reboot is forced on the device. 
Otherwise, this is False +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. - **wuDeviceid** The Windows Update device GUID. -### Microsoft.Windows.Update.Orchestrator.Install +## Winlogon events -This event sends launch data for a Windows Update install to help keep Windows up to date. +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **eventScenario** End to end update session ID. -- **interactive** Identifies if session is user initiated. -- **wuDeviceid** Unique device ID used by Windows Update. -- **flightUpdate** Flight update -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **minutesToCommit** The time it took to install updates. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **errorCode** The error code reppresented by a hexadecimal value. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. -- **flightID** Unique update ID -- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. 
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **updateScenarioType** The update session type. +This event signals the completion of the setup process. It happens only once during the first logon. -### Microsoft.Windows.Update.Orchestrator.PreShutdownStart - -This event is generated right before the shutdown and commit operations - -The following fields are available: - -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue -### Microsoft.Windows.Update.Orchestrator.DeferRestart - -This event indicates that a restart required for installing updates was postponed - -The following fields are available: - -- **filteredDeferReason** Indicates the raised, but ignorable, reasons that the USO didn't restart (for example, user active or low battery) -- **raisedDeferReason** Indicates the reason that the USO didn't restart. 
For example, user active or low battery -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed - - -### Microsoft.Windows.Update.Orchestrator.DisplayNeeded - -Reboot postponed due to needing a display - -The following fields are available: - -- **displayNeededReason** Reason the display is needed -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date -- **revisionNumber** Revision number of the update -- **updateId** Update ID -- **updateScenarioType** The update session type -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.NotificationUx.RebootScheduled - -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update - -The following fields are available: - -- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. 
 False, otherwise
-- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically
-- **rebootState** The state of the reboot
-- **revisionNumber** Revision number of the update that is getting installed with this reboot
-- **scheduledRebootTime** Time of the scheduled reboot
-- **updateId** ID of the update that is getting installed with this reboot
-- **wuDeviceid** Unique device ID used by Windows Update
-- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
similarity index 68%
rename from windows/privacy/basic-level-windows-diagnostic-events-and-fields.md
rename to windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 84da766a22..2f0e8fbb61 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -1,27 +1,26 @@ --- description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10) -keywords: privacy, telemetry, diagnostic data +keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 4/30/2018 +ms.date: 09/10/2018 --- # Windows 10, version 1803 basic level Windows diagnostic events and fields - **Applies to** - Windows 10, version 1803 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. 
@@ -33,227 +32,9 @@ You can learn more about Windows functional and diagnostic data through these ar - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - -## Common data extensions - -### Common Data Extensions.App - - - -The following fields are available: - -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **userId** The userID as known by the application. -- **env** The environment from which the event was logged. -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. -- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. - - -### Common Data Extensions.CS - - - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.CUET - - - -The following fields are available: - -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. 
-- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
-- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
-- **op** Represents the ETW Op Code.
-- **cat** Represents a bitmask of the ETW Keywords associated with the event.
-- **flags** Represents the bitmap that captures various Windows specific flags.
-- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
-- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event.
-- **bseq** Upload buffer sequence number in the format \:\
-- **mon** Combined monitor and event sequence numbers in the format \:\
-- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
-- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
-
-
-### Common Data Extensions.Device
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
-- **deviceClass** Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile.
-
-
-### Common Data Extensions.Envelope
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **name** Represents the uniquely qualified name for the event.
-- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
-- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
-- **iKey** Represents an ID for applications or other logical groupings of events.
-- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
-- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
-
-
-### Common Data Extensions.OS
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
-- **locale** Represents the locale of the operating system.
-- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
-- **os** Represents the operating system name.
-- **ver** Represents the OS version, and its format is OS dependent.
-
-
-### Common Data Extensions.User
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
-
-
-### Common Data Extensions.XBL
-
-
-
-The following fields are available:
-
-- **nbf** Not before time
-- **expId** Expiration time
-- **sbx** XBOX sandbox identifier
-- **dty** XBOX device type
-- **did** XBOX device ID
-- **xid** A list of base10-encoded XBOX User IDs.
-- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
-
-
-### Common Data Extensions.Consent UI Event
-
-This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
-
-The following fields are available:
-
-- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved.
-- **splitToken** Represents the flag used to distinguish between administrators and standard users.
-- **friendlyName** Represents the name of the file requesting elevation from low IL.
-- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on).
-- **exeName** Represents the name of the file requesting elevation from low IL.
-- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on.
-- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL.
-- **cmdLine** Represents the full command line arguments being used to elevate.
-- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL.
-- **Hash** Represents the hash of the file requesting elevation from low IL.
-- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL.
-- **telemetryFlags** Represents the details about the elevation prompt for CEIP data.
-- **timeStamp** Represents the time stamp on the file requesting elevation.
-- **fileVersionMS** Represents the major version of the file requesting elevation.
-- **fileVersionLS** Represents the minor version of the file requesting elevation.
-
-
-## Common data fields
-
-### Common Data Fields.MS.Device.DeviceInventory.Change
-
-These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event.
-
-The following fields are available:
-
-- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
-- **objectType** Indicates the object type that the event applies to.
-- **Action** The change that was invoked on a device inventory object.
-- **inventoryId** Device ID used for Compatibility testing
-
-
-### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings
-
-These fields are added whenever PreUpgradeSettings is included in the event.
-
-The following fields are available:
-
-- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed.
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
-- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed.
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
-- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
-- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed.
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
-- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed.
-- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
-- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update.
-- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
-- **HKLM_TIPC.Enabled** The state of TIPC for the device.
-- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
-- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
-- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
-- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed?
-- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed?
-- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
-- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
-- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
-- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
-- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
-
-
-### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings
-
-These fields are added whenever PostUpgradeSettings is included in the event.
-
-The following fields are available:
-
-- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed.
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
-- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed.
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
-- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
-- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed.
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
-- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed.
-- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
-- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update.
-- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
-- **HKLM_TIPC.Enabled** The state of TIPC for the device.
-- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
-- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
-- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
-- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed?
-- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed?
-- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
-- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
-- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
-- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
-- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
- - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount 
@@ -262,143 +43,82 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **PCFP** An ID for the system, calculated by hashing hardware identifiers. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorSse2** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The count of the number of this particular object type present on this device. -- **SystemWim** The count of the number of this particular object type present on this device. -- **SystemWlan** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device. 
-- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
-- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
-- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
-- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
-- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
-- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
-- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
-- **SystemTouch** The count of the number of this particular object type present on this device.
-- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
-- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine.
-- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
-- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
-- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
-- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. -- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. -- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. 
-- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. 
- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. 
+- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** An ID for the system, calculated by hashing hardware identifiers. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The count of SystemProcessorNx objects present on this machine. +- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device. +- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. +- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemWim** The count of SystemWim objects present on this machine. +- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. +- **SystemWlan** The count of SystemWlan objects present on this machine. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. 
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
-
-This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion** The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
-
-This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
-
-The following fields are available:
-
-- **AppraiserVersion** The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
-
-This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AppraiserVersion** The version of the appraiser file generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
-
-This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion** The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
-
-This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion** The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
-
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
- -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an antivirus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sent. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove This event indicates that the DatasourceApplicationFile object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -408,6 +128,8 @@ The following fields are available: This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -415,23 +137,26 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd -This event sends compatibility data for a PNP device, to help keep Windows up-to-date. +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **ActiveNetworkConnection** Is the device an active network device? +- **ActiveNetworkConnection** Indicates whether the device is an active network device. - **AppraiserVersion** The version of the appraiser file generating the events. -- **IsBootCritical** Is the device boot critical? -- **SdbEntries** An array of fields indicating the SDB entries that apply to this device. -- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver -- **WuPopulatedFromId** The expected up-level driver matching ID based on driver coverage from Windows Update +- **IsBootCritical** Indicates whether the device boot is critical. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. ### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove This event indicates that the DatasourceDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -441,6 +166,8 @@ The following fields are available: This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -448,7 +175,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd -This event sends compatibility database data about driver packages to help keep Windows up-to-date. +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -459,6 +188,8 @@ The following fields are available: This event indicates that the DatasourceDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -468,6 +199,107 @@ The following fields are available: This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -477,16 +309,19 @@ The following fields are available: This event sends compatibility database information about the BIOS to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS. ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove This event indicates that the DatasourceSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -496,6 +331,8 @@ The following fields are available: This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -505,11 +342,13 @@ The following fields are available: This event sends compatibility decision data about a file to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. +- **AppraiserVersion** The version of the appraiser file that is generating the events. - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? @@ -530,7 +369,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -541,6 +382,8 @@ The following fields are available: This event indicates that a new set of DecisionApplicationFileAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -548,7 +391,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up-to-date. +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -574,6 +419,8 @@ The following fields are available: This event indicates that the DecisionDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -581,7 +428,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync -This event indicates that the DecisionDevicePnp object is no longer present. +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -590,7 +439,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd -This event sends decision data about driver package compatibility to help keep Windows up-to-date. +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -606,6 +457,8 @@ The following fields are available: This event indicates that the DecisionDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -615,6 +468,8 @@ The following fields are available: This event indicates that a new set of DecisionDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -622,7 +477,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -639,6 +496,8 @@ The following fields are available: This event indicates that the DecisionMatchingInfoBlock object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -648,6 +507,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -657,6 +518,8 @@ The following fields are available: This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -668,6 +531,8 @@ The following fields are available: This event Indicates that the DecisionMatchingInfoPassive object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -677,6 +542,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -684,7 +551,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date. +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -699,6 +568,8 @@ The following fields are available: This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -706,7 +577,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd -This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date. +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -723,6 +596,8 @@ The following fields are available: This event indicates that the DecisionMediaCenter object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -732,6 +607,8 @@ The following fields are available: This event indicates that a new set of DecisionMediaCenterAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -739,7 +616,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd -This event sends compatibility decision data about the BIOS to help keep Windows up-to-date. +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -752,6 +631,8 @@ The following fields are available: This event indicates that the DecisionSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -761,6 +642,8 @@ The following fields are available: This event indicates that a new set of DecisionSystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -782,12 +665,14 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program. +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. - **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. @@ -807,6 +692,8 @@ The following fields are available: This event indicates that the InventoryApplicationFile object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -814,7 +701,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -823,19 +712,23 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd -This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date. +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Does this device have 2 or more language packs? -- **LanguagePackCount** How many language packs are installed? +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove This event indicates that the InventoryLanguagePack object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -845,6 +738,8 @@ The following fields are available: This event indicates that a new set of InventoryLanguagePackAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -854,6 +749,8 @@ The following fields are available: This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. @@ -870,6 +767,8 @@ The following fields are available: This event indicates that the InventoryMediaCenter object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -879,6 +778,8 @@ The following fields are available: This event indicates that a new set of InventoryMediaCenterAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -888,6 +789,8 @@ The following fields are available: This event sends basic metadata about the BIOS to determine whether it has a compatibility block. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -899,7 +802,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove -This event indicates that the InventorySystemBios object is no longer present. +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -910,6 +815,8 @@ The following fields are available: This event indicates that a new set of InventorySystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -919,6 +826,8 @@ The following fields are available: This event indicates that the InventoryUplevelDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -928,6 +837,8 @@ The following fields are available: This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -935,7 +846,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.RunContext -This event indicates what should be expected in the data payload. +This event indicates what should be expected in the data payload. The following fields are available: 
@@ -951,6 +862,8 @@ The following fields are available: This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. @@ -967,6 +880,8 @@ The following fields are available: This event that the SystemMemory object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -976,6 +891,8 @@ The following fields are available: This event indicates that a new set of SystemMemoryAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -985,6 +902,8 @@ The following fields are available: This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. @@ -994,7 +913,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove -This event indicates that the SystemProcessorCompareExchange object is no longer present. +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -1005,6 +926,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1014,6 +937,8 @@ The following fields are available: This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. @@ -1023,7 +948,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove -This event indicates that the SystemProcessorLahfSahf object is no longer present. +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1034,6 +961,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1043,6 +972,8 @@ The following fields are available: This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1055,6 +986,8 @@ The following fields are available: This event indicates that the SystemProcessorNx object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1064,6 +997,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorNxAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1071,7 +1006,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1084,6 +1021,8 @@ The following fields are available: This event indicates that the SystemProcessorPrefetchW object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1093,6 +1032,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1100,7 +1041,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1113,6 +1056,8 @@ The following fields are available: This event indicates that the SystemProcessorSse2 object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1122,6 +1067,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorSse2Add events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1129,7 +1076,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemTouchAdd -This event sends data indicating whether the system supports touch, to help keep Windows up-to-date. +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -1140,7 +1089,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemTouchRemove -This event indicates that the SystemTouch object is no longer present. +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1151,6 +1102,8 @@ The following fields are available: This event indicates that a new set of SystemTouchAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1158,7 +1111,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWimAdd -This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date. +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1169,7 +1124,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWimRemove -This event indicates that the SystemWim object is no longer present. +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -1180,6 +1137,8 @@ The following fields are available:
 
 This event indicates that a new set of SystemWimAdd events will be sent.
 
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -1187,7 +1146,9 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
 
-This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date.
+This event sends data indicating whether the current operating system is activated, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
 The following fields are available:
 
@@ -1200,6 +1161,8 @@ The following fields are available:
 
 This event indicates that the SystemWindowsActivationStatus object is no longer present.
 
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -1209,6 +1172,8 @@ The following fields are available:
 
 This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
 
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -1216,7 +1181,9 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.SystemWlanRemove
 
-This event indicates that the SystemWlan object is no longer present.
+This event indicates that the SystemWlan object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 
 The following fields are available:
 
@@ -1227,6 +1194,8 @@ The following fields are available:
 
 This event indicates that a new set of SystemWlanAdd events will be sent.
 
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -1234,7 +1203,7 @@ The following fields are available:
 
 ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
 
-A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
 
 The following fields are available:
 
@@ -1242,7 +1211,7 @@ The following fields are available:
 - **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
 - **AppraiserProcess** The name of the process that launched Appraiser.
 - **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
-- **AuxFinal** Obsolete, always set to false
+- **AuxFinal** Obsolete, always set to false.
 - **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
 - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
 - **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
@@ -1269,14 +1238,16 @@ The following fields are available:
 
 This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
 
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
-- **BlockingApplication** Same as NeedsDismissAction
+- **BlockingApplication** Same as NeedsDismissAction.
 - **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
 - **WmdrmApiResult** Raw value of the API used to gather DRM state.
 - **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
-- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased.
 - **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
 - **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
 - **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
@@ -1286,6 +1257,8 @@ The following fields are available:
 
 This event indicates that the Wmdrm object is no longer present.
 
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -1295,6 +1268,8 @@ The following fields are available:
 
 This event indicates that a new set of WmdrmAdd events will be sent.
 
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 
 - **AppraiserVersion** The version of the Appraiser file that is generating the events.
@@ -1304,10 +1279,18 @@ The following fields are available:
 
 ### Census.App
 
-This event sends version data about the Apps running on this device, to help keep Windows up to date.
+Provides information on IE and Census versions running on the device.
 
 The following fields are available:
 
+- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run.
+- **AppraiserErrorCode** The error code of the last Appraiser run.
+- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run.
+- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed.
+- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run.
+- **AppraiserTaskEnabled** Whether the Appraiser task is enabled.
+- **AppraiserTaskExitCode** The Appraiser task exist code.
+- **AppraiserTaskLastRun** The last runtime for the Appraiser task.
 - **CensusVersion** The version of Census that generated the current data for this device.
 - **IEVersion** Retrieves which version of Internet Explorer is running on this device.
 
@@ -1341,6 +1324,7 @@ This event sends data about Azure presence, type, and cloud domain use in order
 
 The following fields are available:
 
+- **AADDeviceId** Azure Active Directory device ID.
 - **AzureOSIDPresent** Represents the field used to identify an Azure machine.
 - **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
 - **CDJType** Represents the type of cloud domain joined for the machine.
@@ -1374,7 +1358,7 @@ The following fields are available:
 
 ### Census.Flighting
 
-This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date.
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -1389,7 +1373,7 @@ The following fields are available:
 
 ### Census.Hardware
 
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -1397,6 +1381,7 @@ The following fields are available:
 - **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
 - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
 - **D3DMaxFeatureLevel** Supported Direct3D version.
+- **DeviceColor** Indicates a color of the device.
 - **DeviceForm** Indicates the form as per the device classification.
 - **DeviceName** The device name that is set by the user.
 - **DigitizerSupport** Is a digitizer supported?
@@ -1425,7 +1410,6 @@ The following fields are available:
 - **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
 - **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
 - **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
-- **DeviceColor** Indicates a color of the device.
 
 
 ### Census.Memory
@@ -1470,7 +1454,7 @@ The following fields are available:
 - **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
 - **AssignedAccessStatus** Kiosk configuration mode.
 - **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
-- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
 - **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
 - **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
 - **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
@@ -1505,38 +1489,42 @@ The following fields are available:
 
 ### Census.Processor
 
-This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date.
+Provides information on several important data points about Processor settings.
 
 The following fields are available:
 
 - **KvaShadow** Microcode info of the processor.
 - **MMSettingOverride** Microcode setting of the processor.
 - **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture** Processor architecture of the installed operating system.
+- **PreviousUpdateRevision** Previous microcode revision.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
 - **ProcessorClockSpeed** Clock speed of the processor in MHz.
 - **ProcessorCores** Number of logical cores in the processor.
 - **ProcessorIdentifier** Processor Identifier of a manufacturer.
 - **ProcessorManufacturer** Name of the processor manufacturer.
 - **ProcessorModel** Name of the processor model.
 - **ProcessorPhysicalCores** Number of physical cores in the processor.
-- **ProcessorUpdateRevision** Microcode revision.
-- **ProcessorUpdateStatus** The status of the microcode update.
+- **ProcessorUpdateRevision** Microcode revision
+- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status.
 - **SocketCount** Count of CPU sockets.
 - **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
 
 
 ### Census.Security
 
-This event provides information on about security settings used to help keep Windows up-to-date and secure.
+This event provides information on about security settings used to help keep Windows up to date and secure.
 
 The following fields are available:
 
-- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard
+- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard.
 - **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
-- **DGState** This field summarizes Device Guard state
-- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running
-- **RequiredSecurityProperties** This field describes the required security properties to enable virtualization-based security
+- **DGState** This field summarizes the Device Guard state.
+- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
+- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest.
+- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host.
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
 - **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **SModeState** The Windows S mode trail state.
 - **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running.
 
 
@@ -1568,6 +1556,16 @@ The following fields are available:
 
 - **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
 
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
+
+
 ### Census.UserDisplay
 
 This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
@@ -1602,16 +1600,6 @@ The following fields are available:
 
 - **SpeechInputLanguages** The Speech Input languages installed on the device.
 
-### Census.Userdefault
-
-This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
-
-The following fields are available:
-
-- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
-- **DefaultBrowserProgId** The ProgramId of the current user's default browser
-
-
 ### Census.VM
 
 This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
@@ -1650,11 +1638,11 @@ The following fields are available:
 - **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
 - **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
 - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
-- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates
-- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
 - **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
 - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
-- **WUPauseState** Retrieves WU setting to determine if updates are paused
+- **WUPauseState** Retrieves WU setting to determine if updates are paused.
 - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
 
 
@@ -1666,102 +1654,279 @@ The following fields are available:
 
 - **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
 - **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
-- **XboxLiveDeviceId** Retrieves the unique device id of the console.
-- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
+- **XboxLiveDeviceId** Retrieves the unique device ID of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft.
 
 
-## Deployment events
+## Common data extensions
 
-### DeploymentTelemetry.Deployment_End
+### Common Data Extensions.app
 
-Event to indicate that a Deployment 360 API has completed.
+Describes the properties of the running application. This extension could be populated by a client app or a web app.
 
 The following fields are available:
 
-- **ClientId** Client ID of user utilizing the D360 API
-- **ErrorCode** Error code of action
-- **FlightId** Flight being used
-- **Mode** Phase in upgrade
-- **RelatedCV** CV of any other related events
-- **Result** End result of action
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **env** The environment from which the event was logged.
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **locale** The locale of the app.
+- **name** The name of the app.
+- **userId** The userID as known by the application.
+- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+
+
+### Common Data Extensions.container
+
+Describes the properties of the container for events logged within a container.
+
+The following fields are available:
+
+- **epoch** An ID that's incremented for each SDK initialization.
+- **localId** The device ID as known by the client.
+- **osVer** The operating system version.
+- **seq** An ID that's incremented for each event.
+- **type** The container type. Examples: Process or VMHost
+
+
+### Common Data Extensions.cs
+
+Describes properties related to the schema of the event.
+
+The following fields are available:
+
+- **sig** A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.device
+
+Describes the device-related fields.
+
+The following fields are available:
+
+- **deviceClass** The device classification. For example, Desktop, Server, or Mobile.
+- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **make** Device manufacturer.
+- **model** Device model.
+
+
+### Common Data Extensions.Envelope
+
+Represents an envelope that contains all of the common data extensions.
+
+The following fields are available:
+
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **data** Represents the optional unique diagnostic data for a particular event schema.
+- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
+- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs).
+- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice).
+- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
+- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts).
+- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
+- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
+- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc).
+- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl).
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **name** Represents the uniquely qualified name for the event.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.os
+
+Describes some properties of the operating system.
+
+The following fields are available:
+
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **name** Represents the operating system name.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.receipts
+
+Represents various time information as provided by the client and helps for debugging purposes.
+
+The following fields are available:
+
+- **originalTime** The original event time.
+- **uploadTime** The time the event was uploaded.
+
+
+### Common Data Extensions.sdk
+
+Used by platform specific libraries to record fields that are required for a specific SDK.
+
+The following fields are available:
+
+- **epoch** An ID that is incremented for each SDK initialization.
+- **installId** An ID that's created during the initialization of the SDK for the first time.
+- **libVer** The SDK version.
+- **seq** An ID that is incremented for each event.
+
+
+### Common Data Extensions.user
+
+Describes the fields related to a user.
+
+The following fields are available:
+
+- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
+- **locale** The language and region.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.utc
+
+Describes the properties that could be populated by a logging library on Windows.
+
+The following fields are available:
+
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
+- **op** Represents the ETW Op Code.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+
+
+### Common Data Extensions.xbl
+
+Describes the fields that are related to XBOX Live.
+
+The following fields are available:
+
+- **claims** Any additional claims whose short claim name hasn't been added to this structure.
+- **did** XBOX device ID
+- **dty** XBOX device type
+- **dvr** The version of the operating system on the device.
+- **eid** A unique ID that represents the developer entity.
+- **exp** Expiration time
+- **ip** The IP address of the client device.
+- **nbf** Not before time
+- **pid** A comma separated list of PUIDs listed as base10 numbers.
+- **sbx** XBOX sandbox identifier
+- **sid** The service instance ID.
+- **sty** The service type.
+- **tid** The XBOX Live title ID.
+- **tvr** The XBOX Live title version.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+- **xid** A list of base10-encoded XBOX User IDs.
+
+
+## Common data fields
+
+### Ms.Device.DeviceInventoryChange
+
+Describes the installation state for all hardware and software components available on a particular device.
+
+The following fields are available:
+
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+
+
+## Compatibility events
+
+### Microsoft.Windows.Compatibility.Apphelp.SdbFix
+
+Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components.
+
+The following fields are available:
+
+- **AppName** Name of the application impacted by SDB.
+- **FixID** SDB GUID.
+- **Flags** List of flags applied.
+- **ImageName** Name of file.
+
+
+## Deployment extensions
+
+### DeploymentTelemetry.Deployment_End
+
+This event indicates that a Deployment 360 API has completed.
+
+The following fields are available:
+
+- **ClientId** Client ID of the user utilizing the D360 API.
+- **ErrorCode** Error code of action.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Mode** Phase in upgrade.
+- **RelatedCV** The correction vector (CV) of any other related events
+- **Result** End result of the action.
 
 
 ### DeploymentTelemetry.Deployment_Initialize
 
-Event to indicate that the Deployment 360 APIs have been initialized for use.
+This event indicates that the Deployment 360 APIs have been initialized for use.
 
 The following fields are available:
 
-- **ClientId** Client ID of user utilizing the D360 API
-- **ErrorCode** Error code of action
-- **FlightId** Flight being used
-- **RelatedCV** CV of any other related events
-- **Result** Phase Setup is in
+- **ClientId** Client ID of user utilizing the D360 API.
+- **ErrorCode** Error code of the action.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **RelatedCV** The correlation vector of any other related events.
+- **Result** End result of the action.
 
 
 ### DeploymentTelemetry.Deployment_SetupBoxLaunch
 
-Event to indicate that the Deployment 360 APIs have launched Setup Box.
+This event indicates that the Deployment 360 APIs have launched Setup Box.
 
 The following fields are available:
 
-- **ClientId** Client ID of user utilizing the D360 API
-- **FlightId** Flight being used
-- **Quiet** Whether Setup will run in quiet mode or in full
-- **RelatedCV** CV of any other related events
-- **SetupMode** Phase Setup is in
+- **ClientId** The client ID of the user utilizing the D360 API.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Quiet** Whether Setup will run in quiet mode or full mode.
+- **RelatedCV** The correlation vector (CV) of any other related events.
+- **SetupMode** The current setup phase.
 
 
 ### DeploymentTelemetry.Deployment_SetupBoxResult
 
-Event to indicate that the Deployment 360 APIs have received a return from Setup Box.
+This event indicates that the Deployment 360 APIs have received a return from Setup Box.
 
 The following fields are available:
 
-- **ClientId** Client ID of user utilizing the D360 API
-- **ErrorCode** Error code of action
-- **FlightId** Flight being used
-- **Quiet** Whether Setup will run in quiet mode or in full
-- **RelatedCV** Correlation vector of any other related events
-- **SetupMode** Phase that Setup is in
+- **ClientId** Client ID of the user utilizing the D360 API.
+- **ErrorCode** Error code of the action.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Quiet** Indicates whether Setup will run in quiet mode or full mode.
+- **RelatedCV** The correlation vector (CV) of any other related events.
+- **SetupMode** The current Setup phase.
 
 
 ### DeploymentTelemetry.Deployment_Start
 
-Event to indicate that a Deployment 360 API has been called.
+This event indicates that a Deployment 360 API has been called.
 
 The following fields are available:
 
-- **ClientId** Client ID of user utilizing the D360 API
-- **FlightId** Flight being used
-- **Mode** Phase in upgrade
-- **RelatedCV** CV of any other related events
+- **ClientId** Client ID of the user utilizing the D360 API.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Mode** The current phase of the upgrade.
+- **RelatedCV** The correlation vector (CV) of any other related events.
 
 
 ## Diagnostic data events
 
-### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-
-Fired by UTC at state transitions to signal what data we are allowed to collect.
-
-The following fields are available:
-
-- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise.
-- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise.
-- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise.
-- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise.
-- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
-- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise.
-- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise.
-- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise.
-- **CanReportScenarios** True if we can report scenario completions, false otherwise.
-- **PreviousPermissions** Bitmask of previous telemetry state.
-- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
-
-
 ### TelClientSynthetic.AuthorizationInfo_Startup
 
-Fired by UTC at startup to signal what data we are allowed to collect.
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
 
 The following fields are available:
 
@@ -1780,18 +1945,18 @@ The following fields are available: ### TelClientSynthetic.HeartBeat_5 -Fired by UTC as a heartbeat signal. +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. The following fields are available: - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **CensusExitCode** Last exit code of Census task. +- **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to�throttling. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. - **DbCriticalDroppedCount** Total number of dropped critical events in event DB. - **DbDroppedCount** Number of events dropped due to DB fullness. 
@@ -1802,6 +1967,9 @@ The following fields are available: - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. - **EventSubStoreResetCounter** Number of times event DB was reset. - **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. - **EventsUploaded** Number of events uploaded. 
@@ -1812,41 +1980,38 @@ The following fields are available: - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. 
### TelClientSynthetic.HeartBeat_Aria_5 -Telemetry client ARIA heartbeat event. +This event is the telemetry client ARIA heartbeat. The following fields are available: - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbDroppedCount** Number of events dropped at the DB layer. -- **DbDroppedFailureCount** Number of events dropped due to DB failures. -- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventSubStoreResetCounter** Number of times event DB was reset. -- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event database was reset. +- **EventSubStoreResetSizeSum** Total size of event database across all resets reports in this instance. - **EventsUploaded** Number of events uploaded. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. 
@@ -1854,7 +2019,7 @@ The following fields are available: - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. - **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **VortexFailuresTimeout** Number of time out failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. @@ -1864,21 +2029,11 @@ The following fields are available: - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate - -This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates. - -The following fields are available: - -- **PostUpgradeSettings** The privacy settings after a feature update. -- **PreUpgradeSettings** The privacy settings before a feature update. - - ## Direct to update events ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability -Event to indicate that the Coordinator CheckApplicability call succeeded. +This event indicates that the Coordinator CheckApplicability call succeeded. The following fields are available: 
@@ -1891,11 +2046,36 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinators CheckApplicability call. +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The following fields are available: +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. - **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + - **CampaignID** Campaign ID being run. - **ClientID** Client ID being run. - **CoordinatorVersion** Coordinator version of DTU. 
@@ -1904,20 +2084,20 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure -Commit call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. The following fields are available: -- **hResult** HRESULT of the failure. - **CampaignID** Campaign ID being run. - **ClientID** Client ID being run. - **CoordinatorVersion** Coordinator version of DTU. - **CV** Correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess -Event to indicate that the Coordinator Commit call succeeded. +This event indicates that the Coordinator Commit call succeeded. The following fields are available: @@ -1929,7 +2109,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator Download call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. The following fields are available: @@ -1942,7 +2122,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure -Event to indicate that we have received an error in the DTU Coordinator Download call that will be ignored. +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. The following fields are available: @@ -1955,7 +2135,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess -Event to indicate that the Coordinator Download call succeeded. +This event indicates that the Coordinator Download call succeeded. The following fields are available: 
@@ -1967,7 +2147,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator HandleShutdown call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. The following fields are available: @@ -1980,7 +2160,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess -Event to indicate that the Coordinator HandleShutdown call succeeded. +This event indicates that the Coordinator HandleShutdown call succeeded. The following fields are available: @@ -1992,20 +2172,20 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator Initialize call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. The following fields are available: -- **hResult** HRESULT of the failure. - **CampaignID** Campaign ID being run. - **ClientID** Client ID being run. - **CoordinatorVersion** Coordinator version of DTU. - **CV** Correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess -Event to indicate that the Coordinator Initialize call succeeded. +This event indicates that the Coordinator Initialize call succeeded. The following fields are available: @@ -2017,7 +2197,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator Install call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. The following fields are available: 
@@ -2030,7 +2210,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure -Event to indicate that we have received an error in the DTU Coordinator Install call that will be ignored. +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. The following fields are available: @@ -2043,7 +2223,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess -Event to indicate that the Coordinator Install call succeeded. +This event indicates that the Coordinator Install call succeeded. The following fields are available: @@ -2055,21 +2235,20 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack -Event to indicate Coordinator's progress callback has been called. +This event indicates that the Coordinator's progress callback has been called. The following fields are available: -- **Current Deploy Phase's percentage completed** Trigger which fired UXLauncher. -- **DeployPhase** Current Deploy Phase. - **CampaignID** Campaign ID being run. - **ClientID** Client ID being run. - **CoordinatorVersion** Coordinator version of DTU. - **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadyGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator SetCommitReady call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator SetCommitReady call. The following fields are available: 
@@ -2082,19 +2261,19 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess -Event to indicate that the Coordinator SetCommitReady call succeeded. +This event indicates that the Coordinator SetCommitReady call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run. -- **ClientID** Client ID being run. -- **CoordinatorVersion** Coordinator version of DTU. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. - **CV** Correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator WaitForRebootUi call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator WaitForRebootUi call. The following fields are available: 
@@ -2107,99 +2286,99 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown -Event to indicate that the Coordinator WaitForRebootUi call succeeded. +This event indicates that the Coordinator WaitForRebootUi call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure +- **CampaignID** Campaign ID being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection -Event to indicate the user selected an option on the Reboot UI. +This event indicates that the user selected an option on the Reboot UI. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **rebootUiSelection** Selection on the Reboot UI +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess -Event to indicate that the Coordinator WaitForRebootUi call succeeded. +This event indicates that the Coordinator WaitForRebootUi call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. 
+- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler CheckApplicability call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call. The following fields are available: -- **hResult** HRESULT of the failure - **CampaignID** Campaign ID being run - **ClientID** Client ID being run - **CoordinatorVersion** Coordinator version of DTU - **CV** Correlation vector - **CV_new** New correlation vector +- **hResult** HRESULT of the failure ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler CheckApplicabilityInternal call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess -Event to indicate that the Handler CheckApplicabilityInternal call succeeded. +This event indicates that the Handler CheckApplicabilityInternal call succeeded. 
The following fields are available: -- **ApplicabilityResult** Result of CheckApplicability function -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess -Event to indicate that the Handler CheckApplicability call succeeded. +This event indicates that the Handler CheckApplicability call succeeded. The following fields are available: -- **ApplicabilityResult** Result of CheckApplicability function -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **CV_new** New correlation vector +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler CheckIfCoordinatorMinApplicableVersion call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckIfCoordinatorMinApplicableVersion call. The following fields are available: 
@@ -2212,47 +2391,47 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess -Event to indicate that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run -- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler Commit call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **CV_new** New correlation vector -- **hResult** HRESULT of the failure +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess -Event to indicate that the Handler Commit call succeeded. +This event indicates that the Handler Commit call succeeded. 
The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **CV_new** New correlation vector +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded -Event to indicate that the Handler Download and Extract cab returned a value indicating that the cab trying to be downloaded has already been downloaded. +This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded. The following fields are available: 
@@ -2264,199 +2443,215 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure -Event to indicate that the Handler Download and Extract cab call failed. +This event indicates that the Handler Download and Extract cab call failed. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **DownloadAndExtractCabFunction_failureReason** Reason why the DownloadAndExtractCab function failed -- **hResult** HRESULT of the failure +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess -Event to indicate that the Handler Download and Extract cab call succeeded. +This event indicates that the Handler Download and Extract cab call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler Download call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. 
The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess -Event to indicate that the Handler Download call succeeded. +This event indicates that the Handler Download call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler Initialize call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **DownloadAndExtractCabFunction_hResult** HRESULT of the DownloadAndExtractCab function -- **hResult** HRESULT of the failure +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. 
+- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess -Event to indicate that the Handler Initialize call succeeded. +This event indicates that the Handler Initialize call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **DownloadAndExtractCabFunction_hResult** HRESULT of the DownloadAndExtractCab function +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. ### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler Install call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector -- **hResult** HRESULT of the failure +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess -Event to indicate that the Coordinator Install call succeeded. +This event indicates that the Coordinator Install call succeeded. 
The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadyGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler SetCommitReady call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler SetCommitReady call. The following fields are available: -- **hResult** HRESULT of the failure - **CampaignID** Campaign ID being run - **ClientID** Client ID being run - **CoordinatorVersion** Coordinator version of DTU - **CV** Correlation vector +- **hResult** HRESULT of the failure ### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess -Event to indicate that the Handler SetCommitReady call succeeded. +This event indicates that the Handler SetCommitReady call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. ### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure -Event to indicate that we have received an unexpected error in the DTU Handler WaitForRebootUi call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. 
The following fields are available: -- **hResult** HRESULT of the failure -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess -Event to indicate that the Handler WaitForRebootUi call succeeded. +This event indicates that the Handler WaitForRebootUi call succeeded. The following fields are available: -- **CampaignID** Campaign ID being run -- **ClientID** Client ID being run -- **CoordinatorVersion** Coordinator version of DTU -- **CV** Correlation vector +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. ## Feature update events ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed -This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state +This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The following fields are available: -- **failureReason** Provides data about the uninstall initialization operation failure -- **hr** Provides the Win32 error code for the operation failure +- **failureReason** Provides data about the uninstall initialization operation failure. +- **hr** Provides the Win32 error code for the operation failure. 
### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered -Indicates that the uninstall was properly configured and that a system reboot was initiated +This event indicates that the uninstall was properly configured and that a system reboot was initiated. ### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked -This event sends basic metadata about the starting point of uninstalling a feature update which helps us ensure customers can safely revert to a well-known state if the update caused any problems. +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. + ## Inventory events ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum -This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. 
The following fields are available: -- **DriverPackageExtended** A count of driverpackageextended objects in cache -- **FileSigningInfo** A count of file signing objects in cache -- **InventoryApplication** A count of application objects in cache -- **InventoryApplicationFile** A count of application file objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache -- **InventoryDeviceInterface** A count of PNP device interface objects in cache -- **InventoryDeviceMediaClass** A count of device media objects in cache -- **InventoryDevicePnp** A count of devicepnp objects in cache +- **DeviceCensus** A count of devicecensus objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache. +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache. +- **InventoryApplicationShortcut** A count of application shortcut objects in cache. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. - **InventoryDeviceUsbHubClass** A count of device usb objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache -- **InventoryDriverPackage** A count of device objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. 
+- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache. +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache. +- **InventoryMiscellaneousOfficeIESettings** A count of office IE settings objects in cache. +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache. +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache. +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache. +- **InventoryMiscellaneousOfficeVBA** A count of office VBA objects in cache. +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office VBA rule violations objects in cache. +- **InventoryMiscellaneousUUPInfo** A count of UUP info objects in cache. ### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions 
@@ -2473,24 +2668,26 @@ The following fields are available: This event sends basic metadata about an application on the system to help keep Windows up to date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. - **InventoryVersion** The version of the inventory file generating the events. - **Language** The language code of the program. - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. - **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application +- **Name** The name of the application. - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. - **PackageFullName** The package full name for a Store application. - **ProgramInstanceId** A hash of the file IDs in an app. - **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. - **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (ARP, MSI, Appx, etc...) +- **Source** How the program was installed (for example, ARP, MSI, Appx). 
- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. - **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. - **Version** The version number of the program. 
@@ -2498,28 +2695,34 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd -This event provides the basic metadata about the frameworks an application may depend on +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **FileId** A hash that uniquely identifies a file -- **Frameworks** The list of frameworks this file depends on -- **InventoryVersion** The version of the inventory file generating the events +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events +- **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove This event indicates that a new set of InventoryDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2529,6 +2732,8 @@ The following fields are available: This event indicates that a new set of InventoryApplicationAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2536,7 +2741,9 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date. +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -2550,7 +2757,7 @@ The following fields are available: - **IsNetworked** Is this a networked device? - **IsPaired** Does the device container require pairing? - **Manufacturer** The manufacturer name for the device container. -- **ModelId** A model GUID. +- **ModelId** A unique model ID. - **ModelName** The model name. - **ModelNumber** The model number for the device container. - **PrimaryCategory** The primary category for the device container. @@ -2560,6 +2767,8 @@ The following fields are available: This event indicates that the InventoryDeviceContainer object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2569,6 +2778,8 @@ The following fields are available: This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2578,6 +2789,8 @@ The following fields are available: This event retrieves information about what sensor interfaces are available on the device. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Accelerometer3D** Indicates if an Accelerator3D sensor is found. @@ -2606,6 +2819,8 @@ The following fields are available: This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2613,7 +2828,9 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd -This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -2626,6 +2843,8 @@ The following fields are available: This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2633,7 +2852,9 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd -This event represents the basic metadata about a PNP device and its associated driver +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -2650,7 +2871,7 @@ The following fields are available: - **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). - **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage. - **Enumerator** The date of the driver loaded for the device. -- **HWID** The version of the driver loaded for the device. +- **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** List of hardware ids for the device. @@ -2672,6 +2893,8 @@ The following fields are available: This event indicates that the InventoryDevicePnpRemove object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2681,6 +2904,8 @@ The following fields are available: This event indicates that a new set of InventoryDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2688,27 +2913,33 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd -This event sends basic metadata about the USB hubs on the device +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events -- **TotalUserConnectablePorts** Total number of connectable USB ports -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events +- **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd -This event provides the basic metadata about driver binaries running on the system +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -2727,7 +2958,7 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. - **Product** The product name that is included in the driver file. - **ProductVersion** The product version that is included in the driver file. -- **Service** The device service name +- **Service** The name of the service that is installed for the device. - **WdfVersion** The Windows Driver Framework version. @@ -2735,6 +2966,8 @@ The following fields are available: This event indicates that the InventoryDriverBinary object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2744,6 +2977,8 @@ The following fields are available: This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2751,7 +2986,9 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd -This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date. +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -2771,6 +3008,8 @@ The following fields are available: This event indicates that the InventoryDriverPackageRemove object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2780,6 +3019,8 @@ The following fields are available: This event indicates that a new set of InventoryDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2789,22 +3030,32 @@ The following fields are available: Provides data on the installed Office Add-ins +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: +- **AddinCLSID** The CLSID for the Office addin - **AddInCLSID** CLSID key for the office addin - **AddInId** Office addin ID +- **AddinType** The type of the Office addin. - **BinFileTimestamp** Timestamp of the Office addin - **BinFileVersion** Version of the Office addin - **Description** Office addin description - **FileId** FileId of the Office addin +- **FileSize** File size of the Office addin - **FriendlyName** Friendly name for office addin - **FullPath** Unexpanded path to the office addin +- **InventoryVersion** The version of the inventory binary generating the events. - **LoadBehavior** Uint32 that describes the load behavior - **LoadTime** Load time for the office addin - **OfficeApplication** The office application for this addin - **OfficeArchitecture** Architecture of the addin - **OfficeVersion** The office version for this addin - **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this addin +- **ProductCompany** The name of the company associated with the Office addin +- **ProductName** The product name associated with the Office addin +- **ProductVersion** The version associated with the Office addin +- **ProgramId** The unique program identifier of the Office addin - **Provider** Name of the provider for this addin 
@@ -2812,20 +3063,59 @@ The following fields are available: Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync This event indicates that a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd -This event includes the Office-related Internet Explorer features +Office-related Internet Explorer features + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: +- **InventoryVersion** The version of the inventory binary generating the events. - **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. - **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. - **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) 
@@ -2847,62 +3137,55 @@ The following fields are available: Diagnostic event to indicate a new sync is being generated for this object type. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the Office identifiers +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd This event provides insight data on the installed Office products +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **OfficeApplication** The name of the Office application. - **OfficeArchitecture** The bitness of the Office application. - **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. +- **Value** The insights collected about this entity. 
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync This diagnostic event indicates that a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd -This event list all installed Office products +Describes Office Products installed + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: +- **InventoryVersion** The version of the inventory binary generating the events. - **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word - **OProductCodes** A GUID that describes the Office MSI products 
@@ -2910,16 +3193,24 @@ The following fields are available: Diagnostic event to indicate a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd This event describes various Office settings +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **BrowserFlags** Browser flags for Office-related products - **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. - **SharedComputerLicensing** Office shared computer licensing policies @@ -2927,12 +3218,19 @@ The following fields are available: Diagnostic event to indicate a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Design** Count of files with design issues found 
@@ -2962,12 +3260,16 @@ The following fields are available: Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Count** Count of total Microsoft Office VBA rule violations 
@@ -2977,24 +3279,35 @@ The following fields are available: Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync This event indicates that a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync Diagnostic event to indicate a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd Provides data on Unified Update Platform (UUP) products and what version they are at. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Identifier** UUP identifier @@ -3008,12 +3321,16 @@ The following fields are available: Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync Diagnostic event to indicate a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.Indicators.Checksum 
@@ -3028,402 +3345,97 @@ The following fields are available:
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
-These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **IndicatorValue** The indicator value
+- **IndicatorValue** The indicator value.
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
 This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
 This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
-## Microsoft Store events
-### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
+## Kernel events
-This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
+### IO
+
+This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup.
 The following fields are available:
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-- **AttemptNumber** Number of retry attempts before it was canceled.
-- **BundleId** The Item Bundle ID.
-- **CategoryId** The Item Category ID.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Was this a mandatory update? -- **IsRemediation** Was this a remediation install? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Flag indicating if this is an update. -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The product family name of the product being installed. -- **ProductId** The identity of the package or packages being installed. -- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. -### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch -This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare - -This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation - -This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. +OS information collected during Boot, used to evaluate the success of the upgrade process. 
 The following fields are available:
-- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
-- **AttemptNumber** Total number of installation attempts.
-- **BundleId** The identity of the Windows Insider build that is associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Was this requested by a user?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this an automatic restore of a previously acquired product?
-- **IsUpdate** Is this a product update?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The name of all packages to be downloaded and installed.
-- **PreviousHResult** The previous HResult code.
-- **PreviousInstallState** Previous installation state before it was canceled.
-- **ProductId** The name of the package or packages requested for installation.
-- **RelatedCV** Correlation Vector of a previous performed action on this product.
-- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
-- **UserAttemptNumber** Total number of user attempts to install before it was canceled.
-- **WUContentId** The Windows Update content ID
+- **BootApplicationId** This field tells us what the OS Loader Application Identifier is.
+- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system.
+- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session.
+- **BootStatusPolicy** Identifies the applicable Boot Status Policy.
+- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
+- **EventTimestamp** Seconds elapsed since an arbitrary time point.
This can be used to identify the time difference in successive boot attempts being made.
+- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware.
+- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonPch** Reason for system reset provided by firmware.
+- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware.
+- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io).
+- **LastBootSucceeded** Flag indicating whether the last boot was successful.
+- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
+- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb.
+- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb.
+- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement).
+- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
+- **RecoveryEnabled** Indicates whether recovery is enabled.
+- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot.
+- **UserInputTime** The amount of time the loader application spent waiting for user input.
-### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+### Microsoft.Windows.Kernel.Power.OSStateChange
-This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+This event indicates an OS state change.
 The following fields are available:
-- **CatalogId** The Store Product ID of the app being installed.
-- **HResult** HResult code of the action being performed. -- **IsBundle** Is this a bundle? -- **PackageFamilyName** The name of the package being installed. -- **ProductId** The Store Product ID of the product being installed. -- **SkuId** Specific edition of the item being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense - -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **BundleId** The bundle ID -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** HResult code to show the result of the operation (success/failure). -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload - -This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure. 
- -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNumber** The number of attempts by the user to download. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. 
- -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. 
-- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. 
-- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of system attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare - -This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete - -The FulfillmentComplete event is fired at the end of an app install or update. We use this to track the very end of the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure, such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps. 
- -The following fields are available: - -- **CatalogId** The CatalogId is the name of the product catalog from which this app was chosen. -- **FailedRetry** Was the installation or update retry successful? -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate - -The FulfillmentInitiate event is fired at the start of an app install or update. We use this to track the very beginning of the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure, such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps. - -The following fields are available: - -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. -- **CatalogId** The CatalogId is the name of the product catalog from which this app was chosen. - - -### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest - -This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **BundleId** The identity of the build associated with this product. -- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition ID being installed. -- **VolumePath** The disk path of the installation. 
- - -### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation - -This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The Product Full Name. -- **PreviousHResult** The result code of the last action performed before this operation. -- **PreviousInstallState** Previous state before the installation or update was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation - -This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. 
-- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **IsUserRetry** Did the user initiate the retry? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **PreviousHResult** The previous HResult error code. -- **PreviousInstallState** Previous state before the installation was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector for the original install before it was resumed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest - -This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ProductId** The Store Product ID for the product being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest - -This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. 
-- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the product that is requested for update. +- **AcPowerOnline** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power. +- **ActualTransitions** The number of transitions between operating system states since the last system boot +- **BatteryCapacity** Maximum battery capacity in mWh +- **BatteryCharge** Current battery charge as a percentage of total capacity +- **BatteryDischarging** Flag indicating whether the battery is discharging or charging +- **BootId** Total boot count since the operating system was installed +- **BootTimeUTC** Date and time of a particular boot event (identified by BootId) +- **EnergyChangeV2** A snapshot value in mWh reflecting a change in power usage +- **EnergyChangeV2Flags** Flags for disambiguating EnergyChangeV2 context +- **EventSequence** Indicates the sequence order for this event instance, relative to previous instances of OSStateChange events that have occurred since boot +- **LastStateTransition** ID of the last operating system state transition +- **LastStateTransitionSub** ID of the last operating system sub-state transition +- **StateDurationMS** Number of milliseconds spent in the last operating system state +- **StateTransition** ID of the operating system state the system is transitioning to +- **StateTransitionSub** ID of the operating system sub-state the system is transitioning to +- **TotalDurationMS** Total time (in milliseconds) spent in all states since the last boot +- **TotalUptimeMS** Total time (in milliseconds) the device was in Up or Running states since the last boot +- **TransitionsToOn** Number of transitions to the Powered On state since the last boot +- 
**UptimeDeltaMS** Total time (in milliseconds) added to Uptime since the last event
 ## Privacy consent logging events
@@ -3446,13 +3458,29 @@ Event tells us effectiveness of new privacy experience.
 The following fields are available:
-- **isAdmin** Whether the current user is an administrator or not
+- **isAdmin** whether the person who is logging in is an admin
 - **isLaunching** Whether or not the privacy consent experience will be launched
-- **isSilentElevation** Whether the current user has enabled silent elevation
-- **privacyConsentState** The current state of the privacy consent experience
+- **isSilentElevation** whether the user has most restrictive UAC controls
+- **privacyConsentState** whether the user has completed privacy experience
 - **userRegionCode** The current user's region setting
+## Sediment events
+
+### Microsoft.Windows.Sediment.OSRSS.UrlState
+
+This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
+
+The following fields are available:
+
+- **Id** A number identifying the URL.
+- **ServiceVersionMajor** Version information for the component.
+- **ServiceVersionMinor** Version information for the component.
+- **StateData** State-specific data, such as the attempt number for the download.
+- **StateNumber** A number identifying the current state of the URL (for example, found, downloading, extracted).
+- **Time** System timestamp when the event was started.
+
+
 ## Setup events
 ### SetupPlatformTel.SetupPlatformTelEvent
@@ -3477,7 +3505,7 @@ The following fields are available:
 - **accountType** The type of account that was deleted. Example: AD, AAD, or Local
 - **deleteState** Whether the attempted deletion of the user account was successful.
 - **userSid** The security identifier of the account.
-- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
+- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity).
 ### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
@@ -3486,9 +3514,59 @@ Activity for run of the Transient Account Manager that determines if any user ac
 The following fields are available:
-- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies.
-- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager.
 - **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours
+- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies.
+- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. See [wilActivity](#wilactivity).
+
+
+### wilActivity
+
+This event provides a Windows Internal Library context used for Product and Service diagnostics.
+
+The following fields are available:
+
+- **callContext** The function where the failure occurred.
+- **currentContextId** The ID of the current call context where the failure occurred.
+- **currentContextMessage** The message of the current call context where the failure occurred.
+- **currentContextName** The name of the current call context where the failure occurred.
+- **failureCount** The number of failures for this failure ID.
+- **failureId** The ID of the failure that occurred.
+- **failureType** The type of the failure that occurred.
+- **fileName** The file name where the failure occurred.
+- **function** The function where the failure occurred.
+- **hresult** The HResult of the overall activity.
+- **lineNumber** The line number where the failure occurred.
+- **message** The message of the failure that occurred.
+- **module** The module where the failure occurred.
+- **originatingContextId** The ID of the originating call context that resulted in the failure.
+- **originatingContextMessage** The message of the originating call context that resulted in the failure.
+- **originatingContextName** The name of the originating call context that resulted in the failure.
+- **threadId** The ID of the thread on which the activity is executing.
+
+
+### wilResult
+
+This event provides a Windows Internal Library context used for Product and Service diagnostics.
+
+The following fields are available:
+
+- **callContext** The call context stack where failure occurred.
+- **currentContextId** The ID of the current call context where the failure occurred.
+- **currentContextMessage** The message of the current call context where the failure occurred.
+- **currentContextName** The name of the current call context where the failure occurred.
+- **failureCount** The number of failures for this failure ID.
+- **failureId** The ID of the failure that occurred.
+- **failureType** The type of the failure that occurred.
+- **fileName** The file name where the failure occurred.
+- **function** The function where the failure occurred.
+- **hresult** The HResult of the overall activity.
+- **lineNumber** The line number where the failure occurred.
+- **message** The message of the failure that occurred.
+- **module** The module where the failure occurred.
+- **originatingContextId** The ID of the originating call context that resulted in the failure.
+- **originatingContextMessage** The message of the originating call context that resulted in the failure.
+- **originatingContextName** The name of the originating call context that resulted in the failure.
+- **threadId** The ID of the thread on which the activity is executing.
 ## SIH events
@@ -3546,37 +3624,6 @@ The following fields are available: - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. - **AllowCachedResults** Indicates if the scan allowed using cached results. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 
0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
-- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
-- **NumberOfLoop** The number of round trips the scan required
-- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
-- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
-- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
-- **Online** Indicates if this was an online scan.
-- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **ScanDurationInSeconds** The number of seconds a scan took
-- **ScanEnqueueTime** The number of seconds it took to initialize a scan
-- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
-- **ServiceUrl** The environment URL a device is configured to scan with
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
-- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
-- **SyncType** Describes the type of scan the event was
-- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
 - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
 - **BiosFamily** The family of the BIOS (Basic Input Output System).
 - **BiosName** The name of the device BIOS.
@@ -3585,40 +3632,71 @@ The following fields are available:
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
 - **BranchReadinessLevel** The servicing branch configured on the device.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 - **ClientVersion** The version number of the software distribution client.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
 - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
 - **DeferredUpdates** Update IDs which are currently being deferred until a later time
 - **DeviceModel** What is the device model.
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
 - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **DriverSyncPassPerformed** Were drivers scanned this time?
 - **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
 - **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MSIError** The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected.
0 - IPv4, 1 - IPv6
 - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
 - **PausedUpdates** A list of UpdateIds which that currently being paused.
 - **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
 - **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
 - **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
 - **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
 - **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
 - **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan the event was
 - **SystemBIOSMajorRelease** Major version of the BIOS.
 - **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
 - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
 - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
-- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device.
-- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
-- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
-- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown ### SoftwareUpdateClientTelemetry.Commit 
@@ -3633,31 +3711,31 @@ The following fields are available:
 - **BiosSKUNumber** Device SKU as defined in the system BIOS
 - **BIOSVendor** Vendor of the system BIOS
 - **BiosVersion** Version of the system BIOS
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRevisionNumber** Identifies the revision number of the content bundle
-- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle
+- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
 - **ClientVersion** Version number of the software distribution client
-- **DeviceModel** Device model as defined in the system bios
+- **DeviceModel** Device model as defined in the system bios
 - **EventInstanceID** A globally unique identifier for event instance
 - **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
 - **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver".
-- **FlightId** The specific id of the flight the device is getting
-- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
+- **FlightId** The specific id of the flight the device is getting
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
- **RevisionNumber** Identifies the revision number of this specific piece of content - **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client ### SoftwareUpdateClientTelemetry.Download -Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded) +Download process event for target update on Windows Update client. See EventScenario field for specifics (started/failed/succeeded). The following fields are available: -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. - **BiosFamily** The family of the BIOS (Basic Input Output System). 
@@ -3666,19 +3744,20 @@ The following fields are available:
 - **BiosSKUNumber** The sku number of the device BIOS.
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
-- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
+- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
 - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
-- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
-- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
 - **ClientVersion** The version number of the software distribution client.
 - **CurrentMobileOperator** The mobile operator the device is currently connected to.
 - **DeviceModel** What is the device model.
 - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
 - **EventInstanceID** A globally unique identifier for event instance.
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
 - **EventType** Possible values are Child, Bundle, or Driver.
@@ -3686,7 +3765,7 @@ The following fields are available:
 - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
 - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
-- **FlightId** The specific id of the flight (pre-release build) the device is getting.
+- **FlightId** The specific ID of the flight (pre-release build) the device is getting.
 - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
 - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
 - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
@@ -3703,10 +3782,10 @@ The following fields are available: - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **RegulationReason** The reason that the update is regulated -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -3722,7 +3801,6 @@ The following fields are available: - **UsedDO** Whether the download used the delivery optimization service. - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. ### SoftwareUpdateClientTelemetry.DownloadCheckpoint 
@@ -3755,7 +3833,7 @@ The following fields are available: - **BytesTotal** Total bytes to transfer for this content - **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client - **ClientVersion** The version number of the software distribution client - **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat - **CurrentError** Last (transient) error encountered by the active download @@ -3770,11 +3848,11 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SuspendCount** Number of times this active download has entered a suspended state - **SuspendReason** Last reason for why this active download entered a suspended state -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client ### SoftwareUpdateClientTelemetry.Install 
@@ -3790,43 +3868,43 @@ The following fields are available:
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
 - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **ClientVersion** The version number of the software distribution client.
 - **CSIErrorType** The stage of CBS installation where it failed.
-- **CurrentMobileOperator** Mobile operator that device is currently connected to.
-- **DeviceModel** What is the device model.
+- **CurrentMobileOperator** The mobile operator to which the device is currently connected.
+- **DeviceModel** The device model.
 - **DriverPingBack** Contains information about the previous driver and system state.
 - **EventInstanceID** A globally unique identifier for event instance.
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
 - **EventType** Possible values are Child, Bundle, or Driver.
 - **ExtendedErrorCode** The extended error code.
-- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
 - **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
 - **FlightId** The specific ID of the Windows Insider build the device is getting.
 - **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
-- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update).
 - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
 - **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
-- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
-- **IsFirmware** Is this update a firmware update?
-- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
-- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
-- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
-- **MergedUpdate** Was the OS update and a BSP update merged for installation?
+- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether this update is a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
+- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
+- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
 - **MsiAction** The stage of MSI installation where it failed.
 - **MsiProductCode** The unique identifier of the MSI installer.
 - **PackageFullName** The package name of the content being installed.
 - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
 - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install.
 - **RevisionNumber** The revision number of this specific piece of content.
 - **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
 - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
@@ -3836,8 +3914,8 @@ The following fields are available:
 - **SystemBIOSMinorRelease** Minor version of the BIOS.
 - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
 - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TransactionCode** The ID which represents a given MSI installation
-- **UpdateId** Unique update ID
+- **TransactionCode** The ID that represents a given MSI installation.
+- **UpdateId** Unique update ID.
 - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
 - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
 - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
@@ -3849,13 +3927,13 @@ This event sends data about an AppX app that has been updated from the Microsoft The following fields are available: -- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.) -- **WUDeviceID** The unique device ID controlled by the software distribution client +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. ### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity 
@@ -3864,145 +3942,150 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether
 
 The following fields are available:
 
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
 - **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
 - **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
-- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed.
-- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
 - **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id)
+- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
+- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
 - **RevisionId** Identifies the revision of this specific piece of content
 - **RevisionNumber** Identifies the revision number of this specific piece of content
 - **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
-- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate.
+- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate.
 - **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob
 - **SignatureAlgorithm** Hash algorithm for the metadata signature
 - **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
 - **StatusCode** Result code of the event (success, cancellation, failure code HResult)
-- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
-- **UpdateId** Identifier associated with the specific piece of content
-- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
-- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
+- **UpdateId** Identifier associated with the specific piece of content
 - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
-- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
-- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
-- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
 
 
 ## Update events
 
 ### Update360Telemetry.UpdateAgentCommit
 
-This event collects information regarding the commit phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop.
-
-The following fields are available:
-
-- **ErrorCode** The error code returned for the current install phase.
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** Outcome of the install phase of the update.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgentDownloadRequest
-
- The UpdateAgent_DownloadRequest event sends data for the download request phase of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to PC and Mobile.
-
-The following fields are available:
-
-- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
-- **ErrorCode** The error code returned for the current download request phase.
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360)
-- **PackageCountOptional** Number of optional packages requested.
-- **PackageCountRequired** Number of required packages requested.
-- **PackageCountTotal** Total number of packages needed.
-- **PackageCountTotalCanonical** Total number of canonical packages.
-- **PackageCountTotalDiff** Total number of diff packages.
-- **PackageCountTotalExpress** Total number of express packages.
-- **PackageSizeCanonical** Size of canonical packages in bytes.
-- **PackageSizeDiff** Size of diff packages in bytes.
-- **PackageSizeExpress** Size of express packages in bytes.
-- **RangeRequestState** Indicates the range request type used.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** Outcome of the download request phase of update.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases)
-- **UpdateId** Unique ID for each update.
-- **PackageExpressType** Type of express package.
-
-
-### Update360Telemetry.UpdateAgentExpand
-
- This event collects information regarding the expansion phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
-
-The following fields are available:
-
-- **ElapsedTickCount** Time taken for expand phase.
-- **EndFreeSpace** Free space after expand phase.
-- **EndSandboxSize** Sandbox size after expand phase.
-- **ErrorCode** The error code returned for the current install phase.
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **StartFreeSpace** Free space before expand phase.
-- **StartSandboxSize** Sandbox size after expand phase.
-- **UpdateId** Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgentFellBackToCanonical
-
-This event collects information when express could not be used and we fall back to canonical during the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop.
-
-The following fields are available:
-
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode.
-- **PackageCount** Number of packages that feel back to canonical.
-- **PackageList** PackageIds which fell back to canonical.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgentInitialize
-
- The UpdateAgentInitialize event sends data for the initialize phase of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to both PCs and Mobile.
-
-The following fields are available:
-
-- **ErrorCode** The error code returned for the current install phase.
-- **FlightId** Unique ID for each flight.
-- **FlightMetadata** Contains the FlightId and the build being flighted.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** Outcome of the install phase of the update.
-- **ScenarioId** Indicates the update scenario.
-- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgentInstall
-
-The UpdateAgentInstall event sends data for the install phase of updating Windows.
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
 
 The following fields are available:
 
 - **ErrorCode** The error code returned for the current install phase.
-- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
-- **ObjectId** Correlation vector value generated from the latest USO scan.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+
+The following fields are available:
+
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentExpand
+
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase.
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentFellBackToCanonical
+
+This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PackageCount** Number of packages that feel back to canonical.
+- **PackageList** PackageIds which fell back to canonical.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
 - **Result** The result for the current install phase.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
 
 
 ### Update360Telemetry.UpdateAgentMerge
@@ -4011,85 +4094,85 @@ The UpdateAgentMerge event sends data on the merge phase when updating Windows.
 
 The following fields are available:
 
-- **ErrorCode** The error code returned for the current merge phase.
+- **ErrorCode** The error code returned for the current merge phase.
 - **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Related correlation vector value.
-- **Result** Outcome of the merge phase of the update.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each attempt.
-- **UpdateId** Unique ID for each update.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Related correlation vector value.
+- **Result** Outcome of the merge phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt.
+- **UpdateId** Unique ID for each update.
 
 
 ### Update360Telemetry.UpdateAgentModeStart
 
-The UpdateAgentModeStart event sends data for the start of each mode during the process of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to both PCs and Mobile.
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
 
 The following fields are available:
 
-- **FlightId** Unique ID for each flight.
-- **Mode** Indicates the mode that has started.
+- **FlightId** Unique ID for each flight.
+- **Mode** Indicates the mode that has started.
 - **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
 - **UpdateId** Unique ID for each update.
 - **Version** Version of update
 
 
 ### Update360Telemetry.UpdateAgentPostRebootResult
 
-This event collects information for both Mobile and Desktop regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
 
 The following fields are available:
 
-- **ErrorCode** The error code returned for the current post reboot phase
-- **FlightId** The unique identifier for each flight
-- **ObjectId** Unique value for each Update Agent mode
-- **PostRebootResult** Indicates the Hresult
-- **RelatedCV** Correlation vector value generated from the latest USO scan
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **ErrorCode** The error code returned for the current post reboot phase.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PostRebootResult** Indicates the Hresult.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
 - **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update
+- **UpdateId** Unique ID for each update.
 
 
 ### Update360Telemetry.UpdateAgentSetupBoxLaunch
 
-The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new UUP (Unified Update Plaform) scenario. This event is only applicable to PCs.
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
 
 The following fields are available:
 
-- **FlightId** Unique ID for each flight.
-- **FreeSpace** Free space on OS partition.
-- **InstallCount** Number of install attempts using the same sandbox.
-- **ObjectId** Unique value for each Update Agent mode.
-- **Quiet** Indicates whether setup is running in quiet mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **SandboxSize** Size of the sandbox.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **SetupMode** Mode of setup to be launched.
-- **UpdateId** Unique ID for each Update.
-- **UserSession** Indicates whether install was invoked by user actions.
 - **ContainsExpressPackage** Indicates whether the download package is express.
+- **FlightId** Unique ID for each flight.
+- **FreeSpace** Free space on OS partition.
+- **InstallCount** Number of install attempts using the same sandbox.
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **SandboxSize** Size of the sandbox.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **SetupMode** Mode of setup to be launched.
+- **UpdateId** Unique ID for each update.
+- **UserSession** Indicates whether install was invoked by user actions.
 
 
 ## Update notification events
 
 ### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
 
-Event to indicate that Javascript is reporting a schema and a set of values for critical telemetry.
+This event indicates that Javascript is reporting a schema and a set of values for critical telemetry.
 
 The following fields are available:
 
-- **CampaignConfigVersion** Config version of current campaign
-- **CampaignID** Currently running campaign on UNP
-- **ConfigCatalogVersion** Current catalog version of UNP
-- **ContentVersion** Content version of the current campaign on UNP
-- **CV** Correlation vector
-- **DetectorVersion** Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user
-- **key1** UI interaction data
+- **CampaignConfigVersion** Configuration version of the current campaign.
+- **CampaignID** ID of the currently running campaign.
+- **ConfigCatalogVersion** Current catalog version of the update notification.
+- **ContentVersion** Content version of the current update notification campaign.
+- **CV** Correlation vector.
+- **DetectorVersion** Most recently run detector version for the current campaign.
+- **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user.
+- **key1** Interaction data for the UI
 - **key10** UI interaction data
 - **key11** UI interaction data
 - **key12** UI interaction data
@@ -4098,18 +4181,9 @@ The following fields are available:
 - **key15** UI interaction data
 - **key16** UI interaction data
 - **key17** UI interaction data
-- **key2** UI interaction data
-- **key3** UI interaction data
-- **key4** UI interaction data
-- **key5** UI interaction data
-- **key6** UI interaction data
-- **key7** Interaction data for the UI
-- **key8** Interaction data for the UI
-- **key9** UI interaction data
-- **PackageVersion** Current package version of UNP
-- **schema** UI interaction type
 - **key18** UI interaction data
 - **key19** UI interaction data
+- **key2** Interaction data for the UI
 - **key20** UI interaction data
 - **key21** Interaction data for the UI
 - **key22** UI interaction data
@@ -4118,120 +4192,156 @@ The following fields are available:
 - **key25** UI interaction data
 - **key26** UI interaction data
 - **key27** UI interaction data
-- **key28** Interaction data for the UI
+- **key28** UI interaction data
 - **key29** UI interaction data
+- **key3** Interaction data for the UI
 - **key30** UI interaction data
+- **key4** Interaction data for the UI
+- **key5** UI interaction data
+- **key6** UI interaction data
+- **key7** Interaction data for the UI
+- **key8** Interaction data for the UI
+- **key9** UI interaction data
+- **PackageVersion** Current package version of the update notification.
+- **schema** UI interaction type.
 
 
 ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
 
-This event is sent at the start of each campaign, to be used as a heartbeat
+This event is sent at the start of each campaign, to be used as a heartbeat.
 
 The following fields are available:
 
-- **CampaignConfigVersion** Configuration version for the current campaign
-- **CampaignID** Currently campaign that's running on UNP
-- **ConfigCatalogVersion** Current catalog version of UNP
-- **ContentVersion** Content version for the current campaign on UNP
-- **CV** Correlation vector
-- **DetectorVersion** Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
-- **PackageVersion** Current UNP package version
+- **CampaignConfigVersion** Configuration version for the current campaign.
+- **CampaignID** Current campaign that is running on Update Notification Pipeline.
+- **ConfigCatalogVersion** Current catalog version of Update Notification Pipeline.
+- **ContentVersion** Content version for the current campaign on Update Notification Pipeline.
+- **CV** Correlation vector.
+- **DetectorVersion** Most recently run detector version for the current campaign on Update Notification Pipeline.
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user.
+- **PackageVersion** Current package version for Update Notification Pipeline.
 
 
 ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
 
-This event indicates that the Campaign Manager is cleaning up the campaign content
+This event indicates that the Campaign Manager is cleaning up the campaign content.
 
 The following fields are available:
 
-- **CampaignConfigVersion** Configuration version for the current campaign
-- **CampaignID** Current campaign that's running on UNP
-- **ConfigCatalogVersion** Current catalog version of UNP
-- **ContentVersion** Content version for the current campaign on UNP
+- **CampaignConfigVersion** Configuration version for the current campaign.
+- **CampaignID** The current campaign that is running on Update Notification Pipeline (UNP).
+- **ConfigCatalogVersion** The current catalog version of the Update Notification Pipeline (UNP).
+- **ContentVersion** Content version for the current campaign on UNP.
 - **CV** Correlation vector
-- **DetectorVersion** Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
-- **PackageVersion** Current UNP package version
-
-
-### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
-
-This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat
-
-The following fields are available:
-
-- **CampaignConfigVersion** Configuration version for the current campaign
-- **CampaignID** Currently campaign that's running on UNP
-- **ConfigCatalogVersion** Current catalog version of UNP
-- **ContentVersion** Content version for the current campaign on UNP
-- **CV** Correlation vector
-- **DetectorVersion** Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
-- **PackageVersion** Current UNP package version
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP.
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user.
+- **PackageVersion** Current UNP package version.
 
 
 ### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
 
-This event is sent when a campaign completion status query fails
+This event is sent when a campaign completion status query fails.
 
 The following fields are available:
 
-- **CampaignConfigVersion** Configuration version for the current campaign
-- **CampaignID** Current campaign that's running on UNP
-- **ConfigCatalogVersion** Current catalog version of UNP
-- **ContentVersion** Content version for the current campaign on UNP
-- **CV** Correlation vector
-- **DetectorVersion** Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
-- **hresult** HRESULT of the failure
-- **PackageVersion** Current UNP package version
+- **CampaignConfigVersion** Configuration version for the current campaign.
+- **CampaignID** Current campaign that is running on Update Notification Pipeline (UNP).
+- **ConfigCatalogVersion** Current catalog version of UNP.
+- **ContentVersion** Content version for the current campaign on UNP.
+- **CV** Correlation vector.
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP.
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user.
+- **hresult** HRESULT of the failure.
+- **PackageVersion** Current UNP package version.
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
+
+This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat.
+
+The following fields are available:
+
+- **CampaignConfigVersion** Configuration version for the current campaign.
+- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP).
+- **ConfigCatalogVersion** Current catalog version of UNP.
+- **ContentVersion** Content version for the current campaign on UNP.
+- **CV** Correlation vector.
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP.
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user.
+- **PackageVersion** Current UNP package version.
 
 
 ### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
 
-This event is sent when the Campaign Manager encounters an unexpected error while running the campaign
+This event is sent when the Campaign Manager encounters an unexpected error while running the campaign.
 
 The following fields are available:
 
-- **CampaignConfigVersion** Configuration version for the current campaign
-- **CampaignID** Currently campaign that's running on UNP
-- **ConfigCatalogVersion** Current catalog version of UNP
-- **ContentVersion** Content version for the current campaign on UNP
-- **CV** Correlation vector
-- **DetectorVersion** Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user
-- **hresult** HRESULT of the failure
-- **PackageVersion** Current UNP package version
+- **CampaignConfigVersion** Configuration version for the current campaign.
+- **CampaignID** Currently campaign that's running on Update Notification Pipeline (UNP).
+- **ConfigCatalogVersion** Current catalog version of UNP.
+- **ContentVersion** Content version for the current campaign on UNP.
+- **CV** Correlation vector.
+- **DetectorVersion** Most recently run detector version for the current campaign on UNP.
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user.
+- **hresult** HRESULT of the failure.
+- **PackageVersion** Current UNP package version.
 
 
 ## Upgrade events
 
+### FacilitatorTelemetry.DCATDownload
+
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **DownloadSize** Download size of payload.
+- **ElapsedTime** Time taken to download payload.
+- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade.
+- **ResultCode** Result returned by the Facilitator DCAT call.
+- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **Type** Type of package that was downloaded.
+
+
+### FacilitatorTelemetry.InitializeDU
+
+This event determines whether devices received additional or critical supplemental content during an OS upgrade.
+
+The following fields are available:
+
+- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to.
+- **DownloadRequestAttributes** The attributes we send to DCAT.
+- **ResultCode** The result returned from the initialization of Facilitator with the URL/attributes.
+- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **Version** Version of Facilitator.
+
+
 ### Setup360Telemetry.Downlevel
 
-This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
 
 The following fields are available:
 
 - **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the downlevel OS.
 - **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Extended** More detailed information about phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
+- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId** A string that uniquely identifies a group of events.
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** An ID that uniquely identifies a group of events.
 - **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
-- **FlightData** Unique value that identifies the flight.
 
 
 ### Setup360Telemetry.Finalize
 
-This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure.
 
 The following fields are available:
 
@@ -4241,45 +4351,46 @@ The following fields are available: - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. ### Setup360Telemetry.OsUninstall -The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall. +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. 
The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.PostRebootInstall -This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date. 
+This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. The following fields are available: - **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. @@ -4292,7 +4403,6 @@ The following fields are available: - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.PreDownloadQuiet 
@@ -4305,82 +4415,82 @@ The following fields are available: - **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. ### Setup360Telemetry.PreDownloadUX -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS. 
Specifically the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). 
-- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. ### Setup360Telemetry.PreInstallQuiet -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date. +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. The following fields are available: - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. 
This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT) +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.PreInstallUX -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process. +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. 
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.Setup360 
@@ -4389,13 +4499,29 @@ This event sends data about OS deployment scenarios, to help keep Windows up-to- The following fields are available: +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FieldName** Retrieves the data point. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. - **ReportId** Retrieves the report ID. - **ScenarioId** Retrieves the deployment scenario. - **Value** Retrieves the value associated with the corresponding FieldName. -- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned by setup for the entire operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. ### Setup360Telemetry.UnexpectedEvent 
@@ -4405,19 +4531,19 @@ This event sends data indicating that the device has invoked the unexpected even The following fields are available: - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. 
With Windows Update, this is the same as the clientId. -- **FlightData** Unique value that identifies the flight. ## Windows as a Service diagnostic events 
@@ -4428,116 +4554,505 @@ Result of the WaaSMedic operation. The following fields are available: -- **detectionSummary** Result of each applicable detection that was ran. +- **detectionSummary** Result of each applicable detection that was run. - **featureAssessmentImpact** WaaS Assessment impact for feature updates. - **hrEngineResult** Error code from the engine operation. +- **insufficientSessions** Device not eligible for diagnostics. - **isManaged** Device is managed for updates. - **isWUConnected** Device is connected to Windows Update. - **noMoreActions** No more applicable diagnostics. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediationSummary** Result of each applicable resolution that was ran. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. - **usingBackupQualityAssessment** Relying on backup quality assessment. -- **versionString** Version of the WaaSMedic engine. - **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. - **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **insufficientSessions** Device not eligible for diagnostics. +- **versionString** Version of the WaaSMedic engine. -## Windows Error Reporting events - ## Windows Error Reporting MTT events ### Microsoft.Windows.WER.MTT.Denominator -This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors to help keep Windows up to date. 
+This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. The following fields are available: -- **Value** Standard UTC emitted DP value structure +- **Value** Standard UTC emitted DP value structure See [Microsoft.Windows.WER.MTT.Value](#microsoftwindowswermttvalue). + + +### Microsoft.Windows.WER.MTT.Value + +This event is used for differential privacy. + +The following fields are available: + +- **Algorithm** Privacy protecting algorithm used for randomization. +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate mean. +- **Epsilon** Constant used in algorithm for randomization. +- **HistType** Histogram type. +- **PertProb** Constant used in algorithm for randomization. + + +## Windows Store events + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). 
+- **PFN** The product family name of the product being installed. +- **ProductId** The identity of the package or packages being installed. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** Licensing identity of this package. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? 
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? 
+- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. 
+- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). 
+- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). 
+- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. 
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **FailedRetry** Indicates whether the installation or update retry was successful.
+- **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsUserRetry** Did the user initiate the retry?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+
+This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
+
+This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The Store Catalog ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specfic edition of the app being updated.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+
+This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFamN** The name of the app that is requested for update.
 ## Windows Update CSP events
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed
-The Execute Rollback Feature Failed event sends basic telemetry on the failure of the Feature Rollback. This functionality supports our feature by providing IT Admins the ability to see the operation failed, allowing them to do further triage of the device.
+This event sends basic telemetry on the failure of the Feature Rollback.
 The following fields are available:
-- **current** Result of currency check
-- **dismOperationSucceeded** Dism uninstall operation status
-- **hResult** Failure Error code
-- **oSVersion** Build number of the machine
-- **paused** Machine's pause status
-- **rebootRequestSucceeded** Reboot CSP call success status
-- **wUfBConnected** Result of WUfB connection check
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **hResult** Failure error code.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **wUfBConnected** Result of WUfB connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
-The Execute Rollback Feature Not Applicable event sends basic telemetry on the applicability of the Feature Rollback, to support the functionality of Feature Rollback. This event provides critical information for the feature because it will alert IT Admins that devices they are attempting to rollback Features updates are not applicable.
+This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device.
 The following fields are available:
-- **current** Result of currency check
-- **dismOperationSucceeded** Dism uninstall operation status
-- **oSVersion** Build number of the machine
-- **paused** Machine's pause status
-- **rebootRequestSucceeded** Reboot CSP call success status
-- **wUfBConnected** Result of WUfB connection check
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **wUfBConnected** Result of WUfB connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
-The Execute Rollback Feature Started event sends basic information on the start process to provide information that the Feature Rollback has started.
+This event sends basic information indicating that Feature Rollback has started.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureSucceeded
-The Execute Rollback Feature Succeed event sends basic telemetry on the success of the Rollback of the Feature updates. This functionality supports our feature by providing insights to IT Admins of the success of the Feature rollback.
+This event sends basic telemetry on the success of the rollback of feature updates.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed
-The Execute Rollback Quality Failed event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. This functionality supports our feature by providing IT Admins the ability to see the operation failed allowing them to do further triage of the device.
+This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds.
 The following fields are available:
-- **current** Result of currency check
-- **dismOperationSucceeded** Dism uninstall operation status
-- **hResult** Failure Error code
-- **oSVersion** Build number of the machine
-- **paused** Machine's pause status
-- **rebootRequestSucceeded** Reboot CSP call success status
-- **wUfBConnected** Result of WUfB connection check
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **hResult** Failure error code.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **wUfBConnected** Result of Windows Update for Business connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable
-The Execute Rollback Quality Not Applicable event sends basic telemetry on the applicability of the Quality Rollback, to support the functionality of Quality Rollback. This event provides critical information for feature because it will alert IT Admins that devices they are attempting to rollback Quality updates are not applicable.
+This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback.
 The following fields are available:
-- **current** Result of currency check
-- **dismOperationSucceeded** Dism uninstall operation status
-- **oSVersion** Build number of the machine
-- **paused** Machine's pause status
-- **rebootRequestSucceeded** Reboot CSP call success status
-- **wUfBConnected** Result of WUfB connection check
+- **current** Result of currency check.
+- **dismOperationSucceeded** Dism uninstall operation status.
+- **oSVersion** Build number of the device.
+- **paused** Indicates whether the device is paused.
+- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
+- **wUfBConnected** Result of WUfB connection check.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
-The Execute Rollback Quality Started event sends basic information on the start process to provide information that the Quality Rollback has started.
+This event indicates that the Quality Rollback process has started.
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded
-The Execute Rollback Quality Succeed event sends basic telemetry on the success of the rollback of the Quality/LCU builds. This functionality supports our feature by providing insights to IT Admins of the success of the Quality rollback.
+This event sends basic telemetry on the success of the rollback of the Quality/LCU builds.
@@ -4549,37 +5064,37 @@ This event sends data describing the start of a new download to enable Delivery
 The following fields are available:
-- **background** If the download is happening in the background
-- **bytesRequested** Number of bytes requested for download.
-- **cdnUrl** Url of the source CDN
-- **costFlags** Network cost flags
-- **deviceProfile** Identifies the usage or form factor (Desktop, Xbox, VM, etc)
-- **diceRoll** Random number used for determining if a client will use peering
-- **doClientVersion** Version of the Delivery Optimization client
-- **doErrorCode** Delivery Optimization error code returned
-- **downloadMode** DownloadMode used (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100)
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider: 0, GeoProvider: 1, GeoVerProvider: 2, CpProvider: 3, DiscoveryProvider: 4, RegistryProvider: 5, GroupPolicyProvider: 6, MdmProvider: 7, SettingsProvider: 8, InvalidProviderType: 9)
-- **errorCode** Error code returned
-- **experimentId** Used to correlate client/services calls that are part of the same test during A/B testing
-- **fileID** ID of the File being downloaded
-- **filePath** Path to where the downloaded file will be written
-- **fileSize** Total filesize of the file that was downloaded
-- **fileSizeCaller** Value for total file size provided by our caller
-- **groupID** ID for the group
-- **isVpn** If the machine is connected to a Virtual Private Network
-- **jobID** Identifier for the Windows Update Job
-- **peerID** ID for this Delivery Optimization client
-- **predefinedCallerName** Name of the API caller
-- **sessionID** ID for the file download session
-- **setConfigs** ID of the update being downloaded
-- **updateID** ID for the file download session
-- **usedMemoryStream** If the download is using memory streaming in App downloads
-- **callerName** Name of the API Caller
-- **minDiskSizeGB** The minimum disk size policy set for the device to allow
Peering with Delivery Optimization
-- **minDiskSizePolicyEnforced** If there is an enforced mininum disk size requirement for peering
-- **minFileSizePolicy** The minimum file size policy set for the device to allow Peering with Delivery Optimization
-- **scenarioID** ID for the Scenario
-- **isEncrypted** Whether the download is encrypted
+- **background** Indicates whether the download is happening in the background.
+- **bytesRequested** Number of bytes requested for the download.
+- **callerName** Name of the API caller.
+- **cdnUrl** The URL of the source CDN
+- **costFlags** A set of flags representing network cost.
+- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
+- **diceRoll** Random number used for determining if a client will use peering.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **errorCode** The error code that was returned.
+- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **fileID** The ID of the file being downloaded.
+- **filePath** The path to where the downloaded file will be written.
+- **fileSize** Total file size of the file that was downloaded.
+- **fileSizeCaller** Value for total file size provided by our caller.
+- **groupID** ID for the group.
+- **isEncrypted** Indicates whether the download is encrypted.
+- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
+- **jobID** The ID of the Windows Update job.
+- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization.
+- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering.
+- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization.
+- **peerID** The ID for this delivery optimization client.
+- **predefinedCallerName** Name of the API caller.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID for the file download session.
+- **setConfigs** A JSON representation of the configurations that have been set, and their sources.
+- **updateID** The ID of the update being downloaded.
+- **usedMemoryStream** Indicates whether the download used memory streaming.
 ## Windows Update events
@@ -4591,328 +5106,328 @@ This event collects information regarding the state of devices and drivers on th The following fields are available: - **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis. -- **flightId** Unique ID for each flight. -- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system. -- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system. -- **objectId** Unique value for each diagnostics session. -- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on. +- **analysisErrorCount** How many driver packages could not be analyzed because errors were hit during the analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** How many driver packages that were delivered by the device manifest are missing from the system. +- **missingUpdateCount** How many updates that were part of the device manifest are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** How many drivers packages that were delivered by the device manifest are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. 
+- **sessionId** Unique value for each update session. +- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. - **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string. -- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string. +- **truncatedDeviceCount** How many devices are missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** How many driver packages are missing from the summary string because there is not enough room in the string. - **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** Unique ID for each Update. +- **updateId** Unique ID for each update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit -This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. 
The following fields are available: -- **errorCode** The error code returned for the current session initialization -- **flightId** The unique identifier for each flight -- **objectId** The unique GUID for each diagnostics session -- **relatedCV** A correlation vector value, generated from the latest USO scan -- **result** Outcome of the initialization of the session -- **scenarioId** Identifies the Update scenario -- **sessionId** The unique value for each update session -- **updateId** The unique identifier for each Update +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. 
The following fields are available: -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted -- **errorCode** The error code returned for the current session initialization -- **flightId** The unique identifier for each flight -- **objectId** Unique value for each Update Agent mode -- **packageCountOptional** Number of optional packages requested -- **packageCountRequired** Number of required packages requested -- **packageCountTotal** Total number of packages needed -- **packageCountTotalCanonical** Total number of canonical packages -- **packageCountTotalDiff** Total number of diff packages -- **packageCountTotalExpress** Total number of express packages -- **packageSizeCanonical** Size of canonical packages in bytes -- **packageSizeDiff** Size of diff packages in bytes -- **packageSizeExpress** Size of express packages in bytes -- **rangeRequestState** Represents the state of the download range request -- **relatedCV** Correlation vector value generated from the latest USO scan -- **result** Result of the download request phase of update -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. 
+- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize -This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The following fields are available: -- **errorCode** The error code returned for the current initialize phase -- **flightId** The unique identifier for each flight -- **flightMetadata** Contains the FlightId and the build being flighted -- **objectId** Unique value for each Update Agent mode -- **relatedCV** Correlation vector value generated from the latest USO scan -- **result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled -- **scenarioId** The scenario ID. 
Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios) -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall -This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The following fields are available: -- **errorCode** The error code returned for the current install phase -- **flightId** The unique identifier for each flight -- **objectId** Unique value for each Update Agent mode -- **relatedCV** Correlation vector value generated from the latest scan -- **result** Result of the install phase of update. 
0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **errorCode** The error code returned for the current install phase. +- **flightId** Unique ID for each flight. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **updateId** Unique ID for each Update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The following fields are available: -- **flightId** The unique identifier for each flight -- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit -- **objectId** Unique value for each Update Agent mode -- **relatedCV** Correlation vector value generated from the latest scan -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **flightId** Unique ID for each flight. +- **mode** The mode that is starting. 
+- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **updateId** Unique ID for each Update. ### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed -Dialog notification about to be displayed to user. +This event indicates that a notification dialog box is about to be displayed to user. The following fields are available: -- **AcceptAutoModeLimit** Maximum number of days for a device to automatically enter Auto Reboot mode -- **AutoToAutoFailedLimit** Maximum number of days for Auto Reboot mode to fail before RebootFailed dialog will be shown -- **DeviceLocalTime** Time of dialog shown on local device -- **EngagedModeLimit** Number of days to switch between DTE dialogs -- **EnterAutoModeLimit** Maximum number of days for a device to enter Auto Reboot mode -- **ETag** OneSettings versioning value -- **IsForcedEnabled** Is Forced Reboot mode enabled for this device? -- **IsUltimateForcedEnabled** Is Ultimate Forced Reboot mode enabled for this device? -- **NotificationUxState** Which dialog is shown (ENUM)? -- **NotificationUxStateString** Which dialog is shown (string mapping)? -- **RebootUxState** Engaged/Auto/Forced/UltimateForced -- **RebootUxStateString** Engaged/Auto/Forced/UltimateForced -- **RebootVersion** Version of DTE -- **SkipToAutoModeLimit** The minimum length of time to pass in reboot pending before a machine can be put into auto mode -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UtcTime** The Coordinated Universal Time when the dialog notification will be displayed. -- **DaysSinceRebootRequired** Number of days since reboot was required. 
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog -Enhanced Engaged reboot accept auto dialog was displayed. +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. 
The following fields are available: -- **DeviceLocalTime** Local time of the device sending the event -- **ETag** OneSettings ETag -- **ExitCode** Dialog exit code - user response -- **RebootVersion** Reboot flow version -- **UpdateId** Id of pending update -- **UpdateRevision** Revision number of the pending update -- **UserResponseString** User response to the reboot dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog -Enhanced Engaged reboot first reminder dialog was displayed. +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed. The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The id of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. 
+- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog -Enhanced Engaged reboot forced precursor dialog was displayed. +This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed. The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The id of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog -Enhanced Engaged forced warning dialog was displayed. +This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed. 
The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The id of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog -Enhanced Engaged reboot reboot failed dialog was displayed. +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. The following fields are available: -- **DeviceLocalTime** Dialog exit code - user response -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time of the device sending the event. 
+- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog -Enhanced Engaged reboot reboot imminent dialog was displayed. +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.. The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog -Enhanced Engaged reboot second reminder dialog was displayed. 
+This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart. The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog -Enhanced Engaged reboot third reminder dialog was displayed. +This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed. 
The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.RebootScheduled -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. The following fields are available: -- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise -- **rebootScheduledByUser** True, if a reboot is scheduled by user. 
False, if a reboot is scheduled automatically -- **rebootState** The state of the reboot -- **revisionNumber** Revision number of the update that is getting installed with this reboot -- **scheduledRebootTime** Time of the scheduled reboot -- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time -- **updateId** ID of the update that is getting installed with this reboot -- **wuDeviceid** Unique device ID used by Windows Update -- **IsEnhancedEngagedReboot** Whether this is an Enhanced Engaged reboot +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy -A policy is present that may restrict update activity to outside of active hours. +This event indicates a policy is present that may restrict update activity to outside of active hours. The following fields are available: -- **activeHoursEnd** The end of the active hours window -- **activeHoursStart** The start of the active hours window -- **wuDeviceid** Device ID +- **activeHoursEnd** The end of the active hours window. 
+- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours -Update activity blocked due to active hours being currently active. +This event indicates that update activity was blocked because it is within the active hours window. The following fields are available: -- **blockReason** The current state of the update process -- **updatePhase** The current state of the update process -- **wuDeviceid** Device ID -- **activeHoursEnd** The end of the active hours window -- **activeHoursStart** The start of the active hours window +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **blockReason** Reason for stopping the update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel -Update activity blocked due to low battery level. +This event indicates that Windows Update activity was blocked due to low battery level. The following fields are available: -- **batteryLevel** The current battery charge capacitity -- **batteryLevelThreshold** The battery capacity threshold to stop update activity -- **blockReason** The current state of the update process -- **updatePhase** The current state of the update process -- **wuDeviceid** Device ID +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **blockReason** Reason for stopping Windows Update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. ### Microsoft.Windows.Update.Orchestrator.CommitFailed -This events tracks when a device needs to restart after an update but did not. +This event indicates that a device was unable to restart after an update. 
The following fields are available: 
@@ -4920,89 +5435,60 @@ The following fields are available:
 - **wuDeviceid** The Windows Update device GUID.
-### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
-
-Event to indicate that DTU completed installation of the ESD, when WU was already Pending Commit of the feature update.
-
-The following fields are available:
-
-- **wuDeviceid** Device ID used by WU
-
-
-### Microsoft.Windows.Update.Orchestrator.DTUEnabled
-
-Inbox DTU functionality enabled.
-
-The following fields are available:
-
-- **wuDeviceid** Device ID.
-
-
-### Microsoft.Windows.Update.Orchestrator.DTUInitiated
-
-Inbox DTU functionality intiated.
-
-The following fields are available:
-
-- **dtuErrorCode** Return code from creating the DTU Com Server.
-- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on.
-- **wuDeviceid** Return code from creating the DTU Com Server.
-
-
 ### Microsoft.Windows.Update.Orchestrator.DeferRestart
-Indicates that a restart required for installing updates was postponed.
+This event indicates that a restart required for installing updates was postponed.
 The following fields are available:
-- **displayNeededReason** Semicolon-separated list of reasons reported for display needed
-- **eventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc
-- **filteredDeferReason** The raised reason that the USO did not restart (e.g. user active, low battery) that were ignorable
-- **gameModeReason** Name of the executable that caused the game mode state check to trigger.
-- **ignoredReason** Semicolon-separated list of reasons that were intentionally ignored.
-- **revisionNumber** Update ID revision number
-- **systemNeededReason** Semicolon-separated list of reasons reported for system needed.
-- **updateId** Update ID
-- **updateScenarioType** Update session type
-- **wuDeviceid** Windows Update Device GUID
-- **raisedDeferReason** The reason that the USO did not restart (e.g. user active, low battery)
+- **displayNeededReason** List of reasons for needing display.
+- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
+- **gameModeReason** Name of the executable that caused the game mode state check to start.
+- **ignoredReason** List of reasons that were intentionally ignored.
+- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery).
+- **revisionNumber** Update ID revision number.
+- **systemNeededReason** List of reasons why system is needed.
+- **updateId** Update ID.
+- **updateScenarioType** Update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.Detection
-A scan for an update occurred.
+This event indicates that a scan for a Windows Update occurred.
 The following fields are available:
-- **detectionBlockingPolicy** State of update action
-- **detectionBlockreason** Reason for detection not completing.
-- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **interactive** Identifies if session is User Initiated.
-- **scanTriggerSource** Source of the triggered scan.
-- **updateScenarioType** The update session type.
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **detectionRetryMode** If we retry to scan
-- **errorCode** The returned error code.
-- **deferReason** Reason for postponing detection
-- **flightID** Flight info
-- **revisionNumber** Update version
-- **updateId** Update ID - GUID
+- **deferReason** Reason why the device could not check for updates.
+- **detectionBlockingPolicy** State of update action.
+- **detectionBlockreason** Reason for blocking detection
+- **detectionRetryMode** Indicates whether we will try to scan again.
+- **errorCode** Error info
+- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session was user initiated.
 - **networkStatus** Error info
+- **revisionNumber** Update revision number.
+- **scanTriggerSource** Source of the triggered scan.
+- **updateId** Update ID.
+- **updateScenarioType** Source of the triggered scan
+- **wuDeviceid** Device ID
 ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
-Reboot postponed due to needing a display
+This event indicates the reboot was postponed due to needing a display.
 The following fields are available:
-- **displayNeededReason** Reason the display is needed
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date
-- **revisionNumber** Revision number of the update
-- **updateId** Update ID
-- **updateScenarioType** The update session type
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date
+- **displayNeededReason** Reason the display is needed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
 - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
@@ -5012,83 +5498,112 @@ This event sends launch data for a Windows Update download to help keep Windows
 The following fields are available:
-- **deferReason** Reason for download not completing
-- **errorCode** An error code represented as a hexadecimal value
-- **eventScenario** End to end update session ID.
-- **flightID** Unique update ID.
-- **interactive** Identifies if session is user initiated.
+- **deferReason** Reason for download not completing.
+- **errorCode** An error code represented as a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session is user initiated.
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
 - **updateScenarioType** The update session type.
 - **wuDeviceid** Unique device ID used by Windows Update.
-### Microsoft.Windows.Update.Orchestrator.Escalation
+### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
-Event sent when USO takes an Escalation action on device.
+This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update.
 The following fields are available:
-- **configVersion** Escalation config version on device
-- **escalationAction** Indicate the specific escalation action that took place on device
-- **updateClassificationGUID** GUID of the update the device is offered
-- **updateId** ID of the update the device is offered
-- **wuDeviceid** Device ID used by WU
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUEnabled
+
+This event indicates that Inbox DTU functionality was enabled.
+
+The following fields are available:
+
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUInitiated
+
+This event indicates that Inbox DTU functionality was intiated.
+
+The following fields are available:
+
+- **dtuErrorCode** Return code from creating the DTU Com Server.
+- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on.
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Escalation
+
+This event is sent when USO takes an Escalation action on a device.
+
+The following fields are available:
+
+- **configVersion** Escalation config version on device.
+- **escalationAction** Indicate the specific escalation action that took place on device.
+- **updateClassificationGUID** GUID of the update the device is offered.
+- **updateId** ID of the update the device is offered.
+- **wuDeviceid** Device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels
-Event sent during update scan, download, install. Indicates that the device is at risk of being out-of-date.
+This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date.
 The following fields are available:
-- **configVersion** Escalation config version on device
-- **downloadElapsedTime** How long since the download is required on device
-- **downloadRiskLevel** At-risk level of download phase
-- **installElapsedTime** How long since the install is required on device
-- **installRiskLevel** At-risk level of install phase
-- **isSediment** WaaSmedic's assessment of whether is device is at risk or not
-- **scanElapsedTime** How long since the scan is required on device
-- **scanRiskLevel** At-risk level of scan phase
-- **wuDeviceid** Device id used by WU
+- **configVersion** Escalation config version on device .
+- **downloadElapsedTime** Indicates how long since the download is required on device.
+- **downloadRiskLevel** At-risk level of download phase.
+- **installElapsedTime** Indicates how long since the install is required on device.
+- **installRiskLevel** The at-risk level of install phase.
+- **isSediment** Assessment of whether is device is at risk.
+- **scanElapsedTime** Indicates how long since the scan is required on device.
+- **scanRiskLevel** At-risk level of the scan phase.
+- **wuDeviceid** Device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.EscalationsRefreshFailed
-USO has a set of escalation actions to prevent a device from becoming out-of-date, and the actions are triggered based on the Escalation config that USO obtains from OneSettings. This event is sent when USO fails to refresh the escalation config from OneSettings.
+USO has a set of escalation actions to prevent a device from becoming out-of-date, and the actions are triggered based on the Escalation configuration that USO obtains from OneSettings. This event is sent when USO fails to refresh the escalation configuration from OneSettings.
 The following fields are available:
-- **configVersion** Current escalation config version on device
-- **errorCode** Error code for the refresh failure
-- **wuDeviceid** Device ID used by WU
+- **configVersion** Current escalation config version on device.
+- **errorCode** Error code for the refresh failure.
+- **wuDeviceid** Device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
-The Update is no longer Applicable to this device
+This event indicates that the update is no longer applicable to this device.
 The following fields are available:
-- **EventPublishedTime** Flight specific info
-- **flightID** Update ID revision number
-- **revisionNumber** Update ID - GUID
-- **updateId** Update session type
-- **updateScenarioType** Last status of update
-- **UpdateStatus** Is UUP fallback configured?
-- **UUPFallBackConfigured** Windows Update Device GUID
-- **wuDeviceid** Windows Update Device GUID
+- **EventPublishedTime** Time when this event was generated
+- **flightID** The specific ID of the Windows Insider build.
+- **revisionNumber** Update revision number.
+- **updateId** Unique Windows Update ID.
+- **updateScenarioType** Update session type.
+- **UpdateStatus** Last status of update.
+- **UUPFallBackConfigured** Indicates whether UUP fallback is configured.
+- **wuDeviceid** Unique Device ID.
 ### Microsoft.Windows.Update.Orchestrator.GameActive
-This event indicates that an enabled GameMode process prevented the device from restarting to complete an update
+This event indicates that an enabled GameMode process prevented the device from restarting to complete an update.
 The following fields are available:
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update
-- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update.
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 ### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
@@ -5099,12 +5614,12 @@ The following fields are available:
 - **EventPublishedTime** Time of the event.
 - **flightID** Unique update ID
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
 - **revisionNumber** Revision number of the update.
 - **updateId** Update ID.
 - **updateScenarioType** The update session type.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
 - **wuDeviceid** Unique device ID used by Windows Update.
@@ -5116,82 +5631,82 @@ The following fields are available:
 - **batteryLevel** Current battery capacity in mWh or percentage left.
 - **deferReason** Reason for install not completing.
-- **eventScenario** End to end update session ID.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightUpdate** Indicates whether the update is a Windows Insider build.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
 - **interactive** Identifies if session is user initiated.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **minutesToCommit** The time it took to install updates.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
 - **updateScenarioType** The update session type.
 - **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
 - **wuDeviceid** Unique device ID used by Windows Update.
-- **flightID** Unique update ID
-- **flightUpdate** Flight update
-- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
-- **installRebootinitiatetime** The time it took for a reboot to be attempted.
-- **minutesToCommit** The time it took to install updates.
-- **revisionNumber** Update revision number.
-- **updateId** Update ID.
-- **errorCode** The error code reppresented by a hexadecimal value.
-- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
 ### Microsoft.Windows.Update.Orchestrator.PostInstall
-Event sent after Update install completes.
+This event is sent after a Windows update install completes.
 The following fields are available:
-- **batteryLevel** Battery level percentage
-- **bundleId** Update ID - GUID
-- **bundleRevisionnumber** Update ID revision number
-- **errorCode** Error value
-- **eventScenario** State of update action
-- **sessionType** Update session type
-- **wuDeviceid** Windows Update device GUID
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **bundleId** Identifier associated with the specific content bundle.
+- **bundleRevisionnumber** Identifies the revision number of the content bundle.
+- **errorCode** The error code returned for the current phase.
+- **eventScenario** State of update action.
 - **flightID** The flight ID of the device
-- **updateScenarioType** The scenario type of this update
+- **sessionType** The Windows Update session type (Interactive or Background).
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
-This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
 The following fields are available:
-- **powermenuNewOptions** The new options after the power menu changed
-- **powermenuOldOptions** The old options before the power menu changed
-- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, how long that reboot has been pending
-- **wuDeviceid** If the power menu changed because a reboot is pending due to a update, the device ID recorded by WU
+- **powermenuNewOptions** The new options after the power menu changed.
+- **powermenuOldOptions** The old options before the power menu changed.
+- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, this indicates how long that reboot has been pending.
+- **wuDeviceid** The device ID recorded by Windows Update if the power menu changed because a reboot is pending due to an update.
 ### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
-This event is generated right before the shutdown and commit operations
+This event is generated before the shutdown and commit operations.
 The following fields are available:
-- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 ### Microsoft.Windows.Update.Orchestrator.Progress
-Event sent when the download of a update reaches a milestone change, such as network cost policy changed, a internal phase has completed, or a transient state has changed.
+This event is sent when the download of a update reaches a milestone change, such as a change in network cost policy, completion of an internal phase, or change in a transient state.
 The following fields are available:
-- **errorCode** Error info
-- **flightID** Flight info
-- **interactive** Is USO session interactive or non-interactive?
-- **networkCostPolicy** The current network cost policy on device
-- **revisionNumber** Update ID revision number
-- **updateId** Update ID - GUID
-- **updateScenarioType** Update Session type
-- **updateState** Subphase of the download
-- **UpdateStatus** Subphase of the update
-- **wuDeviceid** Device ID
+- **errorCode** Error code returned.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Identifies whether the session is user initiated.
+- **networkCostPolicy** The current network cost policy on device.
+- **revisionNumber** Update ID revision number.
+- **updateId** Unique ID for each update.
+- **updateScenarioType** Update Session type.
+- **updateState** Subphase of the download.
+- **UpdateStatus** Subphase of the update.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.RebootFailed
-This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
 The following fields are available:
@@ -5199,7 +5714,7 @@ The following fields are available:
 - **deferReason** Reason for install not completing.
 - **EventPublishedTime** The time that the reboot failure occurred.
 - **flightID** Unique update ID.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours.
 - **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
@@ -5215,25 +5730,25 @@ This event sends data indicating that a reboot task is missing unexpectedly on a
 The following fields are available:
 - **RebootTaskRestoredTime** Time at which this reboot task was restored.
-- **wuDeviceid** Device id on which the reboot is restored
+- **wuDeviceid** Device ID for the device on which the reboot is restored.
 ### Microsoft.Windows.Update.Orchestrator.ScanTriggered
-Indicates that Update Orchestrator has started a scan operation.
+This event indicates that Update Orchestrator has started a scan operation.
 The following fields are available:
-- **errorCode** Error info
-- **eventScenario** Indicates the purpose of sending this event
-- **interactive** Whether or not the scan is interactive.
-- **isScanPastSla** Has the SLA elapsed for scanning?
-- **isScanPastTriggerSla** Has the SLA elapsed for triggering a scan?
-- **minutesOverScanSla** How many minutes over the scan SLA is the scan?
-- **minutesOverScanTriggerSla** How many minutes over the scan trigger SLA is the scan?
-- **scanTriggerSource** What caused the scan?
-- **updateScenarioType** The type of scenario we are in.
-- **wuDeviceid** WU Device ID of the machine.
+- **errorCode** The error code returned for the current scan operation.
+- **eventScenario** Indicates the purpose of sending this event.
+- **interactive** Indicates whether the scan is interactive.
+- **isScanPastSla** Indicates whether the SLA has elapsed for scanning.
+- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan.
+- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA.
+- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA.
+- **scanTriggerSource** Indicates what caused the scan.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.SystemNeeded
@@ -5242,10 +5757,10 @@ This event sends data about why a device is unable to reboot, to help keep Windo
 The following fields are available:
-- **eventScenario** End to end update session ID.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **eventScenario** End-to-end update session ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
 - **revisionNumber** Update revision number.
-- **systemNeededReason** Reason ID
+- **systemNeededReason** List of apps or tasks that are preventing the system from restarting.
 - **updateId** Update ID.
 - **updateScenarioType** The update session type.
 - **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
@@ -5254,26 +5769,26 @@ The following fields are available:
 ### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
-Update activity was stopped due to active hours starting.
+This event indicates that update activity was stopped due to active hours starting.
 The following fields are available:
-- **activeHoursEnd** The end of the active hours window
-- **activeHoursStart** The start of the active hours window
-- **updatePhase** The current state of the update process
-- **wuDeviceid** Device ID
+- **activeHoursEnd** The end of the active hours window.
+- **activeHoursStart** The start of the active hours window.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
 ### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel
-Update activity was stopped due to a low battery level.
+This event is sent when update activity was stopped due to a low battery level.
 The following fields are available:
-- **batteryLevel** The current battery charge capacity
-- **batteryLevelThreshold** The battery capacity threshold to stop update activity
-- **updatePhase** The current state of the update process
-- **wuDeviceid** Device ID
+- **batteryLevel** The current battery charge capacity.
+- **batteryLevelThreshold** The battery capacity threshold to stop update activity.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
 ### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
@@ -5282,10 +5797,10 @@ This event sends data on whether Update Management Policies were enabled on a de
 The following fields are available:
-- **configuredPoliciescount** Policy Count
-- **policiesNamevaluesource** Policy Name
-- **policyCacherefreshtime** Refresh time
-- **updateInstalluxsetting** This shows whether a user has set policies via UX option
+- **configuredPoliciescount** Number of policies on the device.
+- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight).
+- **policyCacherefreshtime** Time when policy cache was refreshed.
+- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option.
 - **wuDeviceid** Unique device ID used by Windows Update.
@@ -5295,8 +5810,8 @@ This event sends data about whether an update required a reboot to help keep Win
 The following fields are available:
-- **flightID** Unique update ID.
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
 - **updateScenarioType** The update session type.
@@ -5324,21 +5839,21 @@ The following fields are available:
 ### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
-The RebootScheduled event sends basic information for scheduling a update related reboot to facilitate the flow of getting security updates and keeping Windows up to date.
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date.
 The following fields are available:
-- **activeHoursApplicable** Whether Active Hours applies.
-- **rebootArgument** The reboot arguments
-- **rebootOutsideOfActiveHours** If reboot was outside of Active Hours
-- **rebootScheduledByUser** If the reboot was scheduled by the user, or the system.
-- **rebootState** Which state the reboot is in
-- **revisionNumber** Revision number of the OS
-- **scheduledRebootTime** Time the reboot was scheduled for.
-- **scheduledRebootTimeInUTC** Time the reboot was scheduled for in UTC
-- **updateId** UpdateId to identify which update is being scheduled.
-- **wuDeviceid** Unique DeviceID
-- **IsEnhancedEngagedReboot** If Enhanced reboot was enabled.
+- **activeHoursApplicable** Indicates whether Active Hours applies on this device.
+- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled.
+- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **rebootState** Current state of the reboot.
+- **revisionNumber** Revision number of the OS.
+- **scheduledRebootTime** Time scheduled for the reboot.
+- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC.
+- **updateId** Identifies which update is being scheduled.
+- **wuDeviceid** Unique device ID used by Windows Update.
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot 
@@ -5353,34 +5868,34 @@ This event is sent when MUSE broker schedules a task.
 The following fields are available:
-- **TaskArgument** The arguments with which the task is scheduled.
-- **TaskName** Name of the task.
+- **TaskArgument** The arguments which the task is scheduled with
+- **TaskName** Name of the task
 ## Windows Update mitigation events
 ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
-This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
 The following fields are available:
-- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
-- **MitigationScenario** The update scenario in which the mitigation was executed.
-- **MountedImageCount** Number of mounted images.
-- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT.
-- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
-- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
-- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** HResult of this operation.
-- **ScenarioId** ID indicating the mitigation scenario.
-- **ScenarioSupported** Indicates whether the scenario was supported.
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each Update.
-- **WuId** Unique ID for the Windows Update client.
+- **ClientId** Unique identifier for each flight.
+- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
+- **InstanceId** The update scenario in which the mitigation was executed.
+- **MitigationScenario** Number of mounted images.
+- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT.
+- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed.
+- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed.
+- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT.
+- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** HResult of this operation.
+- **Result** ID indicating the mitigation scenario.
+- **ScenarioId** Indicates whether the scenario was supported.
+- **ScenarioSupported** Unique value for each update attempt.
+- **SessionId** Unique ID for each Update.
+- **UpdateId** Unique ID for the Windows Update client.
+- **WuId** Unique ID for the Windows Update client.
 ### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints
@@ -5389,19 +5904,19 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O
 The following fields are available:
-- **ClientId** Unique identifier for each flight.
-- **FlightId** Unique GUID that identifies each instances of setuphost.exe.
-- **InstanceId** The update scenario in which the mitigation was executed.
-- **MitigationScenario** Correlation vector value generated from the latest USO scan.
-- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them.
-- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation.
-- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required.
-- **ReparsePointsSkipped** HResult of this operation.
-- **Result** ID indicating the mitigation scenario.
-- **ScenarioId** Indicates whether the scenario was supported.
-- **ScenarioSupported** Unique value for each update attempt.
-- **SessionId** Unique ID for each Update.
-- **UpdateId** Unique ID for the Windows Update client.
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them.
+- **ReparsePointsFixed** Number of reparse points that were corrupted and were fixed by this mitigation.
+- **ReparsePointsSkipped** Number of reparse points that are not corrupted and no action is required.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each Update.
 - **WuId** Unique ID for the Windows Update client.
@@ -5411,20 +5926,29 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda
 The following fields are available:
-- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **EditionIdUpdated** Determine whether EditionId was changed.
-- **FlightId** Unique identifier for each flight.
-- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
-- **MitigationScenario** The update scenario in which the mitigation was executed.
+- **FlightId** Unique identifier for each flight.
+- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
+- **MitigationScenario** The update scenario in which the mitigation was executed.
 - **ProductEditionId** Expected EditionId value based on GetProductInfo.
 - **ProductType** Value returned by GetProductInfo.
 - **RegistryEditionId** EditionId value in the registry.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** HResult of this operation.
-- **ScenarioId** ID indicating the mitigation scenario.
-- **ScenarioSupported** Indicates whether the scenario was supported.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** HResult of this operation.
+- **ScenarioId** ID indicating the mitigation scenario.
+- **ScenarioSupported** Indicates whether the scenario was supported.
 - **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
-- **WuId** Unique ID for the Windows Update client.
+- **UpdateId** Unique ID for each update.
+- **WuId** Unique ID for the Windows Update client.
+
+
+## Winlogon events
+
+### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
+
+This event signals the completion of the setup process. It happens only once during the first logon.
+
+
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
new file mode 100644
index 0000000000..634376dd9a
--- /dev/null
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -0,0 +1,4661 @@
+---
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10)
+keywords: privacy, telemetry
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 09/10/2018
+---
+
+
+# Windows 10, version 1809 basic level Windows diagnostic events and fields
+
+ **Applies to**
+
+- Windows 10, version 1809
+
+
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
+
+The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+
+- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
+- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+
+
+
+## AppLocker events
+
+### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically
+
+Automatically closed activity for start/stop operations that aren't explicitly closed.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.AddParams
+
+Parameters passed to Add function of the AppLockerCSP Node.
+
+The following fields are available:
+
+- **child** The child URI of the node to add.
+- **uri** URI of the node relative to %SYSTEM32%/AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.AddStart
+
+Start of "Add" Operation for the AppLockerCSP Node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.AddStop
+
+End of "Add" Operation for AppLockerCSP Node.
+
+The following fields are available:
+
+- **hr** The HRESULT returned by Add function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback
+
+Result of the 'Rollback' operation in AppLockerCSP.
+
+The following fields are available:
+
+- **oldId** Previous id for the CSP transaction.
+- **txId** Current id for the CSP transaction.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ClearParams
+
+Parameters passed to the "Clear" operation for AppLockerCSP.
+
+The following fields are available:
+
+- **uri** The URI relative to the %SYSTEM32%\AppLocker folder.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ClearStart
+
+Start of the "Clear" operation for the AppLockerCSP Node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ClearStop
+
+End of the "Clear" operation for the AppLockerCSP node.
+
+The following fields are available:
+
+- **hr** HRESULT reported at the end of the 'Clear' function.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart
+
+Start of the "ConfigManagerNotification" operation for AppLockerCSP.
+
+The following fields are available:
+
+- **NotifyState** State sent by ConfigManager to AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop
+
+End of the "ConfigManagerNotification" operation for AppLockerCSP.
+
+The following fields are available:
+
+- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams
+
+Parameters passed to the CreateNodeInstance function of the AppLockerCSP node.
+
+The following fields are available:
+
+- **NodeId** NodeId passed to CreateNodeInstance.
+- **nodeOps** NodeOperations parameter passed to CreateNodeInstance.
+- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart
+
+Start of the "CreateNodeInstance" operation for the AppLockerCSP node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop
+
+End of the "CreateNodeInstance" operation for the AppLockerCSP node
+
+The following fields are available:
+
+- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams
+
+Parameters passed to the DeleteChild function of the AppLockerCSP node.
+
+The following fields are available:
+
+- **child** The child URI of the node to delete.
+- **uri** URI relative to %SYSTEM32%\AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart
+
+Start of the "DeleteChild" operation for the AppLockerCSP node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop
+
+End of the "DeleteChild" operation for the AppLockerCSP node.
+
+The following fields are available:
+
+- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies
+
+Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present.
+
+The following fields are available:
+
+- **uri** URI relative to %SYSTEM32%\AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams
+
+Parameters passed to the GetChildNodeNames function of the AppLockerCSP node.
+
+The following fields are available:
+
+- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart
+
+Start of the "GetChildNodeNames" operation for the AppLockerCSP node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop
+
+End of the "GetChildNodeNames" operation for the AppLockerCSP node.
+
+The following fields are available:
+
+- **child[0]** If function succeeded, the first child's name, else "NA".
+- **count** If function succeeded, the number of child node names returned by the function, else 0.
+- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.GetLatestId
+
+The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID).
+
+The following fields are available:
+
+- **dirId** The latest directory identifier found by GetLatestId.
+- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.HResultException
+
+HRESULT thrown by any arbitrary function in AppLockerCSP.
+
+The following fields are available:
+
+- **file** File in the OS code base in which the exception occurs.
+- **function** Function in the OS code base in which the exception occurs.
+- **hr** HRESULT that is reported.
+- **line** Line in the file in the OS code base in which the exception occurs.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.SetValueParams
+
+Parameters passed to the SetValue function of the AppLockerCSP node.
+
+The following fields are available:
+
+- **dataLength** Length of the value to set.
+- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.SetValueStart
+
+Start of the "SetValue" operation for the AppLockerCSP node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.SetValueStop
+
+End of the "SetValue" operation for the AppLockerCSP node.
+
+The following fields are available:
+
+- **hr** HRESULT returned by the SetValue function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies
+
+EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed.
+
+The following fields are available:
+
+- **uri** URI for node relative to %SYSTEM32%/AppLocker.
+
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+
+The following fields are available:
+
+- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
+- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers.
+- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **DatasourceDevicePnp_RS2** The count of DatasourceApplicationFile objects present on this machine targeting the next release of Windows
+- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
+- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
+- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device.
+- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
+- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoBlock_RS2** The count of DatasourceDevicePnp objects present on this machine targeting the next release of Windows
+- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS2** The count of DatasourceDriverPackage objects present on this machine targeting the next release of Windows
+- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
+- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
+- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **DecisionDevicePnp_RS2** The count of DataSourceMatchingInfoBlock objects present on this machine targeting the next release of Windows
+- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
+- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device.
+- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
+- **DecisionMatchingInfoBlock_RS2** The count of DataSourceMatchingInfoPassive objects present on this machine targeting the next release of Windows
+- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPostUpgrade_RS2** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
+- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
+- **DecisionMediaCenter_RS2** The count of DatasourceSystemBios objects present on this machine targeting the next release of Windows
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
+- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device.
+- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device.
+- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
+- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
+- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
+- **InventorySystemBios** The count of the number of this particular object type present on this device.
+- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
+- **PCFP** The count of the number of this particular object type present on this device.
+- **SystemMemory** The count of the number of this particular object type present on this device.
+- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
+- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
+- **SystemProcessorNx** The count of the number of this particular object type present on this device.
+- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device.
+- **SystemProcessorSse2** The count of the number of this particular object type present on this device.
+- **SystemTouch** The count of the number of this particular object type present on this device.
+- **SystemWim** The count of the number of this particular object type present on this device.
+- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
+- **SystemWlan** The count of the number of this particular object type present on this device.
+- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
+- **Wmdrm_RS2** The count of InventoryLanguagePack objects present on this machine.
+- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
+- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
+- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device.
+- **Wmdrm_TH1** The count of the number of this particular object type present on this device.
+- **Wmdrm_TH2** The count of the number of this particular object type present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
+
+Represents the basic metadata about specific application files installed on the system.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **AvDisplayName** If the app is an anti-virus app, this is its display name.
+- **CompatModelIndex** The compatibility prediction for this file.
+- **HasCitData** Indicates whether the file is present in CIT data.
+- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file.
+- **IsAv** Is the file an anti-virus reporting EXE?
+- **ResolveAttempted** This will always be an empty string when sending telemetry.
+- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+
+This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **ActiveNetworkConnection** Indicates whether the device is an active network device.
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **IsBootCritical** Indicates whether the device boot is critical.
+- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update.
+- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver.
+- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
+
+This event sends compatibility database data about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
+
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
+
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
+
+This event indicates that the DatasourceSystemBios object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
+
+This event sends compatibility decision data about a file to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
+- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question.
+- **DisplayGenericMessage** Will be a generic message be shown for this file?
+- **HardBlock** This file is blocked in the SDB.
+- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
+- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
+- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
+- **NeedsDismissAction** Will the file cause an action that can be dimissed?
+- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
+- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade?
+- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app.
+- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade.
+- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB,
+- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
+- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SoftBlock** The file is softblocked in the SDB and has a warning.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a PNP device to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked?
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
+- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
+- **BlockingDevice** Is this PNP device blocking upgrade?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
+- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
+- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block?
+- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage** Will a generic message be shown for this block?
+- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade** Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
+
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterInUse** Is Windows Media Center actively being used?
+- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
+
+This event indicates that the DecisionMediaCenter object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
+
+This event sends compatibility decision data about the BIOS to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device blocked from upgrade due to a BIOS block?
+- **HasBiosBlock** Does the device have a BIOS block?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
+
+This event indicates that the DecisionSystemBios object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **NewData** The data in the registry value after the scan completed.
+- **OldData** The previous data in the registry value before the scan ran.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RegKey** The registry key name for which a result is being sent.
+- **RegValue** The registry value for which a result is being sent.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **AvDisplayName** If the app is an antivirus app, this is its display name.
+- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date.
+- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
+- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName** The company name of the vendor who developed this file.
+- **FileId** A hash that uniquely identifies a file.
+- **FileVersion** The File version field from the file metadata under Properties -> Details.
+- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file.
+- **IsAv** Indicates whether the file an antivirus reporting EXE.
+- **LinkDate** The date and time that this file was linked on.
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
+- **Name** The name of the file that was inventoried.
+- **ProductName** The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion** The Product version field from the file metadata under Properties -> Details.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size** The size of the file (in hexadecimal bytes).
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **HasLanguagePack** Indicates whether this device has 2 or more language packs.
+- **LanguagePackCount** The number of language packs are installed.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
+
+This event indicates that the InventoryLanguagePack object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **EverLaunched** Has Windows Media Center ever been launched?
+- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center?
+- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured?
+- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch?
+- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files?
+- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
+- **IsSupported** Does the running OS support Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
+
+This event indicates that the InventoryMediaCenter object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
+
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **biosDate** The release date of the BIOS in UTC format.
+- **BiosDate** The release date of the BIOS in UTC format.
+- **biosName** The name field from Win32_BIOS.
+- **BiosName** The name field from Win32_BIOS.
+- **manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **Manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **model** The model field from Win32_ComputerSystem.
+- **Model** The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
+
+This event indicates that the InventorySystemBios object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BootCritical** Is the driver package marked as boot critical?
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **Class** The device class from the driver package.
+- **ClassGuid** The device class unique ID from the driver package.
+- **Date** The date from the driver package.
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU.
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file after it was renamed.
+- **Revision** The revision of the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event indicates what should be expected in the data payload.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated** Was a memory requirement violated?
+- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram** The amount of memory on the device.
+- **ramKB** The amount of memory (in KB).
+- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB** The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
+
+This event that the SystemMemory object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **CompareExchange128Support** Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
+
+This event indicates that the SystemProcessorCompareExchange object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **LahfSahfSupport** Does the CPU support LAHF/SAHF?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+
+This event indicates that the SystemProcessorLahfSahf object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport** Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
+
+This event indicates that the SystemProcessorNx object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **PrefetchWSupport** Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
+
+This event indicates that the SystemProcessorPrefetchW object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
+
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport** Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
+
+This event indicates that the SystemProcessorSse2 object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer?
+- **MaximumTouches** The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+This event indicates that the SystemTouch object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IsWimBoot** Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimRemove
+
+This event indicates that the SystemWim object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision** Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanRemove
+
+This event indicates that the SystemWlan object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AuxFinal** Obsolete, always set to false.
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InboxDataVersion** The original version of the data files before retrieving any newer version.
+- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The hresult of the Appraiser telemetry run.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **TelementrySent** Indicates if telemetry was successfully sent.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **Time** The client time of the event.
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Same as NeedsDismissAction.
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmRemove
+
+This event indicates that the Wmdrm object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+This event indicates that a new set of WmdrmAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+## Census events
+
+### Census.App
+
+Provides information on IE and Census versions running on the device
+
+The following fields are available:
+
+- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run.
+- **AppraiserErrorCode** The error code of the last Appraiser run.
+- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run.
+- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed.
+- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run.
+- **AppraiserTaskEnabled** Whether the Appraiser task is enabled.
+- **AppraiserTaskExitCode** The Appraiser task exist code.
+- **AppraiserTaskLastRun** The last runtime for the Appraiser task.
+- **CensusVersion** The version of Census that generated the current data for this device.
+- **IEVersion** IE version running on the device.
+
+
+### Census.Battery
+
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalBatteryCapablities** Represents information about what the battery is capable of doing.
+- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear.
+- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
+- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
+- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+
+
+### Census.Camera
+
+This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
+- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+
+The following fields are available:
+
+- **AADDeviceId** Azure Active Directory device ID.
+- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
+- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **CDJType** Represents the type of cloud domain joined for the machine.
+- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
+- **ContainerType** The type of container, such as process or virtual machine hosted.
+- **EnrollmentType** Defines the type of MDM enrollment on the device.
+- **HashedDomain** The hashed representation of the user domain used for login.
+- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsDERequirementMet** Represents if the device can do device encryption.
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
+- **IsDomainJoined** Indicates whether a machine is joined to a domain.
+- **IsEDPEnabled** Represents if Enterprise data protected on the device.
+- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
+- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+
+
+### Census.Firmware
+
+This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS).
+- **FirmwareReleaseDate** Represents the date the current firmware was released.
+- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI.
+- **FirmwareVersion** Represents the version of the current firmware.
+
+
+### Census.Flighting
+
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
+- **FlightIds** A list of the different Windows Insider builds on this device.
+- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
+- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
+- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **SSRK** Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActiveMicCount** The number of active microphones attached to the device.
+- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **D3DMaxFeatureLevel** Supported Direct3D version.
+- **DeviceForm** Indicates the form as per the device classification.
+- **DeviceName** The device name that is set by the user.
+- **DigitizerSupport** Is a digitizer supported?
+- **DUID** The device unique ID.
+- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation).
+- **InventoryId** The device ID used for compatibility testing.
+- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass).
+- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.)
+- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelBaseBoard** The baseboard model used by the OEM.
+- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
+- **OEMModelName** The device model name.
+- **OEMModelNumber** The device model number.
+- **OEMModelSKU** The device edition that is defined by the manufacturer.
+- **OEMModelSystemFamily** The system family set on the device by an OEM.
+- **OEMModelSystemVersion** The system model version set on the device by the OEM.
+- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber** The serial number of the device that is set by the manufacturer.
+- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. 
This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users.
+- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). 
The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+- **NetworkCost** Represents the network cost associated with a connection.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+
+
+### Census.PrivacySettings
+
+This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. 
The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
+
+The following fields are available:
+
+- **Activity** Current state of the activity history setting.
+- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting.
+- **ActivityHistoryCollection** Current state of the activity history collection setting.
+- **AdvertisingId** Current state of the advertising ID setting.
+- **AppDiagnostics** Current state of the app diagnostics setting.
+- **Appointments** Current state of the calendar setting.
+- **AppointmentsSystem** Current state of the calendar setting.
+- **Bluetooth** Current state of the Bluetooth capability setting.
+- **BluetoothSync** Current state of the Bluetooth sync capability setting.
+- **BroadFileSystemAccess** Current state of the broad file system access setting.
+- **CellularData** Current state of the cellular data capability setting.
+- **Chat** Current state of the chat setting.
+- **ChatSystem** Current state of the chat setting.
+- **Contacts** Current state of the contacts setting.
+- **ContactsSystem** Current state of the Contacts setting.
+- **DocumentsLibrary** Current state of the documents library setting.
+- **Email** Current state of the email setting.
+- **EmailSystem** Current state of the email setting.
+- **FindMyDevice** Current state of the "find my device" setting.
+- **GazeInput** Current state of the gaze input setting.
+- **HumanInterfaceDevice** Current state of the human interface device setting.
+- **InkTypeImprovement** Current state of the improve inking and typing setting.
+- **Location** Current state of the location setting.
+- **LocationHistory** Current state of the location history setting.
+- **LocationHistoryCloudSync** Current state of the location history cloud sync setting.
+- **LocationHistoryOnTimeline** Current state of the location history on timeline setting.
+- **Microphone** Current state of the microphone setting.
+- **PhoneCall** Current state of the phone call setting.
+- **PhoneCallHistory** Current state of the call history setting.
+- **PhoneCallHistorySystem** Current state of the call history setting.
+- **PicturesLibrary** Current state of the pictures library setting.
+- **Radios** Current state of the radios setting.
+- **SensorsCustom** Current state of the custom sensor setting.
+- **SerialCommunication** Current state of the serial communication setting.
+- **Sms** Current state of the text messaging setting.
+- **SpeechPersonalization** Current state of the speech services setting.
+- **USB** Current state of the USB setting.
+- **UserAccountInformation** Current state of the account information setting.
+- **UserDataTasks** Current state of the tasks setting.
+- **UserDataTasksSystem** Current state of the tasks setting.
+- **UserNotificationListener** Current state of the notifications setting.
+- **VideosLibrary** Current state of the videos library setting.
+- **Webcam** Current state of the camera setting.
+- **WiFiDirect** Current state of the Wi-Fi direct setting.
+
+
+### Census.Processor
+
+Provides information on several important data points about Processor settings
+
+The following fields are available:
+
+- **KvaShadow** Microcode info of the processor.
+- **MMSettingOverride** Microcode setting of the processor.
+- **MMSettingOverrideMask** Microcode setting override of the processor.
+- **PreviousUpdateRevision** Previous microcode revision
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
+- **ProcessorClockSpeed** Clock speed of the processor in MHz.
+- **ProcessorCores** Number of logical cores in the processor.
+- **ProcessorIdentifier** Processor Identifier of a manufacturer.
+- **ProcessorManufacturer** Name of the processor manufacturer.
+- **ProcessorModel** Name of the processor model.
+- **ProcessorPhysicalCores** Number of physical cores in the processor.
+- **ProcessorUpdateRevision** Microcode revision
+- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status
+- **SocketCount** Count of CPU sockets.
+- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+
+
+### Census.Security
+
+This event provides information on about security settings used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard.
+- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
+- **DGState** This field summarizes the Device Guard state.
+- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
+- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest.
+- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host.
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
+- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **SModeState** The Windows S mode trail state.
+- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running.
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device.
+
+The following fields are available:
+
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **KeyVer** Version information for the census speech event.
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference.
+
+
+### Census.Storage
+
+This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
+- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
+
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage** The current user Default App Language.
+- **DisplayLanguage** The current user preferred Windows Display Language.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
+- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
+
+
+### Census.UserPrivacySettings
+
+This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
+
+The following fields are available:
+
+- **Activity** Current state of the activity history setting.
+- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting.
+- **ActivityHistoryCollection** Current state of the activity history collection setting.
+- **AdvertisingId** Current state of the advertising ID setting.
+- **AppDiagnostics** Current state of the app diagnostics setting.
+- **Appointments** Current state of the calendar setting.
+- **AppointmentsSystem** Current state of the calendar setting.
+- **Bluetooth** Current state of the Bluetooth capability setting.
+- **BluetoothSync** Current state of the Bluetooth sync capability setting.
+- **BroadFileSystemAccess** Current state of the broad file system access setting.
+- **CellularData** Current state of the cellular data capability setting.
+- **Chat** Current state of the chat setting.
+- **ChatSystem** Current state of the chat setting.
+- **Contacts** Current state of the contacts setting.
+- **ContactsSystem** Current state of the contacts setting.
+- **DocumentsLibrary** Current state of the documents library setting.
+- **Email** Current state of the email setting.
+- **EmailSystem** Current state of the email setting.
+- **GazeInput** Current state of the gaze input setting.
+- **HumanInterfaceDevice** Current state of the human interface device setting.
+- **InkTypeImprovement** Current state of the improve inking and typing setting.
+- **InkTypePersonalization** Current state of the inking and typing personalization setting.
+- **Location** Current state of the location setting.
+- **LocationHistory** Current state of the location history setting.
+- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting.
+- **LocationHistoryOnTimeline** Current state of the location history on timeline setting.
+- **Microphone** Current state of the microphone setting.
+- **PhoneCall** Current state of the phone call setting.
+- **PhoneCallHistory** Current state of the call history setting.
+- **PhoneCallHistorySystem** Current state of the call history setting.
+- **PicturesLibrary** Current state of the pictures library setting.
+- **Radios** Current state of the radios setting.
+- **SensorsCustom** Current state of the custom sensor setting.
+- **SerialCommunication** Current state of the serial communication setting.
+- **Sms** Current state of the text messaging setting.
+- **SpeechPersonalization** Current state of the speech services setting.
+- **USB** Current state of the USB setting.
+- **UserAccountInformation** Current state of the account information setting.
+- **UserDataTasks** Current state of the tasks setting.
+- **UserDataTasksSystem** Current state of the tasks setting.
+- **UserNotificationListener** Current state of the notifications setting.
+- **VideosLibrary** Current state of the videos library setting.
+- **Webcam** Current state of the camera setting.
+- **WiFiDirect** Current state of the Wi-Fi direct setting.
+
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **IsVDI** Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. 
Default: [2] Not configured
+- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUPauseState** Retrieves WU setting to determine if updates are paused.
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId** Retrieves the unique device ID of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft.
+
+
+## Common data extensions
+
+### Common Data Extensions.app
+
+Describes the properties of the running application. This extension could be populated by a client app or a web app.
+
+The following fields are available:
+
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **env** The environment from which the event was logged.
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **locale** The locale of the app.
+- **name** The name of the app.
+- **userId** The userID as known by the application.
+- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+
+
+### Common Data Extensions.container
+
+Describes the properties of the container for events logged within a container.
+
+The following fields are available:
+
+- **epoch** An ID that's incremented for each SDK initialization.
+- **localId** The device ID as known by the client.
+- **osVer** The operating system version.
+- **seq** An ID that's incremented for each event.
+- **type** The container type. Examples: Process or VMHost
+
+
+### Common Data Extensions.cs
+
+Describes properties related to the schema of the event.
+
+The following fields are available:
+
+- **sig** A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.device
+
+Describes the device-related fields.
+
+The following fields are available:
+
+- **deviceClass** The device classification. For example, Desktop, Server, or Mobile.
+- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **make** Device manufacturer.
+- **model** Device model.
+
+
+### Common Data Extensions.Envelope
+
+Represents an envelope that contains all of the common data extensions.
+
+The following fields are available:
+
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **data** Represents the optional unique diagnostic data for a particular event schema.
+- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
+- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs).
+- **ext_device** Describes the device-related fields. 
See [Common Data Extensions.device](#common-data-extensionsdevice).
+- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
+- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts).
+- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
+- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
+- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc).
+- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl).
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **name** Represents the uniquely qualified name for the event.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.os
+
+Describes some properties of the operating system.
+
+The following fields are available:
+
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **name** Represents the operating system name.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.receipts
+
+Represents various time information as provided by the client and helps for debugging purposes.
+
+The following fields are available:
+
+- **originalTime** The original event time.
+- **uploadTime** The time the event was uploaded.
+
+
+### Common Data Extensions.sdk
+
+Used by platform specific libraries to record fields that are required for a specific SDK.
+
+The following fields are available:
+
+- **epoch** An ID that is incremented for each SDK initialization.
+- **installId** An ID that's created during the initialization of the SDK for the first time.
+- **libVer** The SDK version.
+- **seq** An ID that is incremented for each event.
+
+
+### Common Data Extensions.user
+
+Describes the fields related to a user.
+
+The following fields are available:
+
+- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
+- **locale** The language and region.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.utc
+
+Describes the properties that could be populated by a logging library on Windows.
+
+The following fields are available:
+
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
+- **op** Represents the ETW Op Code.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+
+
+### Common Data Extensions.xbl
+
+Describes the fields that are related to XBOX Live.
+
+The following fields are available:
+
+- **claims** Any additional claims whose short claim name hasn't been added to this structure.
+- **did** XBOX device ID
+- **dty** XBOX device type
+- **dvr** The version of the operating system on the device.
+- **eid** A unique ID that represents the developer entity.
+- **exp** Expiration time
+- **ip** The IP address of the client device.
+- **nbf** Not before time
+- **pid** A comma separated list of PUIDs listed as base10 numbers.
+- **sbx** XBOX sandbox identifier
+- **sid** The service instance ID.
+- **sty** The service type.
+- **tid** The XBOX Live title ID.
+- **tvr** The XBOX Live title version.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. 
This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Component-based servicing events + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. 
+
+The following fields are available:
+
+- **ClientId** The client ID of the user utilizing the D360 API.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Quiet** Whether Setup will run in quiet mode or full mode.
+- **RelatedCV** The correlation vector (CV) of any other related events.
+- **SetupMode** The current setup phase.
+
+
+### DeploymentTelemetry.Deployment_SetupBoxResult
+
+This event indicates that the Deployment 360 APIs have received a return from Setup Box.
+
+The following fields are available:
+
+- **ClientId** Client ID of the user utilizing the D360 API.
+- **ErrorCode** Error code of the action.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Quiet** Indicates whether Setup will run in quiet mode or full mode.
+- **RelatedCV** The correlation vector (CV) of any other related events.
+- **SetupMode** The current Setup phase.
+
+
+### DeploymentTelemetry.Deployment_Start
+
+This event indicates that a Deployment 360 API has been called.
+
+The following fields are available:
+
+- **ClientId** Client ID of the user utilizing the D360 API.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Mode** The current phase of the upgrade.
+- **RelatedCV** The correlation vector (CV) of any other related events.
+
+
+## Diagnostic data events
+
+### TelClientSynthetic.AbnormalShutdown_0
+
+This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event.
+- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in.
+- **BatteryLevelAtLastShutdown** The last recorded battery level.
+- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown.
+- **CrashDumpEnabled** Are crash dumps enabled?
+- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset.
+- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported.
+- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware.
+- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware.
+- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware.
+- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware.
+- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not.
+- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType.
+- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset.
+- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not.
+- **LastBugCheckBootId** bootId of the last captured crash.
+- **LastBugCheckCode** Code that indicates the type of error.
+- **LastBugCheckContextFlags** Additional crash dump settings.
+- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save.
+- **LastBugCheckOtherSettings** Other crash dump settings.
+- **LastBugCheckParameter1** The first parameter with additional info on the type of the error.
+- **LastBugCheckProgress** Progress towards writing out the last crash dump.
+- **LastBugCheckVersion** The version of the information struct written during the crash.
+- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown.
+- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button.
+- **OOBEInProgress** Identifies if OOBE is running.
+- **OSSetupInProgress** Identifies if the operating system setup is running.
+- **PowerButtonCumulativePressCount** How many times has the power button been pressed?
+- **PowerButtonCumulativeReleaseCount** How many times has the power button been released?
+- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics.
+- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed.
+- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed.
+- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released.
+- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released.
+- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed.
+- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed.
+- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
+- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
+- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
+- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
+- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid.
+- **StaleBootStatData** Identifies if the data from bootstat is stale.
+- **TransitionInfoBootId** BootId of the captured transition info.
+- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode.
+- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode.
+- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode.
+- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode.
+- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp,
+- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved.
+- **TransitionInfoLidState** Describes the state of the laptop lid.
+- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed.
+- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode.
+- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode.
+- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running.
+- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed.
+- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed.
+- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition.
+- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint.
+- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational.
+- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel.
+- **CensusExitCode** The last exit code of the Census task.
+- **CensusStartTime** Time of last Census run.
+- **CensusTaskEnabled** True if Census is enabled, false otherwise.
+- **CompressedBytesUploaded** Number of compressed bytes uploaded.
+- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client.
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB.
+- **DbCriticalDroppedCount** Total number of dropped critical events in event DB.
+- **DbDroppedCount** Number of events dropped due to DB fullness.
+- **DbDroppedFailureCount** Number of events dropped due to DB failures.
+- **DbDroppedFullCount** Number of events dropped due to DB fullness.
+- **DecodingDroppedCount** Number of events dropped due to decoding failures.
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session.
+- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client.
+- **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC.
+- **EventStoreResetCounter** Number of times event DB was reset.
+- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance.
+- **EventsUploaded** Number of events uploaded.
+- **Flags** Flags indicating device state such as network state, battery state, and opt-in state.
+- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full.
+- **HeartBeatSequenceNumber** The sequence number of this heartbeat.
+- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
+- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel.
+- **LastEventSizeOffender** Event name of last event which exceeded max event size.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC.
+- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events).
+- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers.
+- **TopUploaderErrors** List of top errors received from the upload endpoint.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client.
+- **UploaderErrorCount** Number of errors received from the upload endpoint.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+
+
+### TelClientSynthetic.HeartBeat_Aria_5
+
+This event is the telemetry client ARIA heartbeat.
+
+The following fields are available:
+
+- **CompressedBytesUploaded** Number of compressed bytes uploaded.
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database.
+- **DbCriticalDroppedCount** Total number of dropped critical events in event database.
+- **DbDroppedCount** Number of events dropped at the database layer.
+- **DbDroppedFailureCount** Number of events dropped due to database failures.
+- **DbDroppedFullCount** Number of events dropped due to database being full.
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times the event store has been reset.
+- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat.
+- **EventStoreResetSizeSum** Size of event store reset in bytes.
+- **EventsUploaded** Number of events uploaded.
+- **HeartBeatSequenceNumber** The sequence number of this heartbeat.
+- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
+- **LastEventSizeOffender** Event name of last event which exceeded max event size.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire.
+- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** Number of failures from contacting OneSettings service.
+- **TopUploaderErrors** List of top errors received from the upload endpoint.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client.
+- **UploaderErrorCount** Number of errors received from the upload endpoint.
+- **VortexFailuresTimeout** Number of time out failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+
+
+### TelClientSynthetic.HeartBeat_Seville_5
+
+This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense.
+
+The following fields are available:
+
+- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel.
+- **CompressedBytesUploaded** Number of compressed bytes uploaded.
+- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client.
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database.
+- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode).
+- **DbCriticalDroppedCount** Total number of dropped critical events in event database.
+- **DbDroppedCount** Number of events dropped due to database being full.
+- **DbDroppedFailureCount** Number of events dropped due to database failures.
+- **DbDroppedFullCount** Number of events dropped due to database being full.
+- **DecodingDroppedCount** Number of events dropped due to decoding failures.
+- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode).
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session.
+- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client.
+- **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC).
+- **EventStoreResetCounter** Number of times the event database was reset.
+- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance.
+- **EventsUploaded** Number of events uploaded.
+- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state.
+- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full.
+- **HeartBeatSequenceNumber** The sequence number of this heartbeat.
+- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
+- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel.
+- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe.
+- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode).
+- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events).
+- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** Number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers.
+- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client.
+- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation.
+- **VortexFailuresTimeout** Number of time out failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+
+
+## Direct to update events
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
+
+This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+- **hResult** HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess
+
+This event indicates that the Coordinator Cleanup call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess
+
+This event indicates that the Coordinator Commit call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure
+
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess
+
+This event indicates that the Coordinator Download call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinate version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess
+
+This event indicates that the Coordinator HandleShutdown call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess
+
+This event indicates that the Coordinator Initialize call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure
+
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess
+
+This event indicates that the Coordinator Install call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack
+
+This event indicates that the Coordinator's progress callback has been called.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **DeployPhase** Current Deploy Phase.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess
+
+This event indicates that the Coordinator SetCommitReady call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown
+
+This event indicates that the Coordinator WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection
+
+This event indicates that the user selected an option on the Reboot UI.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **rebootUiSelection** Selection on the Reboot UI.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
+
+This event indicates that the Coordinator WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess
+
+This event indicates that the Handler CheckApplicabilityInternal call succeeded.
+
+The following fields are available:
+
+- **ApplicabilityResult** The result of the applicability check.
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
+
+This event indicates that the Handler CheckApplicability call succeeded.
+
+The following fields are available:
+
+- **ApplicabilityResult** The result code indicating whether the update is applicable.
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
+
+This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
+
+This event indicates that the Handler Commit call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.run
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
+
+This event indicates that the Handler Download and Extract cab call failed.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
+
+This event indicates that the Handler Download and Extract cab call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
+
+This event indicates that the Handler Download call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
+
+This event indicates that the Handler Initialize call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
+
+This event indicates that the Coordinator Install call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess
+
+This event indicates that the Handler SetCommitReady call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaigning being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** The HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
+
+This event indicates that the Handler WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+
+The following fields are available:
+
+- **DeviceCensus** A count of device census objects in cache.
+- **DriverPackageExtended** A count of driverpackageextended objects in cache.
+- **FileSigningInfo** A count of file signing objects in cache.
+- **InventoryApplication** A count of application objects in cache.
+- **InventoryApplicationAppV** A count of application AppV objects in cache.
+- **InventoryApplicationDriver** A count of application driver objects in cache
+- **InventoryApplicationFile** A count of application file objects in cache.
+- **InventoryApplicationFramework** A count of application framework objects in cache
+- **InventoryApplicationShortcut** A count of application shortcut objects in cache
+- **InventoryDeviceContainer** A count of device container objects in cache.
+- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
+- **InventoryDeviceMediaClass** A count of device media objects in cache.
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
+- **InventoryDeviceUsbHubClass** A count of device usb objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache.
+- **InventoryDriverPackage** A count of device objects in cache.
+- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache
+- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache.
+- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache
+- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache
+- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache
+- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache
+- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache
+- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache
+- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache
+- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo
+
+Diagnostic data about the inventory cache.
+
+The following fields are available:
+
+- **CacheFileSize** Size of the cache.
+- **InventoryVersion** Inventory version of the cache.
+- **TempCacheCount** Number of temp caches created.
+- **TempCacheDeletedCount** Number of temp caches deleted.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv** The version of the App inventory component.
+- **devinv** The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application.
Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Language** The language code of the program.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **Name** The name of the application.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **PackageFullName** The package full name for a Store application.
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **Source** How the program was installed (for example, ARP, MSI, Appx).
+- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Version** The version number of the program.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
+
+This event represents what drivers an application installs.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component
+- **ProgramIds** The unique program identifier the driver is associated with
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
+
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **FileId** A hash that uniquely identifies a file.
+- **Frameworks** The list of frameworks this file depends on.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **DiscoveryMethod** The discovery method for the device container.
+- **FriendlyName** The name of the device container.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer** Is the container the root device itself?
+- **IsNetworked** Is this a networked device?
+- **IsPaired** Does the device container require pairing?
+- **Manufacturer** The manufacturer name for the device container.
+- **ModelId** A unique model ID.
+- **ModelName** The model name.
+- **ModelNumber** The model number for the device container.
+- **PrimaryCategory** The primary category for the device container.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **EnergyMeter** Indicates if an Energy sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Audio_CaptureDriver** The Audio device capture driver endpoint.
+- **Audio_RenderDriver** The Audio device render driver endpoint.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **BusReportedDescription** The description of the device reported by the bux.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device class GUID from the driver package
+- **COMPID** The device setup class guid of the driver loaded for the device.
+- **ContainerId** The list of compat ids for the device.
+- **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
+- **DeviceState** The device description.
+- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
+- **DriverName** A unique identifier for the driver installed.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage
+- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **Enumerator** The date of the driver loaded for the device.
+- **HWID** The version of the driver loaded for the device.
+- **Inf** The bus that enumerated the device.
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InventoryVersion** List of hardware ids for the device.
+- **LowerClassFilters** Lower filter class drivers IDs installed for the device
+- **LowerFilters** Lower filter drivers IDs installed for the device
+- **Manufacturer** INF file name (the name could be renamed by OS, such as oemXX.inf)
+- **MatchingID** Device installation state.
+- **Model** The version of the inventory binary generating the events.
+- **ParentId** Lower filter class drivers IDs installed for the device.
+- **ProblemCode** Lower filter drivers IDs installed for the device.
+- **Provider** The device manufacturer.
+- **Service** The device service name
+- **STACKID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
+- **UpperClassFilters** Upper filter drivers IDs installed for the device
+- **UpperFilters** The device model.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
+
+This event sends basic metadata about the USB hubs on the device.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+- **TotalUserConnectablePorts** Total number of connectable USB ports.
+- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event provides the basic metadata about driver binaries running on the system.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **DriverCheckSum** The checksum of the driver file.
+- **DriverCompany** The company name that developed the driver.
+- **DriverInBox** Is the driver included with the operating system?
+- **DriverIsKernelMode** Is it a kernel mode driver?
+- **DriverName** The file name of the driver.
+- **DriverPackageStrongName** The strong name of the driver package
+- **DriverSigned** The strong name of the driver package
+- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
+- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverVersion** The version of the driver file.
+- **ImageSize** The size of the driver file.
+- **Inf** The name of the INF file.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Product** The product name that is included in the driver file.
+- **ProductVersion** The product version that is included in the driver file.
+- **Service** The name of the service that is installed for the device.
+- **WdfVersion** The Windows Driver Framework version.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Class** The class name for the device driver.
+- **ClassGuid** The class GUID for the device driver.
+- **Date** The driver package date.
+- **Directory** The path to the driver package.
+- **DriverInBox** Is the driver included with the operating system?
+- **Inf** The INF name of the driver package.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Provider** The provider for the driver package.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **Version** The version of the driver package.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
+
+This event sends details collected for a specific application on the source device.
+
+The following fields are available:
+
+- **AhaVersion** The binary version of the App Health Analyzer tool.
+- **ApplicationErrors** The count of application errors from the event log.
+- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit).
+- **device_level** Various JRE/JAVA versions installed on a particular device.
+- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type.
+- **Jar** Flag to determine if an app has a Java JAR file dependency.
+- **Jre** Flag to determine if an app has JRE framework dependency.
+- **Jre_version** JRE versions an app has declared framework dependency for.
+- **Name** Name of the application.
+- **NonDPIAware** Flag to determine if an app is non-DPI aware.
+- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location.
+- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution.
+- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution.
+- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility.
+- **VB6** Flag to determine if an app is based on VB6 framework.
+- **VB6v2** Additional flag to determine if an app is based on VB6 framework.
+- **Version** Version of the application.
+- **VersionCheck** Flag to determine if an app has a static dependency on OS version.
+- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version.
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
+
+This event indicates the beginning of a series of AppHealthStaticAdd events.
+
+The following fields are available:
+
+- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument.
+- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable.
+- **Enhanced** Indicates the presence of the 'enhanced' command line argument.
+- **StartTime** UTC date and time at which this event was sent.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
+
+Provides data on the installed Office Add-ins.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AddinCLSID** The CLSID for the Office add-in.
+- **AddInId** Office add-in ID.
+- **AddinType** Office add-in Type.
+- **BinFileTimestamp** Timestamp of the Office add-in.
+- **BinFileVersion** Version of the Office add-in.
+- **Description** Office add-in description.
+- **FileId** FileId of the Office add-in.
+- **FileSize** File size of the Office add-in.
+- **FriendlyName** Friendly name for office add-in.
+- **FullPath** Unexpanded path to the office add-in.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **LoadBehavior** Uint32 that describes the load behavior.
+- **OfficeApplication** The office application for this add-in.
+- **OfficeArchitecture** Architecture of the add-in.
+- **OfficeVersion** The office version for this add-in.
+- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in.
+- **ProductCompany** The name of the company associated with the Office add-in.
+- **ProductName** The product name associated with the Office add-in.
+- **ProductVersion** The version associated with the Office add-in.
+- **ProgramId** The unique program identifier of the Office add-in.
+- **Provider** Name of the provider for this add-in.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
+
+Provides data on the Office identifiers.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device
+- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device
+- **OMID** Identifier for the Office SQM Machine
+- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit
+- **OTenantId** Unique GUID representing the Microsoft O365 Tenant
+- **OVersion** Installed version of Microsoft Office.
For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. 
Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. 
URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. 
When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
+
+Describes Office Products installed.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **OC2rApps** A GUID the describes the Office Click-To-Run apps
+- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus
+- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word
+- **OProductCodes** A GUID that describes the Office MSI products
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
+
+This event describes various Office settings
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **BrowserFlags** Browser flags for Office-related products.
+- **ExchangeProviderFlags** Provider policies for Office Exchange.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **SharedComputerLicensing** Office shared computer licensing policies.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
+
+Indicates a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
+
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Design** Count of files with design issues found.
+- **Design_x64** Count of files with 64 bit design issues found.
+- **DuplicateVBA** Count of files with duplicate VBA code.
+- **HasVBA** Count of files with VBA code.
+- **Inaccessible** Count of files that were inaccessible for scanning.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **Issues** Count of files with issues detected.
+- **Issues_x64** Count of files with 64-bit issues detected.
+- **IssuesNone** Count of files with no issues detected.
+- **IssuesNone_x64** Count of files with no 64-bit issues detected.
+- **Locked** Count of files that were locked, preventing scanning.
+- **NoVBA** Count of files with no VBA inside.
+- **Protected** Count of files that were password protected, preventing scanning.
+- **RemLimited** Count of files that require limited remediation changes.
+- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues.
+- **RemSignificant** Count of files that require significant remediation changes.
+- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues.
+- **Score** Overall compatibility score calculated for scanned content.
+- **Score_x64** Overall 64-bit compatibility score calculated for scanned content.
+- **Total** Total number of files scanned.
+- **Validation** Count of files that require additional manual validation.
+- **Validation_x64** Count of files that require additional manual validation for 64-bit issues.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
+
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Count** Count of total Microsoft Office VBA rule violations
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
+
+Provides data on Unified Update Platform (UUP) products and what version they are at.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Identifier** UUP identifier
+- **LastActivatedVersion** Last activated version
+- **PreviousVersion** Previous version
+- **Source** UUP source
+- **Version** UUP version
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+
+The following fields are available:
+
+- **ChecksumDictionary** A count of each operating system indicator.
+- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **IndicatorValue** The indicator value.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+## Kernel events
+
+### IO
+
+This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup.
+
+The following fields are available:
+
+- **BytesRead** The total number of bytes read from or read by the OS upon system startup.
+- **BytesWritten** The total number of bytes written to or written by the OS upon system startup.
+
+
+### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
+
+OS information collected during Boot, used to evaluate the success of the upgrade process.
+
+The following fields are available:
+
+- **BootApplicationId** This field tells us what the OS Loader Application Identifier is.
+- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system.
+- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session.
+- **BootStatusPolicy** Identifies the applicable Boot Status Policy.
+- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
+- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made.
+- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware.
+- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonPch** Reason for system reset provided by firmware.
+- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware.
+- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io).
+- **LastBootSucceeded** Flag indicating whether the last boot was successful.
+- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
+- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb.
+- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb.
+- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement).
+- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation.
+- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
+- **RecoveryEnabled** Indicates whether recovery is enabled.
+- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot.
+- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow.
+- **UserInputTime** The amount of time the loader application spent waiting for user input.
+
+
+## Privacy consent logging events
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
+
+This event is used to determine whether the user successfully completed the privacy consent experience.
+
+The following fields are available:
+
+- **presentationVersion** Which display version of the privacy consent experience the user completed
+- **privacyConsentState** The current state of the privacy consent experience
+- **settingsVersion** Which setting version of the privacy consent experience the user completed
+- **userOobeExitReason** The exit reason of the privacy consent experience
+
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus
+
+Event tells us effectiveness of new privacy experience.
+
+The following fields are available:
+
+- **isAdmin** whether the person who is logging in is an admin
+- **isExistingUser** whether the account existed in a downlevel OS
+- **isLaunching** Whether or not the privacy consent experience will be launched
+- **isSilentElevation** whether the user has most restrictive UAC controls
+- **privacyConsentState** whether the user has completed privacy experience
+- **userRegionCode** The current user's region setting
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded).
+
+The following fields are available:
+
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BranchReadinessLevel** The servicing branch configured on the device.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **DeferredUpdates** Update IDs which are currently being deferred until a later time
+- **DeviceModel** What is the device model.
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **DriverSyncPassPerformed** Were drivers scanned this time?
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
+- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MSIError** The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **PausedUpdates** A list of UpdateIds which that currently being paused.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan the event was
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded).
+
+The following fields are available:
+
+- **ActiveDownloadTime** Number of seconds the update was actively being downloaded.
+- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload.
+- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
+- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - only the content required to launch the app is being downloaded; "AutomaticContentOnly" - only the optional [automatic] content for the app (the ones that can downloaded after the app has been launched) is being downloaded; "AllContent" - all content for the app, including the optional [automatic] content, is being downloaded.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. This value can be one of the following: (1) express download method was used for download; (2) SelfContained download method was used for download indicating the update had no express content; (3) SelfContained download method was used indicating that the update has an express payload, but the server is not hosting it; (4) SelfContained download method was used indicating that range requests are not supported; (5) SelfContained download method was used indicating that the system does not support express download (dpx.dll is not present); (6) SelfContained download method was used indicating that self-contained download method was selected previously; (7) SelfContained download method was used indicating a fall back to self-contained if the number of requests made by DPX exceeds a certain threshold.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0.
+- **ConnectTime** Indicates the cumulative sum (in seconds) of the time it took to establish the connection for all updates in an update bundle.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **DeviceModel** What is the device model.
+- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **DownloadProps** Indicates a bitmask for download operations indicating: (1) if an update was downloaded to a system volume (least significant bit i.e. bit 0); (2) if the update was from a channel other than the installed channel (bit 1); (3) if the update was for a product pinned by policy (bit 2); (4) if the deployment action for the update is uninstall (bit 3).
+- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **FlightId** The specific ID of the flight (pre-release build) the device is getting.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **HostName** The hostname URL the content is downloading from.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
+- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network used for downloading the update content. The values can be: 0x0 (Unkown); 0x1 (Network cost is unrestricted); 0x2 (Network cost is fixed); 0x4 (Network cost is variable); 0x10000 (Network cost over data limit); 0x20000 (Network cost congested); 0x40000 (Network cost roaming); 0x80000 (Network cost approaching data limit). +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationReason** The reason that the update is regulated +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. 
+- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded. +- **TotalExpectedBytes** The total count of bytes that the download is expected to be. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedDO** Whether the download used the delivery optimization service. 
+- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. 
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. 
+- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. 
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DriverPingBack** Contains information about the previous driver and system state. 
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. 
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. 
+ + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. 
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. 
+- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. + + +## System Resource Usage Monitor events + +### Microsoft.Windows.Srum.Sdp.CpuUsage + +This event provides information on CPU usage. + +The following fields are available: + +- **UsageMax** The maximum of hourly average CPU usage. +- **UsageMean** The mean of hourly average CPU usage. +- **UsageMedian** The median of hourly average CPU usage. +- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. +- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. + + +### Microsoft.Windows.Srum.Sdp.NetworkUsage + +This event provides information on network usage. + +The following fields are available: + +- **AdapterGuid** The unique ID of the adapter. +- **BytesTotalMax** The maximum of the hourly average bytes total. 
+- **BytesTotalMean** The mean of the hourly average bytes total. +- **BytesTotalMedian** The median of the hourly average bytes total. +- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. +- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. +- **LinkSpeed** The adapter link speed. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. 
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator's last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned by Setup for the entire operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineResult** Error code from the engine operation. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. 
+- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
+
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **activated** Whether the entire device manifest update is considered activated and in use.
+- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis.
+- **flightId** Unique ID for each flight.
+- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system.
+- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system.
+- **objectId** Unique value for each diagnostics session.
+- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** Indicates the update scenario.
+- **sessionId** Unique value for each update session.
+- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on.
+- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
+- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string.
+- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string.
+- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
+- **updateId** Unique ID for each Update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
+
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique GUID for each diagnostics session.
+- **relatedCV** A correlation vector value generated from the latest USO scan.
+- **result** Outcome of the initialization of the session.
+- **scenarioId** Identifies the Update scenario.
+- **sessionId** The unique value for each update session.
+- **updateId** The unique identifier for each Update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** Unique value for each Update Agent mode.
+- **packageCountOptional** Number of optional packages requested.
+- **packageCountRequired** Number of required packages requested.
+- **packageCountTotal** Total number of packages needed.
+- **packageCountTotalCanonical** Total number of canonical packages.
+- **packageCountTotalDiff** Total number of diff packages.
+- **packageCountTotalExpress** Total number of express packages.
+- **packageSizeCanonical** Size of canonical packages in bytes.
+- **packageSizeDiff** Size of diff packages in bytes.
+- **packageSizeExpress** Size of express packages in bytes.
+- **rangeRequestState** Represents the state of the download range request.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the download request phase of update.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current install phase.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique identifier for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Outcome of the install phase of the update.
+- **scenarioId** The unique identifier for the update scenario.
+- **sessionId** The unique identifier for each update session.
+- **updateId** The unique identifier for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **flightId** The unique identifier for each flight.
+- **mode** The mode that is starting.
+- **objectId** The unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique identifier for each update.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
+
+This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed..
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose in this dialog box.
+- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel
+
+This event indicates that Windows Update activity was blocked due to low battery level.
+
+The following fields are available:
+
+- **batteryLevel** The current battery charge capacity.
+- **batteryLevelThreshold** The battery capacity threshold to stop update activity.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** Device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
+
+This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update.
+
+The following fields are available:
+
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUEnabled
+
+This event indicates that Inbox DTU functionality was enabled.
+
+The following fields are available:
+
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUInitiated
+
+This event indicates that Inbox DTU functionality was intiated.
+
+The following fields are available:
+
+- **dtuErrorCode** Return code from creating the DTU Com Server.
+- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on.
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask
+
+This event indicated that USO failed to add a trigger time to a task.
+
+The following fields are available:
+
+- **errorCode** The Windows Update error code.
+- **wuDeviceid** The Windows Update device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.StickUpdate
+
+This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update.
+
+The following fields are available:
+
+- **updateId** Identifier associated with the specific piece of content.
+- **wuDeviceid** Unique device ID controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
+
+This event indicates that update activity was stopped due to active hours starting.
+
+The following fields are available:
+
+- **activeHoursEnd** The end of the active hours window.
+- **activeHoursStart** The start of the active hours window.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
+
+
+### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel
+
+This event is sent when update activity was stopped due to a low battery level.
+
+The following fields are available:
+
+- **batteryLevel** The current battery charge capacity.
+- **batteryLevelThreshold** The battery capacity threshold to stop update activity.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
+
+
+### Microsoft.Windows.Update.Orchestrator.UnstickUpdate
+
+This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update.
+
+The following fields are available:
+
+- **updateId** Identifier associated with the specific piece of content.
+- **wuDeviceid** Unique device ID controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask
+
+This event is sent when MUSE broker schedules a task.
+
+The following fields are available:
+
+- **TaskArgument** The arguments with which the task is scheduled.
+- **TaskName** Name of the task.
+
+
+
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 17d45d542b..6436e38396 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -46,7 +46,7 @@ For Windows 10, we invite IT pros to join the [Windows Insider Program](http:// Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. -The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. +The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. ### What is Windows diagnostic data? Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
@@ -104,21 +104,21 @@ Sharing information with Microsoft helps make Windows and other products better, #### Upgrade Readiness -Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. +Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. -With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. +To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. + +With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. 
Use Upgrade Readiness to get: - A visual workflow that guides you from pilot to production - Detailed computer, driver, and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues with suggested fixes +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues with suggested fixes - Data driven application rationalization tools - Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools +- Data export to commonly used software deployment tools The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. @@ -157,8 +157,8 @@ The following table defines the endpoints for other diagnostic data services: | Service | Endpoint | | - | - | -| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | -| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | +| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | | OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | ### Data use and access 
@@ -167,7 +167,7 @@ The principle of least privileged access guides access to diagnostic data. Micro ### Retention -Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. +Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. ## Diagnostic data levels This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. 
@@ -190,7 +190,7 @@ The levels are cumulative and are illustrated in the following diagram. Also, th The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. -> [!NOTE] +> [!NOTE] > If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. 
@@ -201,12 +201,12 @@ The data gathered at this level includes: - **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - > [!NOTE] - > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + > [!NOTE] + > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). - **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. - > [!NOTE] + > [!NOTE] > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. 
@@ -304,7 +304,7 @@ In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data t 2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. - + -OR- b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. 
@@ -338,8 +338,8 @@ IT pros can use various methods, including Group Policy and Mobile Device Manage We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. -> [!IMPORTANT] -> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). +> [!IMPORTANT] +> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](https://technet.microsoft.com/library/jj863580.aspx). You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. 
However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on. @@ -358,7 +358,7 @@ Use the appropriate value in the table below when you configure the management p | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | - > [!NOTE] + > [!NOTE] > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. ### Use Group Policy to set the diagnostic data level @@ -373,13 +373,13 @@ Use a Group Policy object to set your organization’s diagnostic data level. ### Use MDM to set the diagnostic data level -Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. +Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. ### Use Registry Editor to set the diagnostic data level Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. 2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. 
@@ -401,15 +401,15 @@ For System Center 2016 Technical Preview, you can turn off System Center diagnos There are a few more settings that you can turn off that may send diagnostic data information: -- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). +- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. -- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). +- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). - Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. 
- > [!NOTE] + > [!NOTE] > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. ## Additional resources @@ -440,6 +440,6 @@ TechNet Web Pages -- [Privacy at Microsoft](http://privacy.microsoft.com) +- [Privacy at Microsoft](https://privacy.microsoft.com) + - diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 23b6540574..dc82af4768 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -61,6 +61,8 @@ The Diagnostic Data Viewer provides you with the following features to view and - **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. + + ![View your diagnostic events](images/ddv-event-view.png) - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. 
@@ -69,10 +71,12 @@ The Diagnostic Data Viewer provides you with the following features to view and - **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. Selecting a check box lets you filter between the diagnostic event categories. + + ![Filter your diagnostic event categories](images/ddv-event-view-filter.png) -- **Help to make your Windows experience better.** Microsoft samples diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. +- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. - To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the sampling group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. 
In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). - **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 9d31869696..3f4c11004e 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -109,7 +109,6 @@ The following fields are available: - **isSystemManagedAccount:** Indicates if the user's account is System Managed - **isUnlockScenario:** Flag indicating whether the event is a Logon or an Unlock -- **PartA_UserSid:** The security identifier of the user - **userType:** Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft Account; 4 = Azure Active Directory user ## Microsoft.Windows.LogonController.SignInFailure @@ -251,3 +250,8 @@ The following fields are available: - **WindowFlags:** Flags denoting runtime properties of an app window - **WindowHeight:** Number of vertical pixels in the application window - **WindowWidth:** Number of horizontal pixels in the application window + +# Revisions to the diagnostic data events and fields + +## PartA_UserSid removed +A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event. Note that you can use the Windows Diagnostic Data Viewer to review the contents of the event. 
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index 1e8232c373..90fc1a209c 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md 
@@ -151,10 +151,10 @@ The following table lists in what GDPR mode – controller or processor – Wind Windows diagnostic data collection level can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. -* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. +* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. >[!NOTE] ->For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). +>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). 
* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. @@ -247,4 +247,4 @@ Please visit our [GDPR section of the Microsoft Trust Center](https://www.micros #### Other resources -* [Privacy at Microsoft](http://privacy.microsoft.com/) \ No newline at end of file +* [Privacy at Microsoft](https://privacy.microsoft.com/) \ No newline at end of file diff --git a/windows/privacy/images/ddv-data-viewing.png b/windows/privacy/images/ddv-data-viewing.png index 88f45acf3b..b2f72cfc85 100644 Binary files a/windows/privacy/images/ddv-data-viewing.png and b/windows/privacy/images/ddv-data-viewing.png differ diff --git a/windows/privacy/images/ddv-event-feedback.png b/windows/privacy/images/ddv-event-feedback.png new file mode 100644 index 0000000000..61c1c15e99 Binary files /dev/null and b/windows/privacy/images/ddv-event-feedback.png differ diff --git a/windows/privacy/images/ddv-event-view-basic.png b/windows/privacy/images/ddv-event-view-basic.png new file mode 100644 index 0000000000..5668e13bec Binary files /dev/null and b/windows/privacy/images/ddv-event-view-basic.png differ diff --git a/windows/privacy/images/ddv-event-view-filter.png b/windows/privacy/images/ddv-event-view-filter.png new file mode 100644 index 0000000000..addd53271d Binary files /dev/null and b/windows/privacy/images/ddv-event-view-filter.png differ diff --git a/windows/privacy/images/ddv-event-view.png b/windows/privacy/images/ddv-event-view.png new file mode 100644 index 0000000000..264add2d9c Binary files /dev/null and b/windows/privacy/images/ddv-event-view.png differ diff --git a/windows/privacy/images/ddv-export.png b/windows/privacy/images/ddv-export.png new file mode 100644 index 0000000000..25e62858db Binary files /dev/null and b/windows/privacy/images/ddv-export.png differ 
diff --git a/windows/privacy/images/ddv-settings-launch.png b/windows/privacy/images/ddv-settings-launch.png index 4d4e26c382..dc105bfde3 100644 Binary files a/windows/privacy/images/ddv-settings-launch.png and b/windows/privacy/images/ddv-settings-launch.png differ diff --git a/windows/privacy/images/ddv-settings-off.png b/windows/privacy/images/ddv-settings-off.png index 12704b5e28..9c1e292e89 100644 Binary files a/windows/privacy/images/ddv-settings-off.png and b/windows/privacy/images/ddv-settings-off.png differ diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 379b8c9e13..7287abf932 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -13,7 +13,7 @@ ms.date: 06/05/2018 --- # Manage connections from Windows operating system components to Microsoft services - + **Applies to** - Windows 10 Enterprise, version 1607 and newer 
@@ -27,18 +27,18 @@ If you want to minimize connections from Windows to Microsoft services, or confi
 You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887).
-This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
-Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
-However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended.
-Make sure should you've chosen the right settings configuration for your environment before applying.
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887).
+This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
+Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
+However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended.
+Make sure should you've chosen the right settings configuration for your environment before applying.
 You should not extract this package to the windows\\system32 folder because it will not apply correctly.
 >[!IMPORTANT]
 > As part of the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), MDM functionallity is disabled. If you manage devices through MDM, make sure [cloud notifications are enabled](#bkmk-priv-notifications).
-Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
-It is recommended that you restart a device after making configuration changes to it.
+Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
+It is recommended that you restart a device after making configuration changes to it.
 Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
 We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
@@ -90,7 +90,7 @@ Here's a list of changes that were made to this article for Windows 10, version
 The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
-### Settings for Windows 10 Enterprise edition
+### Settings for Windows 10 Enterprise edition
 The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
@@ -100,7 +100,7 @@ The following table lists management options for each setting, beginning with Wi
 | Setting | UI | Group Policy | MDM policy | Registry | Command line |
 | - | :-: | :-: | :-: | :-: | :-: |
 | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | | |
-| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
+| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | |
 | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | |
 | [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | |
@@ -208,11 +208,11 @@ Use the following sections for more information about how to configure each sett
 ### 1. Automatic Root Certificates Update
-The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on Windows Update to see if an update is available.
-For more information, see [Automatic Root Certificates Update Configuration](https://technet.microsoft.com/library/cc733922.aspx).
+The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on Windows Update to see if an update is available.
+For more information, see [Automatic Root Certificates Update Configuration](https://technet.microsoft.com/library/cc733922.aspx).
 Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
-> [!CAUTION]
+> [!CAUTION]
 > By not automatically downloading the root certificates, the device might have not be able to connect to some websites.
 For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
@@ -242,7 +242,7 @@ On Windows Server 2016 Nano Server:
 - Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
->[!NOTE]
+>[!NOTE]
 >CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
 ### 2. Cortana and Search
@@ -274,7 +274,7 @@ You can also apply the Group Policies using the following registry keys:
 In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
 >[!IMPORTANT]
->These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016.
+>These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016.
 1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
@@ -305,7 +305,7 @@ If your organization tests network traffic, do not use a network proxy as Window
 ### 2.2 Cortana and Search MDM policies
-For Windows 10 only, the following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+For Windows 10 only, the following Cortana MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
 | Policy | Description |
 |------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@@ -325,8 +325,8 @@ You can prevent Windows from setting the time automatically.
 After that, configure the following:
 - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
-
-> [!NOTE]
+
+> [!NOTE]
 > This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**
 -or -
@@ -362,7 +362,7 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later:
 - Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\System\\EnableFontProviders** to 0 (zero).
-- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
 - **false**. Font streaming is disabled.
@@ -370,18 +370,18 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later:
 If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting named **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters** with a value of 1.
-> [!NOTE]
+> [!NOTE]
 > After you apply this policy, you must restart the device for it to take effect.
 ### 7. Insider Preview builds
 The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10.
-This setting stops communication with the Windows Insider Preview service that checks for new builds.
+This setting stops communication with the Windows Insider Preview service that checks for new builds.
 Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016.
-> [!NOTE]
+> [!NOTE]
 > If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
 To turn off Insider Preview builds for a released version of Windows 10:
@@ -390,7 +390,7 @@ To turn off Insider Preview builds for a released version of Windows 10:
 To turn off Insider Preview builds for Windows 10:
-> [!NOTE]
+> [!NOTE]
 > If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
 - Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**.
@@ -405,7 +405,7 @@ To turn off Insider Preview builds for Windows 10:
 -or-
-- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
 - **0**. Users cannot make their devices available for downloading and installing preview software.
@@ -479,7 +479,7 @@ You can turn this off by:
 - Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
-For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
+For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/library/dn761713.aspx).
 ### 9. Live Tiles
@@ -488,7 +488,7 @@ To turn off Live Tiles:
 - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
 -or-
-
+
 - Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one).
 In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
@@ -505,14 +505,14 @@ To turn off mail synchronization for Microsoft Accounts that are configured on a
 -or-
-- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
+- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device.
 To turn off the Windows Mail app:
 - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
 -or-
-
+
 - Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero).
 ### 11. Microsoft Account
@@ -526,7 +526,7 @@ To prevent communication to the Microsoft Account cloud authentication service.
 - Create a REG\_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a value of 3.
 To disable the Microsoft Account Sign-In Assistant:
-- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
 - Change the Start REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to a value of **4**.
@@ -583,7 +583,7 @@ Alternatively, you can configure the Microsoft Group Policies using the followin
 ### 12.2 Microsoft Edge MDM policies
-The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+The following Microsoft Edge MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
 | Policy | Description |
 |------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@@ -602,7 +602,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for
 Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
-In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was [http://www.msftncsi.com]().
+In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was [http://www.msftncsi.com]().
 You can turn off NCSI by doing one of the following:
@@ -610,7 +610,7 @@ You can turn off NCSI by doing one of the following:
 - In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy.
-> [!NOTE]
+> [!NOTE]
 > After you apply this policy, you must restart the device for the policy setting to take effect.
 -or-
@@ -624,7 +624,7 @@ You can turn off the ability to download and update offline maps.
 - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
 -or-
-
+
 - Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero).
 -and-
@@ -647,7 +647,7 @@ To turn off OneDrive in your organization:
 -and-
-- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one).
+- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one).
 ### 16. Preinstalled apps
@@ -819,7 +819,7 @@ Use Settings > Privacy to configure some settings that may be important to yo
 To turn off **Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)**:
-> [!NOTE]
+> [!NOTE]
 > When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
 - Turn off the feature in the UI.
@@ -856,7 +856,7 @@ To turn off **Let Windows track app launches to improve Start and search results
 To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
-> [!NOTE]
+> [!NOTE]
 > When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
 - Turn off the feature in the UI.
@@ -887,7 +887,7 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros
 -or-
-- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
+- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
 -or-
@@ -907,16 +907,16 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros
 To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
-> [!NOTE]
+> [!NOTE]
 > If the diagnostic data level is set to either **Basic** or **Security**, this is turned off automatically.
-
+
 - Turn off the feature in the UI.
 -or-
-- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
 - **0**. Not allowed
@@ -964,7 +964,7 @@ To turn off **Location for this device**:
 -or-
-- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
 - **0**. Turned off and the employee can't turn it back on.
@@ -972,8 +972,8 @@ To turn off **Location for this device**:
 - **2**. Turned on and the employee can't turn it off.
- > [!NOTE]
- > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
+ > [!NOTE]
+ > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx).
 -or-
@@ -1025,15 +1025,15 @@ To turn off **Let apps use my camera**:
 -or-
-- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
 - **0**. Apps can't use the camera.
 - **1**. Apps can use the camera.
 > [!NOTE]
- > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx).
-
+ > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx).
+
 -or-
 - Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where:
@@ -1067,7 +1067,7 @@ To turn off **Let apps use my microphone**:
 - **0**. User in control
 - **1**. Force allow
 - **2**. Force deny
-
+
 -or-
 - Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two)
@@ -1098,7 +1098,7 @@ To turn off notifications network usage:
 - **0**. WNS notifications allowed
 - **1**. No WNS notifications allowed
-
+
 In the **Notifications** area, you can also choose which apps have access to notifications.
 To turn off **Let apps access my notifications**:
@@ -1127,7 +1127,7 @@ To turn off **Let apps access my notifications**:
 In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
-> [!NOTE]
+> [!NOTE]
 > For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article.
 To turn off the functionality:
@@ -1178,7 +1178,7 @@ To turn off **Let apps access my name, picture, and other account info**:
 - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
 - Set the **Select a setting** box to **Force Deny**.
-
+
 -or-
 - Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where:
@@ -1186,7 +1186,7 @@ To turn off **Let apps access my name, picture, and other account info**:
 - **0**. User in control
 - **1**. Force allow
 - **2**. Force deny
-
+
 -or-
 - Create a REG\_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
@@ -1211,8 +1211,8 @@ To turn off **Choose apps that can access contacts**:
 -or-
-- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
-
+- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where:
+
 - **0**. User in control
 - **1**. Force allow
 - **2**. Force deny
@@ -1242,7 +1242,7 @@ To turn off **Let apps access my calendar**:
 - **0**. User in control
 - **1**. Force allow
 - **2**. Force deny
-
+
 -or-
 - Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
@@ -1346,7 +1346,7 @@ To turn off **Let apps make phone calls**:
 - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls**
 - Set the **Select a setting** box to **Force Deny**.
-
+
 -or-
 - Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where:
@@ -1377,7 +1377,7 @@ To turn off **Let apps control radios**:
 - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
 - Set the **Select a setting** box to **Force Deny**.
-
+
 -or-
 - Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where:
@@ -1409,13 +1409,13 @@ To turn off **Let apps automatically share and sync info with wireless devices t
 -or-
-- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
+- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where:
 - **0**. User in control
 - **1**. Force allow
- - **2**. Force deny
+ - **2**. Force deny
+
-
 -or-
 - Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
@@ -1433,11 +1433,11 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
 -or-
 - Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices
-), where:
+), where:
 - **0**. User in control
 - **1**. Force allow
- - **2**. Force deny
+ - **2**. Force deny
 ### 17.16 Feedback & diagnostics
@@ -1446,10 +1446,10 @@ In the **Feedback & Diagnostics** area, you can choose how often you're asked fo
 To change how frequently **Windows should ask for my feedback**:
-> [!NOTE]
+> [!NOTE]
 > Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
-
+
 - To change from **Automatically (Recommended)**, use the drop-down list in the UI.
@@ -1479,25 +1479,25 @@ To change how frequently **Windows should ask for my feedback**:
 | Once a day | 864000000000 | 1 |
 | Once a week | 6048000000000 | 1 |
-
+
 To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
 - Click either the **Basic** or **Full** options.
 -or-
-- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
+- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment.
 -or-
-- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level).
-> [!NOTE]
+> [!NOTE]
 > If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
 -or-
-- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
+- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
 - **0**. Maps to the **Security** level.
@@ -1538,7 +1538,7 @@ To turn off **Let apps run in the background**:
 -or-
 - In **Background apps**, turn off the feature for each app.
-
+
 -or-
 - Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background**
@@ -1575,7 +1575,7 @@ To turn off **Let Windows and your apps use your motion data and collect motion
 - **0**. User in control
 - **1**. Force allow
 - **2**. Force deny
-
+
 -or-
 - Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
@@ -1633,7 +1633,7 @@ For Windows 10:
 -or-
-- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
+- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
 -or-
@@ -1673,7 +1673,7 @@ You can control if your settings are synchronized:
 -or-
-- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
+- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
 -or-
@@ -1689,9 +1689,9 @@ To turn off Messaging cloud sync:
 ### 21. Teredo
-You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
+You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx).
->[!NOTE]
+>[!NOTE]
 >If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
 - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
@@ -1745,15 +1745,15 @@ You can disconnect from the Microsoft Antimalware Protection Service.
 -or-
-- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
 -or-
 - Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero).
-
+
 -and-
-
- From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
+
+ From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
 You can stop sending file samples back to Microsoft.
@@ -1815,13 +1815,13 @@ If you're running Windows 10, version 1607 or later, you only need to enable the - **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** - > [!NOTE] + > [!NOTE] > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting. -or- - For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero). - + -or- - Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). @@ -1832,7 +1832,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. - > [!NOTE] + > [!NOTE] > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**. - **Personalization** > **Start** > **Occasionally show suggestions in Start**. 
@@ -1848,9 +1848,9 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. - > [!NOTE] + > [!NOTE] > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one). - + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. 
@@ -1868,9 +1868,9 @@ For more info, see [Windows Spotlight on the lock screen](/windows/configuration ### 26. Microsoft Store -You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded. -This will also turn off automatic app updates, and the Microsoft Store will be disabled. -In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**. +You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded. +This will also turn off automatic app updates, and the Microsoft Store will be disabled. +In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**. On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**. @@ -1923,7 +1923,7 @@ You can also set the **Download Mode** policy by creating a new REG\_DWORD regis ### 27.3 Delivery Optimization MDM policies -The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). +The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). | Policy | Description | |---------------------------|-----------------------------------------------------------------------------------------------------| 
@@ -1997,4 +1997,4 @@ You can turn off automatic updates by doing one of the following. This is not re - **5**. Turn off automatic updates. -To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). +To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx). diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 1766427ef8..dd435f2d40 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -14,6 +14,7 @@ ms.date: 03/13/2018 # Windows 10, version 1709 and newer diagnostic data for the Full level Applies to: +- Windows 10, version 1809 - Windows 10, version 1803 - Windows 10, version 1709 @@ -24,17 +25,11 @@ In addition, this article provides references to equivalent definitions for the The data covered in this article is grouped into the following types: - Common data (diagnostic header information) - - Device, Connectivity, and Configuration data - - Product and Service Usage data - - Product and Service Performance data - - Software Setup and Inventory data - - Browsing History data - - Inking, Typing, and Speech Utterance data ## Common data 
@@ -44,9 +39,23 @@ Most diagnostic events contain a header of common data. In each example, the inf Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. ### Data Description for Common data type -|Sub-type|Description and examples| -|- |- | -|Common Data|Information that is added to most diagnostic events, if relevant and available:
          • Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
          • Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
          • Event collection time (8.2.3.2.2 Telemetry data)
          • User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data (8.2.5 Account data)
          • Xbox UserID (8.2.5 Account data)
          • Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
          • Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
          • Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
          • Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
          • HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
          • Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
          | + +#### Common data type + +Information that is added to most diagnostic events, if relevant and available: + +- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability) +- Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data) +- Event collection time (8.2.3.2.2 Telemetry data) +- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data) +- Xbox UserID (8.2.5 Account data) +- Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data) +- Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data) +- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data) +- Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data) +- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data) +- Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data) + ## Device, Connectivity, and Configuration data This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data. 
@@ -59,15 +68,11 @@ This type of data includes details about the device, its configuration and conne - Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example: - Data about the use of cellular modems and their configuration on your devices is used to troubleshoot cellular modem issues. - - Data about the use of USB hubs use and their configuration on your devices is used to troubleshoot USB hub issues. - - Data about the use of connected Bluetooth devices is used to troubleshoot compatibility issues with Bluetooth devices. - Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update. - - Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update. - - Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. **With (optional) Tailored experiences:**
          @@ -78,13 +83,91 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud - Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.   ### Data Description for Device, Connectivity, and Configuration data type -|Sub-type|Description and examples| -|- |- | -|Device properties |Information about the operating system and device hardware, such as:
          • Operating system - version name, edition
          • Installation type, subscription status, and genuine operating system status
          • Processor architecture, speed, number of cores, manufacturer, and model
          • OEM details --manufacturer, model, and serial number
          • Device identifier and Xbox serial number
          • Firmware/BIOS operating system -- type, manufacturer, model, and version
          • Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
          • Storage -- total capacity and disk type
          • Battery -- charge capacity and InstantOn support
          • Hardware chassis type, color, and form factor
          • Is this a virtual machine?
          | -|Device capabilities|Information about the specific device capabilities, such as:
          • Camera -- whether the device has a front facing camera, a rear facing camera, or both.
          • Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
          • Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
          • Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
          • Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
          • Voice -- whether voice interaction is supported and the number of active microphones
          • Number of displays, resolutions, and DPI
          • Wireless capabilities
          • OEM or platform face detection
          • OEM or platform video stabilization and quality-level set
          • Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
          | -|Device preferences and settings |Information about the device settings and user preferences, such as:
          • User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
          • User-provided device name
          • Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
          • Hashed representation of the domain name
          • MDM (mobile device management) enrollment settings and status
          • BitLocker, Secure Boot, encryption settings, and status
          • Windows Update settings and status
          • Developer Unlock settings and status
          • Default app choices
          • Default browser choice
          • Default language settings for app, input, keyboard, speech, and display
          • App store update settings
          • Enterprise OrganizationID, Commercial ID
          | -|Device peripherals |Information about the device peripherals, such as:
          • Peripheral name, device model, class, manufacturer, and description
          • Peripheral device state, install state, and checksum
          • Driver name, package name, version, and manufacturer
          • HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
          • Driver state, problem code, and checksum
          • Whether driver is kernel mode, signed, and image size
          | -|Device network info |Information about the device network configuration, such as:
          • Network system capabilities
          • Local or Internet connectivity status
          • Proxy, gateway, DHCP, DNS details, and addresses
          • Whether it's a paid or free network
          • Whether the wireless driver is emulated
          • Whether it's access point mode-capable
          • Access point manufacturer, model, and MAC address
          • WDI Version
          • Name of networking driver service
          • Wi-Fi Direct details
          • Wi-Fi device hardware ID and manufacturer
          • Wi-Fi scan attempt and item counts
          • Whether MAC randomization is supported and enabled
          • Number of supported spatial streams and channel frequencies
          • Whether Manual or Auto-connect is enabled
          • Time and result of each connection attempt
          • Airplane mode status and attempts
          • Interface description provided by the manufacturer
          • Data transfer rates
          • Cipher algorithm
          • Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
          • Mobile operator and service provider name
          • Available SSIDs and BSSIDs
          • IP Address type -- IPv4 or IPv6
          • Signal Quality percentage and changes
          • Hotspot presence detection and success rate
          • TCP connection performance
          • Miracast device names
          • Hashed IP address
          + +**Device properties sub-type:** Information about the operating system and device hardware + +- Operating system - version name, edition +- Installation type, subscription status, and genuine operating system status +- Processor architecture, speed, number of cores, manufacturer, and model +- OEM details --manufacturer, model, and serial number +- Device identifier and Xbox serial number +- Firmware/BIOS operating system -- type, manufacturer, model, and version +- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory +- Storage -- total capacity and disk type +- Battery -- charge capacity and InstantOn support +- Hardware chassis type, color, and form factor +- Is this a virtual machine? + +**Device capabilities sub-type:** Information about the capabilities of the device + +- Camera -- whether the device has a front facing camera, a rear facing camera, or both. +- Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported? 
+- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2 +- Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version +- Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware +- Voice -- whether voice interaction is supported and the number of active microphones +- Number of displays, resolutions, and DPI +- Wireless capabilities +- OEM or platform face detection +- OEM or platform video stabilization and quality-level set +- Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability + +**Device preferences and settings sub-type:** Information about the device settings and user preferences + +- User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security +- User-provided device name +- Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network) +- Hashed representation of the domain name +- MDM (mobile device management) enrollment settings and status +- BitLocker, Secure Boot, encryption settings, and status +- Windows Update settings and status +- Developer Unlock settings and status +- Default app choices +- Default browser choice +- Default language settings for app, input, keyboard, speech, and display +- App store update settings +- Enterprise OrganizationID, Commercial ID + +**Device peripherals sub-type:** Information about the peripherals of the device + +- Peripheral name, device model, class, manufacturer, and description +- Peripheral device state, install state, and checksum +- Driver name, package name, version, and manufacturer +- HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://docs.microsoft.com/windows-hardware/drivers/install/hardware-ids) +- Driver state, problem 
code, and checksum +- Whether driver is kernel mode, signed, and image size + +**Device network info sub-type:** Information about the device network configuration + +- Network system capabilities +- Local or Internet connectivity status +- Proxy, gateway, DHCP, DNS details, and addresses +- Whether it's a paid or free network +- Whether the wireless driver is emulated +- Whether it's access point mode-capable +- Access point manufacturer, model, and MAC address +- WDI Version +- Name of networking driver service +- Wi-Fi Direct details +- Wi-Fi device hardware ID and manufacturer +- Wi-Fi scan attempt and item counts +- Whether MAC randomization is supported and enabled +- Number of supported spatial streams and channel frequencies +- Whether Manual or Auto-connect is enabled +- Time and result of each connection attempt +- Airplane mode status and attempts +- Interface description provided by the manufacturer +- Data transfer rates +- Cipher algorithm +- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO) +- Mobile operator and service provider name +- Available SSIDs and BSSIDs +- IP Address type -- IPv4 or IPv6 +- Signal Quality percentage and changes +- Hotspot presence detection and success rate +- TCP connection performance +- Miracast device names +- Hashed IP address ## Product and Service Usage data This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability. 
@@ -95,32 +178,60 @@ This type of data includes details about the usage of the device, operating syst [Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: - Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. - - Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. - - Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature. - - Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process. - - Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana. - - Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app. **With (optional) Tailored experiences:**
          If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: - If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature. - - Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps. ### Data Description for Product and Service Usage data type -|Sub-type|Description and examples | -|- |- | -|App usage|Information about Windows and application usage, such as:
          • Operating system component and app feature usage
          • User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
          • Time of and count of app and component launches, duration of use, session GUID, and process ID
          • App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
          • User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
          • Cortana launch entry point and reason
          • Notification delivery requests and status
          • Apps used to edit images and videos
          • SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines
          • Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
          • Emergency alerts are received or displayed statistics
          • Content searches within an app
          • Reading activity -- bookmarked, printed, or had the layout changed
          | -|App or product state|Information about Windows and application state, such as:
          • Start Menu and Taskbar pins
          • Online and offline status
          • App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture
          • Personalization impressions delivered
          • Whether the user clicked on, or hovered over, UI controls or hotspots
          • User provided feedback, such as Like, Dislike or a rating
          • Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
          | -|Purchasing|Information about purchases made on the device, such as:
          • Product ID, edition ID and product URI
          • Offer details -- price
          • Date and time an order was requested
          • Microsoft Store client type -- web or native client
          • Purchase quantity and price
          • Payment type -- credit card type and PayPal
          | -|Login properties|Information about logins on the device, such as:
          • Login success or failure
          • Login sessions and state
          | + +**App usage sub-type:** Information about Windows and application usage + +- Operating system component and app feature usage +- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites +- Time of and count of app and component launches, duration of use, session GUID, and process ID +- App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction +- User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long +- Cortana launch entry point and reason +- Notification delivery requests and status +- Apps used to edit images and videos +- SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines +- Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines +- Emergency alerts are received or displayed statistics +- Content searches within an app +- Reading activity -- bookmarked, printed, or had the layout changed + +**App or product state sub-type:** Information about Windows and application state + +- Start Menu and Taskbar pins +- Online and offline status +- App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture +- Personalization impressions delivered +- Whether the user clicked on, or hovered over, UI controls or hotspots +- User provided feedback, such as Like, Dislike or a rating +- Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to. 
+ +**Purchasing sub-type:** Information about purchases made on the device + +- Product ID, edition ID and product URI +- Offer details -- price +- Date and time an order was requested +- Microsoft Store client type -- web or native client +- Purchase quantity and price +- Payment type -- credit card type and PayPal + +**Login properties sub-type:** Information about logins on the device + +- Login success or failure +- Login sessions and state ## Product and Service Performance data This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data. @@ -131,35 +242,109 @@ This type of data includes details about the health of the device, operating sys [Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: - Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations. - - Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance. - - Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance. - - Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance. **With (optional) Tailored experiences:**
          If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. - Data about battery performance on a device may be used to recommend settings changes that can improve battery performance. - - If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space. - - If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps. **Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.** ### Data Description for Product and Service Performance data type -|Sub-type|Description and examples | -|- |- | -|Device health and crash data|Information about the device and software health, such as:
          • Error codes and error messages, name and ID of the app, and process reporting the error
          • DLL library predicted to be the source of the error -- for example, xyz.dll
          • System generated files -- app or product logs and trace files to help diagnose a crash or hang
          • System settings, such as registry keys
          • User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
          • Details and counts of abnormal shutdowns, hangs, and crashes
          • Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
          • Crash and hang dumps, including:
            • The recorded state of the working memory at the point of the crash
            • Memory in-use by the kernel at the point of the crash.
            • Memory in-use by the application at the point of the crash
            • All the physical memory used by Windows at the point of the crash
            • Class and function name within the module that failed.
            | -|Device performance and reliability data|Information about the device and software performance, such as:
            • User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
            • Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
            • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
            • User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
            • UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
            • Disk footprint -- Free disk space, out of memory conditions, and disk score
            • Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
            • Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
            • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
            • Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
            • Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
            • Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
            • Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
            |
-|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
            • Video Width, height, color palette, encoding (compression) type, and encryption type
            • Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
            • URL for a specific two-second chunk of content if there is an error
            • Full-screen viewing mode details
            |
-|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening, or habits.
            • Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
            • Content type (video, audio, or surround audio)
            • Local media library collection statistics -- number of purchased tracks and number of playlists
            • Region mismatch -- User's operating system region and Xbox Live region
            |
-|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
            • App accessing content and status and options used to open a Microsoft Store book
            • Language of the book
            • Time spent reading content
            • Content type and size details
            |
-|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening, or habits.
            • File source data -- local, SD card, network device, and OneDrive
            • Image and video resolution, video length, file sizes types, and encoding
            • Collection view or full screen viewer use and duration of view
            |
-|On-device file query |Information about local search activity on the device, such as:
            • Kind of query issued and index type (ConstraintIndex or SystemIndex)
            • Number of items requested and retrieved
            • File extension of search result with which the user interacted
            • Launched item type, file extension, index of origin, and the App ID of the opening app
            • Name of process calling the indexer and the amount of time to service the query
            • A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
            |
-|Entitlements |Information about entitlements on the device, such as:
            • Service subscription status and errors
            • DRM and license rights details -- Groove subscription or operating system volume license
            • Entitlement ID, lease ID, and package ID of the install package
            • Entitlement revocation
            • License type (trial, offline versus online) and duration
            • License usage session
            |
+
+**Device health and crash data sub-type:** Information about the device and software health
+
+- Error codes and error messages, name and ID of the app, and process reporting the error
+- DLL library predicted to be the source of the error -- for example, xyz.dll
+- System generated files -- app or product logs and trace files to help diagnose a crash or hang
+- System settings, such as registry keys
+- User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
+- Details and counts of abnormal shutdowns, hangs, and crashes
+- Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
+- Crash and hang dumps, including:
+ - The recorded state of the working memory at the point of the crash
+ - Memory in-use by the kernel at the point of the crash.
+ - Memory in-use by the application at the point of the crash
+ - All the physical memory used by Windows at the point of the crash
+ - Class and function name within the module that failed.
+
+**Device performance and reliability data sub-type:** Information about the device and software performance
+
+- User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
+- Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
+- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
+- User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
+- UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
+- Disk footprint -- Free disk space, out of memory conditions, and disk score
+- Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
+- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
+- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic 
brightness, and environmental response times
+- Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
+- Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
+- Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
+- Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
+
+**Movies sub-type:** Information about movie consumption functionality on the device
+
+> [!NOTE]
+> This isn't intended to capture user viewing, listening, or habits.
+
+- Video Width, height, color palette, encoding (compression) type, and encryption type
+- Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
+- URL for a specific two-second chunk of content if there is an error
+- Full-screen viewing mode details
+
+**Music & TV sub-type:** Information about music and TV consumption on the device
+
+> [!NOTE]
+> This isn't intended to capture user viewing, listening, or habits.
+
+- Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
+- Content type (video, audio, or surround audio)
+- Local media library collection statistics -- number of purchased tracks and number of playlists
+- Region mismatch -- User's operating system region and Xbox Live region
+
+**Reading sub-type:** Information about reading consumption functionality on the device
+
+> [!NOTE]
+> This isn't intended to capture user viewing, listening, or habits.
+
+- App accessing content and status and options used to open a Microsoft Store book
+- Language of the book
+- Time spent reading content
+- Content type and size details
+
+**Photos app sub-type:** Information about photos usage on the device
+
+> [!NOTE]
+> This isn't intended to capture user viewing, listening, or habits.
+
+- File source data -- local, SD card, network device, and OneDrive
+- Image and video resolution, video length, file sizes types, and encoding
+- Collection view or full screen viewer use and duration of view
+
+**On-device file query sub-type:** Information about local search activity on the device
+
+- Kind of query issued and index type (ConstraintIndex or SystemIndex)
+- Number of items requested and retrieved
+- File extension of search result with which the user interacted
+- Launched item type, file extension, index of origin, and the App ID of the opening app
+- Name of process calling the indexer and the amount of time to service the query
+- A hash of the search scope (file, Outlook, OneNote, or IE history). 
The state of the indices (fully optimized, partially optimized, or being built)
+
+**Entitlements sub-type:** Information about entitlements on the device
+
+- Service subscription status and errors
+- DRM and license rights details -- Groove subscription or operating system volume license
+- Entitlement ID, lease ID, and package ID of the install package
+- Entitlement revocation
+- License type (trial, offline versus online) and duration
+- License usage session
 ## Software Setup and Inventory data
 This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
@@ -170,11 +355,8 @@ This type of data includes software installation and update information on the d
 [Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
 - Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
-
 - Data about when a download starts and finishes on a device is used to understand and address download problems.
-
 - Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
-
 - Data about the antimalware installed on a device is used to understand malware transmissions vectors.
 **With (optional) Tailored experiences:**
            @@ -183,10 +365,28 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 - Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store.
 ### Data Description for Software Setup and Inventory data type
-|Sub-type|Description and examples |
-|- |- |
-|Installed Applications and Install History|Information about apps, drivers, update packages, or operating system components installed on the device, such as:
            • App, driver, update package, or component’s Name, ID, or Package Family Name
            • Product, SKU, availability, catalog, content, and Bundle IDs
            • Operating system component, app or driver publisher, language, version and type (Win32 or UWP)
            • Install date, method, install directory, and count of install attempts
            • MSI package and product code
            • Original operating system version at install time
            • User, administrator, or mandatory installation or update
            • Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
            |
-|Device update information |Information about Windows Update, such as:
            • Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
            • Number of applicable updates, importance, and type
            • Update download size and source -- CDN or LAN peers
            • Delay upgrade status and configuration
            • Operating system uninstall and rollback status and count
            • Windows Update server and service URL
            • Windows Update machine ID
            • Windows Insider build details
            |
+
+**Installed applications and install history sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+
+- App, driver, update package, or component’s Name, ID, or Package Family Name
+- Product, SKU, availability, catalog, content, and Bundle IDs
+- Operating system component, app or driver publisher, language, version and type (Win32 or UWP)
+- Install date, method, install directory, and count of install attempts
+- MSI package and product code
+- Original operating system version at install time
+- User, administrator, or mandatory installation or update
+- Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
+
+**Device update information sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+
+- Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
+- Number of applicable updates, importance, and type
+- Update download size and source -- CDN or LAN peers
+- Delay upgrade status and configuration
+- Operating system uninstall and rollback status and count
+- Windows Update server and service URL
+- Windows Update machine ID
+- Windows Insider build details
 ## Browsing History data
 This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history. 
@@ -197,13 +397,9 @@ This type of data includes details about web browsing in the Microsoft browsers.
 [Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
 - Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content.
-
 - Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain.
-
 - Data about when the **Address** bar is used for navigation purposes is used to improve the Suggested Sites feature and to understand and address problems arising from navigation.
-
 - Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes feature.
-
 - Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page.
 **With (optional) Tailored experiences:**
            @@ -212,9 +408,17 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
 - We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
 ### Data Description for Browsing History data type
-|Sub-type|Description and examples |
-|- |- |
-|Microsoft browser data|Information about **Address** bar and **Search** box performance on the device, such as:
            • Text typed in **Address** bar and **Search** box
            • Text selected for an **Ask Cortana** search
            • Service response time
            • Auto-completed text, if there was an auto-complete
            • Navigation suggestions provided based on local history and favorites
            • Browser ID
            • URLs (may include search terms)
            • Page title
            |
+
+**Microsoft browser data sub-type:** Information about **Address** bar and **Search** box performance on the device
+
+- Text typed in **Address** bar and **Search** box
+- Text selected for an Ask Cortana search
+- Service response time
+- Auto-completed text, if there was an auto-complete
+- Navigation suggestions provided based on local history and favorites
+- Browser ID
+- URLs (may include search terms)
+- Page title
 ## Inking Typing and Speech Utterance data
 This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
@@ -225,13 +429,9 @@ This type of data gathers details about the voice, inking, and typing input feat
 [Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example:
 - Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
-
 - Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
-
 - Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature.
-
 - Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
-
 - Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition.
 **With (optional) Tailored experiences:** 
@@ -239,26 +439,69 @@ This type of data gathers details about the voice, inking, and typing input feat
 **Microsoft doesn't use Windows Inking, Typing, and Speech Utterance data for Tailored experiences.**
 ### Data Description for Inking, Typing, and Speech Utterance data type
-|Sub-type|Description and examples |
-|- |- |
-|Voice, inking, and typing|Information about voice, inking and typing features, such as:
            • Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
            • Pen gestures (click, double click, pan, zoom, or rotate)
            • Palm Touch x,y coordinates
            • Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
            • Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
            • Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
            • Text of speech recognition results -- result codes and recognized text
            • Language and model of the recognizer and the System Speech language
            • App ID using speech features
            • Whether user is known to be a child
            • Confidence and success or failure of speech recognition
            |
+
+**Voice, inking, and typing sub-type:** Information about voice, inking and typing features
+
+- Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
+- Pen gestures (click, double click, pan, zoom, or rotate)
+- Palm Touch x,y coordinates
+- Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
+- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text of speech recognition results -- result codes and recognized text
+- Language and model of the recognizer and the System Speech language
+- App ID using speech features
+- Whether user is known to be a child
+- Confidence and success or failure of speech recognition
 ## ISO/IEC 19944:2017-specific terminology
-This table provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article.
-|Term |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
-|-|-|-|
-|Provide |9.3.2 Provide |Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.|
-|Improve |9.3.3 Improve |Use of a specified data category to improve or increase the quality of a Microsoft product or service. 
Those improvements may be available to end users.|
-|Personalize |9.3.4 Personalize |Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.|
-|Recommend |9.3.4 Personalize |“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.

            Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement.|
-|Offer |9.3.5 Offer upgrades or upsell |Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.

            Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.|
-|Promote|9.3.6 Market/advertise/promote|Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.|
+This section provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article.
-

            +### Provide
-|Data identification qualifiers |ISO/IEC 19944:2017 Reference |Microsoft usage notes |
-|-|-|-|
-|Pseudonymized Data |8.3.3 Pseudonymized data|As defined|
-|Anonymized Data |8.3.5 Anonymized data|As defined|
-|Aggregated Data |8.3.6 Aggregated data|As defined|
\ No newline at end of file
+ISO/IEC 19944:2017 Reference: **9.3.2 Provide**
+
+Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.
+
+### Improve
+
+ISO/IEC 19944:2017 Reference: **9.3.3 Improve**
+
+Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users.
+
+### Personalize
+
+ISO/IEC 19944:2017 Reference: **9.3.4 Personalize**
+
+Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.
+
+### Recommend
+
+ISO/IEC 19944:2017 Reference: **9.3.4 Personalize**
+
+“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.
+
+Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement.
+
+### Offer
+
+ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell**
+
+Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. 
The target audience for the offer is Microsoft customers.
+
+Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
+
+### Promote
+
+ISO/IEC 19944:2017 Reference: **9.3.6 Market/advertise/promote**
+
+Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.
+
+### Data identification qualifiers
+
+Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference:
+
+- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
+- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
+- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined.
\ No newline at end of file
diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
index 601a236c61..b0ee83d6a3 100644
--- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
            @@ -22,9 +22,9 @@ In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-e
 We used the following methodology to derive these network endpoints:
-1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
 4. Compile reports on traffic going to public IP addresses.
 5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
@@ -113,7 +113,7 @@ We used the following methodology to derive these network endpoints:
 | wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
 | www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
 | www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
-| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
 ## Windows 10 Pro
@@ -202,7 +202,7 @@ We used the following methodology to derive these network endpoints:
 | wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
 | www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
 | www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
-| [www.microsoft.com](http://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
 ## Windows 10 Education 
diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md
index 9c969844b3..3743dc7b3b 100644
--- a/windows/privacy/windows-personal-data-services-configuration.md
+++ b/windows/privacy/windows-personal-data-services-configuration.md
@@ -397,4 +397,4 @@ These settings whether employees send “Do Not Track” header from the Microso
 ### Other resources
-* [Privacy at Microsoft](http://privacy.microsoft.com/)
+* [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/security/TOC.md b/windows/security/TOC.md
index ad302db477..6ac5b43506 100644
--- a/windows/security/TOC.md
+++ b/windows/security/TOC.md
@@ -1,7 +1,6 @@
 # [Security](index.yml)
 ## [Identity and access management](identity-protection/index.md)
 ## [Information protection](information-protection/index.md)
-## [Hardware-based protection](hardware-protection/index.md)
 ## [Threat protection](threat-protection/index.md)
diff --git a/windows/security/hardware-protection/TOC.md b/windows/security/hardware-protection/TOC.md
deleted file mode 100644
index 3dac21b0fa..0000000000
--- a/windows/security/hardware-protection/TOC.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# [Hardware-based protection](index.md)
-
-## [Encrypted Hard Drive](encrypted-hard-drive.md)
-
-## [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md)
-
-## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
-
-## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
-### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
-### [TPM fundamentals](tpm/tpm-fundamentals.md)
-### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
-### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
-### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
-### [Manage TPM commands](tpm/manage-tpm-commands.md)
-### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
-### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
-### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
-### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
-### [TPM recommendations](tpm/tpm-recommendations.md)
-
diff --git a/windows/security/hardware-protection/images/application-guard-and-system-guard.png b/windows/security/hardware-protection/images/application-guard-and-system-guard.png
deleted file mode 100644
index b4b883db90..0000000000
Binary files a/windows/security/hardware-protection/images/application-guard-and-system-guard.png and /dev/null differ
diff --git a/windows/security/hardware-protection/images/traditional-windows-software-stack.png b/windows/security/hardware-protection/images/traditional-windows-software-stack.png
deleted file mode 100644
index 0da610c368..0000000000
Binary files a/windows/security/hardware-protection/images/traditional-windows-software-stack.png and /dev/null differ
diff --git a/windows/security/hardware-protection/index.md b/windows/security/hardware-protection/index.md
deleted file mode 100644
index 454b0ec4e1..0000000000
--- a/windows/security/hardware-protection/index.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-title: Hardware-based Protection (Windows 10)
-description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 02/05/2018
----
-
-# Hardware-based protection
-
-Windows 10 leverages these hardware-based security features to protect and maintain system integrity.
-
-| Section | Description |
-|-|-|
-| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
-|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.|
-|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.|
-| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
index 7fde2f9d2f..23991e4fc0 100644
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -17,7 +17,7 @@
 ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
-## [How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md)
+## [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md)
 ## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
 ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
@@ -28,7 +28,6 @@
 ### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
 ### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
-
 ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
 ## [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md)
@@ -71,115 +70,5 @@
 ### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
 ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
-## [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md)
-### [Isolating Microsoft Store Apps on Your Network](windows-firewall/isolating-apps-on-your-network.md)
-### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md)
-### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
-### [Windows Firewall with Advanced Security Design Guide](windows-firewall/windows-firewall-with-advanced-security-design-guide.md)
-#### [Understanding the Windows Firewall with Advanced Security Design Process](windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md)
-#### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
-##### [Protect Devices from Unwanted Network Traffic](windows-firewall/protect-devices-from-unwanted-network-traffic.md)
-##### [Restrict Access to Only Trusted Devices](windows-firewall/restrict-access-to-only-trusted-devices.md)
-##### [Require Encryption When Accessing Sensitive Network Resources](windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md)
-##### [Restrict Access to Only Specified Users or Computers](windows-firewall/restrict-access-to-only-specified-users-or-devices.md)
-#### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security 
Design](windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
-##### [Basic Firewall Policy Design](windows-firewall/basic-firewall-policy-design.md)
-##### [Domain Isolation Policy Design](windows-firewall/domain-isolation-policy-design.md)
-##### [Server Isolation Policy Design](windows-firewall/server-isolation-policy-design.md)
-##### [Certificate-based Isolation Policy Design](windows-firewall/certificate-based-isolation-policy-design.md)
-#### [Evaluating Windows Firewall with Advanced Security Design Examples](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-##### [Firewall Policy Design Example](windows-firewall/firewall-policy-design-example.md)
-##### [Domain Isolation Policy Design Example](windows-firewall/domain-isolation-policy-design-example.md)
-##### [Server Isolation Policy Design Example](windows-firewall/server-isolation-policy-design-example.md)
-##### [Certificate-based Isolation Policy Design Example](windows-firewall/certificate-based-isolation-policy-design-example.md)
-#### [Designing a Windows Firewall with Advanced Security Strategy](windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md)
-##### [Gathering the Information You Need](windows-firewall/gathering-the-information-you-need.md)
-###### [Gathering Information about Your Current Network Infrastructure](windows-firewall/gathering-information-about-your-current-network-infrastructure.md)
-###### [Gathering Information about Your Active Directory Deployment](windows-firewall/gathering-information-about-your-active-directory-deployment.md)
-###### [Gathering Information about Your Computers](windows-firewall/gathering-information-about-your-devices.md)
-###### [Gathering Other Relevant Information](windows-firewall/gathering-other-relevant-information.md)
-##### [Determining the Trusted State of Your 
Computers](windows-firewall/determining-the-trusted-state-of-your-devices.md)
-#### [Planning Your Windows Firewall with Advanced Security Design](windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md)
-##### [Planning Settings for a Basic Firewall Policy](windows-firewall/planning-settings-for-a-basic-firewall-policy.md)
-##### [Planning Domain Isolation Zones](windows-firewall/planning-domain-isolation-zones.md)
-###### [Exemption List](windows-firewall/exemption-list.md)
-###### [Isolated Domain](windows-firewall/isolated-domain.md)
-###### [Boundary Zone](windows-firewall/boundary-zone.md)
-###### [Encryption Zone](windows-firewall/encryption-zone.md)
-##### [Planning Server Isolation Zones](windows-firewall/planning-server-isolation-zones.md)
-##### [Planning Certificate-based Authentication](windows-firewall/planning-certificate-based-authentication.md)
-###### [Documenting the Zones](windows-firewall/documenting-the-zones.md)
-###### [Planning Group Policy Deployment for Your Isolation Zones](windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md)
-####### [Planning Isolation Groups for the Zones](windows-firewall/planning-isolation-groups-for-the-zones.md)
-####### [Planning Network Access Groups](windows-firewall/planning-network-access-groups.md)
-####### [Planning the GPOs](windows-firewall/planning-the-gpos.md)
-######## [Firewall GPOs](windows-firewall/firewall-gpos.md)
-######### [GPO_DOMISO_Firewall](windows-firewall/gpo-domiso-firewall.md)
-######## [Isolated Domain GPOs](windows-firewall/isolated-domain-gpos.md)
-######### [GPO_DOMISO_IsolatedDomain_Clients](windows-firewall/gpo-domiso-isolateddomain-clients.md)
-######### [GPO_DOMISO_IsolatedDomain_Servers](windows-firewall/gpo-domiso-isolateddomain-servers.md)
-######## [Boundary Zone GPOs](windows-firewall/boundary-zone-gpos.md)
-######### [GPO_DOMISO_Boundary](windows-firewall/gpo-domiso-boundary.md)
-######## [Encryption Zone 
GPOs](windows-firewall/encryption-zone-gpos.md)
-######### [GPO_DOMISO_Encryption](windows-firewall/gpo-domiso-encryption.md)
-######## [Server Isolation GPOs](windows-firewall/server-isolation-gpos.md)
-####### [Planning GPO Deployment](windows-firewall/planning-gpo-deployment.md)
-#### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
-### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
-#### [Planning to Deploy Windows Firewall with Advanced Security](windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md)
-#### [Implementing Your Windows Firewall with Advanced Security Design Plan](windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md)
-#### [Checklist: Creating Group Policy Objects](windows-firewall/checklist-creating-group-policy-objects.md)
-#### [Checklist: Implementing a Basic Firewall Policy Design](windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md)
-#### [Checklist: Configuring Basic Firewall Settings](windows-firewall/checklist-configuring-basic-firewall-settings.md)
-#### [Checklist: Creating Inbound Firewall Rules](windows-firewall/checklist-creating-inbound-firewall-rules.md)
-#### [Checklist: Creating Outbound Firewall Rules](windows-firewall/checklist-creating-outbound-firewall-rules.md)
-#### [Checklist: Implementing a Domain Isolation Policy Design](windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md)
-##### [Checklist: Configuring Rules for the Isolated Domain](windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md)
-##### [Checklist: Configuring Rules for the Boundary Zone](windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md)
-##### [Checklist: Configuring Rules for the Encryption 
Zone](windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md)
-##### [Checklist: Configuring Rules for an Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md)
-#### [Checklist: Implementing a Standalone Server Isolation Policy Design](windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md)
-##### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
-##### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
-#### [Checklist: Implementing a Certificate-based Isolation Policy Design](windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md)
-#### [Procedures Used in This Guide](windows-firewall/procedures-used-in-this-guide.md)
-##### [Add Production Devices to the Membership Group for a Zone](windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md)
-##### [Add Test Devices to the Membership Group for a Zone](windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md)
-##### [Assign Security Group Filters to the GPO](windows-firewall/assign-security-group-filters-to-the-gpo.md)
-##### [Change Rules from Request to Require Mode](windows-firewall/change-rules-from-request-to-require-mode.md)
-##### [Configure Authentication Methods](windows-firewall/configure-authentication-methods.md)
-##### [Configure Data Protection (Quick Mode) Settings](windows-firewall/configure-data-protection-quick-mode-settings.md)
-##### [Configure Group Policy to Autoenroll and Deploy Certificates](windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md)
-##### [Configure Key Exchange (Main Mode) Settings](windows-firewall/configure-key-exchange-main-mode-settings.md)
-##### [Configure the Rules to Require Encryption](windows-firewall/configure-the-rules-to-require-encryption.md)
-##### [Configure the Windows Firewall Log](windows-firewall/configure-the-windows-firewall-log.md)
-##### [Configure the Workstation Authentication Certificate Template](windows-firewall/configure-the-workstation-authentication-certificate-template.md)
-##### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
-##### [Confirm That Certificates Are Deployed Correctly](windows-firewall/confirm-that-certificates-are-deployed-correctly.md)
-##### [Copy a GPO to Create a New GPO](windows-firewall/copy-a-gpo-to-create-a-new-gpo.md)
-##### [Create a Group Account in Active Directory](windows-firewall/create-a-group-account-in-active-directory.md)
-##### [Create a Group Policy Object](windows-firewall/create-a-group-policy-object.md)
-##### [Create an Authentication Exemption List Rule](windows-firewall/create-an-authentication-exemption-list-rule.md)
-##### [Create an Authentication Request Rule](windows-firewall/create-an-authentication-request-rule.md)
-##### [Create an Inbound ICMP Rule](windows-firewall/create-an-inbound-icmp-rule.md)
-##### [Create an Inbound Port Rule](windows-firewall/create-an-inbound-port-rule.md)
-##### [Create an Inbound Program or Service Rule](windows-firewall/create-an-inbound-program-or-service-rule.md)
-##### [Create an Outbound Port Rule](windows-firewall/create-an-outbound-port-rule.md)
-##### [Create an Outbound Program or Service Rule](windows-firewall/create-an-outbound-program-or-service-rule.md)
-##### [Create Inbound Rules to Support RPC](windows-firewall/create-inbound-rules-to-support-rpc.md)
-##### [Create WMI Filters for the GPO](windows-firewall/create-wmi-filters-for-the-gpo.md)
-##### [Enable Predefined Inbound Rules](windows-firewall/enable-predefined-inbound-rules.md)
-##### [Enable 
Predefined Outbound Rules](windows-firewall/enable-predefined-outbound-rules.md)
-##### [Exempt ICMP from Authentication](windows-firewall/exempt-icmp-from-authentication.md)
-##### [Link the GPO to the Domain](windows-firewall/link-the-gpo-to-the-domain.md)
-##### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
-##### [Open the Group Policy Management Console to IP Security Policies](windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md)
-##### [Open the Group Policy Management Console to Windows Firewall](windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md)
-##### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
-##### [Open Windows Firewall with Advanced Security](windows-firewall/open-windows-firewall-with-advanced-security.md)
-##### [Restrict Server Access to Members of a Group Only](windows-firewall/restrict-server-access-to-members-of-a-group-only.md)
-##### [Turn on Windows Firewall and Configure Default Behavior](windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md)
-##### [Verify That Network Traffic Is Authenticated](windows-firewall/verify-that-network-traffic-is-authenticated.md)
-
 ## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 321cfccf77..d08c52de33 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -93,16 +93,16 @@ The permissions attached to an object depend on the type of object. For example, When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print. -When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](http://technet.microsoft.com/library/cc770962.aspx). +When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](https://technet.microsoft.com/library/cc770962.aspx). **Note**   -Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](http://technet.microsoft.com/library/cc754178.aspx). +Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](https://technet.microsoft.com/library/cc754178.aspx).   ### Ownership of objects -An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](http://technet.microsoft.com/library/cc732983.aspx). 
+An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](https://technet.microsoft.com/library/cc732983.aspx). ### Inheritance of permissions diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index 7ac2f1da1b..18260aeb64 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md @@ -351,7 +351,7 @@ Because it is impossible to predict the specific errors that will occur for any **Important**   Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer. -For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/). +For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/). ### Read-only domain controllers and the KRBTGT account 
@@ -497,11 +497,11 @@ After the default local accounts are installed, these accounts reside in the Use
 You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner.
-For more information about creating and managing local user accounts in Active Directory, see [Manage Local Users](http://technet.microsoft.com/library/cc731899.aspx).
+For more information about creating and managing local user accounts in Active Directory, see [Manage Local Users](https://technet.microsoft.com/library/cc731899.aspx).
 You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network.
-You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool. For more information, see [Microsoft Security Compliance Manager](http://technet.microsoft.com/library/cc677002.aspx).
+You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool. For more information, see [Microsoft Security Compliance Manager](https://technet.microsoft.com/library/cc677002.aspx).
 Some of the default local user accounts are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object.
This security descriptor is present on the AdminSDHolder object. @@ -585,7 +585,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s 2. Create computer accounts for the new workstations. - > **Note**  You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). + > **Note**  You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif) diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 4d1ebc58cb..d0a9735761 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -312,14 +312,14 @@ The following tables provide descriptions of the default groups that are located
          - + - + @@ -1270,7 +1270,7 @@ Members of the DnsUpdateProxy group are DNS clients. They are permitted to perfo However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. -For information, see [DNS Record Ownership and the DnsUpdateProxy Group](http://technet.microsoft.com/library/dd334715.aspx). +For information, see [DNS Record Ownership and the DnsUpdateProxy Group](https://technet.microsoft.com/library/dd334715.aspx). This security group has not changed since Windows Server 2008. @@ -2180,7 +2180,7 @@ This group appears as a SID until the domain controller is made the primary doma   -For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](http://technet.microsoft.com/library/f5c70774-25cd-4481-8b7a-3d65c86e69b1). +For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](https://technet.microsoft.com/library/f5c70774-25cd-4481-8b7a-3d65c86e69b1). The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). 
@@ -3105,7 +3105,7 @@ Members of the Remote Management Users group can access WMI resources over manag
 The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands.
-For more information, see [What's New in MI?](https://msdn.microsoft.com/library/jj819828(v=vs.85).aspx) and [About WMI](http://msdn.microsoft.com/library/aa384642.aspx).
+For more information, see [What's New in MI?](https://msdn.microsoft.com/library/jj819828(v=vs.85).aspx) and [About WMI](https://msdn.microsoft.com/library/aa384642.aspx).
 This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions.
@@ -3171,7 +3171,7 @@ In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or c
 However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see:
-- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](http://msdn.microsoft.com/library/windows/desktop/ff384840.aspx)
+- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](https://msdn.microsoft.com/library/windows/desktop/ff384840.aspx)
 - [DFS Namespaces and DFS Replication Overview](https://technet.microsoft.com/library/jj127250(v=ws.11).aspx)
 This security group has not changed since Windows Server 2008.
@@ -3237,7 +3237,7 @@ The group is authorized to make schema changes in Active Directory. By default,
 The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory.
-For more information, see [What Is the Active Directory Schema?: Active Directory](http://technet.microsoft.com/library/cc784826.aspx).
+For more information, see [What Is the Active Directory Schema?: Active Directory](https://technet.microsoft.com/library/cc784826.aspx).
 The Schema Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
@@ -3408,7 +3408,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper
 Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
-For more information about this security group, see [Terminal Services License Server Security Group Configuration](http://technet.microsoft.com/library/cc775331.aspx).
+For more information about this security group, see [Terminal Services License Server Security Group Configuration](https://technet.microsoft.com/library/cc775331.aspx).
 The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index cdfbc8c21a..b7b1c25886 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.date: 04/19/2017
+ms.date: 07/30/2018
 ---
 # Local Accounts
@@ -82,7 +82,7 @@ The default Administrator account is initially installed differently for Windows In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required. -In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. +In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. 
You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**. **Account group membership** 
@@ -94,13 +94,13 @@ The Administrator account cannot be deleted or removed from the Administrators g Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer. -You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see [Disable or activate a local user account](http://technet.microsoft.com/library/cc732112.aspx) and [Rename a local user account](http://technet.microsoft.com/library/cc725595.aspx). +You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see [Disable or activate a local user account](https://technet.microsoft.com/library/cc732112.aspx) and [Rename a local user account](https://technet.microsoft.com/library/cc725595.aspx). As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see [Run a program with administrative credentials](https://technet.microsoft.com/en-us/library/cc732200.aspx). In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. 
The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers. -In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](http://technet.microsoft.com/library/hh831791.aspx). +In this case, Group Policy can be used to enable secure settings that can control the use of the local Administrators group automatically on every server or client computer. For more information about Group Policy, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx). **Note**   Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic. 
@@ -114,11 +114,11 @@ Even when the Administrator account has been disabled, it can still be used to g ### Guest account -The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary. +The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary. **Account group membership** -By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. +By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. **Security considerations** 
@@ -159,7 +159,7 @@ To grant the account Administrators group file permissions does not implicitly g ## How to manage local user accounts -The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC), a collection of administrative tools that you can use to manage a single local or remote computer. For more information about creating and managing local user accounts, see [Manage Local Users](http://technet.microsoft.com/library/cc731899.aspx). +The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC), a collection of administrative tools that you can use to manage a single local or remote computer. For more information about creating and managing local user accounts, see [Manage Local Users](https://technet.microsoft.com/library/cc731899.aspx). You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner. 
@@ -475,7 +475,7 @@ Passwords can be randomized by: - Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools. -- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator account’s password via GPO](http://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789). +- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator account’s password via GPO](https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789). **Note**   This tool is not supported by Microsoft. There are some important considerations to make before deploying this tool because this tool requires client-side extensions and schema extensions to support password generation and storage. diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md index e2fb4669aa..f1071d55e7 100644 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ b/windows/security/identity-protection/access-control/microsoft-accounts.md @@ -52,7 +52,7 @@ Credential information is encrypted twice. The first encryption is based on the Blank passwords are not allowed. - For more information, see [Microsoft Account Security Overview](http://www.microsoft.com/account/security/default.aspx). + For more information, see [Microsoft Account Security Overview](https://www.microsoft.com/account/security/default.aspx). - **Secondary proof of identity is required**. 
@@ -118,13 +118,13 @@ The following Group Policy settings help control the use of Microsoft accounts i This setting controls whether users can provide Microsoft accounts for authentication for applications or services. -If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. -This applies both to existing users of a device and new users who may be added. +If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. +This applies both to existing users of a device and new users who may be added. -However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. +However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. -If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. +If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. By default, this setting is **Disabled**. This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. 
@@ -135,7 +135,7 @@ Computer Configuration\Administrative Templates\Windows Components\Microsoft acc #### Accounts: Block Microsoft accounts -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. There are two options if this setting is enabled: diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md index ff297b1517..c210880baa 100644 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ b/windows/security/identity-protection/access-control/service-accounts.md 
@@ -74,7 +74,7 @@ A 64-bit architecture is required to run the Windows PowerShell commands that ar A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) should always be explicitly configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail. **Note**   -Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](http://technet.microsoft.com/library/dd560670(WS.10).aspx). +Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](https://technet.microsoft.com/library/dd560670(WS.10).aspx).   
@@ -92,7 +92,7 @@ Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$. -For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](http://technet.microsoft.com/library/dd548356.aspx). +For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](https://technet.microsoft.com/library/dd548356.aspx). ### Software requirements diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 2147976e2f..37b2f2e983 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md 
@@ -18,20 +18,20 @@ ms.date: 08/31/2017 Prefer video? See [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the **Deep Dive into Windows Defender Credential Guard** video series. - + Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. - -Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. + +Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. ## Wi-fi and VPN Considerations -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. +When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. 
## Kerberos Considerations When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead. ## 3rd Party Security Support Providers Considerations -Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. +Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. 
For more info, see [Restrictions around Registering and Installing a Security Package](https://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. ## Upgrade Considerations As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard. @@ -44,19 +44,19 @@ Starting with Windows 10, version 1511, domain credentials that are stored with - When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials. ## Clearing TPM Considerations -Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. +Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost. ->[!WARNING] +>[!WARNING] > Clearing the TPM results in loss of protected data for all features that use VBS to protect data.
          > When a TPM is cleared ALL features, which use VBS to protect data can no longer decrypt their protected data. As a result Credential Guard can no longer decrypt protected data. VBS creates a new TPM protected key for Credential Guard. Credential Guard uses the new key to protect new data. However, the previously protected data is lost forever. ->[!NOTE] -> Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. +>[!NOTE] +> Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup. ### Windows credentials saved to Credential Manager -Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. +Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard. ### Domain-joined device’s automatically provisioned public key Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication). 
@@ -66,17 +66,17 @@ Since Credential Guard cannot decrypt the protected private key, Windows uses th Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). ### Breaking DPAPI on domain-joined devices -On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible. +On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible. ->[!IMPORTANT] +>[!IMPORTANT] > Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
          -Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. +Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost. If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following. -Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller: +Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller: -|Credential Type | Windows 10 version | Behavior +|Credential Type | Windows 10 version | Behavior |---|---|---| | Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. | | Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected. 
@@ -86,7 +86,7 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted. #### Impact of DPAPI failures on Windows Information Protection -When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed. +When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed. **Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 40b59a9301..66069f5d73 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
@@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 05/18/2018 +ms.date: 09/04/2018 --- # Manage Windows Defender Credential Guard @@ -19,7 +19,7 @@ ms.date: 05/18/2018 Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series. ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. 
@@ -33,10 +33,10 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will 4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp.png) - + 5. Close the Group Policy Management Console. -To enforce processing of the group policy, you can run ```gpupdate /force```. +To enforce processing of the group policy, you can run ```gpupdate /force```. ### Enable Windows Defender Credential Guard by using the registry @@ -47,9 +47,9 @@ If you don't use Group Policy, you can enable Windows Defender Credential Guard Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. -If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. +If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). -> [!NOTE] +> [!NOTE] If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.   
@@ -58,7 +58,7 @@ If you enable Windows Defender Credential Guard by using Group Policy, the steps 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. 3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Select the **Isolated User Mode** check box at the top level of the feature selection. +4. Select the **Isolated User Mode** check box at the top level of the feature selection. 5. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** @@ -73,7 +73,7 @@ If you enable Windows Defender Credential Guard by using Group Policy, the steps dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` -> [!NOTE] +> [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. #### Enable virtualization-based security and Windows Defender Credential Guard @@ -89,8 +89,8 @@ If you enable Windows Defender Credential Guard by using Group Policy, the steps 4. Close Registry Editor. -> [!NOTE] -> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. +> [!NOTE] +> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](https://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. ### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool 
@@ -98,7 +98,7 @@ If you enable Windows Defender Credential Guard by using Group Policy, the steps You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot +DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot ``` ### Review Windows Defender Credential Guard performance 
@@ -112,20 +112,20 @@ You can view System Information to check that Windows Defender Credential Guard 3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. Here's an example: - + ![System Information](images/credguard-msinfo32.png) You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.2.ps1 -Ready +DG_Readiness_Tool_v3.5.ps1 -Ready ``` > [!NOTE] For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. -- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. +- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. - You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. 
@@ -137,7 +137,7 @@ For client machines that are running Windows 10 1703, LsaIso.exe is running when - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. - + ## Disable Windows Defender Credential Guard To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy. 
@@ -148,34 +148,34 @@ To disable Windows Defender Credential Guard, you can use the following set of p - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - > [!IMPORTANT] + > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. 3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ``` syntax mountvol X: /s - + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - + mountvol X: /d - + ``` 2. Restart the PC. 3. Accept the prompt to disable Windows Defender Credential Guard. 4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. -> [!NOTE] +> [!NOTE] > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. 
If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). @@ -186,7 +186,7 @@ For more info on virtualization-based security and Windows Defender Device Guard You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot +DG_Readiness_Tool_v3.5.ps1 -Disable -AutoReboot ``` #### Disable Windows Defender Credential Guard for a virtual machine diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index f63762b17a..2e605bc8fe 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -1,6 +1,6 @@ --- title: Windows Defender Credential Guard Requirements (Windows 10) -description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options. +description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
@@ -16,7 +16,7 @@ ms.date: 01/12/2018 - Windows 10 - Windows Server 2016 -Prefer video? See +Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series. @@ -36,14 +36,14 @@ The Virtualization-based security requires: - CPU virtualization extensions plus extended page tables - Windows hypervisor -### Windows Defender Credential Guard deployment in virtual machines +### Windows Defender Credential Guard deployment in virtual machines Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host. #### Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. +- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/) 
@@ -51,14 +51,14 @@ For information about Windows Defender Remote Credential Guard hardware and soft ## Application requirements -When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. +When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. ->[!WARNING] +>[!WARNING] > Enabling Windows Defender Credential Guard on domain controllers is not supported.
          -> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. +> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. >[!NOTE] -> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). +> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). Applications will break if they require: - Kerberos DES encryption support 
@@ -71,32 +71,32 @@ Applications will prompt and expose credentials to risk if they require: - Credential delegation - MS-CHAPv2 -Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process. +Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process. -Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard. +Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard. See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) ## Security considerations -All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard. -Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. +All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard. +Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. -> [!NOTE] +> [!NOTE] > Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
          > If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
          ### Baseline protections -|Baseline Protections | Description | Security benefits +|Baseline Protections | Description | Security benefits |---|---|---| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | Hardware: **CPU virtualization extensions**,
          plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
          One of the following virtualization extensions:
          • VT-x (Intel) or
          • AMD-V
          And:
          • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | | Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
          [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. 
| +| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

          Important:
          Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.

          |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | > [!IMPORTANT] @@ -126,11 +126,11 @@ The following tables describe baseline protections, plus protections for improve
          -### 2017 Additional security qualifications starting with Windows 10, version 1703 +### 2017 Additional security qualifications starting with Windows 10, version 1703 -The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. +The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. | Protections for Improved Security | Description | Security Benefits |---|---|---| | Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
          • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
          • UEFI runtime service must meet these requirements:
              - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
              - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
              - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                  - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                  - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

          Notes:
          • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
          • This protection is applied by VBS on OS page tables.


          Please also note the following:
          • Do not use sections that are both writeable and executable
          • Do not attempt to directly modify executable system memory
          • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
          • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
          • Reduces the attack surface to VBS from system firmware.
          • Blocks additional security attacks against SMM. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
          • Reduces the attack surface to VBS from system firmware.
          • Blocks additional security attacks against SMM. | diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 39efca9686..d541979fb9 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -35,9 +35,9 @@ By enabling Windows Defender Credential Guard, the following features and soluti - [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert) - [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode) - [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard) -- [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382) -- [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx) -- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx) +- [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382) +- [What's New in Kerberos Authentication for Windows Server 2012](https://technet.microsoft.com/library/hh831747.aspx) +- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897.aspx) - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)   
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 31116809dd..5bc351b6ed 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
@@ -8,33 +8,37 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium +localizationpriority: high ms.date: 03/20/2018 --- # Multifactor Unlock +**Applies to:** +- Windows 10 + **Requirements:** * Windows Hello for Business deployment (Hybrid or On-premises) -* Hybird Azure AD joined (Hybrid deployments) +* Azure AD joined device (Cloud and Hybrid deployments) +* Hybrid Azure AD joined (Hybrid deployments) * Domain Joined (on-premises deployments) * Windows 10, version 1709 * Bluetooth, Bluetooth capable phone - optional Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. +Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. -Which organizations can take advantage of Multifactor unlock? Those who: +Which organizations can take advantage of Multi-factor unlock? Those who: * Have expressed that PINs alone do not meet their security needs. * Want to prevent Information Workers from sharing credentials. * Want their organizations to comply with regulatory two-factor authentication policy. -* Want to retain the familiar Windows logon UX and not settle for a custom solution. +* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution. -You enable multifactor unlock using Group Policy. 
The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. +You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. ## The Basics: How it works -First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration. Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop. +First unlock factor credential provider and Second unlock credential provider are responsible for the bulk of the configuration. Each of these components contains a globally unique identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credential provider from each category before Windows allows the user to proceed to their desktop. The policy setting has three components: * First unlock factor credential provider @@ -60,7 +64,7 @@ Supported credential providers include: The default credential providers for the **First unlock factor credential provider** include: * PIN * Fingerprint -* Facial Recongition +* Facial Recognition The default credential providers for the **Second unlock factor credential provider** include: * Trusted Signal 
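Review bot: The front-matter key on the new side is `localizationpriority: high`, replacing `ms.localizationpriority: medium`; hello-adequate-domain-controllers.md in this same commit keeps the `ms.` prefix, so dropping it here looks accidental and would likely leave this page without a recognized localization priority. If the intent was only to raise the priority, the line should read `ms.localizationpriority: high`. The hunk starts at the file's front matter, which is partly outside my view.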
@@ -76,7 +80,7 @@ For example, if you include the PIN and fingerprint credential providers in both The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. ### Rule element -You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported scheam version is 1.0.
          +You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
          **Example** ``` @@ -89,9 +93,10 @@ Each rule element has a **signal** element. All signal elements have a **type** |Attribute|Value| |---------|-----| | type| "bluetooth" or "ipConfig" (Windows 10, version 1709)| +| type| "wifi" (Windows 10, version 1803) #### Bluetooth -You define the bluetooth signal with additional attribute in the signal elment. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". +You define the bluetooth signal with additional attribute in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". |Attribute|Value|Required| |---------|-----|--------| @@ -188,13 +193,61 @@ The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IP 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` ##### dnsSuffix -The fully qualified domain name of your -s internal dns suffix where any part of the fully qualified domain name in this setting exists in the computer's primary dns suffix. The **signal** element may contain one or more **dnsSuffix** elements.
          +The fully qualified domain name of your organizations internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
          **Example** ``` corp.contoso.com ``` +#### Wi-Fi + +**Applies to:** +- Windows 10, version 1803 + +You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. + +#### SSID +Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
          +``` +corpnetwifi +``` + +#### BSSID +Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
          +**Example** +``` +12-ab-34-ff-e5-46 +``` + +#### Security +Contains the type of security the client uses when connecting to the wireless network. The security element is required and must contain one of the following values:
          + +|Value | Description| +|:----:|:-----------| +|Open| The wireless network is an open network that does not require any authentication or encryption.| +|WEP| The wireless network is protected using Wired Equivalent Privacy.| +|WPA-Personal| The wireless network is protected using Wi-Fi Protected Access.| +|WPA-Enterprise| The wireless network is protected using Wi-Fi Protected Access-Enterprise.| +|WPA2-Personal| The wireless network is protected using Wi-Fi Protected Access 2, which typically uses a pre-shared key.| +|WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.| + +**Example** +``` +WPA2-Enterprise +``` +#### TrustedRootCA +Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
          +**Example** +``` +a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa +``` +#### Sig_quality +Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
          +**Example** +``` +80 +``` + ### Sample Trusted Signal Congfigurations These examples are wrapped for readability. Once properly formatted, the entire XML contents must be a single line. @@ -240,7 +293,19 @@ This example configures the same as example 2 using compounding And elements. T
          ``` - +#### Example 4 +This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) +``` + + + contoso + 12-ab-34-ff-e5-46 + WPA2-Enterprise + a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa + 80 + + +``` ## Deploying Multifactor Unlock 
@@ -249,7 +314,7 @@ This example configures the same as example 2 using compounding And elements. T ### How to configure Multifactor Unlock policy settings -You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes muiltifactor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709. +You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
@@ -278,7 +343,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. ## Troubleshooting -Mulitfactor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. +Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. ### Events diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 4aa79711f4..69c2f928e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -9,15 +9,14 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/20/2018 --- # Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments **Applies to** -- Windows 10 - - ->This section only applies to Hybrid and On-premises key trust deployments. +- Windows 10, version 1702 or later +- Hybrid or On-Premises deployment +- Key trust ## How many is adequate 
@@ -29,23 +28,23 @@ Determining an adequate number of Windows Server 2016 domain controllers is impo Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following. -![dc-chart1](images/dc-chart1.png) +![dc-chart1](images/plan/dc-chart1.png) The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following. -![dc-chart2](images/dc-chart2.png) +![dc-chart2](images/plan/dc-chart2.png) The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients. -![dc-chart3](images/dc-chart3.png) +![dc-chart3](images/plan/dc-chart3.png) Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers--each supporting 50 percent of the load. 
But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same. -![dc-chart4](images/dc-chart4.png) +![dc-chart4](images/plan/dc-chart4.png) Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment. -![dc-chart5](images/dc-chart5.png) +![dc-chart5](images/plan/dc-chart5.png) You'll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 11cf729dd4..4602d7703e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -15,7 +15,6 @@ ms.date: 07/27/2017 **Applies to** - Windows 10 -- Windows 10 Mobile When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 38f8220dc6..aa575dd8a2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -7,15 +7,15 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: DaniHalfin +author: mikestephens-MS +ms.author: mstephen ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +ms.date: 08/19/2018 --- # Windows Hello biometrics in the enterprise -**Applies to:** +**Applies to:** - Windows 10 Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. 
@@ -82,7 +82,6 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219)   diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index d4cda1fcb1..570b69dde7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -8,17 +8,18 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 03/26/2018 +localizationpriority: high +ms.date: 08/19/2018 --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. 
@@ -43,7 +44,7 @@ Sign-in the federation server with _local admin_ equivalent credentials. ## Enroll for a TLS Server Authentication Certificate -Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. +Windows Hello for Business on-premises deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: * Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) 
@@ -57,9 +58,9 @@ It’s recommended that you mark the private key as exportable so that the same Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. -### Internal Server Authentication Certificate Enrollment +### Internal Web Server Authentication Certificate Enrollment +Sign-in the federation server with domain administrator equivalent credentials. -Sign-in the federation server with domain admin equivalent credentials. 1. Start the Local Computer **Certificate Manager** (certlm.msc). 2. Expand the **Personal** node in the navigation pane. 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. @@ -135,7 +136,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Right-click the **Users** container, Click **New**. Click **User**. 3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. -4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box. 5. Click **Next** and then click **Finish**. ## Configure the Active Directory Federation Service Role 
@@ -147,11 +148,11 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. -Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) +Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. +![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. 
@@ -160,35 +161,34 @@ Sign-in the federation server with _Domain Admin_ equivalent credentials. These 8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. 9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. 10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. ### Windows Server 2008 or 2008 R2 Domain Controllers Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. -Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) +Sign-in the federation server with _domain administrator_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. +![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) 3. 
On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. 6. Select the federation service name from the **Federation Service Name** list. 7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. - * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. -13. Do not restart the AD FS server. You will do this later. +8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. 
On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. +13. Do not restart the AD FS server. You will do this later. ### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group -The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. +The **KeyCredential Administrators** global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. 1. Open **Active Directory Users and Computers**. @@ -205,7 +205,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Configure Permissions for Key Registration -Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. +Key Registration stores the Windows Hello for Business public key in Active Directory. With on-premises deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. 
@@ -217,7 +217,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. 6. In the **Applies to** list box, select **Descendant User objects**. 7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. -8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. 9. Click **OK** three times to complete the task. ## Configure the Device Registration Service @@ -251,7 +251,7 @@ Before you continue with the deployment, validate your deployment progress by re ## Prepare and Deploy AD FS Registration Authority -A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. +A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. ### Configure Registration Authority template 
@@ -263,22 +263,23 @@ The registration authority template you configure depends on the AD FS service c >Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. #### Windows 2012 or later domain controllers +Sign-in a certificate authority or management workstations with _domain administrator_ equivalent credentials. -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority Management** console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. +> [!NOTE] +> The preceding step is very important. 
Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. -9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. -10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -12. Close the console. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 
+12. Close the console. #### Windows 2008 or 2008R2 domain controllers @@ -298,7 +299,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +Sign-in a certificate authority or management workstations with _domain administrator equivalent_ credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. @@ -318,7 +319,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq #### Mark the template as the Windows Hello Sign-in template -Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials. 1. Open an elevated command prompt. 2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` @@ -338,7 +339,7 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi ### Configure the Registration Authority -Sign-in the AD FS server with Domain Admin equivalent credentials. +Sign-in the AD FS server with domain administrator equivalent credentials. 1. Open a **Windows PowerShell** prompt. 2. Type the following command 
@@ -378,7 +379,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 2. Click **Manage** and then click **Add Roles and Features**. 3. Click **Next** On the **Before you begin** page. 4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. 8. Click **Install** to start the feature installation 
@@ -412,7 +413,7 @@ Sign-in a node of the federation farm with _Admin_ equivalent credentials. ## Configure DNS for Device Registration -Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. +Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. 1. Open the **DNS Management** console. 2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index cad539f4e1..e8ac53a3f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md 
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/5/2018 +ms.date: 08/19/2018 --- # Configure or Deploy Multifactor Authentication Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. @@ -29,7 +30,7 @@ The Azure MFA Server and User Portal servers have several prerequisites and must ### Primary MFA Server -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. 
@@ -54,7 +55,7 @@ A server authentication certificate should appear in the computer’s Personal c #### Install the Web Server Role -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. +The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. 
@@ -89,7 +90,7 @@ Sign in the primary MFA server with _administrator_ equivalent credentials. #### Configure the Web Service’s Security -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. +The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the **Phonefactor Admins** security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the **Phonefactor Admins** security group. Sign in the domain controller with _domain administrator_ equivalent credentials.
@@ -160,7 +161,7 @@ A server authentication certificate should appear in the computer’s Personal c #### Install the Web Server Role -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not requiret this. +To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this. #### Update the Server
@@ -172,7 +173,7 @@ To do this, please follow the instructions mentioned in the previous [Configure #### Create WebServices SDK user account -The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. +The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. 1. Open **Active Directory Users and Computers**. 2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. 
@@ -234,12 +235,12 @@ Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. 2. Click **Company Settings**. 3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. 4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. + **Note:** You can use the mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. 5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. 6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. 7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. 8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. 
Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +9. Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal. 10. Configure the minimum length for the PIN. 11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. 12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. 
@@ -255,9 +256,9 @@ Now that you have imported or synchronized with your Azure Multi-Factor Authenti With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. 
When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. +If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. #### Settings
@@ -304,7 +305,7 @@ Sign in the primary MFA server with _MFA administrator_ equivalent credentials. 2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. 3. Click the **Synchronization** tab. 4. Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance. #### Synchronization
@@ -352,7 +353,7 @@ The Web Service SDK section allows the administrator to install the Multi-Factor Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. ## Install Secondary MFA Servers
@@ -391,7 +392,7 @@ You previously configured the User Portal settings on the primary MFA server. T Sign in the primary MFA server with _local administrator_ equivalent credentials. 1. Open Windows Explorer. -2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. +2. Browse to the C:\Program Files\MultiFactor Authentication Server folder. 3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. ### Configure Virtual Directory name
@@ -410,7 +411,7 @@ Sign in the User Portal server with _local administrator_ equivalent credentials 2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. 3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. 4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **web.config** file after changes have been made. ### Create a DNS entry for the User Portal web site
@@ -453,7 +454,7 @@ Sign in the primary MFA server with _MFA administrator_ equivalent credentials. 3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. The Multi-Factor Authentication Server uses this information when sending emails to users. 4. Select Allow users to log in and Allow user enrollment check boxes. -5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. +5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method. 6. Select Allow users to select language. 7. Select Use security questions for fallback and select 4 from the Questions to answer list.
@@ -495,7 +496,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia 2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. 3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. 4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. 
If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. ### Edit the AD FS Adapter Windows PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index e15da1d342..97f8ceee36 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +ms.date: 08/20/2018 --- # Configure Windows Hello for Business Policy settings **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
@@ -103,7 +104,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. ### Use biometrics 
@@ -132,7 +133,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m Before you continue with the deployment, validate your deployment progress by reviewing the following items: * Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) -* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. +* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting. * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) * Confirm you configured the proper security settings for the Group Policy object * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 2fa60f6b13..9c64a37ec4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -6,19 +6,20 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +ms.date: 08/19/2018 --- # Validate Active Directory prerequisites **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. -The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. +The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. 
@@ -28,7 +29,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i “schema”``` -![Netdom example output](images\hello-cmd-netdom.png) +![Netdom example output](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
@@ -36,7 +37,7 @@ The command should return the name of the domain controller where you need to ad Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. +Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. 1. Open an elevated command prompt. 2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
@@ -48,7 +49,7 @@ Sign-in to the domain controller hosting the schema master operational role usin The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. +Sign-in a domain controller or management workstation with domain administrator equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click **View** and click **Advance Features**.
@@ -61,7 +62,7 @@ Sign-in a domain controller or management workstation with Domain Admin equivale The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. +Sign-in a domain controller or management workstation with domain administrator equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click **View** and click **Advanced Features**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index 00290c9fef..63ea357adc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -6,23 +6,24 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: mikestephens-MS +ms.author: mstephen ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +ms.date: 08/19/2018 --- # Validate and Deploy Multifactor Authentication Services (MFA) **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. * **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. -* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. +* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios. * **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. 
* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 802e517e38..294064bd90 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.localizationpriority: medium -ms.author: daniha -ms.date: 09/01/2017 +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 08/19/2018 --- # Validate and Configure Public Key Infrastructure **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate.
@@ -60,7 +61,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 
@@ -120,16 +121,16 @@ Sign-in to the certificate authority or management workstation with _Enterprise The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. -Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. +Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials. -7. Close the console. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. 
Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. + * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. +7. Close the console. ### Configure Domain Controllers for Automatic Certificate Enrollment 
@@ -163,7 +164,7 @@ You want to confirm your domain controllers enroll the correct certificates and #### Use the Event Logs -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. +Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServices-Lifecycles-System** event log under **Application and Services/Microsoft/Windows**. Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index cdda9c2ea9..0945e7436d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md 
@@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +ms.date: 08/19/2018 --- # On Premises Certificate Trust Deployment **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 81601d68e7..d2b2d4db85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -9,15 +9,13 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 11/08/2017 +ms.date: 08/29/2018 --- # Windows Hello for Business Deployment Guide **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10, version 1703 or later -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. 
@@ -50,10 +48,11 @@ The trust model determines how you want users to authenticate to the on-premises * The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. Following are the various deployment guides included in this topic: -* [Hybrid Key Trust Deployment](hello-hybrid-key-trust.md) -* [Hybrid Certificate Trust Deployment](hello-hybrid-cert-trust.md) -* [On Premises Key Trust Deployment](hello-deployment-key-trust.md) -* [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) +- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) +- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) +- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) +- [On Premises Key Trust Deployment](hello-deployment-key-trust.md) +- [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) ## Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 6a760736b9..1c7fd1f995 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md 
@@ -9,18 +9,19 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/23/2017 +ms.date: 08/20/2018 --- # On Premises Key Trust Deployment **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. -Below, you can find all the infromation you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: +Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index f98a329631..f5b102d219 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -10,14 +10,13 @@ ms.pagetype: security author: DaniHalfin ms.localizationpriority: medium ms.author: daniha -ms.date: 07/27/2017 +ms.date: 05/05/2018 --- # Windows Hello errors during PIN creation **Applies to** - Windows 10 -- Windows 10 Mobile When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index b25f03be7c..2aac336bfc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -17,7 +17,7 @@ ms.date: 07/27/2017 **Applies to** - Windows 10 -- Windows 10 Mobile + This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md new file mode 100644 index 0000000000..2a7d32efaf --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md 
@@ -0,0 +1,157 @@ +--- +title: Windows Hello for Business Frequently Asked Questions +description: Windows Hello for Business FAQ +keywords: identity, PIN, biometric, Hello, passport +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 08/19/2018 +--- +# Windows Hello for Business Frequently Ask Questions + +**Applies to** +- Windows 10 + +## What about virtual smart cards? +Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future but not date at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends new Windows 10 deployments to use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. + +## What about convenience PIN? +Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business. + +## Can I deploy Windows Hello for Business using System Center Configuration Manager? +Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018. 
+ +## How many users can enroll for Windows Hello for Business on a single Windows 10 computer? +The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available. + +## How can PIN be more secure than a Password? +When using Windows Hello for Business, the PIN is not a symmetric key where is the password is a symmetric key. With passwords, there is a server that has some representation of the password. With Windows Hello for Business, the PIN is user provided entropy used to load the private key in the TPM. The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM protected key, and the TPM that generated that key to successfully have access to the private key. + +The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It is about the difference of providing entropy vs continuing the use of a symmetric key (the password). The TPM has anti-hammering features which thwart brute-force PIN attacks (an attackers continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increased the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. + +## Why is the Key Admins group missing, I have Windows Server 2016 domain controller(s)? +The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. 
To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016. + +## Can I use convenience PIN with Azure AD? +No. If you want to use PIN or biometrics with Azure Active Directory identities on Azure AD registered, Azure AD joined, or hybrid Azure AD joined devices, then you must deploy Windows Hello for Business. + +## Can I use an external camera when my laptop is closed or docked? +No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. + +## What is the password-less strategy? +Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** + +[Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy) + +## What is the user experience for Windows Hello for Business? +The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. + +[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) + +## What happens when my user forgets their PIN? +If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. + +[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience) + +For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. 
Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. + +## What URLs do I need to allow for a hybrid deployment? +Communicating with Azure Active Directory uses the following URLs: +- enterpriseregistration.windows.net +- login.microsoftonline.com +- login.windows.net + +If your environment uses Microsoft Intune, you need these additional URLs: +- enrollment.manage-beta.microsoft.com +- enrollment.manage.microsoft.com +- portal.manage-beta.microsoft.com +- portal.manage.microsoft.com + +## What is the difference between non-destructive and destructive PIN Reset? +Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provided a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user does not delete the current credential and obtain a new one. Read [PIN Reset](hello-features.md#pin-reset) from our [Windows Hello for Business Features](hello-features.md) page for more information. + +Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. 
On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services. + +## Which is better or more secure: Key trust or Certificate trust? +The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware backed, two-factor credential. The difference between the two trust types are: +- Required domain controllers +- Issuing end entity certificates + +The **key trust** model authenticates to Active Directory using a raw key. Windows Server 2016 domain controllers enables this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you do not need to issue certificates to your end users (domain controller certificates are still needed). +The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority. + +## Do I need Windows Server 2016 domain controllers? +There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. 
Choose the deployment option that best suits your environment + +## What attributes are synchronized by Azure AD Connect with Windows Hello for Business? +Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes. + +## Is Windows Hello for Business multifactor authentication? +Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". + +## What are the biometric requirements for Windows Hello for Business? +Read [Windows Hello biometric requirements](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. + +## Can I use PIN and biometrics to unlock my device? 
+Starting in Windows 10, version 1709, you can use multi-factor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](feature-multifactor-unlock.md). + +## What is the difference between Windows Hello and Windows Hello for Business? +Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. + +## Why can I not enroll biometrics for my local built-in Administrator? +Windows 10 does not allow the local administrator to enroll biometric gestures(face or fingerprint). + +## I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model? +No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. + +## Does Windows Hello for Business prevent the use of simple PINs? +Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. This prevents repeating numbers, sequential numbers and simple patterns. 
+So, for example: +* 1111 has a constant delta of 0, so it is not allowed +* 1234 has a constant delta of 1, so it is not allowed +* 1357 has a constant delta of 2, so it is not allowed +* 9630 has a constant delta of -3, so it is not allowed +* 1231 does not have a constant delta, so it is okay +* 1593 does not have a constant delta, so it is okay + +This algorithm does not apply to alphanumeric PINs. + +## How does PIN caching work with Windows Hello for Business? + +Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. + +Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN. + +The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. + +## Can I disable the PIN while using Windows Hello for Business? +No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. 
Disabling or hiding the PIN credential provider disabled the use of biometrics. + +## How keys are protected? +Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software + +Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to re-authenticate to the IDP before the IDP allows him or her to re-register). + +## Can Windows Hello for Business work in air gapped environments? +Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require Internet connectivity to achieve an air-gapped Windows Hello for Business deployment. + +## Can I use third-party authentication providers with Windows Hello for Business? +Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). + +## Does Windows Hello for Business work with third party federation servers? +Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. 
Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) + +| Protocol | Description | +| :---: | :--- | +| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/en-us/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | +| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | +| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/en-us/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | +| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. | + +## Does Windows Hello for Business work with Mac and Linux clients? +Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. 
Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) + diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index 5f06ce94b9..5efa0cb2b4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -9,18 +9,21 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 3/5/2018 +localizationpriority: high +ms.date: 05/05/2018 --- # Windows Hello for Business Features +**Applies to:** +- Windows 10 + Consider these additional features you can use after your organization deploys Windows Hello for Business. -* [Conditional access](#conditional-access) -* [Dynamic lock](#dynamic-lock) -* [PIN reset](#pin-reset) -* [Privileged credentials](#privileged-credentials) - +- [Conditional access](#conditional-access) +- [Dynamic lock](#dynamic-lock) +- [PIN reset](#pin-reset) +- [Dual Enrollment](#dual-enrollment) +- [Remote Desktop with Biometrics](#remote-desktop-with-biometrics) ## Conditional access 
@@ -29,21 +32,20 @@ Consider these additional features you can use after your organization deploys W * Hybrid Windows Hello for Business deployment -In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS apps, IT professionals are faced with two opposing goals:+ +In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:+ * Empower the end users to be productive wherever and whenever * Protect the corporate assets at any time -To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain apps even for the right people? For example, it might be OK for you if the right people are accessing certain apps from a trusted network; however, you might not want them to access these apps from a network you don't trust. You can address these questions using conditional access. +To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? 
What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access. Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access. - ## Dynamic lock **Requirements:** * Windows 10, version 1703 -Dynamic lock enables you to configure Windows 10 devices to automatically lock when bluetooth paired device signal falls below the maximum Recieved Signal Stregnth Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Busines**. The name of the policy is **Configure dynamic lock factors**. +Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: 
@@ -78,54 +80,78 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw ## PIN reset +**Applies to:** +- Windows 10, version 1709 or later + + ### Hybrid Deployments **Requirements:** -* Azure Active Directory -* Hybrid Windows Hello for Business deployment -* Modern Management - Microsoft Intune, or compatible mobile device management (MDM) -* Remote reset - Windows 10, version 1703 -* Reset above Lock - Windows 10, version 1709 +- Azure Active Directory +- Hybrid Windows Hello for Business deployment +- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined +- Windows 10, version 1709 or later, **Enterprise Edition** -The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables you to remotely push a PIN reset or enables users to reset their forgotten PIN above the lock screen without requiring reenrollment. +The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. + +>[!IMPORTANT] +> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**. The feature does not work with the **Pro** edition.] #### Onboarding the Microsoft PIN reset service to your Intune tenant -Before you can remotely reset PINs, you must onboard the Microsoft PIN reset service to your Intune or MDM tenant, and configure devices you manage. Follow these instructions to get that set up: +Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage. 
-#### Connect Intune with the PIN reset service +#### Connect Azure Active Directory with the PIN reset service -1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Intune tenant. +1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant. 2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
          +![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png)
          +3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications**, **All applications** blade.
          ![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png) -3. In the Azure portal, you can verify that Intune and the PIN reset service were integrated from the Enterprise applications - All applications blade as shown in the following screenshot:
          -![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png) -4. Log in to [this website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent) using your Intune tenant admin credentials and, again, choose **Accept** to give consent for the service to access your account. -#### Configure Windows devices to use PIN reset +#### Configure Windows devices to use PIN reset using Group Policy +You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. +2. Edit the Group Policy object from step 1. +3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. + +#### Configure Windows devices to use PIN reset using Microsoft Intune To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): -- **For devices** - **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** +##### Create a PIN Reset Device configuration profile using Microsoft Intune -*tenant ID* refers to your Azure Active Directory, Directory ID which you can obtain from the **Properties** page of Azure Active Directory. - -Set the value for this CSP to **True**. 
- -Read the [Steps to reset the passcode](https://docs.microsoft.com/en-us/intune/device-windows-pin-reset#steps-to-reset-the-passcode) section to remotely reset a PIN on an Intune managed device. +1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
          +``` +dsregcmd /status | findstr -snip "tenantid" +``` +3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**. +4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list. +5. In the **Custom OMA-URI Settings** blade, Click **Add**. +6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. +7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. +8. Click **OK** to save the row configuration. Click **OK** to close the **Custom OMA-URI Settings blade. Click **Create** to save the profile. + +##### Assign the PIN Reset Device configuration profile using Microsoft Intune +1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration. +3. In the device configuration profile, click **Assignments**. +4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. ### On-premises Deployments ** Requirements** * Active Directory * On-premises Windows Hello for Business deployment -* Reset from settings - Windows 10, version 1703 -* Reset above Lock - Windows 10, version 1709 +* Reset from settings - Windows 10, version 1703, Professional +* Reset above Lock - Windows 10, version 1709, Professional -On-premises deployments provide users with the ability to reset forgotton PINs either through the settings page or from above the user's lock screen. 
Users must know or be provided their password for authentication, must perform a second factor of authentication, and then reprovision Windows Hello for Business. +On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business. >[!IMPORTANT] ->Users must have corporate network connectivity to domain controllers and the AD FS server to reset their PINs. +>Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs. #### Reset PIN from Settings 1. Sign-in to Windows 10, version 1703 or later using an alternate credential. 
@@ -136,20 +162,108 @@ On-premises deployments provide users with the ability to reset forgotton PINs e 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in 2. Enter your password and press enter. 3. Follow the instructions provided by the provisioning process - 4. When finished, unlock your desktop using your newly creeated PIN. + 4. When finished, unlock your desktop using your newly created PIN. >[!NOTE] -> Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video. +> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. -## Privileged Credentials +## Dual Enrollment **Requirements** * Hybrid and On-premises Windows Hello for Business deployments -* Domain Joined or Hybrid Azure joined devices +* Enterprise Joined or Hybrid Azure joined devices * Windows 10, version 1709 -The privileged credentials scenario enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. +> [!NOTE] +> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature. -By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. 
Using the computer Group Policy setting, Allow enumeration of emulated smart card for all users, you can configure a device to all this enumeration on selected devices. +> [!IMPORTANT] +> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. -With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads. +Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. + +By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. 
+ +With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads. + +> [!IMPORTANT] +> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. + +### Configure Windows Hello for Business Dual Enroll +In this task you will +- Configure Active Directory to support Domain Administrator enrollment +- Configure Dual Enrollment using Group Policy + +#### Configure Active Directory to support Domain Administrator enrollment +The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. 
+ +Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. + +Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. + +1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
          +```dsacls "CN=AdminSDHolder,CN=System,**DC=domain,DC=com**" /g "**[domainName\keyAdminGroup]**":RPWP,msDS-KeyCredentialLink```
          +where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
          +```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net /g "mstepdemo\Key Admins":RPWP,msDS-KeyCredentialLink``` +2. To trigger security descriptor propagation, open **ldp.exe**. +3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**. +4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user. +5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**. +6. Click **Run** to start the task. +7. Close LDP. + +#### Configuring Dual Enrollment using Group Policy +You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object. + +1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. +2. Edit the Group Policy object from step 1. +3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. +5. Restart computers targeted by this Group Policy object. + +The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. 
+ +## Remote Desktop with Biometrics + +> [!Warning] +> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +**Requirements** +- Hybrid and On-premises Windows Hello for Business deployments +- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices +- Certificate trust deployments +- Biometric enrollments +- Windows 10, version 1809 + +Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. + +> [!IMPORTANT] +> The remote desktop with biometrics feature only works with certificate trust deployments. The feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Microsoft continues to investigate supporting this feature for key trust deployments. + +### How does it work +It start with creating cryptographic keys. Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider. + +A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. 
Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key). + +This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). + +Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN. + +### Compatibility +Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. 
You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
+
+![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
+
+> [!IMPORTANT]
+> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.\
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
new file mode 100644
index 0000000000..7ae1ab1d14
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -0,0 +1,91 @@
+---
+title: How Windows Hello for Business works - Authentication
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Windows Hello for Business and Authentication
+
+**Applies to:**
+- Windows 10
+
+Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
          +Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
          + +[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)
          +[Azure AD join authentication to Active Direcotry using a Key](#Azure-AD-join-authentication-to-Active-Direcotry-using-a-Key)
          +[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)
          +[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)
          +[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)
          +
+
+## Azure AD join authentication to Azure Active Directory
+![Azure AD join authentication to Azure Active Directory](images/howitworks/auth-aadj-cloud.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
+|B | The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.|
+|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
+|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
+|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. 
Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+
+[Return to top](#Windows-Hello-for-Business-and-Authentication)
+## Azure AD join authentication to Active Directory using a Key
+![Azure AD join authentication to Active Direotory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png)
+
+
+| Phase | Description |
+| :----: | :----------- |
+|A | Authentication to Active Directory from a Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates an active 2016 domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
+|B | The Kerberos provider sends the signed pre-authentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
          The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+
+
+[Return to top](#Windows-Hello-for-Business-and-Authentication)
+## Azure AD join authentication to Active Directory using a Certificate
+![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A | Authentication to Active Directory from a Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. 
Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider use the private key to sign the Kerberos pre-authentication data.|
+|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
          The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+
+[Return to top](#Windows-Hello-for-Business-and-Authentication)
+## Hybrid Azure AD join authentication using a Key
+![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. 
The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
          The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
+|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. 
After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
          The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
          The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+
+[Return to top](#Windows-Hello-for-Business-and-Authentication)
+## Hybrid Azure AD join authentication using a Certificate
+![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
          The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
+|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. 
After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
          The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
          The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+
+[Return to top](#Windows-Hello-for-Business-and-Authentication)
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
new file mode 100644
index 0000000000..d2f8d995f9
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@@ -0,0 +1,87 @@
+---
+title: How Windows Hello for Business works - Device Registration
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Windows Hello for Business and Device Registration
+
+**Applies to:**
+- Windows 10
+
+Device Registration is a prerequisite to Windows Hello for Business provisioning. Device registration occurs regardless of a cloud, hybrid, or on-premises deployments. For cloud and hybrid deployments, devices register with Azure Active Directory. For on-premises deployments, devices registered with the enterprise device registration service hosted by Active Directory Federation Services (AD FS).
+
+[Azure AD joined in Managed environments](#Azure-AD-joined-in-Managed-environments)
          +[Azure AD joined in Federated environments](#Azure-AD-joined-in-Federated-environments)
          +[Hybrid Azure AD joined in Managed environments](#HybridAzure-AD-joined-in-Managed-environments)
          +[Hybrid Azure AD joined in Federated environments](#Hybrid-Azure-AD-joined-in-Federated-environments)
          +
+
+
+
+## Azure AD joined in Managed environments
+![Azure AD joined in Managed environments](images/howitworks/devreg-aadj-managed.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A | The most common way Azure AD joined devices register with Azure is during the out-of-box-experience (OOBE) where it loads the Azure AD join web application in the Cloud Experience Host (CXH) application. The application sends a GET request to the Azure OpenID configuration endpoint to discover authorization endpoints. Azure returns the OpenID configuration, which includes the authorization endpoints, to application as JSON document.|
+|B | The application builds a sign-in request for the authorization end point and collects user credentials.|
+|C | After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user. This determines if the environment is managed or federated. Azure returns the information in a JSON object. The application determines the environment is managed (non-federated).
          The last step in this phase has the application create an authentication buffer and if in OOBE, temporarily caches it for automatic sign-in at the end of OOBE. The application POSTs the credentials to Azure Active Directory where they are validated. Azure Active Directory returns an ID token with claims.|
+|D | The application looks for MDM terms of use (the mdm_tou_url claim). If present, the application retrieves the terms of use from the claim's value, present the contents to the user, and waits for the user to accept the terms of use. This step is optional and skipped if the claim is not present or if the claim value is empty.|
+|E | The application sends a device registration discovery request to the Azure Device Registration Service (ADRS). Azure DRS returns a discovery data document, which returns tenant specific URIs to complete device registration.|
+|F | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
+|G | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
+|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. 
With device registration complete, the process continues with MDM enrollment.|
+
+[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+## Azure AD joined in Federated environments
+![Azure AD joined in Managed environments](images/howitworks/devreg-aadj-federated.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A | The most common way Azure AD joined devices register with Azure is during the out-of-box-experience (OOBE) where it loads the Azure AD join web application in the Cloud Experience Host (CXH) application. The application sends a GET request to the Azure OpenID configuration endpoint to discover authorization endpoints. Azure returns the OpenID configuration, which includes the authorization endpoints, to application as JSON document.|
+|B | The application builds a sign-in request for the authorization end point and collects user credentials.|
+|C | After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user. This determines if the environment is managed or federated. Azure returns the information in a JSON object. The application determines the environment is managed (non-federated).
          The application redirects to the AuthURL value (on-premises STS sign-in page) in the returned JSON realm object. The application collects credentials through the STS web page.|
+|D | The application POST the credential to the on-premises STS, which may require additional factors of authentication. The on-premises STS authenticates the user and returns a token. The application POSTs the token to Azure Active Directory for authentication. Azure Active Directory validates the token and returns an ID token with claims.|
+|E | The application looks for MDM terms of use (the mdm_tou_url claim). If present, the application retrieves the terms of use from the claim's value, present the contents to the user, and waits for the user to accept the terms of use. This step is optional and skipped if the claim is not present or if the claim value is empty.|
+|F | The application sends a device registration discovery request to the Azure Device Registration Service (ADRS). Azure DRS returns a discovery data document, which returns tenant specific URIs to complete device registration.|
+|G | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
+|H | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
+|I | Device registration completes by receiving the device ID and the device certificate from Azure DRS. 
The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.|
+
+[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+## Hybrid Azure AD joined in Managed environments
+![Hybrid Azure AD joined in Managed environments](images/howitworks/devreg-hybrid-haadj-managed.png)
+
+| Phase | Description |
+| :----: | :----------- |
+| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
+|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
+|C | For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task write the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP.
+|D |The computer cannot authenticate to Azure DRS until a device object representing the computer that includes the certificate on the userCertificate attribute is created in Azure Active Directory. Azure AD Connect detects an attribute change. On the next synchronization cycle, Azure AD Connect sends the userCertificate, object GUID, and computer SID to Azure DRS. 
Azure DRS uses the attribute information to create a device object in Azure Active Directory.|
+|E | The Automatic Device Join task triggers with each user sign-in and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
+|F | The task creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
+|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
+|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
+
+[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+## Hybrid Azure AD joined in Federated environments
+![Hybrid Azure AD joined in Managed environments](images/howitworks/devreg-hybrid-haadj-federated.png)
+
+| Phase | Description |
+| :----: | :----------- |
+| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. 
The user sign-in triggers the Automatic Device Join task.|
+|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
+|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task.
+|D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
+|E | To provide SSO for on-premises federated application, the task requests an enterprise PRT from the on-premises STS. Windows Server 2016 running the Active Directory Federation Services role validate the request and return it the running task.|
+|F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. 
Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
+|G |If device write-back is enabled, on it's next synchronization cycle, Azure AD Connect requests updates from Azure Active Directory. Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.|
+
+[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
new file mode 100644
index 0000000000..2251f953d0
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -0,0 +1,145 @@
+---
+title: How Windows Hello for Business works - Provisioning
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Windows Hello for Business Provisioning
+
+**Applies to:**
+- Windows 10
+
+Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
+- How the device is joined to Azure Active Directory
+- The Windows Hello for Business deployment type
+- If the environment is managed or federated
+
+[Azure AD joined provisioning in a Managed environment](#Azure-AD-joined-provisioning-in-a-Managed-environment)
          +[Azure AD joined provisioning in a Federated environment](#Azure-AD-joined-provisioning-in-a-Federated-environment)
          +[Hybrid Azure AD joined provisioning in a Key Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-Key-Trust-deployment)
          +[Hybrid Azure AD joined provisioning in a Certificate Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-Certificate-Trust-deployment)
          +[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment)
          +[Domain joined provisioning in an On-premises Key Trust deployment](#Domain-joined-provisioning-in-an-Onpremises-Key-Trust-deployment)
          +[Domain joined provisioning in an On-premises Certificate Trust deployment](#Domain-joined-provisioning-in-an-Onpremises-Certificate-Trust-deployment)
          +
+
+
+## Azure AD joined provisioning in a Managed environment
+![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-managed.png)
+
+| Phase | Description |
+| :----: | :----------- |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
          Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
          Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
+
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
+## Azure AD joined provisioning in a Federated environment
+![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png)
+
+| Phase | Description |
+| :----: | :----------- |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
          In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
          Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
          The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
          Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.|
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
+## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment
+![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png)
+
+| Phase | Description |
+| :----: | :----------- |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
          Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
          Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
+|D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.|
+> [!IMPORTANT]
+> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. 
+
+
+
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
+## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment
+![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png)
+
+| Phase | Description |
+| :----: | :----------- |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
          Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
          Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application, which represents the end of user key registration.|
+|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
          The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
          After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.|
+|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
          If the public key in the certificate is not found in the list of registered public keys, certificate enrollment is deferred until Phase F completes. The application is informed of the deferment and exits to the user's desktop. The automatic certificate enrollment client triggers the Azure AD Web Account Manager plug-in to retry the certificate enrollment at 24, 85, 145, 205, 265, and 480 minutes after phase C successfully completes. The user must remain signed in for automatic certificate enrollment to trigger certificate enrollment. If the user signs out, automatic certificate enrollment is triggered approximately 30 minutes after the user's next sign in.
          After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.|
+|G |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
+|H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.|
+|F | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.|
+> [!IMPORTANT]
+> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
+
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
+## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environmnet
+![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png)
+
+| Phase | Description |
+| :----: | :----------- |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
          Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
          Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration.|
+|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
          The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
          After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.|
+|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
          If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
          After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate.|
+|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
+|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.|
+> [!IMPORTANT]
+> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow.
+
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
+## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
+![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png)
+
+| Phase | Description |
+| :----: | :----------- |
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
          In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
          Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.
          The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
          Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration.|
+|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
          The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
          After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.|
+|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
          If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
          After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate.|
+|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
+|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.|
+> [!IMPORTANT]
+> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow.
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
+## Domain joined provisioning in an On-premises Key Trust deployment
+![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
          In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
          Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
          The on-premises STS server issues a enterprise DRS token on successful MFA.|
+| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
+
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
+## Domain joined provisioning in an On-premises Certificate Trust deployment
+![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
          In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
          Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
          The on-premises STS server issues a enterprise DRS token on successful MFA.|
+| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
+|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
          The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
          After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.|
+|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
          After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.|
+|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
+|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.|
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
new file mode 100644
index 0000000000..7297f63ac7
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@@ -0,0 +1,44 @@
+---
+title: How Windows Hello for Business works - Techincal Deep Dive
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Technical Deep Dive
+
+**Applies to:**
+- Windows 10
+
+Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
+- [Registration](#Registration)
+- [Provisioning](#Provisioning)
+- [Authentication](#Authentication)
+
+## Registration
+
+Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+
+[How Device Registration Works](hello-how-it-works-device-registration.md)
+
+
+## Provisioning
+
+Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
          +After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
          +For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
          +Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page.
+
+[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md)
+
+## Authentication
+
+Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is avaiable on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+
+[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
new file mode 100644
index 0000000000..e48b498d4e
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -0,0 +1,313 @@
+---
+title: How Windows Hello for Business works - Technology and Terms
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Technology and Terms
+
+**Applies to:**
+- Windows 10
+
+- [Attestation Identity Keys](#Attestation-Identity-Keys)
+- [Azure AD Joined](#Azure-AD-Joined)
+- [Azure AD Registered](#Azure-AD-Registered)
+- [Certificate Trust](#Certificate-Trust)
+- [Cloud Deployment](#Cloud-Deployment)
+- [Deployment Type](#Deployment-Type)
+- [Endorsement Key](#Endorsement-Key)
+- [Federated Environment](#Federated-Environment)
+- [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
+- [Hybrid Deployment](#Hybrid-Deployment)
+- [Join Type](#Join-Type)
+- [Key Trust](#Key-Trust)
+- [Managed Environment](#Managed-Environment)
+- [On-premises Deployment](#Onpremises-Deployment)
+- [Pass-through Authentication](#Passthrough-Authentication)
+- [Password Hash Synchronization](#Password-Hash-Synchronization)
+- [Primary Refresh Token](#Primary-Refresh-Token)
+- [Storage Root Key](#Storage-Root-Key)
+- [Trust Type](#Trust-Type)
+- [Trusted Platform Module](#Trusted-Platform-Module)
+
          +
+## Attestation Identity Keys
+Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
+
+> [!NOTE]
+> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
+> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
+
+Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft
+Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.
+
+Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate.
**To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
+
+In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
+
+### Related topics
+[Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+
+### More information
+- [Windows Client Certificate Enrollment Protocol: Glossary](https://msdn.microsoft.com/en-us/library/cc249746.aspx#gt_70efa425-6b46-462f-911d-d399404529ab)
+- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
+
+
+[Return to Top](#Technology-and-Terms)
+## Azure AD Joined
+Azure AD Join is intended for organizations that desire to be cloud-first or cloud-only. There is no restriction on the size or type of organizations that can deploy Azure AD Join. Azure AD Join works well even in an hybrid environment and can enable access to on-premise applications and resources.
+### Related topics
+[Join Type](#Join-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
+
+### More information
+ - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction).
+
+[Return to Top](#Technology-and-Terms)
+## Azure AD Registered
+The goal of Azure AD registered devices is to provide you with support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device.
+### Related topics
+[Azure AD Joined](#Azure-AD-Joined), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Join Type](#Join-Type)
+
+### More information
+- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction)
+
+
+[Return to Top](#Technology-and-Terms)
+## Certificate Trust
+The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.
+
+### Related topics
+[Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type)
+
+### More information
+- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
+
+[Return to Top](#Technology-and-Terms)
+## Cloud Deployment
+The Windows Hello for Business Cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD joined or Azure AD registered device join types.
+
+### Related topics
+[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Deployment Type](#Deployment-Type), [Join Type](#Join-Type)
+
+[Return to Top](#Technology-and-Terms)
+## Deployment Type
+Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
+- Cloud
+- Hybrid
+- On-Premises
+
+### Related topics
+[Cloud Deployment](#Cloud-Deployment), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment)
+
+### More information
+- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
+
+[Return to Top](#Technology-and-Terms)
+## Endorsement Key
+
+The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
+
+The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.
+
+The endorsement key acts as an identity card for the TPM.
+
+The endorsement key is often accompanied by one or two digital certificates:
+
+- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
+- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
+For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
+
+### Related topics
+[Attestation Identity Keys](#Attestation-Identity-Keys), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+
+### More information
+- [Understand the TPM endorsement key](https://go.microsoft.com/fwlink/p/?LinkId=733952).
+- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
+
+[Return to Top](#Technology-and-Terms)
+## Federated Environment
+Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure Active Directory and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide additional authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
+
+### Related topics
+[Hybrid Deployment](#Hybrid-Deployment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Sync](#Password-Hash-Sync)
+
+### More information
+- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn)
+
+[Return to Top](#Technology-and-Terms)
+## Hybrid Azure AD Joined
+For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
+- IT departments to manage work-owned devices from a central location.
+- Users to sign in to their devices with their Active Directory work or school accounts.
+Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them.
+If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
+
+### Related topics
+[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Deployment](#Hybrid-Deployment)
+
+### More information
+- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction)
+
+[Return to Top](#Technology-and-Terms)
+## Hybrid Deployment
+The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that is synchronized with Azure Active Directory. Hybrid deployments support devices that are Azure AD registered, Azure AD joined, and hybrid Azure AD joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
+
+### Related topics
+[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined),
+
+### More information
+- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
+
+[Return to Top](#Technology-and-Terms)
+## Join type
+Join type is how devices are associated with Azure Active Directory. For a device to authenticate to Azure Active Directory it must be registered or joined.
+Registering a device to Azure AD enables you to manage a device's identity.
When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device.
+When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune .
+Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
+
+### Related topics
+[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
+
+### More information
+- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction)
+
+[Return to Top](#Technology-and-Terms)
+## Key Trust
+The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
+
+### Related topics
+[Certificate Trust](#Certificate-Trust), [Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type), [Trust Type](#Trust-Type)
+
+### More information
+- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
+
+[Return to Top](#Technology-and-Terms)
+## Managed Environment
+Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services.
+
+### Related topics
+[Federated Environment](#Federated-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Synchronization](#Password-Hash-Synchronization)
+
+[Return to Top](#Technology-and-Terms)
+## On-premises Deployment
+The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
+
+### Related topics
+[Cloud Deployment](#Cloud-Deployment), [Deployment Type](#Deployment-Type), [Hybrid Deployment](#Hybrid-Deployment)
+
+### More information
+- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
+
+[Return to Top](#Technology-and-Terms)
+## Pass-through authentication
+Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory.
With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+
+### Related topics
+[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Password Hash Synchronization](#Password-Hash-Synchronization)
+
+
+### More information
+- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn)
+
+[Return to Top](#Technology-and-Terms)
+## Password Hash Sync
+The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text.
Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+
+### Related topics
+[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication)
+
+### More information
+- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn)
+
+[Return to Top](#Technology-and-Terms)
+## Primary Refresh Token
+SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device.
+
+The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and domain joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
+
+The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device.
This means that if you have any [device-based conditional access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
+
+[Return to Top](#Technology-and-Terms)
+## Storage Root Key
+The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
+
+### Related topics
+[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+
+### More information
+[TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
+
+[Return to Top](#Technology-and-Terms)
+## Trust type
+The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type does not affect authentication to Azure Active Directory. Windows Hello for Business authentication to Azure Active Directory always uses the key, not a certificate (excluding smart card authentication in a federated environment).
+
+### Related topics
+[Certificate Trust](#Certificate-Trust), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment)
+
+### More information
+- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
+
+[Return to Top](#Technology-and-Terms)
+## Trusted Platform Module
+
+A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
          +
+Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
+
+A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
+- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
+- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
+
+Windows10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
+
+Windows10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows10 supports only TPM 2.0.
+
+TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
+
+- Update cryptography strength to meet modern security needs
+ - Support for SHA-256 for PCRs
+ - Support for HMAC command
+- Cryptographic algorithms flexibility to support government needs
+ - TPM 1.2 is severely restricted in terms of what algorithms it can support
+ - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
+- Consistency across implementations
+ - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
+ - TPM 2.0 standardizes much of this behavior
+
+In a simplified manner, the TPM is a passive component with limited resources.
It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component:
+- A RSA 2048-bit key generator
+- A random number generator
+- Nonvolatile memory for storing EK, SRK, and AIK keys
+- A cryptographic engine to encrypt, decrypt, and sign
+- Volatile memory for storing the PCRs and RSA keys
+
+
+### Related topics
+[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key)
+
+### More information
+- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
+
+[Return to Top](#Technology-and-Terms)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index e1e4b79c14..8f2df655ab 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -1,114 +1,32 @@
---
-title: How Windows Hello for Business works (Windows 10)
+title: How Windows Hello for Business works
description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: DaniHalfin
-ms.localizationpriority: medium
-ms.author: daniha
-ms.date: 10/16/2017
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 05/05/2018
---
# How Windows Hello for Business works
**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
-
-## Register a new user or device
-
-A goal of device registration is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Windows Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration.
-
-> [!NOTE]
->This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register.
- - The registration process works like this:
-
-1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account.
For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it.
-2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends.
-3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately
-
-The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are:
-
-- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN.
-- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
-- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
-
-When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
-
-At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures.
-
-## What’s a container?
-
-You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data.
Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
-
-The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
-
-It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders.
-
-The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container.
-
-![Each logical container holds one or more sets of keys](images/passport-fig3-logicalcontainer.png)
-
-Containers can contain several types of key material:
-
-- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
-- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked.
-- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use.
A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
- - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
- - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI.
-
-## How keys are protected
-
-Any time key material is generated, it must be protected against attack.
The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed.
-
-Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
-
-
-## Authentication
-
-When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device.
When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
-
-These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
-
-For example, the authentication process for Azure Active Directory works like this:
-
-1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.)
-2. The IDP returns a challenge, known as a nonce.
-3. The device signs the nonce with the appropriate private key.
-4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce.
-5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original.
-6.
If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key.
-7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token.
-8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication.
-
-When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices.
-
-
-## The infrastructure
-
-Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities:
-
-- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello.
-- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs.
The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required.
-- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.
-
-
-
-
-
-
-
-
-
-
+- Windows 10
+Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
+Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
+> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
+## Technical Deep Dive
+Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
+- [Technology and Terminology](hello-how-it-works-technology.md)
+- [Device Registration](hello-how-it-works-device-registration.md)
+- [Provisioning](hello-how-it-works-provisioning.md)
+- [Authentication](hello-how-it-works-authentication.md)
## Related topics
@@ -119,4 +37,4 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
new file mode 100644
index 0000000000..fab2f25e0b
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -0,0 +1,329 @@
+---
+title: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+
+**Applies to**
+- Windows 10
+- Azure Active Directory joined
+- Hybrid Deployment
+- Key trust model
+
+## Prerequisites
+
+Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD joined devices. Unlike hybrid Azure AD joined devices, Azure AD joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD joined devices.
+
+- Azure Active Directory Connect synchronization
+- Device Registration
+- Certificate Revocation List (CRL) Distribution Point (CDP)
+- 2016 Domain Controllers
+- Domain Controller certificate
+
+### Azure Active Directory Connect synchronization
+Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly.
To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect).
+
+If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
+![Azure AD Connect Schema Refresh](images/aadj/aadconnectschema.png)
+
+### Azure Active Directory Device Registration
+A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/devices/overview).
+
+You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
+![dsregcmd outpout](images/aadj/dsregcmd.png)
+
+### CRL Distribution Point (CDP)
+
+Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.
+
+![Domain Controller Certificate with LDAP CDP](images/aadj/Certificate-CDP.png)
+
+The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**.
Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
+
+To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory joined devices that does not require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
+
+If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
+
+### Windows Server 2016 Domain Controllers
+If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+
+If you are interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you are the right place.
The same certificate configuration on the domain controllers is needed, whether you are using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can simply ignore the Windows Server 2016 domain controller requirement.
+
+### Domain Controller Certificates
+
+Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory
+
+#### Why does Windows need to validate the domain controller certifcate?
+
+Windows Hello for Business enforces the strict KDC validation security feature, which enforces a more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
+
+- The domain controller has the private key for the certificate provided.
+- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**.
+- The domain controller's certificate has the **KDC Authentication** enhanced key usage.
+- The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain.
+
+## Configuring a CRL Distribution Point for an issuing certificate authority
+
+Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point.
+
+Steps you will perform include:
+
+- [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point)
+- [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list)
+- [Configure the new CRL distribution point in the issuing certificate authority](#Configure-the-new-crl-distribution-point-in-the-issuing-certificate-authority)
+- [Publish CRL](#publish-a-new-crl)
+- [Reissue domain controller certificates](#reissue-domain-controller-certificates)
+
+
+### Configure Internet Information Services to host CRL distribution point
+
+You need to host your new certificate revocation list of a web server so Azure AD joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point.
+
+> [!IMPORTANT]
+> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
+
+#### Installing the Web Server
+
+1. Sign-in to your server as a local administrator and start **Server Manager** if it did not start during your sign in.
+2. Click the **Local Server** node in the navigation pane. Click **Manage** and click **Add Roles and Features**.
+3. In the **Add Role and Features Wizard**, click **Server Selection**. Verify the selected server is the local server. Click **Server Roles**. Select the check box next to **Web Server (IIS)**.
+4. Click **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role.
+
+#### Configure the Web Server
+
+1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**.
+2. Expand the navigation pane to show **Default Web Site**.
Select and then right-click **Default Web site** and click **Add Virtual Directory...**.
+3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**.
+![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png)
+> [!NOTE]
+> Make note of this path as you will use it later to configure share and file permissions.
+
+4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane.
+5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**.
+6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
+![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png)
+In the list of named value-pairs in the content pane, configure **allowDoubleEscapting** to **True**. Click **Apply** in the actions pane.
+![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png)
+7. Close **Internet Information Services (IIS) Manager**.
+
+#### Create a DNS resource record for the CRL distribution point URL
+
+1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**.
+2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**.
+3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**.
+![Create DNS host record](images/aadj/dns-new-host-dialog.png)
+4. Close the **DNS Manager**.
+
+### Prepare a file share to host the certificate revocation list
+
+These procedures configure NTFS and share permissions on the web server to allow the certificate authority to automatically publish the certificate revocation list.
+
+#### Configure the CDP file share
+
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
+2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
+3. Select **Share this folder**. Type **cdp$** in **Share name:**. Click **Permissions**.
+![cdp sharing](images/aadj/cdp-sharing.png)
+4. In the **Permissions for cdp$** dialog box, click **Add**.
+5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**.
+7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**.
+8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
+![CDP Share Permissions](images/aadj/cdp-share-permissions.png)
+9. In the **Advanced Sharing** dialog box, click **OK**.
+
+#### Disable Caching
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
+2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
+3. Click **Caching**. Select **No files or programs from the shared folder are available offline**.
+![CDP disable caching](images/aadj/cdp-disable-caching.png)
+4. Click **OK**.
+
+#### Configure NTFS permission for the CDP folder
+
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
+2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab.
+3. On the **Security** tab, click Edit.
+5. In the **Permissions for cdp** dialog box, click **Add**.
+![CDP NTFS Permissions](images/aadj/cdp-ntfs-permissions.png)
+6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**.
+7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**.
+8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
+9. Click **Close** in the **cdp Properties** dialog box.
+
+
+### Configure the new CRL distribution point and Publishing location in the issuing certifcate authority
+
+The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point
+
+
+#### Configure the CRL distribution Point
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
+2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
+3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
+4.
On the **Extensions** tab, click **Add**. Type **http://crl.[domainname]/cdp/** in **location**. For example, *http://crl.corp.contoso.com/cdp/* or *http://crl.contoso.com/cdp/* (do not forget the trailing forward slash).
+![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png)
+5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
+6. Type **.crl** at the end of the text in **Location**. Click **OK**.
+7. Select the CDP you just created.
+![CDP complete http](images/aadj/cdp-extension-complete-http.png)
+8. Select **Include in CRLs. Clients use this to find Delta CRL locations**.
+9. Select **Include in the CDP extension of issued certificates**.
+10. Click **Apply** save your selections. Click **No** when ask to restart the service.
+
+> [!NOTE]
+> Optionally, you can remove unused CRL distribution points and publishing locations.
+
+#### Configure the CRL publishing location
+
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
+2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
+3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
+4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\** (do not forget the trailing backwards slash).
+5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
+6. Type **.crl** at the end of the text in **Location**. Click **OK**.
+7. Select the CDP you just created.
+![CDP publishing location](images/aadj/cdp-extension-complete-unc.png)
+8. Select **Publish CRLs to this location**.
+9. Select **Publish Delta CRLs to this location**.
+10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box.
+
+### Publish a new CRL
+
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
+2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish**
+![Publish a New CRL](images/aadj/publish-new-crl.png)
+3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**.
+
+#### Validate CDP Publishing
+
+Validate your new CRL distribution point is working.
+
+1. Open a web browser. Navigate to **http://crl.[yourdomain].com/cdp**. You should see two files created from publishing your new CRL.
+![Validate the new CRL](images/aadj/validate-cdp-using-browser.png)
+
+### Reissue domain controller certificates
+
+With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate does not have the updated CRL distribution point.
+
+1. Sign-in a domain controller using administrative credentials.
+2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
+3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+![Certificate Manager Personal store](images/aadj/certlm-personal-store.png)
+4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**.
+![Renew with New key](images/aadj/certlm-renew-with-new-key.png)
+5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**.
+6. After the enrollment completes, click **Finish** to close the wizard.
+7. Repeat this procedure on all your domain controllers.
+
+> [!NOTE]
+> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide) to learn how to deploy automatic certificate enrollment for domain controllers.
+
+> [!IMPORTANT]
+> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
+
+#### Validate CDP in the new certificate
+
+1. Sign-in a domain controller using administrative credentials.
+2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
+3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**.
+5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
          +![New Certificate with updated CDP](images/aadj/dc-cert-with-new-cdp.png)
+
+
+## Configure and Assign a Trusted Certificate Device Configuration Profile
+
+Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails.
+
+Steps you will perform include:
+- [Export Enterprise Root certificate](#export-enterprise-root-certificate)
+- [Create and Assign a Trust Certificate Device Configuration Profile](#create-and-assign-a-trust-certificate-device-configuration-profile)
+
+### Export Enterprise Root certificate
+
+1. Sign-in a domain controller using administrative credentials.
+2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
+3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+4. Click the **Certification Path** tab. In the **Certifcation path** view, select the top most node and click **View Certificate**.
+![Certificate Path](images/aadj/certlm-cert-path-tab.png)
+5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.
+![Details tab and copy to file](images/aadj/certlm-root-cert-details-tab.png)
+6. In the **Certificate Export Wizard**, click **Next**.
+7. On the **Export File Format** page of the wizard, click **Next**.
+8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
+![Export root certificate](images/aadj/certlm-export-root-certificate.png)
+9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
+
+### Create and Assign a Trust Certificate Device Configuration Profile
+
+A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD joined devices.
+
+1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
+2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**.
+![Intune Create Profile](images/aadj/intune-create-device-config-profile.png)
+3. In the **Create profle** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**.
+4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**.
+![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png)
+5. In the **Enterprise Root Certificate** blade, click **Assignmnets**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
+![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
+6. Sign out of the Microsoft Azure Portal.
+
+## Configure Windows Hello for Business Device Enrollment
+
+Sign-in a workstation with access equivalent to a _domain user_.
+
+1. Sign-in to the [Azure Portal](https://portal.azure.com/).
+2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
+3. Click **device enrollment**.
+4. Click **Windows enrollment**
+5. 
Under **Windows enrollment**, click **Windows Hello for Business**.
+![Create Intune Windows Hello for Business Policy](images/aadj/IntuneWHFBPolicy-00.png)
+6. Under **Priority**, click **Default**.
+7. Under **All users and all devices**, click **Settings**.
+8. Select **Enabled** from the **Configure Windows Hello for Business** list.
+9. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys.
+10. Type the desired **Minimum PIN length** and **Maximum PIN length**.
+> [!IMPORTANT]
+> The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6.
+
+![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png)
+
+11. Select the appropriate configuration for the following settings.
+ * **Lowercase letters in PIN**
+ * **Uppercase letters in PIN**
+ * **Special characters in PIN**
+ * **PIN expiration (days)**
+ * **Remember PIN history**
+> [!NOTE]
+> The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. 
If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+
+12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
+13. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
+14. Click **Save**
+15. Sign-out of the Azure portal.
+
+## Section Review
+> [!div class="checklist"]
+> * Configure Internet Information Services to host CRL distribution point
+> * Prepare a file share to host the certificate revocation list
+> * Configure the new CRL distribution point in the issuing certificate authority
+> * Publish CRL
+> * Reissue domain controller certificates
+> * Export Enterprise Root certificate
+> * Create and Assign a Trust Certificate Device Configuration Profile
+> * Configure Windows Hello for Business Device Enrollment
+
+If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
+
+
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
new file mode 100644
index 0000000000..d47f46ccc8
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -0,0 +1,689 @@
+---
+title: Using Certificates for AADJ On-premises Single-sign On single sign-on
+description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Using Certificates for AADJ On-premises Single-sign On
+
+**Applies to**
+- Windows 10
+- Azure Active Directory joined
+- Hybrid Deployment
+- Certificate trust
+
+If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD joined devices.
+
+> [!IMPORTANT]
+> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
+
+Steps you will perform include:
+- [Prepare Azure AD Connect](#prepare-azure-ad-connect)
+- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
+- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
+- [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
+- [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune)
+- [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector)
+- [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile)
+
+## Requirements
+You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on.
+
+- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
+- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
+
+### High Availaibilty
+The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
+
+The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
+
+The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates. 
The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. The certificate request purpose has three options:
+
+- Signature
+- Encryption
+- Signature and Encryption
+
+If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates.
+
+### Network Requirements
+All communication occurs securely over port 443.
+
+## Prepare Azure AD Connect
+Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
+
+Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
+
+To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes.
+
+### Verify AAD Connect version
+Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
+
+1. Open **Syncrhonization Services** from the **Azure AD Connect** folder.
+2. In the **Syncrhonization Service Manager**, click **Help** and then click **About**.
+3. 
If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
+
+### Verify the onPremisesDistinguishedName attribute is synchronized
+The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer.
+
+1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
+2. Click **Login** and provide Azure credentials
+3. In the Azure AD Graph Explorer URL, type **https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
+4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
+![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png)
+
+## Prepare the Network Device Enrollment Services (NDES) Service Account
+
+### Create the NDES Servers global security group
+The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Open **Active Directory Users and Computers**.
+2. Expand the domain node from the navigation pane.
+3. Right-click the **Users** container. Hover over **New** and click **Group**.
+4. Type **NDES Servers** in the **Group Name** text box.
+5. Click **OK**.
+
+### Add the NDES server to the NDES Servers global security group
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Open **Active Directory Users and Computers**.
+2. Expand the domain node from the navigation pane.
+3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
+4. 
Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
+
+> [!NOTE]
+> For high-availabilty, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
+
+### Create the NDES Service Account
+The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. In the navigation pane, expand the node that has your domain name. Select **Users**.
+2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**.
+3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**.
+4. Click **Finish**.
+
+> [!IMPORTANT]
+> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. 
+
+### Create the NDES Service User Rights Group Policy object
+The Group Policy object ensures the NDES Service account has the proper user right assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through Group Policy.
+
+Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click **Group Policy object** and select **New**.
+4. Type **NDES Service Rights** in the name box and click **OK**.
+5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
+8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
+9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. 
In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
+10. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times.
+11. Close the **Group Policy Management Editor**.
+
+### Configure security for the NDES Service User Rights Group Policy object
+The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Double-click the **NDES Service User Rights** Group Policy object.
+4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**.
+5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
+6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**. 
+
+### Deploy the NDES Service User Rights Group Policy object
+The application of the **NDES Service User Rights** Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
+3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
+
+> [!IMPORTANT]
+> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object.
+
+## Prepare Active Directory Certificate Authority
+You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. 
In this task, you will
+
+- Configure the certificate authority to let Intune provide validity periods
+- Create an NDES-Intune Authentication Certificate template
+- Create an Azure AD joined Windows Hello for Business authentication certificate template
+- Publish certificate templates
+
+### Configure the certificate authority to let Intune provide validity periods
+When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue.
+
+> [!NOTE]
+> Skip this step if you do not want to enable Microsoft Intune to specify the validity period of the certificate. Without this configuiration, the certificate request uses the validity period configured in the certificate template.
+
+Sign-in to the issuing certificate authority with access equivalent to _local administrator_.
+
+1. Open and elevated command prompt. Type the command
+```
+certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
+```
+2. Restart the **Active Directory Certificate Services** service.
+
+### Create an NDES-Intune authentication certificate template
+NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point.
+
+Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. 
In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
+4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+ **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+5. On the **Subject** tab, select **Supply in the request**.
+6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
+7. On the **Security** tab, click **Add**.
+8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
+9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+10. Click on the **Apply** to save changes and close the console.
+
+### Create an Azure AD joined Windows Hello for Business authentication certificate template
+During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
+
+Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
+
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. 
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+ **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
+6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
+8. On the **Subject** tab, select **Supply in the request**.
+9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
+10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
+12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+13. Close the console.
+
+### Publish certificate templates
+The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. 
If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. + +> [!Important] +> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that cerificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority. + +Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. Close the console. + +## Install and Configure the NDES Role +This section includes the following topics: +* Install the Network Device Enrollment Service Role +* Configure the NDES service account +* Configure the NDES role and Certificate Templates +* Create a Web Application Proxy for the Internal NDES URL. 
+* Enroll for an NDES-Intune Authentication Certificate +* Configure the Web Server Certificate for NDES +* Verify the configuration + +### Install the Network Device Enrollment Services Role +Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority. + +Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. + +1. Open **Server Manager** on the NDES server. +2. Click **Manage**. Click **Add Roles and Features**. +3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. +![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png) +4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. +![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png) +Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. +![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png) +5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. +![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png) +6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. 
Click **Next**. +![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png) +7. Click **Next** on the **Web Server Role (IIS)** page. +8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. + * **Web Server > Security > Request Filtering** + * **Web Server > Application Development > ASP.NET 3.5**. + * **Web Server > Application Development > ASP.NET 4.5**. . + * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** + * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** +![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) +9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. +> [!Important] +> The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ +![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) + +### Configure the NDES service account +This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation + +#### Add the NDES service account to the IIS_USRS group +Sign-in the NDES server with access equivalent to _local administrator_. + +1. Start the **Local Users and Groups** management console (lusrmgr.msc). +2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group. +3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box. +4. 
Close the management console. + +#### Register a Service Principal Name on the NDES Service account +Sign-in the NDES server with a access equivalent to _Domain Admins_. + +1. Open an elevated command prompt. +2. Type the following command to register the service principal name
          +```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]```
          +where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following.
          +```setspn -s http/ndes.corp.contoso.com contoso\ndessvc```
+
+> [!NOTE]
+> If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
+
+![Set SPN command prompt](images/aadjcert/setspn-commandprompt.png)
+
+#### Configure the NDES Service account for delegation
+The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
+
+Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
+
+1. Open **Active Directory Users and Computers**
+2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
+![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png)
+3. Select **Trust this user for delegation to specified services only**.
+4. Select **Use any authentication protocol**.
+5. Click **Add**.
+6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**.
+![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
+7. Repeat steps 5 and 6 for each NDES server using this service account.8. Click **Add**.
+8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
+9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
+![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
+10. Click **OK**. Close **Active Directory Users and Computers**.
+
+### Configure the NDES Role and Certificate Templates
+This task configures the NDES role and the certificate templates the NDES server issues.
+
+#### Configure the NDES Role
+Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
+> [!NOTE]
+> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
+
+![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
+
+1. Click the **Configure Active Directory Certificate Services on the destination server** link.
+2. On the **Credentials** page, click **Next**.
+![NDES Installation Credentials](images/aadjcert/ndesconfig01.png)
+3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
+![NDES Role Services](images/aadjcert/ndesconfig02.png)
+4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...** Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
+![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png)
+5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
+![NDES CA selection](images/aadjcert/ndesconfig04.png)
+6. On the **RA Information**, click **Next**.
+7. On the **Cryptography for NDES** page, click **Next**.
+8. Review the **Confirmation** page. Click **Configure**.
+![NDES Confirmation](images/aadjcert/ndesconfig05.png)
+8. Click **Close** after the configuration completes.
+
+#### Configure Certificate Templates on NDES
+A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
+* Digital Signature
+* Key Encipherment
+* Key Encipherment, Digital Signature
+
+Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP profile value to the NDES certificate template registry value name
+
+|SCEP Profile Key usage| NDES Registry Value Name|
+|:----------:|:-----------------------:|
+|Digital Signature|SignatureTemplate|
+|Key Encipherment|EncryptionTemplate|
+|Key Encipherment
          Digital Signature|GeneralPurposeTemplate|
+
+Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
+
+ If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
+
+Sign-in to the NDES Server with _local administrator_ equivalent credentials.
+
+1. Open an elevated command prompt.
+2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
+3. Type the following command
          +```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]```
          +where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
          +```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication```
          +4. Type **Y** when the command asks for permission to overwrite the existing value.
+5. Close the command prompt.
+
+> [!IMPORTANT]
+> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certifcates Templates** management console (certtmpl.msc).
+
+### Create a Web Application Proxy for the internal NDES URL.
+Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
+
+Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies.
+
+Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
+
+Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
+
+#### Download and Install the Application Proxy Connector Agent
+Sign-in a workstation with access equivalent to a _domain user_.
+
+1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
+3. Under **MANAGE**, click **Application proxy**.
+4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
+![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
+5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
+> [!IMPORTANT]
+> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
+
+6. Start **AADApplicationProxyConnectorInstaller.exe**.
+7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
+![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png)
+8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
+![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png)
+9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**.
+![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png)
+10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
+
+#### Create a Connector Group
+Sign-in a workstation with access equivalent to a _domain user_.
+
+1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
+3. Under **MANAGE**, click **Application proxy**.
+![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
+4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
+![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
+5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
+6. Click **Save**.
+
+#### Create the Azure Application Proxy
+Sign-in a workstation with access equivalent to a _domain user_.
+
+1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
+2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
+3. Under **MANAGE**, click **Application proxy**.
+4. Click **Configure an app**.
+5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
+6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the internal DNS name of the NDES server and ensure you prefix the Url with **https**.
+7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
+![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png)
+8. Select **Passthrough** from the **Pre Authentication** list.
+9. Select **NDES WHFB Connectors** from the **Connector Group** list.
+10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
+11. Click **Add**.
+12. Sign-out of the Azure Portal.
+> [!IMPORTANT]
+> Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate.
+
+
+### Enroll the NDES-Intune Authentication certificate
+This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server.
+
+Sign-in the NDES server with access equivalent to _local administrators_.
+
+1. Start the Local Computer **Certificate Manager** (certlm.msc).
+2. Expand the **Personal** node in the navigation pane.
+3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
+4. Click **Next** on the **Before You Begin** page.
+5. Click **Next** on the **Select Certificate Enrollment Policy** page.
+6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
+7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
+ ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
+8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
+9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
+9. Click **Enroll**
+10. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices.
+
+### Configure the Web Server Role
+This task configures the Web Server role on the NDES server to use the server authentication certificate.
+
+Sign-in the NDES server with access equivalent to _local administrator_.
+
+1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
+2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
+![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
+3. Click **Bindings...*** under **Actions**. Click **Add**.
+![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png)
+4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
+5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
+![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png)
+6. Select **http** from the **Site Bindings** list. Click **Remove**.
+7. Click **Close** on the **Site Bindings** dialog box.
+8. Close **Internet Information Services (IIS) Manager**.
+
+### Verify the configuration
+This task confirms the TLS configuration for the NDES server.
+
+Sign-in the NDES server with access equivalent to _local administrator_.
+
+#### Disable Internet Explorer Enhanced Security Configuration
+1. Open **Server Manager**. Click **Local Server** from the navigation pane.
+2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
+3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**.
+4. Close **Server Manager**.
+
+#### Test the NDES web server
+1. Open **Internet Explorer**.
+2. In the navigation bar, type
+```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
+where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
+
+A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
+
+![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png)
+
+Confirm the web site uses the server authentication certificate.
+![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png)
+
+
+## Configure Network Device Enrollment Services to work with Microsoft Intune
+You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs.
+
+- Configure NDES to support long URLs
+
+### Configure NDES and HTTP to support long URLs
+Sign-in the NDES server with access equivalent to _local administrator_.
+
+#### Configure the Default Web Site
+1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
+2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
+3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane.
+![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png)
+4. Select **Allow unlisted file name extensions**.
+5. Select **Allow unlisted verbs**.
+6. Select **Allow high-bit characters**.
+7. Type **30000000** in **Maximum allowed content length (Bytes)**.
+8. Type **65534** in **Maximum URL length (Bytes)**.
+9. Type **65534** in **Maximum query string (Bytes)**.
+10. Click **OK**. Close **Internet Information Services (IIS) Manager**.
+
+#### Configure Parameters for HTTP.SYS
+1. Open an elevated command prompt.
+2. Run the following commands
          +```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
          +```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
          +3. Restart the NDES server.
+
+## Download, Install and Configure the Intune Certificate Connector
+The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune.
+
+### Download Intune Certificate Connector
+Sign-in a workstation with access equivalent to a _domain user_.
+
+1. Sign-in to the [Azure Portal](https://portal.azure.com/).
+2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
+![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png)
+3. Select **Device Configuration**, and then select **Certificate Authority**.
+![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png)
+4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section.
+![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png)
+5. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
+6. Sign-out of the Azure Portal.
+
+### Install the Intune Certificate Connector
+Sign-in the NDES server with access equivalent to _domain administrator_.
+
+1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
+2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
+3. On the **Microsoft Intune** page, click **Next**.
+![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png)
+4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation.
+5. On the **Destination Folder** page, click **Next**.
+6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
+![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png)
+7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
+![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png)
+> [!NOTE]
+> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.
+
+8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
+9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
+![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png)
+> [!NOTE]
+> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder
+
+10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
+![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png)
+
+### Configure the Intune Certificate Connector
+Sign-in the NDES server with access equivalent to _domain administrator_.
+
+1. The **NDES Connector** user interface should be open from the last task.
+> [!NOTE]
+> If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**.
+
+2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply**
+![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png)
+
+3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
+![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png)
+> [!IMPORTANT]
+> The user account must have a valid Intune licenese asssigned. If the user account does not have a valid Intune license, the sign-in fails.
+
+4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task.
+
+
+### Configure the NDES Connector for certificate revocation (**Optional**)
+Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted).
+
+#### Enabling the NDES Service account for revocation
+Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_.
+
+1. Start the **Certification Authority** management console.
+2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
+3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**.
+![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png)
+4. Close the **Certification Authority**
+
+#### Enable the NDES Connector for certificate revocation
+Sign-in the NDES server with access equivalent to _domain administrator_.
+
+1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**).
+2. Click the **Advanced** tab. Select **Specify a different account username and password**. TYpe the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.
+![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png)
+3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
+
+### Test the NDES Connector
+Sign-in the NDES server with access equivalent to _domain admin_.
+
+1. Open a command prompt.
+2. Type the following command to confirm the NDES Connector's last connection time is current.
          +```reg query hklm\software\Micosoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
          +3. Close the command prompt. +4. Open **Internet Explorer**. +5. In the navigation bar, type
          +```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
          +where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
          +A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. +![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) +6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. + +## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile + +### Create an AADJ WHFB Certificate Users Group +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. +2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. +3. Click **Groups**. Click **New group**. +4. Select **Security** from the **Group type** list. +5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. +6. Provide a **Group description**, if applicable. +7. Select **Assigned** from the **Membership type** list. +![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) +8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. +9. Click **Create**. + +### Create a SCEP Certificte Profile +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/). +2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. +3. Select **Device Configuration**, and then click **Profiles**. +4. Select **Create Profile**. 
+![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png) +5. Next to **Name**, type **WHFB Certificate Enrollment**. +6. Next to **Description**, provide a description meaningful for your environment. +7. Select **Windows 10 and later** from the **Platform** list. +8. Select **SCEP certificate** from the **Profile** list. +![WHFB Scep Profile Blade](images/aadjcert/intunewhfbscepprofile-00.png) +9. The **SCEP Certificate** blade should open. Configure **Certificate validity period** to match your organization. +> [!IMPORTANT] + > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. + +10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. +11. Select **Custom** from the **Subject name format** list. +12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. +13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. +14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. +![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) +15. Under **Extended key usage**, type **Smart Card Logon** under **Name. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. +16. 
Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. +![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) +17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. +18. Click **OK**. +19. Click **Create**. + +### Assign Group to the WHFB Certificate Enrollment Certificate Profile +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/). +2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. +3. Select **Device Configuration**, and then click **Profiles**. +4. Click **WHFB Certificate Enrollment**. +![WHFB Scep Profile landing](images/aadjcert/intunewhfbscepprofile-04.png) +5. Click **Assignments**. +6. In the **Assignments** pane, Click **Include**. Select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. +![WHFB SCEP Profile Assignment](images/aadjcert/intunewhfbscepprofileassignment.png) +7. Select the **AADJ WHFB Certificate Users** group. Click **Select**. +8. Click **Save**. + +You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. 
This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. + +## Section Review +> [!div class="checklist"] +> * Requirements +> * Prepare Azure AD Connect +> * Prepare the Network Device Enrollment Services (NDES) Service Acccount +> * Prepare Active Directory Certificate Authority +> * Install and Configure the NDES Role +> * Configure Network Device Enrollment Services to work with Microsoft Intune +> * Download, Install, and Configure the Intune Certificate Connector +> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md new file mode 100644 index 0000000000..9145280789 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md 
@@ -0,0 +1,45 @@
+---
+title: Azure AD Join Single Sign-on Deployment Guides
+description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Azure AD Join Single Sign-on Deployment Guides
+
+**Applies to**
+- Windows 10
+- Azure Active Directory joined
+- Hybrid deployment
+
+Windows Hello for Business combined with Azure Active Directory joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory joined devices using Windows Hello for Business, using a key or a certificate.
+
+## Key vs. Certificate
+
+Enterprises can use either a key or a certificate to provide single-sign on for on-premises resources. Both types of authentication provide the same security; one is not more secure than the other.
+
+When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+
+When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
+
+To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
+To deploy single sign-on for Azure AD joined devices using, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index 9ce7a7999e..33d6215205 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
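Review bot: The Key vs. Certificate section of the new file contradicts itself: right after explaining that certificates let you keep Windows Server 2008 R2 domain controllers, it says `However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls`, but the infrastructure being described (NDES, Intune/MDM enrollment) is what the certificate option needs, so this should read `single sign-on using a certificate requires additional infrastructure`. The second deployment link is missing its object as well: `To deploy single sign-on for Azure AD joined devices using, read and follow` should be `using certificates, read and follow`. A reader picking a trust model from this page would otherwise plan the NDES and connector work for the wrong option. The closing sentence `... use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector` also appears to have lost words; `and the Intune Certificate Connector`, the component the companion guide's section list installs, is presumably what was intended, worth confirming against that guide.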
@@ -9,24 +9,25 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/19/2018 --- # Windows Hello for Business Certificate Trust New Installation **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technolgies +Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) * [Azure Active Directory](#azure-active-directory) -* [Active Directory Federation Services](#active-directory-federation-services) +* [Multi-factor Authentication Services](#multi-factor-authentication-services) -New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. 
Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers. @@ -68,7 +69,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o Install-AdcsCertificateAuthority ``` -## Configure a Production Public Key Infrastructure +### Configure a Production Public Key Infrastructure If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. 
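Review bot: The new bullet `* [Multi-factor Authentication Services](#multi-factor-authentication-services)` links to an anchor this file does not have: the heading it targets is spelled `## Multifactor Authentication Services` in the later hunk of this same file, which renders as `#multifactor-authentication-services`, so the in-page link is dead. Either change the bullet to `* [Multifactor Authentication Services](#multifactor-authentication-services)` or rename the heading to `## Multi-factor Authentication Services`, which would also match the `multi-factor authentication` wording this commit adopts in the paragraph under it. Dropping Active Directory Federation Services from the list of technologies a hybrid certificate trust deployment relies on also looks inconsistent with the device-registration page in this commit, which still opens with `Your environment is federated`; unless the AD FS section was removed from this page as well, the AD FS bullet and its anchor should stay.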
@@ -91,8 +92,8 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h > * Create an Azure Active Directory Tenant. > * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. -## Multifactor Authentication Services ## -Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA +## Multifactor Authentication Services +Windows Hello for Business uses multi-factor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multi-factor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index b09e2f8ec6..6a8e0bd587 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -9,16 +9,17 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/26/2018 +ms.date: 08/18/2018 --- # Configure Device Registration for Hybrid Windows Hello for Business **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. +Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. @@ -58,7 +59,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i schema``` -![Netdom example output](images\hello-cmd-netdom.png) +![Netdom example output](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. 
@@ -68,7 +69,7 @@ Windows Hello for Business uses asymmetric keys as user credentials (rather than Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. +Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. 1. Open an elevated command prompt. 2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. @@ -111,7 +112,7 @@ If your AD FS farm is not already configured for Device Authentication (you can ![Device Registration](images/hybridct/device2.png) -2. On your AD FS primary server, ensure you are logged in as AD DS user with Enterprise Admin (EA ) privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: +2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: `Import-module activedirectory` `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` @@ -513,4 +514,4 @@ For your reference, below is a comprehensive list of the AD DS devices, containe 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) 
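Review bot: The reworded instruction `Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials.` still names a role that, as far as I recall the adprep documentation, is not sufficient on its own: `adprep /forestprep` requires membership in Schema Admins (alongside Enterprise Admins and Domain Admins of the forest root domain), and the schema update fails without it. Worth confirming against the current adprep reference and, if so, stating it explicitly, e.g. `using credentials that are members of the Schema Admins and Enterprise Admins groups`. Since the guide otherwise spells out the minimum role for each step, a one-line reminder to remove the account from Schema Admins once the schema update has replicated would fit the same least-privilege tone.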
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index ffcdd3cdc3..3885bdbc50 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -9,16 +9,16 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/26/2018 +ms.date: 08/19/2018 --- # Hybrid Windows Hello for Business Prerequisites **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: 
@@ -32,7 +32,7 @@ The distributed systems on which these technologies were built involved several ## Directories ## Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription. +A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription. Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. @@ -103,7 +103,7 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
          ## Device Registration ## -Organizations wanting to deploy hybrid certificate trust need thier domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. +Organizations wanting to deploy hybrid certificate trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. Hybrid certificate trust deployments need the device write back feature. Authentication to the Windows Server 2016 Active Directory Federation Services needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature. @@ -132,7 +132,7 @@ If your environment is already federated and supports Azure device registration, ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. Prerequistes (*You are here*) +2. Prerequisites (*You are here*) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index 97b72c76a3..30efcbd805 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -14,9 +14,9 @@ ms.date: 09/08/2017 # Hybrid Azure AD joined Certificate Trust Deployment **Applies to** -- Windows 10 - ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index effbe6b03a..124a34248b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md 
@@ -9,16 +9,16 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/26/2018 +ms.date: 08/19/2018 --- # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. 
@@ -45,7 +45,7 @@ The provisioning flow has all the information it needs to complete the Windows H * A fresh, successful multi-factor authentication * A validated PIN that meets the PIN complexity requirements -The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory. +The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect synchronizes the user's key to the on-premises Active Directory. > [!IMPORTANT] > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 80b5408547..4395d9c432 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md 
@@ -9,20 +9,21 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/19/2018 --- # Configuring Windows Hello for Business: Active Directory **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. ### Creating Security Groups -Windows Hello for Business uses several security groups to simplify the deployment and managment. +Windows Hello for Business uses several security groups to simplify the deployment and management. > [!Important] > If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCredentials Admins Security Group**. Domains that include Windows Server 2016 domain controllers use the KeyAdmins group, which is created during the installation of the first Windows Server 2016 domain controller. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index dd6f6d5b50..25208af1bd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md 
@@ -9,18 +9,17 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 03/26/2018 +ms.date: 08/20/2018 --- # Configure Windows Hello for Business: Active Directory Federation Services **Applies to** -- Windows10 +- Windows10, version 1703 or later +- Hybrid deployment +- Certificate trust ## Federation Services - ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - -The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. +The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index ce00462dc9..7464c27892 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md 
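Review bot: The new Applies-to line `+- Windows10, version 1703 or later` is missing the space in `Windows 10`; every other page touched by this commit spells it `- Windows 10, version 1703 or later`, and the typo was already present in the removed line (`-- Windows10`) and survived the rewrite. Change it to `- Windows 10, version 1703 or later` so the product name is consistent across the guide.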
@@ -14,9 +14,10 @@ ms.date: 10/23/2017 # Configure Hybrid Windows Hello for Business: Directory Synchronization **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Directory Synchronization @@ -77,5 +78,5 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -5. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*) +5. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) 6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 1508af5827..f14eedf3af 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
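Review bot: The navigation list in the second hunk still carries the `Prerequistes` misspelling on its context line `2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)`, even though this same commit corrects that word to `Prerequisites` in the prerequisites page's own copy of the list. Because the list is duplicated on every page of the certificate trust guide, the remaining copies should be fixed in the same pass; the front-matter `ms.date: 10/23/2017` visible in the first hunk header was also left behind while the sibling pages were bumped to August 2018.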
@@ -9,23 +9,24 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 11/08/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid Deployment +- Certificate Trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. +Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. -All deployments use enterprise issed certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. +All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates. 
-## Certifcate Templates +## Certificate Templates -This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. ### Domain Controller certificate template @@ -42,7 +43,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 
@@ -55,7 +56,7 @@ Many domain controllers may have an existing domain controller certificate. The The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). -The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. +The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. 
@@ -73,7 +74,7 @@ The certificate template is configured to supersede all the certificate template ### Enrollment Agent certificate template -Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. +Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. 
@@ -96,7 +97,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 8. On the **Security** tab, click **Add**. 9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. 10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 12. Close the console. #### Creating an Enrollment Agent certificate for typical Service Acconts 
@@ -128,7 +129,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. -8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. +8. On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box. * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 
@@ -145,13 +146,25 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ >[!NOTE] >If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. -Publish Templates + +## Publish Templates ### Publish Certificate Templates to a Certificate Authority The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. -### Unpublish Superseded Certificate Templates +#### Publish Certificate Templates to the Certificate Authority + +Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. 
Click **OK** to publish the selected certificate templates to the certificate authority. +6. Close the console. + + +#### Unpublish Superseded Certificate Templates The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. @@ -169,9 +182,9 @@ Sign-in to the certificate authority or management workstation with _Enterprise > [!div class="checklist"] > * Domain Controller certificate template > * Configure superseded domain controller certificate templates -> * Enrollment Agent certifcate template +> * Enrollment Agent certificate template > * Windows Hello for Business Authentication certificate template -> * Mark the certifcate template as Windows Hello for Business sign-in template +> * Mark the certificate template as Windows Hello for Business sign-in template > * Publish Certificate templates to certificate authorities > * Unpublish superseded certificate templates diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 933756d930..9728d0ac98 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 11/08/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business: Group Policy **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Policy Configuration @@ -25,7 +26,7 @@ Install the Remote Server Administration Tools for Windows 10 on a computer runn Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. -Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate. +Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate. Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings: * Enable Windows Hello for Business 
@@ -145,7 +146,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. #### Use biometrics 
@@ -171,7 +172,7 @@ Starting with Windows 10, version 1703, the PIN complexity Group Policy settings ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index fac7f81257..f3f298b684 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/19/2018 --- # Configure Windows Hello for Business **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] @@ -28,7 +29,7 @@ The configuration for Windows Hello for Business is grouped in four categories. * [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md) * [Group Policy](hello-hybrid-cert-whfb-settings-policy.md) -For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration +For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration > [!div class="step-by-step"] [Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index f986fd3e0e..8ec23ffcaa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md 
@@ -9,16 +9,17 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/26/2018 +ms.date: 08/19/2018 --- # Windows Hello for Business Key Trust New Installation **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technolgies +Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) 
@@ -26,7 +27,7 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory Federation Services](#active-directory-federation-services) -New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization. +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization. The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. @@ -142,8 +143,8 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
          ## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +1. [Overview](hello-hybrid-key-trust.md) +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 45f22f940d..c4ddccad00 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -9,15 +9,15 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/19/2018 --- # Configure Device Registration for Hybrid key trust Windows Hello for Business **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust - ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. 
@@ -34,7 +34,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a checkmark. +Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.

          diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 97684aec7b..041c3f0a23 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -8,29 +8,34 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 10/20/2017 +localizationpriority: high +ms.date: 08/19/2018 --- # Configure Directory Synchronization for Hybrid key trust Windows Hello for Business **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). -

          + +> [!NOTE] +> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured. + +

          ## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +1. [Overview](hello-hybrid-key-trust.md) +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index f1093f35c9..00a4885e90 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -8,17 +8,17 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 11/17/2017 +localizationpriority: high +ms.date: 08/20/2018 --- # Hybrid Key trust Windows Hello for Business Prerequisites **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: 
@@ -30,9 +30,9 @@ The distributed systems on which these technologies were built involved several * [Device Registration](#device-registration) ## Directories ## -Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. The +Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. +A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. 
@@ -52,7 +52,7 @@ Review these requirements and those from the Windows Hello for Business planning ## Public Key Infrastructure ## The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. -Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Diretory object. +Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. @@ -91,9 +91,9 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
          ## Multifactor Authentication ## -Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor, but needs a second factor of authentication. +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. ### Section Review > [!div class="checklist"] @@ -104,7 +104,7 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
          ## Device Registration ## -Organizations wanting to deploy hybrid key trust need thier domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. +Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. ### Section Checklist ### @@ -118,7 +118,7 @@ Follow the Windows Hello for Business hybrid key trust deployment guide. For pr For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**. -For federerated and non-federated environments, start with **Configure Windows Hello for Business settings**. +For federated and non-federated environments, start with **Configure Windows Hello for Business settings**. > [!div class="op_single_selector"] > - [New Installation Baseline](hello-hybrid-key-new-install.md) @@ -131,7 +131,7 @@ For federerated and non-federated environments, start with **Configure Windows H ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-key-trust.md) -2. Prerequistes (*You are here*) +2. Prerequisites (*You are here*) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 397e878d3c..8fb2bf361a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -9,14 +9,14 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/20/2018 --- # Hybrid Azure AD joined Key Trust Deployment **Applies to** -- Windows 10 - ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index c4889c081a..fecb1059be 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md 
@@ -9,16 +9,16 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/20/2018 --- # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. 
@@ -45,11 +45,11 @@ The provisioning flow has all the information it needs to complete the Windows H * A fresh, successful multi-factor authentication * A validated PIN that meets the PIN complexity requirements -The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisiong application and see their desktop. While the user has completed provisioning, Azure AD Connect syncrhonizes the user's key to Active Directory. +The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs the user they can use their PIN to sign-in. The user may close the provisioning application and see their desktop. While the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory. > [!IMPORTANT] -> The minimum time needed to syncrhonize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. -> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. 
+> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. +> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index be72d0be4e..c2821a19f1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md 
@@ -9,21 +9,22 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/20/2018 --- # Configuring Hybrid key trust Windows Hello for Business: Active Directory **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Configure the appropriate security groups to effeiciently deploy Windows Hello for Business to users. +Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. ### Creating Security Groups -Windows Hello for Business uses a security group to simplify the deployment and managment. +Windows Hello for Business uses a security group to simplify the deployment and management. #### Create the Windows Hello for Business Users Security Group @@ -58,4 +59,4 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business settings: Active Directory (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 2059a8d2ff..4679d66c11 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md 
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business: Directory Synchronization **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Directory Syncrhonization @@ -54,5 +55,5 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -6. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*) +6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) 7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index c52c1c6950..21befdf74e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md 
@@ -9,23 +9,24 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid Deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. +Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. All deployments use enterprise issued certificates for domain controllers as a root of trust. -## Certifcate Templates +## Certificate Templates -This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. ### Domain Controller certificate template 
@@ -42,14 +43,14 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. 
-#### Configure Certificate Suspeding for the Domain Controller Authentication (Kerberos) Certificate Template +#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension. 
@@ -76,6 +77,17 @@ The certificate template is configured to supersede all the certificate template The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. +Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. If you published the **Domain Controller Authentication (Kerberos)** certificate template, then you should unpublish the certificate templates you included in the superseded templates list. + * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. +7. Close the console. + ### Unpublish Superseded Certificate Templates The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. 
This includes the pre-published certificate template from the role installation and any superseded certificate templates. @@ -108,7 +120,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise ## Follow the Windows Hello for Business hybrid key trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 65a1b8fd53..1a0b808710 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -ms.localizationpriority: medium +localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/20/2018 --- # Configure Hybrid Windows Hello for Business: Group Policy **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Policy Configuration 
@@ -36,7 +37,7 @@ Domain controllers automatically request a certificate from the *Domain Controll To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. -#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object +#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. @@ -47,7 +48,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**. 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**. +8. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. 9. Select **Enabled** from the **Configuration Model** list. 10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 11. Select the **Update certificates that use certificate templates** check box. 
@@ -58,7 +59,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO** +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�** 3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. ### Windows Hello for Business Group Policy 
@@ -103,13 +104,13 @@ The application of the Windows Hello for Business Group Policy object uses secur 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** 3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. -Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All other users ignore the Group Policy object. +Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object. ## Other Related Group Policy settings ### Windows Hello for Business -There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting so they are applicable to any user that sign-in from a computer with these policy settings. +There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings. #### Use a hardware security device 
@@ -117,7 +118,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. #### Use biometrics 
@@ -144,7 +145,7 @@ Windows 10 provides eight PIN Complexity Group Policy settings that give you gra ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. +Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business . You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. ### Section Review > [!div class="checklist"] @@ -168,4 +169,4 @@ Users must receive the Windows Hello for Business group policy settings and have 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business policy settings (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index 98ea8551bf..c28c97dce0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md 
@@ -9,19 +9,20 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business key trust settings **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You are ready to configure your hybrid key trust environment for Windows Hello for Business. > [!IMPORTANT] -> Ensure your environment meets all the [prerequistes](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. +> Ensure your environment meets all the [prerequisites](hello-hybrid-key-trust-prereqs.md) before proceeding. Review the [New Installation baseline](hello-hybrid-key-new-install.md) section of this deployment document to learn how to prepare your environment for your Windows Hello for Business deployment. The configuration for Windows Hello for Business is grouped in four categories. These categories are: * [Active Directory](hello-hybrid-key-whfb-settings-ad.md) @@ -29,7 +30,7 @@ The configuration for Windows Hello for Business is grouped in four categories. * [Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) * [Group Policy](hello-hybrid-key-whfb-settings-policy.md) -For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration +For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration > [!div class="step-by-step"] [Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md) 
@@ -45,4 +46,4 @@ For the most efficent deployment, configure these technologies in order beginnin 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business settings (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 3a148d65c9..34a61661eb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 03/26/2018 +localizationpriority: high +ms.date: 05/05/2018 --- # Windows Hello for Business @@ -34,7 +34,7 @@ Windows Hello addresses the following problems with passwords: * Windows 10, version 1511 or later * Microsoft Azure Account * Azure Active Directory -* Azure Multifactor authentication +* Azure Multi-factor authentication * Modern Management (Intune or supported third-party MDM), *optional* * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory 
@@ -53,7 +53,7 @@ The table shows the minimum requirements for each deployment. | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | -| Azure AD Premium, optional | Azure AD Premium, needed for device writeback | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | +| Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | ### On-premises Deployments The table shows the minimum requirements for each deployment. @@ -68,85 +68,3 @@ The table shows the minimum requirements for each deployment. | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | | AD FS with Azure MFA Server, or
          AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
          AD FS with 3rd Party MFA Adapter | | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | - -## Frequently Asked Questions - -### Can I deploy Windows Hello for Business using System Center Configuration Manager? -Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018. - -### What is the password-less strategy? - -Watch Senior Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** - -> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM] - -### What is the user experience for Windows Hello for Business? -The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. - -> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM] - -
          - -> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso] - - - - -### What happens when my user forgets their PIN? - -If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. - -> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI] - -For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. - -### Do I need Windows Server 2016 domain controllers? -There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment - -### Is Windows Hello for Business multifactor authentication? -Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". 
- -### Can I use PIN and biometrics to unlock my device? -Starting in Windows 10, version 1709, you can use multifactor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-features#multifactor-unlock) in [Windows Hello for Business Features](#hello-features.md) - -### What is the difference between Windows Hello and Windows Hello for Business -Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their username and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. - -### I have extended Active Directory to Azure Active Directory. Can I use the on-prem deployment model? -No. If your organization is federated or using online services, such as Office 365 or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. - -### Does Windows Hello for Business prevent the use of simple PINs? -Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. This prevents repeating numbers, sequential numbers and simple patterns. 
-So, for example: -* 1111 has a constant delta of 0, so it is not allowed -* 1234 has a constant delta of 1, so it is not allowed -* 1357 has a constant delta of 2, so it is not allowed -* 9630 has a constant delta of -3, so it is not allowed -* 1231 does not have a constant delta, so it is okay -* 1593 does not have a constant delta, so it is okay - -This algorithm does not apply to alphanumeric PINs. - -### How does PIN caching work with Windows Hello for Business? -Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. - -Beginning with Windows 10, Fall Creators Update, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN. - -The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. - -### Can I disable the PIN while using Windows Hello for Business? -No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurence where you cannot authenticate with biometrics, you need a fall back mechansim that is not a password. The PIN is the fall back mechansim. 
Disabling or hiding the PIN credential provider disabled the use of biometrics. - -### Does Windows Hello for Business work with third party federation servers? -Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) - -| Protocol | Description | -| :---: | :--- | -| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/en-us/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | -| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | -| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/en-us/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | -| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider metadata that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. 
|
-
-### Does Windows Hello for Business work with Mac and Linux clients?
-Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can inqury at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration)
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 03cf30c20c..125313997c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -9,16 +9,17 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/26/2018 +ms.date: 08/19/2018 --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem key trust deployment uses Active Directory Federation Services roles for key registration and device registration. +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. @@ -59,7 +60,7 @@ Be sure to enroll or import the certificate into the AD FS server’s computer c ### Internal Server Authentication Certificate Enrollment -Sign-in the federation server with domain admin equivalent credentials. +Sign-in the federation server with domain administrator equivalent credentials. 1. Start the Local Computer **Certificate Manager** (certlm.msc). 2. Expand the **Personal** node in the navigation pane. 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. 
@@ -134,7 +135,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Right-click the **Users** container, Click **New**. Click **User**. 3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. -4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box. 5. Click **Next** and then click **Finish**. ## Configure the Active Directory Federation Service Role @@ -253,7 +254,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 2. Click **Manage** and then click **Add Roles and Features**. 3. Click **Next** On the **Before you begin** page. 4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. +5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. 6. On the **Select server roles** page, click **Next**. 7. Select **Network Load Balancing** on the **Select features** page. 8. Click **Install** to start the feature installation 
@@ -287,7 +288,7 @@ Sign-in a node of the federation farm with _Admin_ equivalent credentials.
 ## Configure DNS for Device Registration
-Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
 1. Open the **DNS Management** console.
 2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
index cd5414603f..67a8061c4d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/10/2017 +ms.date: 08/19/2018 --- # Configure or Deploy Multifactor Authentication Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. @@ -29,7 +30,7 @@ The Azure MFA Server and User Portal servers have several perquisites and must h ### Primary MFA Server -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. 
@@ -54,7 +55,7 @@ A server authentication certificate should appear in the computer’s Personal c #### Install the Web Server Role -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. +The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. 
@@ -89,7 +90,7 @@ Sign in the primary MFA server with _administrator_ equivalent credentials. #### Configure the Web Service’s Security -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. +The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. Sign in the domain controller with _domain administrator_ equivalent credentials. @@ -160,7 +161,7 @@ A server authentication certificate should appear in the computer’s Personal c #### Install the Web Server Role -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not requiret this. +To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this. #### Update the Server 
@@ -172,7 +173,7 @@ To do this, please follow the instructions mentioned in the previous [Configure #### Create WebServices SDK user account -The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. +The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. 1. Open **Active Directory Users and Computers**. 2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. 
@@ -234,12 +235,12 @@ Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. 2. Click **Company Settings**. 3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. 4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. + **Note:** You can use mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. 5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. 6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. 7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. 8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. 
Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +9. Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal. 10. Configure the minimum length for the PIN. 11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. 12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. 
@@ -255,9 +256,9 @@ Now that you have imported or synchronized with your Azure Multi-Factor Authenti With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. 
When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. +If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. #### Settings @@ -304,7 +305,7 @@ Sign in the primary MFA server with _MFA administrator_ equivalent credentials. 2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. 3. Click the **Synchronization** tab. 4. Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance. #### Synchronization 
@@ -352,7 +353,7 @@ The Web Service SDK section allows the administrator to install the Multi-Factor Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. ## Install Secondary MFA Servers @@ -391,7 +392,7 @@ You previously configured the User Portal settings on the primary MFA server. T Sign in the primary MFA server with _local administrator_ equivalent credentials. 1. Open Windows Explorer. -2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. +2. Browse to the C:\Program Files\MultiFactor Authentication Server folder. 3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. ### Configure Virtual Directory name 
@@ -410,7 +411,7 @@ Sign in the User Portal server with _local administrator_ equivalent credentials 2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. 3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. 4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **web.config** file after changes have been made. ### Create a DNS entry for the User Portal web site @@ -453,7 +454,7 @@ Sign in the primary MFA server with _MFA administrator_ equivalent credentials. 3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. The Multi-Factor Authentication Server uses this information when sending emails to users. 4. Select Allow users to log in and Allow user enrollment check boxes. -5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. +5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method. 6. Select Allow users to select language. 7. Select Use security questions for fallback and select 4 from the Questions to answer list. 
@@ -495,7 +496,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia
 2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
 3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
 4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
+5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. 
If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
 ### Edit the AD FS Adapter Windows PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 69e6e36112..bbc808feae 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 ms.localizationpriority: medium
-ms.date: 10/10/2017
+ms.date: 08/19/2018
 ---
 # Configure Windows Hello for Business Policy settings
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
 You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. 
@@ -76,7 +77,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p
 You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
 ### Use biometrics 
@@ -105,7 +106,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 * Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
 * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
-* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting.
+* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
 * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
 * Confirm you configured the proper security settings for the Group Policy object
 * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index da6751970c..9c5067319d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md 
@@ -8,19 +8,21 @@ ms.sitesec: library
 ms.pagetype: security, mobile
 author: DaniHalfin
 ms.localizationpriority: medium
-ms.author: daniha
-ms.date: 10/23/2017
+author: mikestephens-MS
+ms.author: mstephen
+ms.date: 08/19/2018
 ---
 # Validate Active Directory prerequisites
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
 Key trust deployments need an adequate number of 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
-The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
+The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
 ## Create the Windows Hello for Business Users Security Global Group 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 8980d9d210..f657b6ca14 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md 
@@ -9,20 +9,21 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 ms.localizationpriority: medium
-ms.date: 10/10/2017
+ms.date: 08/19/2018
 ---
 # Validate and Deploy Multifactor Authentication Services (MFA)
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
 Windows Hello for Business requires all users perform an additional factor of authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory.
 Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
 * **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks.
-* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios.
+* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios.
 * **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards.
 * **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. 
The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 2d65964f36..764dacd461 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -8,15 +8,16 @@ ms.sitesec: library
 ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
-ms.localizationpriority: medium
-ms.date: 10/10/2017
+localizationpriority: high
+ms.date: 08/19/2018
 ---
 # Validate and Configure Public Key Infrastructure
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
 Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. 
@@ -60,7 +61,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
 1. Open the **Certificate Authority** management console.
 2. Right-click **Certificate Templates** and click **Manage**.
 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 499d76b162..f367ae301e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
@@ -17,7 +17,6 @@ ms.date: 10/18/2017
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index e37f8cbe0f..0d044aa31e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -6,15 +6,15 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
-author: DaniHalfin
-ms.localizationpriority: medium
-ms.date: 07/27/2017
+author: mikestephens-MS
+ms.author: mstephen
+ms.localizationpriority: high
+ms.date: 05/05/2018
 ---
 # Windows Hello for Business Overview
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
 In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. 
@@ -53,15 +53,14 @@ Windows stores biometric data that is used to implement Windows Hello securely o
 - Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication.
-- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release.
 ## Benefits of Windows Hello
 Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
-You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
+You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials.
-In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. 
The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services.
+In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services.
 >[!NOTE]
 >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. 
@@ -79,8 +78,8 @@ Windows Hello helps protect user identities and user credentials. Because the us
 - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
 - Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step.
 - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
-- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
-- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
+- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared.
+- The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
 - PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. 
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
 - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.
@@ -99,17 +98,12 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
 [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
-[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533)
 [Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024)
-[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995)
 [Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890)
 [Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
-[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778)
 ## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index e13cabd2e5..b762cb48f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -8,8 +8,8 @@ ms.sitesec: library
 ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
-ms.localizationpriority: medium
-ms.date: 03/26/2018
+localizationpriority: high
+ms.date: 08/19/2018
 ---
 # Planning a Windows Hello for Business Deployment 
@@ -73,7 +73,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authentice using their certificate to any Windows Server 2008 R2 or later domain controller.
+The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller.
 #### Device registration 
@@ -85,9 +85,9 @@ The in-box Windows Hello for Business provisioning experience creates a hardware
 #### Multifactor authentication
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The inbox provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The in-box provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
-Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
+Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. 
Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
 >[!NOTE]
 > Azure Multi-Factor Authentication is available through:
 >* Microsoft Enterprise Agreement
@@ -128,7 +128,7 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
 ### Public Key Infrastructure
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
 ### Cloud 
@@ -163,7 +163,7 @@ Choose a trust type that is best suited for your organizations. Remember, the t
 One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust).
-Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accomodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployements includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
+Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
 If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. 
@@ -187,17 +187,17 @@ If box **1a** on your planning worksheet reads **on-premises**, write **AD FS**
 ### Directory Synchronization
-Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multifactor authentication during provisioning or writing the user’s public key.
+Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multi-factor authentication during provisioning or writing the user’s public key.
 If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized.
 If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet.
-If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user’s credential remain on the on-premises network.
+If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. 
The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credential remain on the on-premises network.
 ### Multifactor Authentication
-The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
+The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multi-factor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity.
 If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service. Write **Azure MFA** in box **1f** on your planning worksheet. 
@@ -311,9 +311,9 @@ Windows Hello for Business does not require an Azure AD premium subscription. H
 If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multifactor authentication).
+If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication).
-If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device writeback—an Azure AD Premium feature.
+If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature.
 Modern managed devices do not require an Azure AD premium subscription. By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index df783bb5d9..363636202f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -7,17 +7,16 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: DaniHalfin
+author: mikestephens-MS
+ms.author: mstephen
 ms.localizationpriority: medium
-ms.author: daniha
-ms.date: 07/27/2017
+ms.date: 08/19/2018
 ---
 # Prepare people to use Windows Hello
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
 When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
@@ -37,7 +36,7 @@ Next, they select a way to connect. Tell the people in your enterprise which opt
 ![choose how you'll connect](images/connect.png)
-They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
+They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
 After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
new file mode 100644
index 0000000000..6c6251b3f1
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -0,0 +1,46 @@
+---
+title: Windows Hello for Business Videos
+description: Windows Hello for Business Videos
+keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Windows Hello for Business Videos
+
+**Applies to**
+- Windows 10
+
+## Overview of Windows Hello for Business and Features
+
+Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
+> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
+
+## Microsoft's passwordless strategy
+
+Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
+
+> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM]
+
+## Windows Hello for Business user enrollment experience
+
+The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
+
+> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM]
+
+          
+
+> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso]
+
+## Windows Hello for Business forgotten PIN user experience
+
+If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
+
+> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI]
+
+For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index d0cd963ed7..c7eae511cd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -17,7 +17,6 @@ ms.date: 10/23/2017
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
 Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png
new file mode 100644
index 0000000000..2a5658b1a9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/Certificate-CDP.png b/windows/security/identity-protection/hello-for-business/images/aadj/Certificate-CDP.png
new file mode 100644
index 0000000000..34a1cf932a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/Certificate-CDP.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png
new file mode 100644
index 0000000000..88aaf424f0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png
new file mode 100644
index 0000000000..3d547d05fc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-disable-caching.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-disable-caching.png
new file mode 100644
index 0000000000..bb66d1a699
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-disable-caching.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-http.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-http.png
new file mode 100644
index 0000000000..2d4f57993d
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-http.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-unc.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-unc.png
new file mode 100644
index 0000000000..edeb6d971e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-unc.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-new-location.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-new-location.png
new file mode 100644
index 0000000000..a56d495089
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-new-location.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-ntfs-permissions.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-ntfs-permissions.png
new file mode 100644
index 0000000000..79a72ae29f
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-ntfs-permissions.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-share-permissions.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-share-permissions.png
new file mode 100644
index 0000000000..30da456ff0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-share-permissions.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-sharing.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-sharing.png
new file mode 100644
index 0000000000..4efa6708c6
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-sharing.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-cert-path-tab.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-cert-path-tab.png
new file mode 100644
index 0000000000..9f19625b42
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-cert-path-tab.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-export-root-certificate.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-export-root-certificate.png
new file mode 100644
index 0000000000..fa835f58dc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-export-root-certificate.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-personal-store.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-personal-store.png
new file mode 100644
index 0000000000..daa8efae51
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-personal-store.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-renew-with-new-key.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-renew-with-new-key.png
new file mode 100644
index 0000000000..efad4471ca
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-renew-with-new-key.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-root-cert-details-tab.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-root-cert-details-tab.png
new file mode 100644
index 0000000000..4f34de2e73
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-root-cert-details-tab.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/dc-cert-with-new-cdp.png b/windows/security/identity-protection/hello-for-business/images/aadj/dc-cert-with-new-cdp.png
new file mode 100644
index 0000000000..174ee56fd0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/dc-cert-with-new-cdp.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/dns-new-host-dialog.png b/windows/security/identity-protection/hello-for-business/images/aadj/dns-new-host-dialog.png
new file mode 100644
index 0000000000..4076e6ad33
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/dns-new-host-dialog.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png
new file mode 100644
index 0000000000..cacbcf0737
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/iis-add-virtual-directory.png b/windows/security/identity-protection/hello-for-business/images/aadj/iis-add-virtual-directory.png
new file mode 100644
index 0000000000..b33235ec14
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/iis-add-virtual-directory.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-allowDoubleEscaping.png b/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-allowDoubleEscaping.png
new file mode 100644
index 0000000000..20fbffbd85
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-allowDoubleEscaping.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-requestFiltering.png b/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-requestFiltering.png
new file mode 100644
index 0000000000..8c057c4d29
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-requestFiltering.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png
new file mode 100644
index 0000000000..caacf8a566
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png
new file mode 100644
index 0000000000..226f85eeb0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png
new file mode 100644
index 0000000000..067c109808
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/publish-new-crl.png b/windows/security/identity-protection/hello-for-business/images/aadj/publish-new-crl.png
new file mode 100644
index 0000000000..b9176ebfc4
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/publish-new-crl.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/validate-cdp-using-browser.png b/windows/security/identity-protection/hello-for-business/images/aadj/validate-cdp-using-browser.png
new file mode 100644
index 0000000000..59ff4c01d2
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/validate-cdp-using-browser.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png
new file mode 100644
index 0000000000..c2a4f36704
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureADCreateWHFBCertGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureADCreateWHFBCertGroup.png
new file mode 100644
index 0000000000..c54b8061cd
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureADCreateWHFBCertGroup.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png
new file mode 100644
index 0000000000..1e8f3268a2
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png
new file mode 100644
index 0000000000..23e573ba1a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png
new file mode 100644
index 0000000000..2482c97c25
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png
new file mode 100644
index 0000000000..3a31bdd905
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png
new file mode 100644
index 0000000000..336da91706
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png
new file mode 100644
index 0000000000..9a78424978
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png
new file mode 100644
index 0000000000..c620c6593c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png
new file mode 100644
index 0000000000..f2c38239f3
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png
new file mode 100644
index 0000000000..74cea5f0b5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png
new file mode 100644
index 0000000000..e95fd1b9ba
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png
new file mode 100644
index 0000000000..c973e43aec
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png
new file mode 100644
index 0000000000..70aaa2db9d
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png
new file mode 100644
index 0000000000..eadf1eb285
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png
new file mode 100644
index 0000000000..56cced034f
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png
new file mode 100644
index 0000000000..e4e4555942
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneConfigCertRevocation-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneConfigCertRevocation-02.png
new file mode 100644
index 0000000000..1f5512c1a5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneConfigCertRevocation-02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png
new file mode 100644
index 0000000000..390bfecafd
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png
new file mode 100644
index 0000000000..a136973f04
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png
new file mode 100644
index 0000000000..c78baecd49
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png
new file mode 100644
index 0000000000..96fe45bbcf
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png
new file mode 100644
index 0000000000..004d3a3f25
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png
new file mode 100644
index 0000000000..9d66d330fd
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png
new file mode 100644
index 0000000000..dea61f116e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png
new file mode 100644
index 0000000000..831e12fe59
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png
new file mode 100644
index 0000000000..21f4159d80
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings-Add-443.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings-Add-443.png
new file mode 100644
index 0000000000..00b75cbcd4
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings-Add-443.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings.png
new file mode 100644
index 0000000000..89335a38fe
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Console.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Console.png
new file mode 100644
index 0000000000..d1e5d924a5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Console.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-RequestFiltering.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-RequestFiltering.png
new file mode 100644
index 0000000000..100c33218b
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-RequestFiltering.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01-show-Cert.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01-show-Cert.png
new file mode 100644
index 0000000000..0e90f4ed40
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01-show-Cert.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01.png
new file mode 100644
index 0000000000..475313433f
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png
new file mode 100644
index 0000000000..49c4dee983
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png
new file mode 100644
index 0000000000..a97f9f579a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png
new file mode 100644
index 0000000000..a66dcb1d27
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png
new file mode 100644
index 0000000000..fe3e125013
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png
new file mode 100644
index 0000000000..9e17a4353a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png
new file mode 100644
index 0000000000..c7015d5153
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png
new file mode 100644
index 0000000000..d71124ff6b
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png
new file mode 100644
index 0000000000..f2ee619ccc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png
new file mode 100644
index 0000000000..ac473ff1f1
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png
new file mode 100644
index 0000000000..42f44f1450
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png
new file mode 100644
index 0000000000..2aaf619b44
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png
new file mode 100644
index 0000000000..0ec08ecbc0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png
new file mode 100644
index 0000000000..e049986459
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png
new file mode 100644
index 0000000000..03a63b4da1
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png new file mode 100644 index 0000000000..a4081da362 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png new file mode 100644 index 0000000000..deaef2b720 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png new file mode 100644 index 0000000000..81b0b2f36a Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png new file mode 100644 index 0000000000..cd64efd4f8 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png new file mode 100644 index 0000000000..e7016550bc Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png new file mode 100644 index 0000000000..fa38ebce96 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart1.png b/windows/security/identity-protection/hello-for-business/images/dc-chart1.png deleted file mode 100644 index f5c8d3f2f3..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart1.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart2.png b/windows/security/identity-protection/hello-for-business/images/dc-chart2.png deleted file mode 100644 index ff99966521..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart2.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart3.png b/windows/security/identity-protection/hello-for-business/images/dc-chart3.png deleted file mode 100644 index bb0f940660..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart3.png and /dev/null differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart4.png b/windows/security/identity-protection/hello-for-business/images/dc-chart4.png deleted file mode 100644 index ecdab58907..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart4.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart5.png b/windows/security/identity-protection/hello-for-business/images/dc-chart5.png deleted file mode 100644 index 5671c2ecf7..0000000000 Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart5.png and /dev/null differ diff --git a/windows/security/identity-protection/hello-for-business/images/four-steps-passwordless.png b/windows/security/identity-protection/hello-for-business/images/four-steps-passwordless.png new file mode 100644 index 0000000000..8552a3ee2f Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/four-steps-passwordless.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png new file mode 100644 index 0000000000..344be6aa22 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png new file mode 100644 index 0000000000..751e2fbe99 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png new file mode 100644 index 0000000000..095ebc3417 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png new file mode 100644 index 0000000000..905d36fa8f Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png new file mode 100644 index 0000000000..7f82cda5ae Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png new file mode 100644 index 0000000000..454fe3df0a Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png new file mode 100644 index 0000000000..7f9774389c Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png new file mode 100644 index 0000000000..df7973e2ca Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png new file mode 100644 index 0000000000..eb3458bf76 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png new file mode 100644 index 0000000000..dd7eee063e Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png new file mode 100644 index 0000000000..3e67ac6b42 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png new file mode 100644 index 0000000000..6011b3c66e Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png new file mode 100644 index 0000000000..b7f4927730 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png new file mode 100644 index 0000000000..ac1752b75b Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png new file mode 100644 index 0000000000..5bf7d96a34 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png new file mode 100644 index 0000000000..6afa492270 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png new file mode 100644 index 0000000000..3e051918ce Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-HideCredProv.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-HideCredProv.png new file mode 100644 index 0000000000..fd9085fbd1 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-HideCredProv.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-SCRIL-dsa.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-SCRIL-dsa.png new file mode 100644 index 0000000000..6b19520041 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-SCRIL-dsa.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy-2016.png new file mode 100644 index 0000000000..1ec0fe5a29 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy-2016.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy.png new file mode 100644 index 0000000000..9731de1222 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-updatedSecurityPolicyText.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-updatedSecurityPolicyText.png new file mode 100644 index 0000000000..5935422718 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-updatedSecurityPolicyText.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-HideCredProv.png b/windows/security/identity-protection/hello-for-business/images/passwordless/01-HideCredProv.png new file mode 100644 index 0000000000..21329d0ffa Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/01-HideCredProv.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2012.png b/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2012.png new file mode 100644 index 0000000000..9e3a5509a9 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2012.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2016.png new file mode 100644 index 0000000000..b4e1575d05 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2016.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/02-Rotate-SCRIL-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/02-Rotate-SCRIL-2016.png new file mode 100644 index 0000000000..9b068a70a2 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/02-Rotate-SCRIL-2016.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart1.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart1.png new file mode 100644 index 0000000000..8133c22b66 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart1.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart2.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart2.png new file mode 100644 index 0000000000..66f3d18bf2 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart2.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart3.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart3.png new file mode 100644 index 0000000000..c3e127c0c2 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart3.png differ 
diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart4.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart4.png
new file mode 100644
index 0000000000..4559b432aa
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart4.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart5.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart5.png
new file mode 100644
index 0000000000..b8e2bea022
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart5.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png b/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png
new file mode 100644
index 0000000000..06a2ab8543
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png differ
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
new file mode 100644
index 0000000000..0836a4dfc0
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -0,0 +1,291 @@
+---
+title: Password-less Strategy
+description: Reducing Password Usage Surface
+keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/20/2018
+---
+# Password-less Strategy
+
+## Four steps to Password-less
+
+Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password-less.
+![Password-less approach](images/four-steps-passwordless.png)
+
+
+### 1. Develop a password replacement offering
+Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory.
+
+Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to useWindows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
+
+### 2. Reduce user-visible password surface area
+With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished.
Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
+
+### 3. Transition into a password-less deployment
+Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where:
+ - the user never types their password
+ - the user never changes their password
+ - the user does not know their password
+
+In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
+
+### 4. Eliminate passwords from the identity directory
+The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment.
+
+## Methodology
+The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations.
+
+### Prepare for the Journey
+The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey.
+
+The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size.
One way to break down the size of the organization is:
+- Number of departments
+- Organization or department hierarchy
+- Number and type of applications and services
+- Number of work personas
+
+- Organization's IT structure
+
+#### Number of departments
+The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well.
+
+You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less.
+
+Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy.
+
+#### Organization or department hierarchy
+Organization and department hierarchy is the management layers within the departments or the organization as a whole.
How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device.
+
+#### Number and type of applications and services
+The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.
+
+Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications.
+
+#### Number of work personas
+Work personas is where the three previous efforts converge.
You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona.
+
+A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name.
+
+Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona.
+
+Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software.
+
+#### Organization's IT structure
+IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less.
Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded.
+
+#### Assess your Organization
+You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what?
+
+By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity.
+
+How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations.
After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will:
+- work through the work personas
+- organize and deploy user acceptance testing
+- evaluate user acceptance testing results for user-visible password surfaces
+- work with stakeholders to create solutions that mitigate user-visible password surfaces
+- add the solution to the project backlog and prioritize against other projects
+- deploy solution
+- User acceptance testing to confirm the solution mitigates the user-visible password surface
+- Repeat as needed
+
+Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less.
+
+### Where to start?
+What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused.
+
+#### Work persona
+You begin with your work personas. These were part of your preparation process.
They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps.
+
+> [!IMPORTANT]
+> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
+
+Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot.
+
+Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona.
+
+You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line.
+
+## The Process
+
+The journey to password-less is to take each work persona through each password-less step. In the begging, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process.
Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
+
+1. Password-less replacement offering (Step 1)
+ 1. Identify test users that represent the targeted work persona.
+ 2. Deploy Windows Hello for Business to test users.
+ 3. Validate password and Windows Hello for Business work.
+2. Reduce User-visible Password Surface (Step 2)
+ 1. Survey test user workflow for password usage.
+ 2. Identify password usage and plan, develop, and deploy password mitigations.
+ 3. Repeat until all user password usage is mitigated.
+ 4. Remove password capabilities from the Windows.
+ 5. Validate **all** workflows do not need passwords.
+3. Transition into a password-less (Step 3)
+ 1. Awareness campaign and user education.
+ 2. Including remaining users that fit the work persona.
+ 3. Validate **all** users of the work personas do not need passwords.
+ 4. Configure user accounts to disallow password authentication.
+
+After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process.
+
+### Password-less replacement offering (Step 1)
+THe first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
+
+#### Identify test users that represent the targeted work persona
+A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
+
+#### Deploy Windows Hello for Business to test users
+Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business.
+
+With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment.
+
+> [!NOTE]
+> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
+
+#### Validate password and Windows Hello for Business work
+In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
+
+### Reduce User-visible Password Surface (Step 2)
+Before you move to step 2, ensure you have:
+- selected your targeted work persona.
+- identified your test users that represented the targeted work persona.
+- deployed Windows Hello for Business to test users.
+- validated passwords and Windows Hello for Business both work for the test users.
+
+#### Survey test user workflow for password usage
+Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2.
+
+Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is:
+- What is the name of the application that asked for a password?.
+- Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?).
+- What part of their workflow makes them use the application? Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.).
+- How frequently do you use this application in a given day? week?
+- Is the password you type into the application the same as the password you use to sign-in to Windows?
+
+Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less.
+
+#### Identify password usage and plan, develop, and deploy password mitigations
+Your test users have provided you valuable information that describes the how, what, why and when they use a password.
It is now time for your team to identify each of these password use cases and understand why the user must use a password.
+
+Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password.
+
+Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like:
+- Provisioning a new brand new user without a password.
+- Users who forget the PIN or other remediation flows when the strong credential is unusable.
+
+Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization.
+
+Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded.
+
+Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less.
If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
+
+The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
+
+Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authenticate.
+
+#### Repeat until all user password usage is mitigated
+Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too.
Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance.
+
+#### Remove password capabilities from the Windows
+You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password.
+
+Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider.
+
+##### Security Policy
+You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
+![securityPolicyLocation](images/passwordless/00-securityPolicy.png)
+
+**Windows Server 2016 and earlier**
+The policy name for these operating systems is **Interactive logon: Require smart card**.
+![securityPolicyBefore2016](images/passwordless/00-securitypolicy-2016.png)
+
+**Windows 10, version 1703 or later using Remote Server Administrator Tools**
+The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
+![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png)
+
+When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
+
+#### Excluding the password credential provider
+You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon**
+![HideCredProvPolicy](images/passwordless/00-hidecredprov.png)
+
+The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
+![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png)
+
+Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
+
+#### Validate all workflows do not need passwords
+This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a passwords. Users will be blocked is any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well.
+
+### Transition into a password-less deployment (Step 3)
+Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success.
+
+#### Awareness and user education
+In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign.
+
+An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out.
+
+#### Including remaining users that fit the work persona
+You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment.
+
+#### Validate **all** users of the work personas do not need passwords.
+You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment.
+
+Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are:
+- Is the reporting user performing a task outside the work persona?
+- Is the reported issue affecting the entire work persona, or only specific users?
+- Is the outage a result of a misconfiguration?
+- Is the outage a overlooked gap from step 2?
+
+Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity.
With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process.
+
+Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating.
+
+#### Configure user accounts to disallow password authentication.
+You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
+
+You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object.
+
+The account options on a user account includes an option -- **Smart card is required for interactive logon**, also known as (SCRIL).
+
+> [!NOTE]
+> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
+
+![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png)
+**SCRIL setting for a user on Active Directory Users and Computers.**
+
+When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password.
Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because: +- the do not know their password. +- their password is 128 random bits of data and is likely to include non-typable characters. +- the user is not asked to change their password +- domain controllers do not allow passwords for interactive authentication + +![SCRIL setting from ADAC on Windows Server 2012](images/passwordless/01-scril-adac-2012.png) +**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.** + +> [!NOTE] +> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. + +![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png) +**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.** + +> [!NOTE] +> Windows Hello for Business was formerly known as Microsoft Passport. + +##### Automatic password change for SCRIL configured users +Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users. + +In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. 
When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. +![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) + +> [!NOTE] +> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. + +## The Road Ahead +The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). + diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md new file mode 100644 index 0000000000..ec19abbc74 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md 
@@ -0,0 +1,122 @@ +--- +title: How Windows Hello for Business works (Windows 10) +description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: DaniHalfin +ms.localizationpriority: high +ms.author: daniha +ms.date: 10/16/2017 +--- +# How Windows Hello for Business works + +**Applies to** +- Windows 10 +- Windows 10 Mobile + +Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. + +## Register a new user or device + +A goal of device registration is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Windows Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. + +> [!NOTE] +>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](../hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register. + + The registration process works like this: + +1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. 
Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. +2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. +3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately + +The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: + +- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. +- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. +- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. + +When the user has completed this process, Windows Hello generates a new public–private key pair on the device. 
The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. + +At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. + +## What’s a container? + +You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. 
Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. + +The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. + +It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. + +The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. + +![Each logical container holds one or more sets of keys](../images/passport-fig3-logicalcontainer.png) + +Containers can contain several types of key material: + +- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. +- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. +- The IDP key. 
These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: + - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. + - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. 
+ +## How keys are protected + +Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. + +Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. + + +## Authentication + +When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. 
Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. + +These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. + +For example, the authentication process for Azure Active Directory works like this: + +1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) +2. The IDP returns a challenge, known as a nonce. +3. The device signs the nonce with the appropriate private key. +4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. +5. 
The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. +6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. +7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. +8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. + +When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. + + +## The infrastructure + +Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: + +- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. +- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. 
The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. +- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. + + + + + + + + + + + + + + + +## Related topics + +- [Windows Hello for Business](../hello-identity-verification.md) +- [Manage Windows Hello for Business in your organization](../hello-manage-in-organization.md) +- [Why a PIN is better than a password](../hello-why-pin-is-better-than-password.md) +- [Prepare people to use Windows Hello](../hello-prepare-people-to-use.md) +- [Windows Hello and password changes](../hello-and-password-changes.md) +- [Windows Hello errors during PIN creation](../hello-errors-during-pin-creation.md) +- [Event ID 300 - Windows Hello successfully created](../hello-event-300.md) +- [Windows Hello biometrics in the enterprise](../hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index ae838d1fcc..de55fa465e 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md 
@@ -2,6 +2,12 @@
 ## [Windows Hello for Business Overview](hello-overview.md)
 ## [How Windows Hello for Business works](hello-how-it-works.md)
+### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive)
+#### [Technology and Terminology](hello-how-it-works-technology.md)
+#### [Device Registration](hello-how-it-works-device-registration.md)
+#### [Provisioning](hello-how-it-works-provisioning.md)
+#### [Authentication](hello-how-it-works-authentication.md)
+
 ## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
 ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 ## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
@@ -14,7 +20,7 @@
 ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
 ### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
-#### [Prerequistes](hello-hybrid-key-trust-prereqs.md)
+#### [Prerequisites](hello-hybrid-key-trust-prereqs.md)
 #### [New Installation Baseline](hello-hybrid-key-new-install.md)
 #### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 #### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
@@ -28,6 +34,10 @@
 #### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
 #### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
+### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
+#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md)
+#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
+
 ### [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
 #### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
 #### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
@@ -44,4 +54,9 @@
 #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
 ## [Windows Hello for Business Features](hello-features.md)
-### [Multifactor Unlock](feature-multifactor-unlock.md)
\ No newline at end of file
+### [Multifactor Unlock](feature-multifactor-unlock.md)
+
+## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.md)
+### [Windows Hello for Business Videos](hello-videos.md)
+
+##[Password-less Strategy](passwordless-strategy.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md b/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md
deleted file mode 100644
index 8b6124f000..0000000000
--- a/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: How hardware-based containers help protect Windows 10 (Windows 10)
-description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: justinha
-ms.date: 06/29/2017
----
-
-# How hardware-based containers help protect Windows 10
-
-Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.
-Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard.
-
-Protecting system services and data with Windows Defender System Guard is an important first step, but is just the beginning of what we need to do as it doesn’t protect the rest of the operating system, information on the device, other apps, or the network.
-Since systems are generally compromised through the application layer, and often though browsers, Windows 10 includes Windows Defender Application Guard to isolate Microsoft Edge from the operating system, information on the device, and the network.
-With this, Windows can start to protect the broader range of resources.
-
-The following diagram shows Windows Defender System Guard and Windows Defender Application Guard in relation to the Windows 10 operating system.
-
-![Application Guard and System Guard](images/application-guard-and-system-guard.png)
-
-## What security threats do containers protect against
-
-Exploiting zero days and vulnerabilities are an increasing threat that attackers are attempting to take advantage of.
-The following diagram shows the traditional Windows software stack: a kernel with an app platform, and an app running on top of it.
-Let’s look at how an attacker might elevate privileges and move down the stack.
-
-![Traditional Windows software stack](images/traditional-windows-software-stack.png)
-
-In desktop operating systems, those apps typically run under the context of the user’s privileges.
-If the app was malicious, it would have access to all the files in the file system, all the settings that you as a user Standard user have access to, and so on.
-
-A different type of app may run under the context of an Administrator.
-If attackers exploit a vulnerability in that app, they could gain Administrator privileges.
-Then they can start turning off defenses.
-
-They can poke down a little bit lower in the stack and maybe elevate to System, which is greater than Administrator.
-Or if they can exploit the kernel mode, they can turn on and turn off all defenses, while at the same time making the computer look healthy.
-SecOps tools could report the computer as healthy when in fact it’s completely under the control of someone else.
-
-One way to address this threat is to use a sandbox, as smartphones do.
-That puts a layer between the app layer and the Windows platform services.
-Universal Windows Platform (UWP) applications work this way.
-But what if a vulnerability in the sandbox exists?
-The attacker can escape and take control of the system.
-
-## How containers help protect Windows 10
-
-Windows 10 addresses this by using virtualization based security to isolate more and more components out of Windows (left side) over time and moving those components into a separate, isolated hardware container.
-The container helps prevent zero days and vulnerabilities from allowing an attacker to take control of a device.
-
-Anything that's running in that container on the right side will be safe, even from Windows, even if the kernel's compromised.
-Anything that's running in that container will also be secure against a compromised app.
-Initially, Windows Defender System Guard will protect things like authentication and other system services and data that needs to resist malware, and more things will be protected over time.
-
-![Windows Defender System Guard](images/windows-defender-system-guard.png)
diff --git a/windows/security/identity-protection/images/windows-defender-system-guard.png b/windows/security/identity-protection/images/windows-defender-system-guard.png
deleted file mode 100644
index 865af86b19..0000000000
Binary files a/windows/security/identity-protection/images/windows-defender-system-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index 7208a54485..1e0b600031 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -25,5 +25,4 @@ Learn more about identity annd access management technologies in Windows 10 and
 | [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
 | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
 | [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
-| [Windows Firewall with Advanced Security](windows-firewall/windows-firewall-with-advanced-security.md) | Provides information about Windows Firewall with Advanced Security, which is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. |
 | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index e5ef6bfcf2..36ee129b4c 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -14,7 +14,7 @@ ms.date: 01/12/2018 - Windows 10 - Windows Server 2016 -Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. +Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Administrator credentials are highly privileged and must be protected. By using Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, if the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never passed over the network to the target device. @@ -25,13 +25,13 @@ Administrator credentials are highly privileged and must be protected. By using ## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options -The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: +The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works: ![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
          -The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: +The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: ![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) @@ -55,31 +55,31 @@ Use the following table to compare different Remote Desktop connection security |**Network identity**|Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. |Remote Desktop session **connects to other resources as remote host’s identity**.| |**Multi-hop**|From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**.|Not allowed for user as the session is running as a local host account| |**Supported authentication** |Any negotiable protocol.| Kerberos only.|Any negotiable protocol| -
          +
          -For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx) +For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx) and [How Kerberos works](https://technet.microsoft.com/en-us/library/cc961963.aspx(d=robot)) -
          +
          ## Remote Desktop connections and helpdesk support scenarios - + For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects. -Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). +Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf). To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. 
LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/en-us/download/details.aspx?id=46899). -For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/en-us/library/security/3062591.aspx). +For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/en-us/library/security/3062591.aspx). ## Remote Credential Guard requirements -To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: +To use Windows Defender Remote Credential Guard, the Remote Desktop client and remote host must meet the following requirements: The Remote Desktop client device: @@ -111,7 +111,7 @@ You must enable Restricted Admin or Windows Defender Remote Credential Guard on 1. Open Registry Editor on the remote host. 2. Enable Restricted Admin and Windows Defender Remote Credential Guard: - Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. - - Add a new DWORD value named **DisableRestrictedAdmin**. + - Add a new DWORD value named **DisableRestrictedAdmin**. - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard. 3. Close Registry Editor. 
@@ -134,14 +134,14 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png) 3. Under **Use the following restricted mode**: - - If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. + - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. > **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - + - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. - + - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. 
For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. - + 4. Click **OK**. 5. Close the Group Policy Management Console. @@ -149,7 +149,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C 6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied. -### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection +### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection. 
@@ -162,7 +162,7 @@ mstsc.exe /remoteGuard - Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied. -- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory. +- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory. - Remote Desktop Credential Guard only works with the RDP protocol. diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 87d7ffeeff..cc4e495d4f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md 
@@ -49,7 +49,7 @@ To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card C ## Debugging and tracing using WPP -Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider, and it provides a mechanism for the trace provider to log real-time binary messages. Logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider. For more information about WPP, see [Diagnostics with WPP - The NDIS blog](http://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx). +Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider, and it provides a mechanism for the trace provider to log real-time binary messages. Logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider. For more information about WPP, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx). ### Enable the trace diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index b5020571a1..15f9ab184e 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -7,7 +7,7 @@ ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 09/19/2018 --- # How User Account Control works @@ -156,36 +156,40 @@ To better understand each component, review the table below:

          Check UAC slider level

          diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index c0e5e23158..0854da77c6 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -187,7 +187,7 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind | Registry key | Group Policy setting | Registry setting | | - | - | - | | FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled
          1 = Enabled | -| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
          1 = Enabled | +| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
          1 = Enabled | | ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting
          1 = Prompt for credentials on the secure desktop
          2 = Prompt for consent on the secure desktop
          3 = Prompt for credentials
          4 = Prompt for consent
          5 (Default) = Prompt for consent for non-Windows binaries
          | | ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests
          1 = Prompt for credentials on the secure desktop
          3 (Default) = Prompt for credentials | | EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)
          0 = Disabled (default for enterprise) | diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 22c5b6361e..a57b762d3a 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -58,6 +58,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. +Preserving user Always On preference + +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config +Value: AutoTriggerDisabledProfilesList +Type: REG_MULTI_SZ + + ## Trusted network detection This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. 
@@ -86,4 +95,4 @@ After you add an associated app, if you select the **Only these apps can use thi - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 01948e0ca4..3051e37b8b 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -304,7 +304,7 @@ After you configure the settings that you want using ProfileXML, you can apply i 5. Choose **Windows 10 and later** as the platform. 6. Choose **Custom** as the profile type and click **Add**. 8. Enter a name and (optionally) a description. -9. Enter the OMA-URI **./user/vendor/MSFT/_VPN profile name_/ProfileXML**. +9. Enter the OMA-URI **./user/vendor/MSFT/VPNv2/_VPN profile name_/ProfileXML**. 10. Set Data type to **String (XML file)**. 11. Upload the profile XML file. 12. Click **OK**. diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index a5a77954c9..9ad00797a5 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md 
@@ -15,7 +15,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](http://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows 10 credential theft mitigation guide.docx). +This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: - Identify high-value assets @@ -28,7 +28,7 @@ This guide explains how credential theft attacks occur and the strategies and co ## Attacks that steal credentials -Learn about the different types of attacks that are used to steal credentials, and the factors that can place your organization at risk. +Learn about the different types of attacks that are used to steal credentials, and the factors that can place your organization at risk. The types of attacks that are covered include: - Pass the hash @@ -39,7 +39,7 @@ The types of attacks that are covered include: ## Credential protection strategies -This part of the guide helps you consider the mindset of the attacker, with prescriptive guidance about how to prioritize high-value accounts and computers. +This part of the guide helps you consider the mindset of the attacker, with prescriptive guidance about how to prioritize high-value accounts and computers. You'll learn how to architect a defense against credential theft: - Establish a containment model for account privileges 
@@ -63,6 +63,6 @@ This sections covers how to detect the use of stolen credentials and how to coll ## Responding to suspicious activity -Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach. +Learn Microsoft's recommendations for responding to incidents, including how to recover control of compromised accounts, how to investigate attacks, and how to recover from a breach. diff --git a/windows/security/index.yml b/windows/security/index.yml index 05c303413e..ca0486b130 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -22,7 +22,7 @@ metadata: manager: brianlic - ms.date: 07/12/2018 + ms.date: 08/01/2018 ms.topic: article @@ -78,17 +78,3 @@ sections: title: Information protection -- title: Windows Defender Advanced Threat Protection - items: - - type: markdown - text: " - Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform. -
           
          -
          - + Read what's new in Windows 10
          What's New?

          Yes

          Yes

          Yes

          [Enterprise Key Admins](#bkmk-enterprise-key-admins)

          Yes

          [Enterprise Read-only Domain Controllers](#bkmk-entrodc)

          Yes

          -

          UAC has four levels of notification to choose from and a slider to use to select the notification level:

          +

          UAC has a slider to select from four levels of notification.

            -
          • -

            High

            -

            If the slider is set to Always notify, the system checks whether the secure desktop is enabled.

            -
          • -
          • -

            Medium

            -

            If the slider is set to Notify me only when programs try to make changes to my computer, the User Account Control: Only elevate executable files that are signed and validated policy setting is checked:

            +
          • Always notify will:

              -
            • -

              If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run.

              -
            • -
            • -

              If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. The User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.

              -
            • +
            • Notify you when programs try to install software or make changes to your computer.
            • +
            • Notify you when you make changes to Windows settings.
            • +
            • Freeze other tasks until you respond.
            +

            Recommended if you often install new software or visit unfamiliar websites.


          • -
          • -

            Low

            -

            If the slider is set to Notify me only when apps try to make changes to my computer (do not dim by desktop), the CreateProcess is called.

            -
          • -
          • -

            Never Notify

            -

            If the slider is set to Never notify me when, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer.

            -
            Important  

            This setting is not recommended. This setting is the same as setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting to Elevate without prompting.

            -
            -
             
            -
          • +
          • Notify me only when programs try to make changes to my computer will:

            +
              +
            • Notify you when programs try to install software or make changes to your computer.
            • +
            • Not notify you when you make changes to Windows settings.
            • +
            • Freeze other tasks until you respond.
            +

            Recommended if you do not often install apps or visit unfamiliar websites.


            +
          • +
          • Notify me only when programs try to make changes to my computer (do not dim my desktop) will:

            +
              +
            • Notify you when programs try to install software or make changes to your computer.
            • +
            • Not notify you when you make changes to Windows settings.
            • +
            • Not freeze other tasks until you respond.
            • +
            +

            Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.


            +
          • +
          • Never notify (Disable UAC) will:

            +
              +
            • Not notify you when programs try to install software or make changes to your computer.
            • +
            • Not notify you when you make changes to Windows settings.
            • +
            • Not freeze other tasks until you respond.
            • +
            +

            Not recommended due to security concerns.

            +
          - - - - - - -
          Attack surface reductionNext generation protectionEndpoint detection and responseAuto investigation and remediationSecurity posture
          [Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)

          [Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)

          [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)

          [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

          [Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)

          [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)

          [Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)

          [Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
          [Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)

          [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)

          [Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
          [Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)

          [Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)

          [Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)

          [API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)

          [Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

          [Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)

          [Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)

          [Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)
          [Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)

          [Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)

          [Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)

          [Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)
          [Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

          [Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

          [Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

          [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

          [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)

          [Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)
          " \ No newline at end of file diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index 636404ef31..00aaec6903 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -22,12 +22,12 @@ ### [BitLocker Group Policy settings](bitlocker\bitlocker-group-policy-settings.md) ### [BCD settings and BitLocker](bitlocker\bcd-settings-and-bitlocker.md) ### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md) -### [Protect BitLocker from pre-boot attacks](bitlocker\protect-bitlocker-from-pre-boot-attacks.md) -#### [Types of attacks for volume encryption keys](bitlocker\types-of-attacks-for-volume-encryption-keys.md) -#### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md) -#### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md) +### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md) ### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md) +## [Encrypted Hard Drive](encrypted-hard-drive.md) + +## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) 
@@ -53,3 +53,17 @@
 #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
 ### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)
+## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
+
+## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
+### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
+### [TPM fundamentals](tpm/tpm-fundamentals.md)
+### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
+### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
+### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
+### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
+### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
+### [TPM recommendations](tpm/tpm-recommendations.md)
+
+
+
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 529ff6e574..cf809e8fc8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -23,7 +23,7 @@ BitLocker provides full volume encryption (FVE) for operating system volumes, as
 In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.
-> **Note:**  For more info about using this tool, see [Bdehdcfg](http://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference.
+> **Note:**  For more info about using this tool, see [Bdehdcfg](https://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference.
 BitLocker encryption can be done using the following methods:
@@ -122,7 +122,7 @@ Encryption status displays in the notification area or within the BitLocker cont
 There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain.
-Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
+Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
 ### Using BitLocker within Windows Explorer
@@ -179,7 +179,7 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
 ## Encrypting volumes using the manage-bde command line interface
-Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx).
+Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).
 Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index e692472aa5..91d9c277db 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -7,137 +7,185 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 10/27/2017
+ms.date: 09/06/2018
 ---
+
 # BitLocker Countermeasures
 **Applies to**
 - Windows 10
-Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key.
-BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by:
+Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks.
+BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology.
+Data on a lost or stolen computer is vulnerable.
+For example, there could be unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer.
-- **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files.
-- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer.
+BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by:
-The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup.
+- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
+- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
+ 
+The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 10, Windows 8.1, and Windows 8.
-### Protection before startup
+For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure).
-Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM and Secure Boot. Fortunately, many modern computers feature TPM.
+## Protection before startup
-#### Trusted Platform Module
+Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers feature a TPM and Secure Boot.
-Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify.
+### Trusted Platform Module
-A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, they’ll probably destroy the chip in the process.
-By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key.
-For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
+A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
+On some platforms, TPM can alternatively be implemented as a part of secure firmware.
+BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline.
+For more info about TPM, see [Trusted Platform Module](https://docs.microsoft.com/windows/device-security/tpm/trusted-platform-module-overview).
-#### UEFI and Secure Boot
+### UEFI and Secure Boot
-No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys.
+Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader.
-The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating system’s bootloader. As part of its introduction into the pre–operating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature.
+The UEFI specification defines a firmware execution authentication process called [Secure Boot](https://docs.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process).
+Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
-Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the device’s firmware before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust.
+By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement.
+An unauthorized EFI firmware, EFI boot application, or bootloader cannot run and acquire the BitLocker key.
-Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
-With the legacy BIOS boot process, the pre–operating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes.
+### BitLocker and reset attacks
-![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg)
+To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory.
-**Figure 1.** The BIOS and UEFI startup processes
+>[!NOTE]
+>This does not protect against physical attacks where an attacker opens the case and attacks the hardware.
-With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether it’s trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloader’s digital signature.
-Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate.
+## Security policies
-If the bootloader passes these two tests, UEFI knows that the bootloader isn’t a bootkit and starts it.
At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files haven’t been changed.
+The next sections cover pre-boot authentication and DMA policies that can provide additional protection for BitLocker.
-Starting with Windows 8, certified devices must meet several requirements related to UEFI-based Secure Boot:
+### Pre-boot authentication
-- They must have Secure Boot enabled by default.
-- They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).
-- They must allow the user to configure Secure Boot to trust other signed bootloaders.
-- Except for Windows RT devices, they must allow the user to completely disable Secure Boot.
+Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible.
+The Group Policy setting is [Require additional authentication at startup](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) and the corresponding setting in the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
-These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
+BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed.
+If Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
-- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of
-Secure Boot on Windows-certified devices.
-
-- **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems.
-- **Turn off Secure Boot.** You can turn off Secure Boot. This does not help protect you from bootkits, however.
-
-To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings.
-Any device that doesn’t require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution.
-UEFI is secure by design, but it’s critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly.
-
-For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](http://technet.microsoft.com/windows/dn168167.aspx).
-
-### Protection during pre-boot: Pre-boot authentication
-
-Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. In the case of BitLocker, BitLocker encrypts the entire drive, including all system files.
BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key.
-
-If Windows can’t access the encryption key, the device can’t read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they won’t be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key.
-
-The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: That’s merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future.
+Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key.
+This helps mitigate DMA and memory remanence attacks.
 On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
-- **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data.
-- **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.
-- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN.
-- **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required.
+- **TPM-only.** Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard logon. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
+- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.
+- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN.
TPMs also have [anti-hammering protection](https://docs.microsoft.com/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
+- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required.
-For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself.
+In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
-Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks).
+![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png)
-BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy.
-Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however.
+Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
+Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
-You can mitigate the risk of booting to a malicious operating system:
+On the other hand, Pre-boot authentication prompts can be inconvenient to users.
+In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key.
+Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
-- **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option.
-- **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot.
+To address these issues, you can deploy [BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock).
+Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention.
+It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
-### Protection During Startup
+### Protecting Thunderbolt and other DMA ports
-During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail.
+There are a few different options to protect DMA ports, such as Thunderbolt™3.
+Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default.
+This kernel DMA protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
-**Trusted Boot**
+You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled:
-Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it.
The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+![Kernel DMA protection](images/kernel-dma-protection.png)
-Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, it’s possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled.
+If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
-**Early Launch Antimalware**
+1. Require a password for BIOS changes
+2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings
+3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607):
-Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
+ - MDM: [DataProtection/AllowDirectMemoryAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
+ - Group Policy: [Disable new DMA devices when this computer is locked](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#disable-new-dma-devices-when-this-computer-is-locked) (This setting is not configured by default.)
-Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete.
+For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
+For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
+
+## Attack countermeasures
-Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps.
+This section covers countermeasures for specific types attacks.
-To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software.
+### Bootkits and rootkits
-With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy.
-ELAM classifies drivers as follows:
+A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys.
+The TPM should observe this installation via PCR measurements, and the BitLocker key will not be released.
+This is the default configuration.
-- **Good.** The driver has been signed and has not been tampered with.
-- **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized.
-- **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
-- **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver.
+A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise.
+Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks.
+Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure).
-While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack.
+### Brute force attacks against a PIN
+Require TPM + PIN for anti-hammering protection.
-### Protection After Startup: eliminate DMA availability
+### DMA attacks
-Windows Modern Standby–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA.
+See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this topic.
-## See also
-- [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md)
-- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md)
-- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
-- [BitLocker overview](bitlocker-overview.md)
+### Paging file, crash dump, and Hyberfil.sys attacks
+These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives.
+It also blocks automatic or manual attempts to move the paging file.
+
+### Memory remanence
+
+Enable Secure Boot and require a password to change BIOS settings.
+For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
+
+## Attacker countermeasures
+
+The following sections cover mitigations for different types of attackers.
+
+### Attacker without much skill or with limited physical access
+
+Physical access may be limited by a form factor that does not expose buses and memory.
+For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
+This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software.
+
+Mitigation:
+- Pre-boot authentication set to TPM only (the default)
+
+### Attacker with skill and lengthy physical access
+
+Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
+
+Mitigation:
+- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN to help the TPM anti-hammering mitigation).
+
+ -And-
+
+- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This can be set using Group Policy:
+
+ - Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show hibernate in the power options menu
+ - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in)
+ - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (on battery)
+
+These settings are **Not configured** by default.
+
+For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible.
The Group Policy setting for [enhanced PIN](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol2aallow-enhanced-pins-for-startup) is:
+
+Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives|Allow enhanced PINs for startup
+
+This setting is **Not configured** by default.
+
+For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby power management and shut down or hibernate the device.
+
+## See also
+
+- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
+- [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
+- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index ad44659819..64800a4fe1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -24,8 +24,8 @@ To control what drive encryption tasks the user can perform from the Windows Con
 BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance.
-If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group
-Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](http://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
+If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. 
This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group
+Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
 ## BitLocker Group Policy settings
@@ -91,7 +91,7 @@ The following policies are used to support customized deployment scenarios in yo
 ### Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN
 This policy setting allows users on devices that are compliant with Modern Standby or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. - +
@@ -116,7 +116,7 @@ This policy setting allows users on devices that are compliant with Modern Stand - 
@@ -133,15 +133,15 @@ This policy setting allows users on devices that are compliant with Modern Stand
   **Reference**
-The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby.
-But visually impaired users have no audible way to know when to enter a PIN.
-This setting enables an exception to the PIN-required policy on secure hardware.
+The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby.
+But visually impaired users have no audible way to know when to enter a PIN.
+This setting enables an exception to the PIN-required policy on secure hardware.
 ### Allow network unlock at startup
-This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
+This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
 This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. - +

          Conflicts

          This setting overrides the Require startup PIN with TPM option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware. +

          This setting overrides the Require startup PIN with TPM option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.

          
@@ -355,27 +355,27 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
   **Reference**
-This policy setting is applied when you turn on BitLocker.
+This policy setting is applied when you turn on BitLocker.
 The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
-Originally, BitLocker allowed from 4 to 20 characters for a PIN.
-Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
-Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+Originally, BitLocker allowed from 4 to 20 characters for a PIN.
+Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
-The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
-For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
-A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
-This totals a maximum of about 4415 guesses per year. 
-If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
+For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
+A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
+This totals a maximum of about 4415 guesses per year.
+If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
-Increasing the PIN length requires a greater number of guesses for an attacker.
+Increasing the PIN length requires a greater number of guesses for an attacker.
 In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
-Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
-To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
-If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. 
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
 ### Disable new DMA devices when this computer is locked
@@ -778,7 +778,7 @@ This policy setting is used to require, allow, or deny the use of passwords with
   **Reference**
-If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at
+If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at
 **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled.
 >**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
@@ -793,7 +793,7 @@ When set to **Do not allow complexity**, no password complexity validation will
 >**Note:**  Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled.  
-For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852211.aspx).
+For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852211.aspx).
 ### Validate smart card certificate usage rule compliance
@@ -1058,7 +1058,7 @@ This policy setting is used to prevent users from turning BitLocker on or off on
 This policy setting is applied when you turn on BitLocker.
-For information about suspending BitLocker protection, see [BitLocker Basic Deployment](http://technet.microsoft.com/library/dn383581.aspx).
+For information about suspending BitLocker protection, see [BitLocker Basic Deployment](https://technet.microsoft.com/library/dn383581.aspx).
 The options for choosing property settings that control how users can configure BitLocker are:
@@ -1108,11 +1108,11 @@ This policy setting is used to control the encryption method and cipher strength
   **Reference**
-The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
+The values of this policy determine the strength of the cipher that BitLocker uses for encryption.
 Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
-If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
-For fixed and operating system drives, we recommend that you use the XTS-AES algorithm.
+If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
+For fixed and operating system drives, we recommend that you use the XTS-AES algorithm.
 For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
@@ -1486,7 +1486,7 @@ For more information about adding data recovery agents, see [BitLocker basic dep
 In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
-Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for
+Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for
 the drive are determined by the policy setting.
 In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS.
@@ -1706,10 +1706,10 @@ In **Configure user storage of BitLocker recovery information**, select whether
 Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting.
-In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
+In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS.
 Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS.
-For more information about the BitLocker repair tool, see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx).
+For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx).
 Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
@@ -2445,7 +2445,7 @@ You can save the optional recovery key to a USB drive. Because recovery password
 You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures.
-For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](http://technet.microsoft.com/library/jj852197.aspx).
+For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852197.aspx).
 ## Power management Group Policy settings: Sleep and Hibernate
@@ -2466,10 +2466,10 @@ Changing from the default platform validation profile affects the security and m
 **About PCR 7**
-PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This
+PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can leverage Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4 which have the measurements of the exact firmware and Bootmgr images loaded. This
 reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides you with greater flexibility to manage the preboot configuration.
-PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](http://msdn.microsoft.com/library/windows/hardware/jj923068.aspx).
+PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](https://msdn.microsoft.com/library/windows/hardware/jj923068.aspx).
PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 0b99703f70..4643595543 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -351,6 +351,7 @@ The following steps can be used to configure Network Unlock on these older syste
 6. [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix)
 Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic.
+ certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
 reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
 reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 1e0f1fd1a8..430fd8fbe7 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 07/18/2018
+ms.date: 09/17/2018
 ---
 # BitLocker Management for Enterprises
@@ -21,13 +21,11 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu
 Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
-Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024.
-
-Enterprises that choose to continue managing BitLocker on-premises after MBAM support ends can use the [BitLocker WMI provider class](https://msdn.microsoft.com/library/windows/desktop/aa376483) to create a custom management solution. 
+Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024.
 Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
 ## Managing devices joined to Azure Active Directory
-Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). 
BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
 Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index effba5e206..68b1e25d31 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -36,7 +36,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker, or on devices such as tablets or phones that use Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker, or on devices such as tablets or phones that use Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. 
However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. @@ -93,7 +93,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t 2. At the command prompt, type the following command and then press ENTER: `manage-bde -forcerecovery ` - + **To force recovery for a remote computer** 1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. 
@@ -106,8 +106,8 @@ Before you create a thorough BitLocker recovery process, we recommend that you t When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. -Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker -Administration and Monitoring](http://technet.microsoft.com/windows/hh826072.aspx). +Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. 
MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker +Administration and Monitoring](https://technet.microsoft.com/windows/hh826072.aspx). After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization. 
@@ -133,7 +133,7 @@ If the user does not have a recovery password in a printout or on a USB flash dr - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** - **Choose how BitLocker-protected removable drives can be recovered** -In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD +In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. >**Note:**  If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. 
@@ -180,7 +180,7 @@ Because the recovery password is 48 digits long the user may need to record the   ### Post-recovery analysis -When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption +When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted. If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator can perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See: @@ -223,7 +223,7 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on **To prevent continued recovery due to an unknown PIN** 1. Unlock the computer using the recovery password. -2. Reset the PIN: +2. Reset the PIN: 1. Right-click the drive and then click **Change PIN** 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. 
@@ -314,7 +314,7 @@ You can use the following sample script to create a VBScript file to reset the r strDriveLetter = "c:" ' Target computer name ' Use "." to connect to the local computer -strComputerName = "." +strComputerName = "." ' -------------------------------------------------------------------------------- ' Connect to the BitLocker WMI provider class ' -------------------------------------------------------------------------------- @@ -322,8 +322,8 @@ strConnectionStr = "winmgmts:" _ & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _ & strComputerName _ & "\root\cimv2\Security\MicrosoftVolumeEncryption" - - + + On Error Resume Next 'handle permission errors Set objWMIService = GetObject(strConnectionStr) If Err.Number <> 0 Then @@ -353,7 +353,7 @@ If nRC <> 0 Then WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC) WScript.Quit -1 End If -' Removes the other, "stale", recovery passwords +' Removes the other, "stale", recovery passwords ' ---------------------------------------------------------------------------------- nKeyProtectorTypeIn = 3 ' type associated with "Numerical Password" protector nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs) @@ -361,7 +361,7 @@ If nRC <> 0 Then WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC) WScript.Quit -1 End If -' Delete those key protectors other than the one we just added. +' Delete those key protectors other than the one we just added. For Each sKeyProtectorID In aKeyProtectorIDs If sKeyProtectorID <> sNewKeyProtectorID Then nRC = objVolume.DeleteKeyProtector(sKeyProtectorID) 
@@ -405,7 +405,7 @@ You can use the following sample script to create a VBScript file to retrieve th Sub ShowUsage Wscript.Echo "USAGE: GetBitLockerKeyPackageADDS [Path To Save Key Package] [Optional Computer Name]" Wscript.Echo "If no computer name is specified, the local computer is assumed." - Wscript.Echo + Wscript.Echo Wscript.Echo "Example: GetBitLockerKeyPackageADDS E:\bitlocker-ad-key-package mycomputer" WScript.Quit End Sub @@ -417,17 +417,17 @@ Select Case args.Count Case 1 If args(0) = "/?" Or args(0) = "-?" Then ShowUsage - Else + Else strFilePath = args(0) - ' Get the name of the local computer + ' Get the name of the local computer Set objNetwork = CreateObject("WScript.Network") - strComputerName = objNetwork.ComputerName - End If - + strComputerName = objNetwork.ComputerName + End If + Case 2 If args(0) = "/?" Or args(0) = "-?" Then ShowUsage - Else + Else strFilePath = args(0) strComputerName = args(1) End If 
@@ -437,40 +437,40 @@ End Select ' -------------------------------------------------------------------------------- ' Get path to Active Directory computer object associated with the computer name ' -------------------------------------------------------------------------------- -Function GetStrPathToComputer(strComputerName) +Function GetStrPathToComputer(strComputerName) ' Uses the global catalog to find the computer in the forest ' Search also includes deleted computers in the tombstone Set objRootLDAP = GetObject("LDAP://rootDSE") - namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com + namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com strBase = "" - - Set objConnection = CreateObject("ADODB.Connection") - Set objCommand = CreateObject("ADODB.Command") - objConnection.Provider = "ADsDSOOBject" - objConnection.Open "Active Directory Provider" - Set objCommand.ActiveConnection = objConnection + + Set objConnection = CreateObject("ADODB.Connection") + Set objCommand = CreateObject("ADODB.Command") + objConnection.Provider = "ADsDSOOBject" + objConnection.Open "Active Directory Provider" + Set objCommand.ActiveConnection = objConnection strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))" - strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree" - objCommand.CommandText = strQuery - objCommand.Properties("Page Size") = 100 + strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree" + objCommand.CommandText = strQuery + objCommand.Properties("Page Size") = 100 objCommand.Properties("Timeout") = 100 - objCommand.Properties("Cache Results") = False - ' Enumerate all objects found. - Set objRecordSet = objCommand.Execute + objCommand.Properties("Cache Results") = False + ' Enumerate all objects found. + Set objRecordSet = objCommand.Execute If objRecordSet.EOF Then WScript.echo "The computer name '" & strComputerName & "' cannot be found." 
WScript.Quit 1 End If ' Found object matching name - Do Until objRecordSet.EOF + Do Until objRecordSet.EOF dnFound = objRecordSet.Fields("distinguishedName") GetStrPathToComputer = "LDAP://" & dnFound - objRecordSet.MoveNext - Loop - ' Clean up. - Set objConnection = Nothing - Set objCommand = Nothing - Set objRecordSet = Nothing + objRecordSet.MoveNext + Loop + ' Clean up. + Set objConnection = Nothing + Set objCommand = Nothing + Set objRecordSet = Nothing End Function ' -------------------------------------------------------------------------------- ' Securely access the Active Directory computer object using Kerberos @@ -495,8 +495,8 @@ For Each objFveInfo in objFveInfos strName = objFveInfo.Get("name") strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword") strKeyPackage = objFveInfo.Get("msFVE-KeyPackage") - WScript.echo - WScript.echo "Recovery Object Name: " + strName + WScript.echo + WScript.echo "Recovery Object Name: " + strName WScript.echo "Recovery Password: " + strRecoveryPassword ' Validate file path Set fso = CreateObject("Scripting.FileSystemObject") 
@@ -506,23 +506,23 @@ WScript.Quit -1 End If ' Save binary data to the file SaveBinaryDataText strFilePathCurrent, strKeyPackage - + WScript.echo "Related key package successfully saved to " + strFilePathCurrent ' Update next file path using base name nCount = nCount + 1 strFilePathCurrent = strFilePath & nCount Next '---------------------------------------------------------------------------------------- -' Utility functions to save binary data +' Utility functions to save binary data '---------------------------------------------------------------------------------------- Function SaveBinaryDataText(FileName, ByteArray) 'Create FileSystemObject object Dim FS: Set FS = CreateObject("Scripting.FileSystemObject") - + 'Create text stream object Dim TextStream Set TextStream = FS.CreateTextFile(FileName) - + 'Convert binary data To text And write them To the file TextStream.Write BinaryToString(ByteArray) End Function @@ -551,7 +551,7 @@ The following sample script exports a new key package from an unlocked, encrypte ' -------------------------------------------------------------------------------- Sub ShowUsage Wscript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Save Key Package]" - Wscript.Echo + Wscript.Echo Wscript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package" WScript.Quit End Sub @@ -563,7 +563,7 @@ Select Case args.Count Case 2 If args(0) = "/?" Or args(0) = "-?" Then ShowUsage - Else + Else strDriveLetter = args(0) strFilePath = args(1) End If 
@@ -575,10 +575,10 @@ End Select ' -------------------------------------------------------------------------------- ' Target computer name ' Use "." to connect to the local computer -strComputerName = "." +strComputerName = "." ' Default key protector ID to use. Specify "" to let the script choose. strDefaultKeyProtectorID = "" -' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}" ' sample +' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}" ' sample ' -------------------------------------------------------------------------------- ' Connect to the BitLocker WMI provider class ' -------------------------------------------------------------------------------- @@ -586,8 +586,8 @@ strConnectionStr = "winmgmts:" _ & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _ & strComputerName _ & "\root\cimv2\Security\MicrosoftVolumeEncryption" - - + + On Error Resume Next 'handle permission errors Set objWMIService = GetObject(strConnectionStr) If Err.Number <> 0 Then @@ -634,8 +634,8 @@ End If ' No numerical passwords exist, save the first external key If strDefaultKeyProtectorID = "" and UBound(aExternalKeyProtectorIDs) <> -1 Then strDefaultKeyProtectorID = aExternalKeyProtectorIDs(0) -End If -' Fail case: no recovery key protectors exist. +End If +' Fail case: no recovery key protectors exist. If strDefaultKeyProtectorID = "" Then WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive." WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde -protectors -add -?""." @@ -655,7 +655,7 @@ WScript.Quit -1 End If ' what's a string that can be used to describe it? strDefaultKeyProtectorType = "" -Select Case nDefaultKeyProtectorType +Select Case nDefaultKeyProtectorType Case nNumericalKeyProtectorType strDefaultKeyProtectorType = "recovery password" Case nExternalKeyProtectorType 
@@ -701,16 +701,16 @@ WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK" WScript.Echo "For help re-saving this external key file, type ""manage-bde -protectors -get -?""" End If '---------------------------------------------------------------------------------------- -' Utility functions to save binary data +' Utility functions to save binary data '---------------------------------------------------------------------------------------- Function SaveBinaryDataText(FileName, ByteArray) 'Create FileSystemObject object Dim FS: Set FS = CreateObject("Scripting.FileSystemObject") - + 'Create text stream object Dim TextStream Set TextStream = FS.CreateTextFile(FileName) - + 'Convert binary data To text And write them To the file TextStream.Write BinaryToString(ByteArray) End Function diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 08c6e11a72..d3ec59e360 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -106,7 +106,7 @@ The following limitations exist for Repair-bde: - The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process. - The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted. -For more information about using repair-bde, see [Repair-bde](http://technet.microsoft.com/library/ff829851.aspx). +For more information about using repair-bde, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx). ## BitLocker cmdlets for Windows PowerShell 
@@ -283,7 +283,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes ### Using the BitLocker Windows PowerShell cmdlets with data volumes -Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a +Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. ``` syntax diff --git a/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md b/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md deleted file mode 100644 index c1b351b15e..0000000000 --- a/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md +++ /dev/null 
@@ -1,138 +0,0 @@ ---- -title: Choose the right BitLocker countermeasure (Windows 10) -description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. -ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -ms.date: 10/27/2017 ---- - -# Choose the right BitLocker countermeasure - -**Applies to** -- Windows 10 - -This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. -You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication. - -Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings. - -
          ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          -

          Windows 8.1
          without TPM

          -

          Windows 8.1 Certified
          (with TPM)

          -

          Bootkits and
          Rootkits

          Without TPM, boot integrity checking is not available

          Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings

          -

          Brute Force
          Sign-in

          Secure by default, and can be improved with account lockout Group Policy

          Secure by default, and can be improved with account lockout and device lockout Group Policy settings

          -

          DMA
          Attacks

          If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

          If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

          -

          Hyberfil.sys
          Attacks

          Secure by default; hyberfil.sys secured on encrypted volume

          Secure by default; hyberfil.sys secured on encrypted volume

          -

          Memory
          Remanence
          Attacks

          Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication

          Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication

          - -**Table 1.**  How to choose the best countermeasures for Windows 8.1

          - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          -

          Windows 10
          without TPM

          -

          Windows 10 Certified
          (with TPM)

          -

          Bootkits and
          Rootkits

          Without TPM, boot integrity checking is not available

          Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings

          -

          Brute Force
          Sign-in

          Secure by default, and can be improved with account lockout Group Policy

          Secure by default, and can be improved with account lockout and device lockout Group Policy settings

          -

          DMA
          Attacks

          If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

          Secure by default; certified devices do not expose vulnerable DMA busses.
          Can be additionally secured by deploying policy to restrict DMA devices:

          - -
          -

          Hyberfil.sys
          Attacks

          Secure by default; hyberfil.sys secured on encrypted volume

          Secure by default; hyberfil.sys secured on encrypted volume

          -

          Memory
          Remanence
          Attacks

          Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication

          Password protect the firmware and ensure Secure Boot is enabled.
          The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.

          - -**Table 2.**  How to choose the best countermeasures for Windows 10 - -The latest Modern Standby devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA port–based attacks, which represent the attack vector of choice, are not possible on Modern Standby devices because these port types are prohibited. The inclusion of DMA ports on even non-Modern Standby devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is: - -**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption** - -Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). 
- -Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack. - -In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations -outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs. - -## See also -- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) -- [BitLocker Countermeasures](bitlocker-countermeasures.md) -- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) -- [BitLocker overview](bitlocker-overview.md) -  -  diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png b/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png new file mode 100644 index 0000000000..297809afdc Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png differ 
diff --git a/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png b/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png
new file mode 100644
index 0000000000..94d0720c76
Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png differ
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index eed67e922b..efa0edfef4 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -59,22 +59,22 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi
 
 | Key protector | Description |
 | - | - |
-| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.|
-| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|
-| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
-| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.|
-| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.|
-| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
+| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.|
+| PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|
+| Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
+| Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.|
+| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. 
Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.|
+| Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
 
 ### BitLocker authentication methods
 
 | Authentication method | Requires user interaction | Description |
 | - | - | - |
-| TPM only| No| TPM validates early boot components.|
-| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
+| TPM only| No| TPM validates early boot components.|
+| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
 | TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. 
|
-| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
-| Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.|
+| TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
+| Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.|
 
 **Will you support computers without TPM version 1.2 or higher?**
 
@@ -161,7 +161,7 @@ BitLocker integrates with Active Directory Domain Services (AD DS) to provide ce
 
 Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services
 
-By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/).
+By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/).
 
 The following recovery data is saved for each computer object:
 
@@ -179,7 +179,7 @@ Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLo
 
 >**Note:**  The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
 
-Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](http://support.microsoft.com/kb/947249).
+Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](https://support.microsoft.com/kb/947249).
 
 But on computers running these supported systems with BitLocker enabled:
 
diff --git a/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md b/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md
deleted file mode 100644
index d67cd69a82..0000000000
--- a/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Protect BitLocker from pre-boot attacks (Windows 10)
-description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration.
-ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 04/19/2017
----
-# Protect BitLocker from pre-boot attacks
-
-
-**Applies to**
-- Windows 10
-
-This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration.
-
-BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system’s integrity, disk encryption solution (for example, encryption keys), and the PC’s data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting
-Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key.
-
-Full-volume encryption using BitLocker Drive Encryption is vital for protecting data and system integrity on devices running the Windows 10, Windows 8.1, Windows 8, or Windows 7 operating system. It is equally important to protect the BitLocker encryption key. On Windows 7 devices, sufficiently protecting that key often required pre-boot authentication, which many users find inconvenient and complicates device management.
-
-Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. 
Every time the PC is unattended, the device must be set to hibernate (in other words, shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network.
-
-If users lose their USB key or forget their PIN, they can’t access their PC without a recovery key. With a properly configured infrastructure, the organization’s support will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time.
-
-Starting with Windows 8, Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. In addition, many modern devices are fundamentally physically resistant to sophisticated attacks against the computer’s memory, and now Windows authenticates the user before making devices that may represent a threat to the device and encryption keys available for use.
-
-## In this topic
-
-The sections that follow help you understand which PCs still need pre-boot authentication and which can meet your security requirements without the inconvenience of it.
-
-- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md)
-- [BitLocker countermeasures](bitlocker-countermeasures.md)
-- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md)
-
-## See also
-
-- [BitLocker overview](bitlocker-overview.md)
- 
- 
diff --git a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
deleted file mode 100644
index d7abb90fbd..0000000000
--- a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: Types of attacks for volume encryption keys (Windows 10)
-description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts.
-ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 10/27/2017
----
-
-# Types of attacks for volume encryption keys
-
-**Applies to**
-- Windows 10
-
-There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts.
-
-The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations.
-
-### Bootkit and rootkit attacks
-
-Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same or possibly even more rights than the operating system, they can completely hide themselves from Windows and even an antimalware solution. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, transfer private files, and capture cryptography keys.
-
-Different types of bootkits and rootkits load at different software levels:
-
-- **Kernel level.** Rootkits running at the kernel level have the highest privilege in the operating system. 
They may be able to inject malicious code or replace portions of the core operating system, including both the kernel and device drivers.
-- **Application level.** These rootkits are aimed to replace application binaries with malicious code, such as a Trojan, and can even modify the behavior of existing applications.
-- **Library level.** The purpose of library-level rootkits is to hook, patch, or replace system calls with malicious code that can hide the malware’s presence.
-- **Hypervisor level.** Hypervisor rootkits target the boot sequence. Their primary purpose is to modify the boot sequence to load themselves as a hypervisor.
-- **Firmware level.** These rootkits overwrite the PC’s BIOS firmware, giving the malware low-level access and potentially the ability to install or hide malware, even if it’s cleaned or removed from the hard disk.
-
-Regardless of the operating system or encryption method, rootkits have access to confidential data once installed. Application-level rootkits can read any files the user can access, bypassing volume-level encryption. Kernel-, library-, hypervisor-, and firmware-level rootkits have direct access to system files on encrypted volumes and can also retrieve an encryption key from memory.
-
-Windows offers substantial protection from bootkits and rootkits, but it is possible to bypass operating system security when an attacker has physical access to the device and can install the malware to the device while Windows is offline. For example, an attacker might boot a PC from a USB flash drive containing malware that starts before Windows. The malware can replace system files or the PC’s firmware or simply start Windows under its control.
-
-To sufficiently protect a PC from boot and rootkits, devices must use pre-boot authentication or Secure Boot, or the encryption solution must use the device’s Trusted Platform Module (TPM) as a means of monitoring the integrity of the end-to-end boot process. 
Pre-boot authentication is available for any device, regardless of the hardware, but because it is inconvenient to users, it should be used only to mitigate threats that are applicable to the device. On devices with Secure Boot enabled, you do not need to use pre-boot authentication to protect against boot and rootkit attacks.
-
-Although password protection of the UEFI configuration is important for protecting a device’s configuration and preventing an attacker from disabling Secure Boot, use of a TPM and its Platform Configuration Register (PCR) measurements (PCR7) to ensure that the system’s bootloader (whether a Windows or non-Microsoft encryption solution) is tamper free and the first code to start on the device is critical. An encryption solution that doesn’t use a device’s TPM to protect its components from tampering may be unable to protect itself from bootkit-level infections that could log a user’s password or acquire encryption keys.
-
-For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible.
-
-Any change to the UEFI configuration invalidates the PCR7 and requires the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. But UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives).
-
-### Brute-force Sign-in Attacks
-
-Attackers can find any password if you allow them to guess enough times. The process of trying millions of different passwords until you find the right one is known as a *brute-force sign-in attack*. In theory, an attacker could obtain any password by using this method. 
-
-Three opportunities for brute-force attacks exist:
-
-- **Against the pre-boot authenticator.** An attacker could attack the device directly by attempting to guess the user’s BitLocker PIN or an equivalent authenticator. The TPM mitigates this approach by invoking an anti-hammering lockout capability that requires the user to wait until the lockout period ends or enter the BitLocker recovery key.
-- **Against the recovery key.** An attacker could attempt to guess the 48-digit BitLocker recovery key. Even without a lockout period, the key is long enough to make brute-force attacks impractical. Specifically, the BitLocker recovery key has 128 bits of entropy; thus, the average brute-force attack would succeed after 18,446,744,073,709,551,616 guesses. If an attacker could guess 1 million passwords per second, the average brute-force attack would require more than 580,000 years to be successful.
-- **Against the operating system sign-in authenticator.** An attacker can attempt to guess a valid user name and password. Windows implements a delay between password guesses, slowing down brute-force attacks. In addition, all recent versions of Windows allow administrators to require complex passwords and password lockouts. Similarly, administrators can use Microsoft Exchange ActiveSync policy or Group Policy to configure Windows 8.1 and Windows 8 to automatically restart and require the user to enter the BitLocker 48-digit recovery key after a specified number of invalid password attempts. When these settings are enabled and users follow best practices for complex passwords, brute-force attacks against the operating system sign-in are impractical.
-
-In general, brute-force sign-in attacks are not practical against Windows when administrators enforce complex passwords and account lockouts.
-
-### Direct Memory Access Attacks
-
-Direct memory access (DMA) allows certain types of hardware devices to communicate directly with a device’s system memory. 
For example, if you use Thunderbolt to connect another device to your computer, the second device automatically has Read and Write access to the target computer’s memory.
-
-Unfortunately, DMA ports don’t use authentication and access control to protect the contents of the computer’s memory. Whereas Windows can often prevent system components and apps from reading and writing to protected parts of memory, a device can use DMA to read any location in memory, including the location of any encryption keys.
-
-DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and
-others, and then use a DMA attack to read confidential data from a PC’s memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack.
-
-Not all port types are vulnerable to DMA attacks. USB in particular does not allow DMA, but devices that have any of the following port types are vulnerable:
-
-- FireWire
-- Thunderbolt
-- ExpressCard
-- PCMCIA
-- PCI
-- PCI-X
-- PCI Express
-
-To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software
-scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents.
-
-A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. 
When connected, the attacking device could use a DMA attack to scan the PC’s memory for the encryption key. It could then transmit the key (or any data in the PC’s memory) using the PC’s Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time).
-
-Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft’s view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any Modern Standby-certified devices. Modern Standby devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets.
-
-DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC.
-
-To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. 
Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device.
-
-### Hyberfil.sys Attacks
-
-The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file.
-
-Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
-
-In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
-
-### Memory Remanence Attacks
-
-A memory remanence attack is a side-channel attack that reads the encryption key from memory after restarting a PC. Although a PC’s memory is often considered to be cleared when the PC is restarted, memory chips don’t immediately lose their memory when you disconnect power. 
Therefore, an attacker who has physical access to the PC’s memory might be able to read data directly from the memory—including the encryption key.
-
-When performing this type of cold boot attack, the attacker accesses the PC’s physical memory and recovers the encryption key within a few seconds or minutes of disconnecting power. This type of attack was demonstrated by researchers at [Princeton University](http://www.youtube.com/watch?v=JDaicPIgn9U). With the encryption key, the attacker would be able to decrypt the drive and access its files.
-
-To acquire the keys, attackers follow this process:
-
-1. Freeze the PC’s memory. For example, an attacker can freeze the memory to −50°C by spraying it with aerosol air duster spray.
-2. Restart the PC.
-3. Instead of restarting Windows, boot to another operating system. Typically, this is done by connecting a bootable flash drive or loading a bootable DVD.
-4. The bootable media loads the memory remanence attack tools, which the attacker uses to scan the system memory and locate the encryption keys.
-5. The attacker uses the encryption keys to access the drive’s data.
-
-If the attacker is unable to boot the device to another operating system (for example, if bootable flash drives have been disabled or Secure Boot is enabled), the attacker can attempt to physically remove the frozen memory from the device and attach it to a different, possibly identical device. Fortunately, this process has proven extremely unreliable, as evidenced by the Defence Research and Development Canada (DRDC) Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). On an increasing portion of modern devices, this type of attack is not even possible, because memory is soldered directly to the motherboard. 
-
-Although Princeton’s research proved that this type of attack was possible on devices that have removable memory, device hardware has changed since the research was published in 2008:
-
-- Secure Boot prevents the malicious tools that the Princeton attack depends on from running on the target device.
-- Windows systems with BIOS or UEFI can be locked down with a password, and booting to a USB drive can be prevented.
-- If booting to USB is required on the device, it can be limited to starting trusted operating systems by using Secure Boot.
-- The discharge rates of memory are highly variable among devices, and many devices have memory that is completely immune to memory remanence attacks.
-- Increased density of memory diminishes their remanence properties and reduces the likelihood that the attack can be successfully executed, even when memory is physically removed and placed in an identical system where the system’s configuration may enable booting to the malicious tools.
-
-Because of these factors, this type of attack is rarely possible on modern devices. Even in cases where the risk factors exist on legacy devices, attackers will find the attack unreliable. For detailed info about the practical uses for forensic memory acquisition and the factors that make a computer vulnerable or resistant to memory remanence attacks, read [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078).
-
-The BitLocker pre-boot authentication feature can successfully mitigate memory remanence attacks on most devices, but you can also mitigate such attacks by protecting the system UEFI or BIOS and prevent the PC from booting from external media (such as a USB flash drive or DVD). The latter option is often a better choice, because it provides sufficient protection without inconveniencing users with pre-boot authentication. 
-
-## See also
-
-- [BitLocker countermeasures](bitlocker-countermeasures.md)
-- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md)
-- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
-- [BitLocker overview](bitlocker-overview.md)
diff --git a/windows/security/hardware-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md
similarity index 96%
rename from windows/security/hardware-protection/encrypted-hard-drive.md
rename to windows/security/information-protection/encrypted-hard-drive.md
index 323e089979..68675bb3d6 100644
--- a/windows/security/hardware-protection/encrypted-hard-drive.md
+++ b/windows/security/information-protection/encrypted-hard-drive.md
@@ -39,7 +39,7 @@ Encrypted Hard Drives are supported natively in the operating system through the
 
 >**Warning:**  Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
 
-If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](http://msdn.microsoft.com/library/windows/hardware/dn653989.aspx).
+If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](https://msdn.microsoft.com/library/windows/hardware/dn653989.aspx).
 
 ## System Requirements
 
@@ -70,7 +70,7 @@ Configuration of Encrypted Hard Drives as startup drives is done using the same
 
 - **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process.
 - **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component is not present, configuration of Encrypted Hard Drives will not work.
-- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](http://msdn.microsoft.com/library/windows/hardware/dn923247.aspx) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
+- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](https://msdn.microsoft.com/library/windows/hardware/dn923247.aspx) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
 - **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work.
 
 ### Encrypted Hard Drive Architecture
@@ -81,7 +81,7 @@ The Data Encryption Key is the key used to encrypt all of the data on the drive. The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on drive and requires confirmation to decrypt the DEK. -When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data +When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data Encryption Key, read-write operations can take place on the device. When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive does not need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue. diff --git a/windows/security/information-protection/images/device-details-tab.png b/windows/security/information-protection/images/device-details-tab.png new file mode 100644 index 0000000000..4dfe33e156 Binary files /dev/null and b/windows/security/information-protection/images/device-details-tab.png differ 
diff --git a/windows/security/hardware-protection/images/dn168167.boot_process(en-us,MSDN.10).png b/windows/security/information-protection/images/dn168167.boot_process(en-us,MSDN.10).png similarity index 100% rename from windows/security/hardware-protection/images/dn168167.boot_process(en-us,MSDN.10).png rename to windows/security/information-protection/images/dn168167.boot_process(en-us,MSDN.10).png diff --git a/windows/security/hardware-protection/images/dn168167.measure_boot(en-us,MSDN.10).png b/windows/security/information-protection/images/dn168167.measure_boot(en-us,MSDN.10).png similarity index 100% rename from windows/security/hardware-protection/images/dn168167.measure_boot(en-us,MSDN.10).png rename to windows/security/information-protection/images/dn168167.measure_boot(en-us,MSDN.10).png diff --git a/windows/security/information-protection/images/kernel-dma-protection-user-experience.png b/windows/security/information-protection/images/kernel-dma-protection-user-experience.png new file mode 100644 index 0000000000..8949c51627 Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-user-experience.png differ diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 4da67275f3..5c7a8d5795 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 02/05/2018 +ms.date: 09/17/2018 --- # Information protection 
@@ -16,4 +16,8 @@ Learn more about how to secure documents and other data across your organization
 | Section | Description |
 |-|-|
 | [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
+| [Encrypted Hard Drive](bitlocker/bitlocker-overview.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
+| [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. |
 | [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
+| [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |
+| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
new file mode 100644
index 0000000000..17127719eb
--- /dev/null
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -0,0 +1,111 @@
+---
+title: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10)
+description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: aadake
+ms.date: 09/19/2018
+---
+
+# Kernel DMA Protection for Thunderbolt™ 3
+
+**Applies to**
+- Windows 10
+
+In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
+
+This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
+
+For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation.
+
+## Background
+
+PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations.
+The DMA capability is what makes PCI devices the highest performing devices available today.
+These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard.
+Access to these devices required the user to turn off power to the system and disassemble the chassis.
+Today, this is no longer the case with Thunderbolt™.
+
+Thunderbolt™ technology has provided modern PCs with extensibility that was not available before for PCs.
+It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB.
+Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
+
+Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC.
+A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, and attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
+
+## How Windows protects against DMA drive-by attacks
+
+Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping).
+Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
+Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
+
+## User experience
+
+![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png)
+
+A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked.
+Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged.
+The devices will continue to function normally if the user locks the screen or logs out of the system.
+
+## System compatibility
+
+Kernel DMA Protection requires new UEFI firmware support.
+This support is anticipated only on newly-introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
+
+To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32).
+Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
+
+>[!NOTE]
+>Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
+
+## Enabling Kernel DMA protection
+
+Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
+
+**To check if a device supports kernel DMA protection**
+
+1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
+2. Check the value of **Kernel DMA Protection**.
+ ![Kernel DMA protection](bitlocker/images/kernel-dma-protection.png)
+3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
+ - Reboot into BIOS settings
+ - Turn on Intel Virtualization Technology.
+ - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in BitLocker Countermeasures.
+ - Reboot system into Windows 10.
+4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
+
+## Frequently asked questions
+
+### Do in-market systems support Kernel DMA protection for Thunderbolt™ 3?
+In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees.
+
+### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
+No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
+
+### How can I check if a certain driver supports DMA-remapping?
+DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the following Property GUID (highlighted in red in the image below) in the Details tab of a device in Device Manager. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping.
+Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
+
+![Kernel DMA protection user experience](images/device-details-tab.png)
+
+### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?
+If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found here (add link to OEM documentation).
+
+### Do Microsoft drivers support DMA-remapping?
+In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.
+
+### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
+No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping.
+
+### How can an enterprise enable the “External device enumeration” policy?
+The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM):
+- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
+- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
+
+## Related topics
+
+- [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md)
+- [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
diff --git a/windows/security/hardware-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
similarity index 96%
rename from windows/security/hardware-protection/secure-the-windows-10-boot-process.md
rename to windows/security/information-protection/secure-the-windows-10-boot-process.md
index b939898180..99a3d2d62b 100644
--- a/windows/security/hardware-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -1,5 +1,5 @@ --- -title: Secure the Windows 10 boot process +title: Secure the Windows 10 boot process description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications keywords: trusted boot, windows 10 boot proces ms.prod: w10 @@ -13,7 +13,7 @@ ms.date: 10/13/2017 # Secure the Windows 10 boot process -**Applies to:** +**Applies to:** - Windows 10 - Windows 8.1 @@ -48,9 +48,9 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo Figure 1 shows the Windows 10 startup process. - + ![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png) - + **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. 
@@ -78,7 +78,7 @@ These requirements help protect you from rootkits while allowing you to run any - **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems. - **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however. -To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx). +To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx). Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems. 
@@ -108,14 +108,14 @@ Depending on the implementation and configuration, the server can now determine Figure 2 illustrates the Measured Boot and remote attestation process. - + ![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png) **Figure 2. Measured Boot proves the PC’s health to a remote server** -Windows 10 includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For an example of such a tool, download the [TPM Platform Crypto-Provider Toolkit](http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/) from Microsoft Research or Microsoft Enterprise Security MVP Dan Griffin’s [Measured Boot Tool](http://mbt.codeplex.com/). +Windows 10 includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For an example of such a tool, download the [TPM Platform Crypto-Provider Toolkit](https://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/) from Microsoft Research or Microsoft Enterprise Security MVP Dan Griffin’s [Measured Boot Tool](http://mbt.codeplex.com/). Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to confidently assess the trustworthiness of a client PC across the network. diff --git a/windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md similarity index 94% rename from windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md rename to windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 0f5768fe1c..ad48ae604e 100644 
--- a/windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -6,7 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft +author: andreabichsel +ms.author: v-anbic ms.date: 04/19/2017 --- diff --git a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md similarity index 95% rename from windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md rename to windows/security/information-protection/tpm/change-the-tpm-owner-password.md index 85fc58c11a..1f879a21ea 100644 --- a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -6,7 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft +author: andreabichsel +ms.author: v-anbic ms.date: 04/19/2017 --- @@ -45,7 +46,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule). ## Related topics diff --git a/windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md similarity index 99% rename from windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md rename to windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 62a7797e04..1ff26cb46d 100644 
--- a/windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -7,7 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: brianlic-msft +author: andreabichsel +ms.author: v-anbic ms.date: 10/27/2017 --- @@ -18,7 +19,7 @@ The Windows 10 operating system improves most existing security features in the **See also:** - - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) + - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) - [TPM Fundamentals](tpm-fundamentals.md) 
@@ -66,17 +67,17 @@ In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. -## Windows Hello for Business +## Windows Hello for Business Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name – password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. 
-The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](http://go.microsoft.com/fwlink/p/?LinkId=533889). +The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889). Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): • **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. -• **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. 
Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. +• **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. ![TPM Capabilities](images/tpm-capabilities.png) 
@@ -100,7 +101,7 @@ Newer hardware and Windows 10 work better together to disable direct memory acce ## Device Encryption -Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. +Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. 
This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data. 
@@ -118,7 +119,7 @@ The TPM provides the following way for scenarios to use the measurements recorde • **Remote Attestation**. Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or*quote*) of the current measurements in the TPM. Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. Remote attestation is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. Figure 2 illustrates this process. -When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. +When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. ![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png) 
@@ -143,10 +144,10 @@ The resulting solution provides defense in depth, because even if malware runs i The TPM adds hardware-based security benefits to Windows 10. When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features. - + |Feature | Benefits when used on a system with a TPM| |---|---| -| Platform Crypto Provider | •     If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
          •     The TPM’s dictionary attack mechanism protects PIN values to use a certificate. +| Platform Crypto Provider | •     If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
          •     The TPM’s dictionary attack mechanism protects PIN values to use a certificate. | Virtual Smart Card | •     Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.| | Windows Hello for Business | •     Credentials provisioned on a device cannot be copied elsewhere.
          •     Confirm a device’s TPM before credentials are provisioned. |
 | BitLocker Drive Encryption | •     Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
diff --git a/windows/security/hardware-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png b/windows/security/information-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
similarity index 100%
rename from windows/security/hardware-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
rename to windows/security/information-protection/tpm/images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png
diff --git a/windows/security/hardware-protection/tpm/images/tpm-capabilities.png b/windows/security/information-protection/tpm/images/tpm-capabilities.png
similarity index 100%
rename from windows/security/hardware-protection/tpm/images/tpm-capabilities.png
rename to windows/security/information-protection/tpm/images/tpm-capabilities.png
diff --git a/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
similarity index 66%
rename from windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
rename to windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index 3b52d2e805..37d77fa8e0 100644
--- a/windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,24 +1,23 @@
 ---
-title: View status, clear, or troubleshoot the TPM (Windows 10)
+title: Troubleshoot the TPM (Windows 10)
 description: This topic for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
 ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
-ms.date: 04/19/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 09/11/2018
 ---
-# View status, clear, or troubleshoot the TPM
+# Troubleshoot the TPM
 **Applies to**
 - Windows 10
 - Windows Server 2016
-This topic for the IT professional describes actions you can take through the Trusted Platform Module (TPM) snap-in, **TPM.msc**:
-
-- [View the status of the TPM](#view-the-status-of-the-tpm)
+This topic provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM):
 - [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization)
@@ -32,15 +31,7 @@ For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](h
 ## About TPM initialization and ownership
-Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password. Therefore, with Windows 10, in most cases, we recommend that you avoid configuring the TPM through **TPM.msc**. The one exception is that in certain circumstances you might use **TPM.msc** to clear the TPM. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
-
-## View the status of the TPM
-
-To view the status of the TPM, open the TPM Management console (TPM.msc). In the center pane, find the **Status** box.
-
-In most cases, the status will be **Ready**. If the status is ready but “**with reduced functionality**,” see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
-
-If the status is **Not ready**, you can try the steps in [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic. If this does not bring it to a **Ready** state, contact the manufacturer, and see the troubleshooting suggestions in the next section.
+Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password.
 ## Troubleshoot TPM initialization
@@ -72,19 +63,13 @@ For example, toggling TPMs will cause BitLocker to enter recovery mode. We stron
 ## Clear all the keys from the TPM
-With Windows 10, in most cases, we recommend that you avoid configuring the TPM through TPM.msc. The one exception is that you can use TPM.msc to clear the TPM, for example, as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, for example, attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
+You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
 Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows 10 operating system will automatically re-initialize it and take ownership again.
 > [!WARNING]
 > Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.”
-There are several ways to clear the TPM:
-
-- **Clear the TPM as part of a complete reset of the computer**: You might want to remove all files from the computer and completely reset it, for example, in preparation for a clean installation. To do this, we recommend that you use the **Reset** option in **Settings**. When you perform a reset and use the **Remove everything** option, it will clear the TPM as part of the reset.
You might be prompted to press a key before the TPM can be cleared. For more information, see the “Reset this PC” section in [Recovery options in Windows 10](https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options).
-
-- **Clear the TPM to fix “reduced functionality” or “Not ready” TPM status**: If you open TPM.msc and see that the TPM status is something other than **Ready**, you can try using TPM.msc to clear the TPM and fix the status. However, be sure to review the precautions in the next section.
-
 ### Precautions to take before clearing the TPM
 Clearing the TPM can result in data loss. To protect against such loss, review the following precautions:
@@ -103,15 +88,19 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
 **To clear the TPM**
-1. Open the TPM MMC (tpm.msc).
+1. Open the Windows Defender Security Center app.
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+2. Click **Device security**.
-3. Under **Actions**, click **Clear TPM**.
+3. Click **Security processor details**.
-4. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
+4. Click **Security processor troubleshooting**.
-5. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
+5. Click **Clear TPM**.
+
+6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
+
+7. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
 ## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511)
@@ -149,20 +138,6 @@ If you want to stop using the services that are provided by the TPM, you can use
 - If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
-### Change the TPM Owner Password (available only with Windows 10, version 1607 and earlier versions)
-
-If you have the [owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) available, you can use TPM.msc to change the TPM Owner Password.
-
-1. Open the TPM MMC (tpm.msc).
-
-2. In the **Action** pane, click **Change the Owner Password**
-
-- - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
-
-- - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
-
-This capability was fully removed from TPM.msc in later versions of Windows.
-
 ## Use the TPM cmdlets
 You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
diff --git a/windows/security/hardware-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
similarity index 82%
rename from windows/security/hardware-protection/tpm/manage-tpm-commands.md
rename to windows/security/information-protection/tpm/manage-tpm-commands.md
index 0f681444d4..201fa3eafd 100644
--- a/windows/security/hardware-protection/tpm/manage-tpm-commands.md
+++ b/windows/security/information-protection/tpm/manage-tpm-commands.md
@@ -20,12 +20,6 @@ This topic for the IT professional describes how to manage which Trusted Platfor
 After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands.
-Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#configure-the-list-of-blocked-tpm-commands).
-
-Local administrators can block commands by using the TPM MMC, and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings.
-
-Two policy settings control the enforcement which allows TPM commands to run. For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#ignore-the-default-list-of-blocked-tpm-commands).
-
 The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group.
 **To block TPM commands by using the Local Group Policy Editor**
diff --git a/windows/security/hardware-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
similarity index 98%
rename from windows/security/hardware-protection/tpm/manage-tpm-lockout.md
rename to windows/security/information-protection/tpm/manage-tpm-lockout.md
index b12ca2ea4c..db918c0ba6 100644
--- a/windows/security/hardware-protection/tpm/manage-tpm-lockout.md
+++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md
@@ -79,7 +79,7 @@ For information about mitigating dictionary attacks that use the lockout setting
 ## Use the TPM cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx).
 ## Related topics
diff --git a/windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
similarity index 99%
rename from windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
rename to windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index fabb1ccc07..164658f0a0 100644
--- a/windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -6,7 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/hardware-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
similarity index 95%
rename from windows/security/hardware-protection/tpm/tpm-fundamentals.md
rename to windows/security/information-protection/tpm/tpm-fundamentals.md
index 5b7969364b..0d44a4282a 100644
--- a/windows/security/hardware-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -6,7 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 08/16/2017
 ---
@@ -64,11 +65,11 @@ Virtual Smart Card must be issued to the user for each computer. A computer that
 ## TPM-based certificate storage
-The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](http://msdn.microsoft.com/library/windows/desktop/aa376210.aspx).
+The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](https://msdn.microsoft.com/library/windows/desktop/aa376210.aspx).
 ## TPM Cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
+You can manage the TPM using Windows PowerShell.
For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/).
 ## Physical presence interface
@@ -112,24 +113,24 @@ TPM 2.0 allows some keys to be created without an authorization value associate
 ### Rationale behind the defaults
-Originally, BitLocker allowed from 4 to 20 characters for a PIN.
-Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
-Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
+Originally, BitLocker allowed from 4 to 20 characters for a PIN.
+Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
+Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
-The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
-For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
-A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
-This totals a maximum of about 4415 guesses per year.
-If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
+For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
+A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
+This totals a maximum of about 4415 guesses per year.
+If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
-Increasing the PIN length requires a greater number of guesses for an attacker.
+Increasing the PIN length requires a greater number of guesses for an attacker.
 In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
-Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
-To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
-If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
+Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
 ### TPM-based smart cards
@@ -144,6 +145,6 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
 ## Related topics
 - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
+- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/)
 - [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
\ No newline at end of file
+- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
diff --git a/windows/security/hardware-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
similarity index 95%
rename from windows/security/hardware-protection/tpm/tpm-recommendations.md
rename to windows/security/information-protection/tpm/tpm-recommendations.md
index d2d690c0e6..7fa22e10ce 100644
--- a/windows/security/hardware-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -7,7 +7,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 05/16/2018
 ---
@@ -51,7 +52,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
 - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
- - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](http://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
+ - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
 - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
@@ -101,10 +102,10 @@ The following table defines which Windows features require TPM support.
 |-------------------------|--------------|--------------------|--------------------|----------|
 | Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot |
 | BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required |
-| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
+| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
 | Windows Defender Application Control (Device Guard) | No | Yes | Yes | |
-| Windows Defender Exploit Guard | Yes | Yes | Yes | |
-| Windows Defender System Guard | Yes | Yes | Yes | |
+| Windows Defender Exploit Guard | No | N/A | N/A | |
+| Windows Defender System Guard | Yes | No | Yes | |
 | Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
 | Device Health Attestation| Yes | Yes | Yes | |
 | Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. |
@@ -112,7 +113,7 @@ The following table defines which Windows features require TPM support.
 | TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | |
 | Virtual Smart Card | Yes | Yes | Yes | |
 | Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
-
+
 ## OEM Status on TPM 2.0 system availability and certified parts
 Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. For more information, contact your OEM or hardware vendor.
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
similarity index 91%
rename from windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
rename to windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 829d773086..1b4e9f6f6f 100644
--- a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -7,8 +7,9 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: brianlic-msft
-ms.date: 06/18/2018
+author: andreabichsel
+ms-author: v-anbic
+ms.date: 08/21/2018
 ---
 # Trusted Platform Module Technology Overview
@@ -68,17 +69,18 @@ Some things that you can check on the device are:
 - Is SecureBoot supported and enabled?
 > [!NOTE]
-> The device must be running Windows 10 and it must support at least TPM 2.0.
+> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1).
-## Supported versions
+## Supported versions for device health attestation
+
+| TPM version | Windows 10 | Windows Server 2016 |
+|-------------|-------------|---------------------|
+| TPM 1.2 | >= ver 1607 | >= ver 1607 |
+| TPM 2.0 | X | X |
-| TPM version | Windows 10 | Windows Server 2016 |
-|-------------|------------|---------------------|
-| TPM 1.2 | X | X |
-| TPM 2.0 | X | X |
 ## Related topics
 - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx)
+- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx)
 - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
similarity index 76%
rename from windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md
rename to windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index 41d6404f4b..0b2740ff70 100644
--- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -6,15 +6,16 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
-ms.date: 06/29/2018
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 10/02/2018
 ---
 # TPM Group Policy settings
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows Server 2016 and later
 This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
@@ -22,39 +23,7 @@ The Group Policy settings for TPM services are located at:
 **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-The following Group Policy settings were introduced in Window 10.
-
-## Configure the list of blocked TPM commands
-
-This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
-
-If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is **TPM\_OwnerReadInternalPub**, and command number 170 is **TPM\_FieldUpgrade**. To find the command number that is associated with each TPM command, at the command prompt, type **tpm.msc** to open the TPM Management Console and navigate to the **Command Management** section.
-
-If you disable or do not configure this policy setting, only those TPM commands that are specified through the default or local lists can be blocked by Windows. The default list of blocked TPM commands is preconfigured by Windows.
-
-- You can view the default list by typing **tpm.msc** at the command prompt, navigating to the **Command Management** section, and exposing the **On Default Block List** column.
-
-- The local list of blocked TPM commands is configured outside of Group Policy by running the TPM Management Console or scripting using the **Win32\_Tpm** interface.
-
-## Ignore the default list of blocked TPM commands
-
-This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.
-
-The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column.
-
-If you enable this policy setting, the Windows operating system will ignore the computer's default list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the local list.
-
-If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands.
-
-## Ignore the local list of blocked TPM commands
-
-This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
-
-The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.)
-
-If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list.
-
-If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands.
+The following Group Policy settings were introduced in Windows 10.
 ## Configure the level of TPM owner authorization information available to the operating system
@@ -115,7 +84,7 @@ For each standard user, two thresholds apply. Exceeding either threshold prevent
 - [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
-An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
+An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
 If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used.
@@ -127,7 +96,7 @@ This setting helps administrators prevent the TPM hardware from entering a locko
 An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored.
-An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
+An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
 If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
@@ -139,7 +108,7 @@ This setting helps administrators prevent the TPM hardware from entering a locko
 An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored.
-An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
+An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
 If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
@@ -157,6 +126,17 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t
 > - Disable it from group policy
 > - Clear the TPM on the system
+# TPM Group Policy settings in the Windows Security app
+
+You can change what users see about TPM in the Windows Security app. The Group Policy settings for the TPM area in the Windows Security app are located at:
+
+**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security**
+
+## Disable the Clear TPM button
+If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use.
+
+## Hide the TPM Firmware Update recommendation
+If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected.
 ## Related topics
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
similarity index 69%
rename from windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md
rename to windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index 90d82100a4..f66b65f12b 100644
--- a/windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -6,8 +6,9 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: brianlic-msft
-ms.date: 07/27/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 09/11/2018
 ---
 # Trusted Platform Module
@@ -26,9 +27,6 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
 | [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
 | [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
 | [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. |
-| [Manage TPM commands](manage-tpm-commands.md) | Describes methods by which a local or domain administrator can block or allow specific TPM commands. |
-| [Manage TPM lockout](manage-tpm-lockout.md) | Describes how TPM lockout works (to help prevent tampering or malicious attacks), and outlines ways to work with TPM lockout settings. |
-| [Change the TPM owner password](change-the-tpm-owner-password.md) | In most cases, applies to Windows 10, version 1511 and Windows 10, version 1507 only. Tells how to change the TPM owner password. |
-| [View status, clear, or troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, describes how to turn the TPM on or off. |
+| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, describes how to turn the TPM on or off.
| | [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
 | [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows 10 features for which a TPM is required or recommended. |
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 2a988c9641..06be6ec2fb 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -8,7 +8,7 @@ ms.pagetype: security
 author: justinha
 ms.author: justinha
 ms.localizationpriority: medium
-ms.date: 07/10/2018
+ms.date: 09/19/2018
 ---
 # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@@ -32,11 +32,11 @@ Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on
 Follow these steps to add a WIP policy using Intune.
 **To add a WIP policy**
-1. Open Microsoft Intune and click **Mobile apps**.
+1. Open Microsoft Intune and click **Client apps**.
- ![Open Mobile apps](images/open-mobile-apps.png)
+ ![Open Client apps](images/open-mobile-apps.png)
-2. In **Mobile apps**, click **App protection policies**.
+2. In **Client apps**, click **App protection policies**.
 ![App protection policies](images/app-protection-policies.png)
@@ -348,14 +348,14 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, **Block**.
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 **To add your protection mode**
-1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
+1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
 The **Required settings** blade appears.
@@ -363,7 +363,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 |Mode |Description |
 |-----|------------|
- |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+ |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

          After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
index 1b084c9605..d75ea228ef 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 ms.author: justinha
-ms.date: 05/30/2018
+ms.date: 08/08/2018
 ms.localizationpriority: medium
 ---
@@ -308,11 +308,11 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Block**.
 |Mode |Description |
 |-----|------------|
-|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Block|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Overrides mode.
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

          After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
index e5590cd3ed..5d23640044 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: justinha
 ms.author: justinha
-ms.date: 05/30/2018
+ms.date: 08/08/2018
 localizationpriority: medium
 ---
@@ -377,7 +377,7 @@ In the **Required settings** blade you must pick your Windows Information Protec
 ### Manage the WIP protection mode for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
+We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**.
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
@@ -392,7 +392,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 |Mode |Description |
 |-----|------------|
- |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+ |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

          After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
@@ -420,7 +420,7 @@ In the **Advanced settings** blade you must specify where apps can access your c
 ### Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+Intune will add SharePoint sites that are discovered through the Graph API. You must add other network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
 >[!Important]
 >Every WIP policy should include policy that defines your enterprise network locations.
          Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 1c8de7d581..e766991a5a 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: justinha
 ms.localizationpriority: medium
-ms.date: 10/16/2017
+ms.date: 08/08/2018
 ---
 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@@ -340,14 +340,14 @@ If you're running into compatibility issues where your app is incompatible with
 ## Manage the WIP-protection level for your enterprise data
 After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
-We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**.
+We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
 >[!NOTE]
 >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 |Mode |Description |
 |-----|------------|
-|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
+|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
 |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode.
Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
 |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

          After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index fa52656359..26b5ff9472 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: justinha
 ms.localizationpriority: medium
-ms.date: 09/11/2017
+ms.date: 08/08/2018
 ---
 # Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index cc99d381bd..e91d6c96e7 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -32,7 +32,7 @@ Apps can be enlightened or unenlightened:
 - Windows **Save As** experiences only allow you to save your files as enterprise.
-- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions.
+- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions.
 ## List of enlightened Microsoft apps
 Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
@@ -82,7 +82,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
 |PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
          **Product Name:** Microsoft.Office.PowerPoint
          **App Type:** Universal app |
 |OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
          **Product Name:** Microsoft.Office.OneNote
          **App Type:** Universal app |
 |Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
          **Product Name:** microsoft.windowscommunicationsapps
          **App Type:** Universal app |
-|Office 365 ProPlus|Office 365 ProPlus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](http://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
          We don't recommend setting up Office by using individual paths or publisher rules.|
+|Office 365 ProPlus|Office 365 ProPlus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
          We don't recommend setting up Office by using individual paths or publisher rules.|
 |Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
          **Product Name:** Microsoft.Windows.Photos
          **App Type:** Universal app |
 |Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
          **Product Name:** Microsoft.ZuneMusic
          **App Type:** Universal app |
 |Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
          **Product Name:** Microsoft.ZuneVideo
          **App Type:** Universal app |
diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png
index ccc701332b..57c40a85d0 100644
Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png differ
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 1ad43ba3f3..6ebcf8b468 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -77,13 +77,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
 - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+ - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. 
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
+ - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. 
For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
 - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
@@ -132,7 +132,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
 |Mode|Description|
 |----|-----------|
-|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
 |Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
 |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off |WIP is turned off and doesn't help to protect or audit your data.

          After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

          **Note**
          For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 87c74dd9a0..429aa1c479 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -1,101 +1,101 @@
----
-title:
-# Fine-tune Windows Information Policy (WIP) with WIP Learning
-description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
-ms.prod: w10
-ms.mktglfcycl:
-ms.sitesec: library
-ms.pagetype: security
-author: coreyp-at-msft
-ms.localizationpriority: medium
-ms.date: 04/18/2018
----
-
-# Fine-tune Windows Information Protection (WIP) with WIP Learning
-**Applies to:**
-
-- Windows 10, version 1703 and later
-- Windows 10 Mobile, version 1703 and later
-
-With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
-
-The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Hide overrides”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
-
-In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. 
-
+---
+title:
+# Fine-tune Windows Information Policy (WIP) with WIP Learning
+description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company.
+ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+ms.pagetype: security
+author: coreyp-at-msft
+ms.localizationpriority: medium
+ms.date: 08/08/2018
+---
+
+# Fine-tune Windows Information Protection (WIP) with WIP Learning
+**Applies to:**
+
+- Windows 10, version 1703 and later
+- Windows 10 Mobile, version 1703 and later
+
+With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
+
+The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
+
+In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list.
+
 ## Access the WIP Learning reports
 1. 
Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter.
-2. Choose **Intune** > **Mobile Apps**.
+2. Choose **Intune** > **Mobile Apps**.
-3. Choose **App protection status**.
-
-4. Choose **Reports**.
-
- ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png)
-
-5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**.
-
- ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png)
-
-Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS).
-
-## View the WIP app learning report in Microsoft Operations Management Suite
-
-From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events:
-
-![View in Intune of the link to OMS](images/wip-in-oms-console-link.png)
-
-If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
-
->[!NOTE]
->Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention.
-
-Once you have WIP policies in place, by using the WIP section of Device Health, you can:
-
-- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
-- Tune WIP rules by confirming that certain apps are allowed or denied by current policy. 
-
-![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png)
-
-The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs.
-
-![Details view](images/WIPNEW1-chart-selected-sterile.png)
-
-In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy:
-
-![Details view for a specific app](images/WIPappID-sterile.png)
-
-Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies.
-
-## Use OMS and Intune to adjust WIP protection policy
-
-1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy.
-
-2. Click the app you want to add to your policy and copy the publisher information from the app details screen.
-
-3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to.
-
-4. Click **Protected apps**, and then click **Add Apps**.
-
-5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
-
- ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
-
-6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above.
-
- ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
-
-7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
-
-8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required).
-
-9. 
Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
-
-When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide overrides**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
-
->[!NOTE]
+3. Choose **App protection status**.
+
+4. Choose **Reports**.
+
+ ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png)
+
+5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**.
+
+ ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png)
+
+Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS).
+
+## View the WIP app learning report in Microsoft Operations Management Suite
+
+From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events:
+
+![View in Intune of the link to OMS](images/wip-in-oms-console-link.png)
+
+If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. 
+
+>[!NOTE]
+>Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention.
+
+Once you have WIP policies in place, by using the WIP section of Device Health, you can:
+
+- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
+- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
+
+![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png)
+
+The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs.
+
+![Details view](images/WIPNEW1-chart-selected-sterile.png)
+
+In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy:
+
+![Details view for a specific app](images/WIPappID-sterile.png)
+
+Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies.
+
+## Use OMS and Intune to adjust WIP protection policy
+
+1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy.
+
+2. Click the app you want to add to your policy and copy the publisher information from the app details screen.
+
+3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to.
+
+4. Click **Protected apps**, and then click **Add Apps**.
+
+5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
+
+ ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
+
+6. 
In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above.
+
+ ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
+
+7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
+
+8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required).
+
+9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
+
+When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
+
+>[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 9467fc2e6d..fdc4981748 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md 
@@ -1,42 +1,24 @@
 # [Threat protection](index.md)
-
-
-
-
-
 ## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
-### [Windows Defender Security Center](windows-defender-atp/windows-defender-security-center-atp.md)
-####Get started
-##### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
-##### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
-##### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
-##### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
-##### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
-#### [Onboard machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-##### [Onboard previous versions of Windows](windows-defender-atp\onboard-downlevel-windows-defender-advanced-threat-protection.md)
-##### [Onboard Windows 10 machines](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
-###### [Onboard machines using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
-####### [Onboard machines using Microsoft 
Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
-###### [Onboard machines using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
-###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
-##### [Onboard servers](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
-##### [Onboard non-Windows machines](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
-##### [Run a detection test on a newly onboarded machine](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
-##### [Run simulated attacks on machines](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md)
-##### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
-#### [Understand the portal ](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
-##### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
-##### [View the Security operations dashboard](windows-defender-atp\security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-##### [View the Secure Score dashboard and improve your secure score](windows-defender-atp\secure-score-dashboard-windows-defender-advanced-threat-protection.md)
-##### [View the Threat analytics dashboard and take recommended mitigation actions](windows-defender-atp\threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) 
-####Investigate and remediate threats
-#####Alerts queue
+### [Overview](windows-defender-atp/overview.md)
+#### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)
+##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md)
+###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md)
+###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md)
+##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
+##### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
+##### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
+##### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
+#### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+#### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)
+##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+
+
+##### Alerts queue
 ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
 ###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
 ###### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) 
@@ -45,13 +27,10 @@
 ###### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
 ###### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
 ###### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
-
-
-
-
-#####Machines list
+
+##### Machines list
 ###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
-###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+###### [Manage machine group and tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md)
 ###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
 ###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
 ####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) 
@@ -69,7 +48,7 @@
 ####### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
 ####### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
 ####### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-
+
 ###### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
 ####### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
 ####### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) 
@@ -77,18 +56,238 @@
 ####### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
 ####### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
 ####### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-######## [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-######## [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-######## [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+####### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+####### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+####### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+
-###### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
-####### [Advanced hunting reference](windows-defender-atp\advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
-####### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+#### [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)
+##### [Learn about the automated investigation and remediation dashboard](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md)
-#### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
-#### [Protect users, data, and devices with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
-####API and SIEM support
+#### [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)
+##### [Threat analytics](windows-defender-atp/threat-analytics.md)
+###### [Threat analytics for Spectre and Meltdown](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)
+##### [Query data using Advanced hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md)
+###### [Advanced hunting reference](windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+###### [Advanced hunting query language best practices](windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+##### [Custom detections](windows-defender-atp/overview-custom-detections.md)
+###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md)
+
+
+#### [Management and APIs](windows-defender-atp/management-apis.md)
+##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor
+####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts
+####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain
+######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File
+####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP
+####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines
+####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+######User
+####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
+
+#### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
+##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md)
+##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md)
+
+
+
+#### [Portal overview](windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md)
+
+
+
+### [Get started](windows-defender-atp/get-started.md)
+#### [Minimum requirements](windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Validate licensing and complete setup](windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md)
+#### [Preview features](windows-defender-atp/preview-windows-defender-advanced-threat-protection.md)
+#### [Data storage and privacy](windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md)
+#### [Assign user access to the portal](windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md)
+
+#### [Evaluate Windows Defender ATP](windows-defender-atp/evaluate-atp.md)
+#####Evaluate attack surface reduction
+###### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+###### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
+###### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
+###### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
+###### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
+###### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+###### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
+##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+
+#### [Access the Windows Defender Security Center Community Center](windows-defender-atp/community-windows-defender-advanced-threat-protection.md)
+
+### [Configure and manage capabilities](windows-defender-atp/onboard.md)
+#### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md)
+##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md)
+###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md)
+##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
+####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
+###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md)
+###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+##### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
+##### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+###### [Customize controlled folder access](windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
+##### [Attack surface reduction controls](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
+###### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+
+
+
+#### [Configure next generation protection](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
+###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
+###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
+###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+##### [Antivirus compatibility](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+
+##### [Deploy, manage updates, and report on antivirus](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
+####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+###### [Report on antivirus protection](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
+####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
+###### [Manage updates and apply baselines](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
+####### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
+####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
+####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
+####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
+####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+##### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+##### [Manage antivirus in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+##### [Manage scans and remediation](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+###### [Configure and validate exclusions in antivirus scans](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+##### [Manage next generation protection in your business](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+
+#### [Configure Secure score dashboard security controls](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+
+
+#### Management and API support
+##### [Onboard machines](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md)
+###### [Onboard previous versions of Windows](windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md)
+###### [Onboard Windows 10 machines](windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md)
+####### [Onboard machines using Group Policy](windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+####### [Onboard machines using System Center Configuration Manager](windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+####### [Onboard machines using Mobile Device Management tools](windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+######## [Onboard machines using Microsoft Intune](windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
+####### [Onboard machines using a local script](windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+####### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+###### [Onboard servers](windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+###### [Onboard non-Windows machines](windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+###### [Run a detection test on a newly onboarded machine](windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md)
+###### [Run simulated attacks on machines](windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md)
+###### [Configure proxy and Internet connectivity settings](windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+
+##### API for custom alerts
+###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+####### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
+####### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
+####### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
+####### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
+####### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+####### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+
+
 ##### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
 ###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
 ###### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
@@ -97,263 +296,122 @@
 ###### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
 ###### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
-##### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
-###### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
-###### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
-###### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
-###### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
-###### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-###### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
-###### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
-#######Actor
-######## [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-######## [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#######Alerts
-######## [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-######## [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-######## [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-######## [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-########Domain
-######### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-######### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-######### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-######### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-#######File
-######## [Block file](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-######## [Get FileActions collection](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-######## [Unblock file](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+##### Reporting
+###### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
-#######IP
-######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#######Machines
-######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-######## [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-######## [Get FileMachineAction object](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-######## [Get FileMachineActions collection](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get MachineAction object](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-######## [Get MachineActions collection](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-######## [Get package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-######## [Request sample](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-######## [Stop and quarantine file](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+##### Role-based access control
+###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)
+####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md)
+####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md)
+######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md)
+
+
+##### [Configure managed security service provider (MSSP) support](windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md)
+
+
+#### Configure Microsoft threat protection integration
+##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md)
+##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md)
-#######User
-######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-######## [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-####Reporting
-##### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
-
-####Check service health and sensor state
-##### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
-##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-##### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
-
-
-####[Configure Windows Defender Security Center settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
-#####General
-###### [Update data retention settings](windows-defender-atp\data-retention-settings-windows-defender-advanced-threat-protection.md)
-###### [Configure alert notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
-###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
-###### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
-###### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
-
-
-#####Permissions
-###### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
-###### [Create and manage machine groups](windows-defender-atp\machine-groups-windows-defender-advanced-threat-protection.md)
-
-#####APIs
-###### [Enable Threat intel](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-###### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Configure Windows Defender Security Center settings](windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md)
+##### General
+###### [Update data retention settings](windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md)
+###### [Configure alert notifications](windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md)
+###### [Enable and create Power BI reports using Windows Defender Security center data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
+###### [Enable Secure score security controls](windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md)
+###### [Configure advanced features](windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md)
+
+##### Permissions
+###### [Use basic permissions to access the portal](windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md)
+###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)
+####### [Create and manage roles](windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md)
+####### [Create and manage machine groups](windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md)
+######## [Create and manage machine tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md)
+
+##### APIs
+###### [Enable Threat intel](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
 #####Rules
-###### [Manage suppression rules](windows-defender-atp\manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-###### [Manage automation allowed/blocked](windows-defender-atp\manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-###### [Manage automation file uploads](windows-defender-atp\manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-###### [Manage automation folder exclusions](windows-defender-atp\manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
-
+###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
 #####Machine management
-###### [Onboarding machines](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
-###### [Offboarding machines](windows-defender-atp\offboard-machines-windows-defender-advanced-threat-protection.md)
+###### [Onboarding machines](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md)
+###### [Offboarding machines](windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md)
+
+##### [Configure Windows Defender Security Center time zone settings](windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md)
+
-#### [Configure Windows Defender Security Center time zone settings](windows-defender-atp\time-settings-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot Windows Defender ATP](windows-defender-atp/troubleshoot-wdatp.md)
+####Troubleshoot sensor state
+##### [Check sensor state](windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md)
+##### [Fix unhealthy sensors](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+##### [Inactive machines](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+##### [Misconfigured machines](windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+##### [Review sensor events and errors on machines with Event Viewer](windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md)
-#### [Access the Windows Defender Security Center Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
-#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
-##### [Review events and errors on machines with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot Windows Defender ATP service issues](windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md)
+##### [Check service health](windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md)
-### [Windows Defender Antivirus](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
-#### [Windows Defender AV in the Windows Defender Security app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
-#### [Windows Defender AV on Windows Server 2016](windows-defender-antivirus\windows-defender-antivirus-on-windows-server-2016.md)
+####Troubleshoot attack surface reduction
+##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
+##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
+
+#### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
-#### [Windows Defender Antivirus compatibility](windows-defender-antivirus\windows-defender-antivirus-compatibility.md)
-##### [Use limited periodic scanning in Windows Defender AV](windows-defender-antivirus\limited-periodic-scanning-windows-defender-antivirus.md)
+## [Security intelligence](intelligence/index.md)
+### [Understand malware & other threats](intelligence/understanding-malware.md)
+#### [Prevent malware infection](intelligence/prevent-malware-infection.md)
+#### [Malware names](intelligence/malware-naming.md)
+#### [Coin miners](intelligence/coinminer-malware.md)
+#### [Exploits and exploit kits](intelligence/exploits-malware.md)
+#### [Fileless threats](intelligence/fileless-threats.md)
+#### [Macro malware](intelligence/macro-malware.md)
+#### [Phishing](intelligence/phishing.md)
+#### [Ransomware](intelligence/ransomware-malware.md)
+#### [Rootkits](intelligence/rootkits-malware.md)
+#### [Supply chain attacks](intelligence/supply-chain-malware.md)
+#### [Tech support scams](intelligence/support-scams.md)
+#### [Trojans](intelligence/trojans-malware.md)
+#### [Unwanted software](intelligence/unwanted-software.md)
+#### [Worms](intelligence/worms-malware.md)
+### [How Microsoft identifies malware and PUA](intelligence/criteria.md)
+### [Submit files for analysis](intelligence/submission-guide.md)
+### [Safety Scanner download](intelligence/safety-scanner-download.md)
+### [Industry antivirus tests](intelligence/top-scoring-industry-antivirus-tests.md)
+### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md)
+#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md)
+#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md)
+#### [Coordinated malware eradication](intelligence/coordinated-malware-eradication.md)
+### [Information for developers](intelligence/developer-info.md)
+#### [Software developer FAQ](intelligence/developer-faq.md)
+#### [Software developer resources](intelligence/developer-resources.md)
+## More Windows 10 security
-#### [Evaluate Windows Defender Antivirus protection](windows-defender-antivirus\evaluate-windows-defender-antivirus.md)
-
-
-#### [Deploy, manage updates, and report on Windows Defender Antivirus](windows-defender-antivirus\deploy-manage-report-windows-defender-antivirus.md)
-##### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
-##### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
-###### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
-##### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](windows-defender-antivirus\manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](windows-defender-antivirus\manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](windows-defender-antivirus\manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-
-
-#### [Configure Windows Defender Antivirus features](windows-defender-antivirus\configure-windows-defender-antivirus-features.md)
-##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus\utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-###### [Enable cloud-delivered protection](windows-defender-antivirus\enable-cloud-protection-windows-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](windows-defender-antivirus\specify-cloud-protection-level-windows-defender-antivirus.md)
-###### [Configure and validate network connections](windows-defender-antivirus\configure-network-connections-windows-defender-antivirus.md)
-###### [Enable the Block at First Sight feature](windows-defender-antivirus\configure-block-at-first-sight-windows-defender-antivirus.md)
-###### [Configure the cloud block timeout period](windows-defender-antivirus\configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-##### [Configure behavioral, heuristic, and real-time protection](windows-defender-antivirus\configure-protection-features-windows-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus\detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus\configure-real-time-protection-windows-defender-antivirus.md)
-##### [Configure end-user interaction with Windows Defender AV](windows-defender-antivirus\configure-end-user-interaction-windows-defender-antivirus.md)
-###### [Configure the notifications that appear on endpoints](windows-defender-antivirus\configure-notifications-windows-defender-antivirus.md)
-###### [Prevent users from seeing or interacting with the user interface](windows-defender-antivirus\prevent-end-user-interaction-windows-defender-antivirus.md)
-###### [Prevent or allow users to locally modify policy settings](windows-defender-antivirus\configure-local-policy-overrides-windows-defender-antivirus.md)
-
-
-#### [Customize, initiate, and review the results of scans and remediation](windows-defender-antivirus\customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Configure and validate exclusions in Windows Defender AV scans](windows-defender-antivirus\configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus\configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus\configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure exclusions in Windows Defender AV on Windows Server 2016](windows-defender-antivirus\configure-server-exclusions-windows-defender-antivirus.md)
-##### [Configure scanning options in Windows Defender AV](windows-defender-antivirus\configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus\configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](windows-defender-antivirus\scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
-##### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
-#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
-
-
-##### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
-
-
-
-##### [Manage Windows Defender AV in your business](windows-defender-antivirus\configuration-management-reference-windows-defender-antivirus.md)
-###### [Use Group Policy settings to configure and manage Windows Defender AV](windows-defender-antivirus\use-group-policy-windows-defender-antivirus.md)
-###### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](windows-defender-antivirus\use-intune-config-manager-windows-defender-antivirus.md)
-###### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md)
-###### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-### [Windows Defender Exploit Guard](windows-defender-exploit-guard\windows-defender-exploit-guard.md)
-#### [Evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\evaluate-windows-defender-exploit-guard.md)
-##### [Use auditing mode to evaluate Windows Defender Exploit Guard](windows-defender-exploit-guard\audit-windows-defender-exploit-guard.md)
-##### [View Exploit Guard events](windows-defender-exploit-guard\event-views-exploit-guard.md)
-#### [Exploit protection](windows-defender-exploit-guard\exploit-protection-exploit-guard.md)
-##### [Comparison with Enhanced Mitigation Experience Toolkit](windows-defender-exploit-guard\emet-exploit-protection-exploit-guard.md)
-##### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
-##### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
-##### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-###### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
-##### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
-###### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-###### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
-#### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
-#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
-#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
-#### [Customize Attack surface reduction](windows-defender-exploit-guard\customize-attack-surface-reduction.md)
-#### [Troubleshoot Attack surface reduction rules](windows-defender-exploit-guard\troubleshoot-asr.md)
-#### [Network Protection](windows-defender-exploit-guard\network-protection-exploit-guard.md)
-#### [Evaluate Network Protection](windows-defender-exploit-guard\evaluate-network-protection.md)
-#### [Enable Network Protection](windows-defender-exploit-guard\enable-network-protection.md)
-#### [Troubleshoot Network protection](windows-defender-exploit-guard\troubleshoot-np.md)
-#### [Controlled folder access](windows-defender-exploit-guard\controlled-folders-exploit-guard.md)
-#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
-#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
-#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
-
-
-
-
-### [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
-
-
-
-
-
-
-### [Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)
-#### [System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
-#### [Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-#### [Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
-#### [Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-#### [Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
-
-
-## Other security features
 ### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
 #### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
 #### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
-#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center\wdsc-windows-10-in-s-mode.md)
+#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center/wdsc-windows-10-in-s-mode.md)
 #### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
-#### [Account protection](windows-defender-security-center\wdsc-account-protection.md)
-#### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
-#### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
-#### [Device security](windows-defender-security-center\wdsc-device-security.md)
-#### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
-#### [Family options](windows-defender-security-center\wdsc-family-options.md)
+#### [Account protection](windows-defender-security-center/wdsc-account-protection.md)
+#### [Firewall and network protection](windows-defender-security-center/wdsc-firewall-network-protection.md)
+#### [App and browser control](windows-defender-security-center/wdsc-app-browser-control.md)
+#### [Device security](windows-defender-security-center/wdsc-device-security.md)
+#### [Device performance and health](windows-defender-security-center/wdsc-device-performance-health.md)
+#### [Family options](windows-defender-security-center/wdsc-family-options.md)
-### [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
-#### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
-#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
+### [SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+#### [SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
+#### [Set up and use SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
 ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
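Review bot: The added headings `+####Troubleshoot sensor state` and `+####Troubleshoot attack surface reduction` have no space after the `#` run, while the other headings this hunk adds (`+##### Reporting`, `+##### General`, `+##### Permissions`) do; depending on how the TOC renderer treats a heading without the space, these may not be recognized as tree nodes, so `#### Troubleshoot sensor state` and `#### Troubleshoot attack surface reduction` would be both safer and consistent. The new side also lists the `Manage portal access using RBAC` subtree (roles, machine groups, machine tags) twice, once under `Role-based access control` and again under `Permissions`, and the Power BI reports page appears under both `Reporting` and `General`; if both placements are intended it is worth saying so, otherwise the duplicates will drift when one copy is edited. The hunk's enclosing TOC section continues outside the visible lines.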
@@ -387,10 +445,10 @@
 ###### [Audit process tracking](auditing/basic-audit-process-tracking.md)
 ###### [Audit system events](auditing/basic-audit-system-events.md)
-##### [Advanced security audit policies](auditing/advanced-security-auditing.md)
-###### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
-###### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
-####### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+#### [Advanced security audit policies](auditing/advanced-security-auditing.md)
+##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
+##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
+###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
 ###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
 ####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
@@ -437,7 +495,7 @@
 ####### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
 ####### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
 ####### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
-####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
+####### [Event 4764 S: A group�s type was changed.](auditing/event-4764.md)
 ####### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
 ###### [Audit User Account Management](auditing/audit-user-account-management.md)
 ####### [Event 4720 S: A user account was created.](auditing/event-4720.md)
@@ -731,7 +789,7 @@
-#### [Security policy settings](security-policy-settings/security-policy-settings.md)
+### [Security policy settings](security-policy-settings/security-policy-settings.md)
 #### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
 ##### [Network List Manager policies](security-policy-settings/network-list-manager-policies.md)
 #### [Configure security policy settings](security-policy-settings/how-to-configure-security-policy-settings.md)
@@ -908,8 +966,8 @@
 ### [Windows security baselines](windows-security-baselines.md)
-### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
-### [Get support](get-support-for-security-baselines.md)
+#### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
+#### [Get support](get-support-for-security-baselines.md)
 ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index b45cf1d6fb..f9a028c36e 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
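Review bot: The new side of the `@@ -437,7 +495,7 @@` hunk replaces the curly apostrophe in the Event 4764 TOC entry with U+FFFD (`A group�s type was changed.`), which reads as a mis-encoded save rather than an intended edit and will render as a replacement character in the published TOC. The removed line still carries the correct `’`, so the file was most likely round-tripped through a non-UTF-8 editor. Restore the entry as `####### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)` (or use a plain ASCII apostrophe) and confirm the file is committed as UTF-8 so no other non-ASCII characters were silently damaged.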
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
index 68c258302e..80aac0ab42 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -48,7 +49,7 @@ The basic security audit policy settings in **Security Settings\\Local Policies\ There are a number of additional differences between the security audit policy settings in these two locations. -There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy +There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing. 
@@ -78,7 +79,7 @@ The rules that govern how Group Policy settings are applied propagate to the sub
 | - | - | - | -|
 | Detailed File Share Auditing | Success | Failure | Success |
 | Process Creation Auditing | Disabled | Success | Disabled |
-| Logon Auditing | Success | Failure | Failure |
+| Logon Auditing | Success | Failure | Failure |
 ## What is the difference between an object DACL and an object SACL?
@@ -170,7 +171,7 @@ In addition, there are a number of computer management products, such as the Aud
 Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. Additional information about these events, and the settings used to generate them, can be obtained from the following resources:
-- [Windows 8 and Windows Server 2012 Security Event Details](http://www.microsoft.com/download/details.aspx?id=35753)
+- [Windows 8 and Windows Server 2012 Security Event Details](https://www.microsoft.com/download/details.aspx?id=35753)
 - [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
 - [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868)
 - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
@@ -180,7 +181,7 @@ Users who examine the security event log for the first time can be a bit overwhe
 To learn more about security audit policies, see the following resources:
 - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
-- [Security Monitoring and Attack Detection Planning Guide](http://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx)
+- [Security Monitoring and Attack Detection Planning Guide](https://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx)
 - [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780)
 - [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index d1512606c8..95b7643f60 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index 9c98ed3fe1..454c14422b 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index d772192059..8b1f8421eb 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 07/25/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 831cb9ee9c..9cb1d5053c 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 07/16/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index cd1ac383af..ad98239120 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 3a2fc3505b..5840b881a2 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index b0735ee0ca..a64e4c60e4 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 6046ee0176..9c4f4f01b9 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index 5641c9c572..d2a34b5e82 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index 024a2259ca..ce97191388 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index 9b92554529..34094b45c4 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index 62a01d3e22..9ba95826d4 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index 95709c4776..1053fc3b3e 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index ffc71c1158..c20e709c3f 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 72734d1a85..512ffb1d82 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index e30c56fdb8..af3f219142 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index c454d36c11..30761993c8 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index db82ae0c8d..41ced142b1 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 82e9d57a4e..88a2692952 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 9b19a0afa1..8e927d07a5 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index caf010e6a3..6664fafb8d 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index c7b96db83b..133f3f2532 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index ea50e9d98c..d196239f6b 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index 56eb441cdd..0a55d6a91f 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index f56147cb4c..82e1e1f4d3 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index d35bf2344b..c503247f64 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index a6c151bdfa..032486cabe 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index 698d063e78..1fb88b5fd4 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -6,8 +6,9 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 10/02/2018
 ---
 # Audit IPsec Driver
@@ -55,7 +56,7 @@ This subcategory is outside the scope of this document.
 ## 5478(S): IPsec Services has started successfully.
-## 5479(): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
+## 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
 ## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 40cec9f6a3..e9388ef13f 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -6,8 +6,9 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 10/02/2018
 ---
 # Audit IPsec Extended Mode
@@ -27,17 +28,17 @@ Audit IPsec Extended Mode subcategory is out of scope of this document, because
 | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
 | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
-## 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
+## 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-## 4979: IPsec Main Mode and Extended Mode security associations were established.
+## 4979(S): IPsec Main Mode and Extended Mode security associations were established.
-## 4980: IPsec Main Mode and Extended Mode security associations were established.
+## 4980(S): IPsec Main Mode and Extended Mode security associations were established.
-## 4981: IPsec Main Mode and Extended Mode security associations were established.
+## 4981(S): IPsec Main Mode and Extended Mode security associations were established.
-## 4982: IPsec Main Mode and Extended Mode security associations were established.
+## 4982(S): IPsec Main Mode and Extended Mode security associations were established.
-## 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
+## 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
-## 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
+## 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index ce0f818a58..1a34ba32f3 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -6,8 +6,9 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 10/02/2018
 ---
 # Audit IPsec Main Mode
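Review bot: The new headings in the `@@ -27,17 +28,17 @@` hunk tag 4983 and 4984 ("An IPsec Extended Mode negotiation failed") as `(S)`, while the Main Mode hunk in this same commit tags the parallel 4652 and 4653 ("An IPsec Main Mode negotiation failed") as `(F)`, and 5453 (negotiation failed because IKEEXT is not started) is also tagged `(S)`. One of the two conventions appears to be wrong; the suffix should reflect the Audit Success / Audit Failure keyword the event is actually logged with, because readers building detections and audit-policy baselines from these pages key on exactly that letter. If the Extended Mode failures are logged as failure audits, change the two lines to `## 4983(F): …` and `## 4984(F): …`; if they really are success audits, a one-line note explaining why the same outcome differs between subcategories would prevent the next reader from "fixing" it.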
@@ -27,21 +28,21 @@ Audit IPsec Main Mode subcategory is out of scope of this document, because this
 | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
 | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
-## 4646: Security ID: %1
+## 4646(S): Security ID: %1
-## 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
+## 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
-## 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
+## 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
-## 4652: An IPsec Main Mode negotiation failed.
+## 4652(F): An IPsec Main Mode negotiation failed.
-## 4653: An IPsec Main Mode negotiation failed.
+## 4653(F): An IPsec Main Mode negotiation failed.
-## 4655: An IPsec Main Mode security association ended.
+## 4655(S): An IPsec Main Mode security association ended.
-## 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
+## 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-## 5049: An IPsec Security Association was deleted.
+## 5049(S): An IPsec Security Association was deleted.
-## 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
+## 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 38545197ce..40aabcd719 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -6,8 +6,9 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 10/02/2018
 ---
 # Audit IPsec Quick Mode
@@ -27,9 +28,9 @@ Audit IPsec Quick Mode subcategory is out of scope of this document, because thi
 | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
 | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
-## 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
+## 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
-## 5451: An IPsec Quick Mode security association was established.
+## 5451(S): An IPsec Quick Mode security association was established.
-## 5452: An IPsec Quick Mode security association ended.
+## 5452(S): An IPsec Quick Mode security association ended.
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index 89da3df49c..fa45372c3e 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index bab3c845c3..555286d0f5 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index 9fa2b580ab..e8bd06b601 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index 9c9b76a014..521a5e8e0f 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 07/16/2018 --- diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index a5e0c95234..4b4cc2f5de 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index 3fb772b9df..f3bb9e035a 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index 11287bd65d..31203993ba 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index 1d4cac3e10..9f0a2a2a2f 100644 
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 522cbbbda0..8a13f5aac2 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index a4e42c2134..01d32dee4a 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index 20c7e57792..06c1cec1ea 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- 
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index 7a65861136..199192018a 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 05/29/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index caedc86292..08d287a0cb 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 7bbf1b96ea..45be00eab8 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 66a9f4fa1a..e70d6e2681 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md 
@@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index 3e7f6054e9..51f7778df1 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 91ce6e4269..39e53664c4 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 26bdfd3335..d1a88331d5 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 89c6e2069e..2acf898d3b 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md 
@@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index 40a3de6168..d47d436aa8 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index 68fe08ab59..584b5fb9ff 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 68cbdf8de2..0c36ef5e56 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 20caac1504..7ce77ac37a 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md 
@@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index 82b7442603..127b34b44a 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index dd197405eb..778abbd8c0 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index fee5387d6e..f9b696cb08 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index 4e565482ce..bfd47e55e9 100644 
--- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index d1ab5a9287..7690f62c37 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index db25e022e7..3315c7f053 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index d7a6965f65..988736426a 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -6,6 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- 
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index fb3376bbfa..8b87a565cb 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 927836fa61..5ae03bbe81 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index c8c80ce9d6..aea8e2c6a8 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 64857a7afb..5ac16f81ca 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md 
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 38bb2e466d..564f09756f 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index 19b0d6e645..d6fa0d9840 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 8aa5da56c9..12b823cf4e 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- 
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index af9ea206a6..ada9f8ba66 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 06fa199863..1c30f0f216 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 9ad2959a47..87389a5d60 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 933f85b9dc..814491f237 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md 
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 7fbe7ab069..71a8cdfc2c 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index ac6f19eefe..8ae8a12264 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index 6a067516da..cb164a63ca 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index 0a8546990f..8108688794 100644 
--- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index a8476fff7b..25c17fe2ee 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 017af286c0..d726c93ad0 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 1e57fd65bd..cff87d7dea 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index 58520e1319..f06b332a6c 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md 
@@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 38c317122b..c306a73ee1 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 10c759d27c..4a380aceb6 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index fca623f333..1c2d522fd4 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 3b59808bcf..2f460fcef2 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- 
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 58f6621355..b05a075adc 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index 7ad5986151..6f99221add 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index dfa9094672..1c4966789f 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index 489d82cb44..9e406ae1b4 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index bb4d0dfde8..88890d35a3 100644 
--- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index a156058e1d..2a67c5bece 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index d127aa0e92..00bdfbedbf 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 7b5753c8a2..4ce1a85b44 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index 4181c69829..364cc29898 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md 
@@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 11/20/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index f302b30dcb..ada815be96 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index c2d202fde2..79190f5271 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index f9e9bf8138..9214d1fc97 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 7410f05971..8c72de4fc2 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- 
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index 52063e6430..5ce80b0284 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index 49fd39d667..2002ff7b1d 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 19abcd9404..02e32d0958 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index 2a841eb423..e9be1c1106 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index 76d00d60be..f784317663 100644 
--- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index bb6612c203..f3db0e1298 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 69474b2b12..22ec52f545 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 4c4b0f7b46..94bb9f707f 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index bb9b80ab81..eb364f29f6 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md 
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
index 5cc1a63520..9a9d51814e 100644
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ b/windows/security/threat-protection/auditing/event-4672.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index f9573a09ae..5080043717 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index bca2e5f52e..113d7caac9 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
index 421b82fe4c..fa71f35477 100644
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ b/windows/security/threat-protection/auditing/event-4675.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 0b7635c328..3739d330a3 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
index d7f928b85c..e5ad7cdede 100644
--- a/windows/security/threat-protection/auditing/event-4689.md
+++ b/windows/security/threat-protection/auditing/event-4689.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md
index 708ad3f4b2..416593f25d 100644
--- a/windows/security/threat-protection/auditing/event-4690.md
+++ b/windows/security/threat-protection/auditing/event-4690.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md
index 5a62c9c916..b081552f9c 100644
--- a/windows/security/threat-protection/auditing/event-4691.md
+++ b/windows/security/threat-protection/auditing/event-4691.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index 81042229eb..fa60a9afe7 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md
index 139eeb2b7b..422a22d16d 100644
--- a/windows/security/threat-protection/auditing/event-4693.md
+++ b/windows/security/threat-protection/auditing/event-4693.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md
index 0818b64f14..43660656d1 100644
--- a/windows/security/threat-protection/auditing/event-4694.md
+++ b/windows/security/threat-protection/auditing/event-4694.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md
index 79b6f0de79..5b94789f6e 100644
--- a/windows/security/threat-protection/auditing/event-4695.md
+++ b/windows/security/threat-protection/auditing/event-4695.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
index 9f33773c45..4297ae500c 100644
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index bf57e86499..6ec3afd6b3 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index b5a3c2eb05..5a9d579d52 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index 43d2d4038a..36bbbe2e12 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index a428e5d220..5488c0fe3f 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index 8e7d004bfd..e68e88564e 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index f4965a440b..04b87445fc 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index 34dac9b054..499adb7003 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index e9d8f04685..9498cad12e 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 83bd4b2090..b90233b9f4 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index 00f7c4abc7..d1521c73e2 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
index ef7889ed6a..15321679ec 100644
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ b/windows/security/threat-protection/auditing/event-4707.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index b73f98ed27..2cfa10bcc4 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
index 939496efb7..bd99198a79 100644
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ b/windows/security/threat-protection/auditing/event-4714.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
index 3c44c43d38..3d53dbfc66 100644
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ b/windows/security/threat-protection/auditing/event-4715.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 627e3b0995..e250d2d76b 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index 586027ec44..fbe3204478 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index 2717038a73..3886b9e04f 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
index 1da37f1754..9b2455527b 100644
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ b/windows/security/threat-protection/auditing/event-4719.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index 8fe04dc1e8..535c3ad26a 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
index 8cdab0a747..759bb70c79 100644
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ b/windows/security/threat-protection/auditing/event-4722.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md
index 2d4fc27242..94cad5dcb5 100644
--- a/windows/security/threat-protection/auditing/event-4723.md
+++ b/windows/security/threat-protection/auditing/event-4723.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md
index ccecd029bd..159cf6c977 100644
--- a/windows/security/threat-protection/auditing/event-4724.md
+++ b/windows/security/threat-protection/auditing/event-4724.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
index d98ecec63c..666b390af6 100644
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ b/windows/security/threat-protection/auditing/event-4725.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
index 00b157f1a0..92453fda66 100644
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ b/windows/security/threat-protection/auditing/event-4726.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md
index acf70d448c..5fc169586c 100644
--- a/windows/security/threat-protection/auditing/event-4731.md
+++ b/windows/security/threat-protection/auditing/event-4731.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index d7000fb020..2be7574075 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index a5b171538f..940ddf7318 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
index cdacfc1a47..ca4f21d730 100644
--- a/windows/security/threat-protection/auditing/event-4734.md
+++ b/windows/security/threat-protection/auditing/event-4734.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
index 104f37e498..23c8e66bd6 100644
--- a/windows/security/threat-protection/auditing/event-4735.md
+++ b/windows/security/threat-protection/auditing/event-4735.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 0086eae7fe..41316ce8c9 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
index d1a83fc01d..af0fcac973 100644
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ b/windows/security/threat-protection/auditing/event-4739.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
index 74ca5aa2d4..5c05b0ef4a 100644
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ b/windows/security/threat-protection/auditing/event-4740.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index ae5cc3aad8..e699566732 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 3dbff53ca0..0ab317604e 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
index cf8fe2de93..1a1b7d54b9 100644
--- a/windows/security/threat-protection/auditing/event-4743.md
+++ b/windows/security/threat-protection/auditing/event-4743.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md
index 6fa7e4ad47..246c690505 100644
--- a/windows/security/threat-protection/auditing/event-4749.md
+++ b/windows/security/threat-protection/auditing/event-4749.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
index 1433514327..372e067fb1 100644
--- a/windows/security/threat-protection/auditing/event-4750.md
+++ b/windows/security/threat-protection/auditing/event-4750.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index bccd6fcfd1..5aad3931e8 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index e8aba8e488..faa65c3205 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
index 8723b71531..c7df1c49c3 100644
--- a/windows/security/threat-protection/auditing/event-4753.md
+++ b/windows/security/threat-protection/auditing/event-4753.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
index 2d2eccc064..7a531f94cb 100644
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ b/windows/security/threat-protection/auditing/event-4764.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index 5c9dbc3e45..6bcb624195 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md
index 8d5dcd247b..2e7b864ec7 100644
--- a/windows/security/threat-protection/auditing/event-4766.md
+++ b/windows/security/threat-protection/auditing/event-4766.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
index bbce5d97f8..567d9d197e 100644
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ b/windows/security/threat-protection/auditing/event-4767.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index 142326fd82..eee391bee2 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index 9c8f497da1..b7187f8d10 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md
index cfc91281f1..0dc1358a3d 100644
--- a/windows/security/threat-protection/auditing/event-4770.md
+++ b/windows/security/threat-protection/auditing/event-4770.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index ebe86ace57..91db8f35ee 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md
index 612b71e2da..cf2e1d5c17 100644
--- a/windows/security/threat-protection/auditing/event-4772.md
+++ b/windows/security/threat-protection/auditing/event-4772.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md
index 1f809ff2f0..ed5f9bb1a0 100644
--- a/windows/security/threat-protection/auditing/event-4773.md
+++ b/windows/security/threat-protection/auditing/event-4773.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index e8304521fa..e88f833a6c 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md
index b8e498ff1a..e257e4610f 100644
--- a/windows/security/threat-protection/auditing/event-4775.md
+++ b/windows/security/threat-protection/auditing/event-4775.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index 17c5196837..e748e1caf0 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md
index 17d6d60001..ee412150ee 100644
--- a/windows/security/threat-protection/auditing/event-4777.md
+++ b/windows/security/threat-protection/auditing/event-4777.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index 6b9b0ebb67..686af7ea86 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index 27a1850d12..338bb36e87 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
index ffaeeb0a6f..cd95a2f2a2 100644
--- a/windows/security/threat-protection/auditing/event-4780.md
+++ b/windows/security/threat-protection/auditing/event-4780.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
index 653ccce05c..acf0ea8014 100644
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ b/windows/security/threat-protection/auditing/event-4781.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
index 72fb865981..b41a078e08 100644
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ b/windows/security/threat-protection/auditing/event-4782.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
index bcd5b48e69..d34b62517d 100644
--- a/windows/security/threat-protection/auditing/event-4793.md
+++ b/windows/security/threat-protection/auditing/event-4793.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md
index 20004e2404..d3bcd9301c 100644
--- a/windows/security/threat-protection/auditing/event-4794.md
+++ b/windows/security/threat-protection/auditing/event-4794.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md
index dfb877c452..52a95c2b18 100644
--- a/windows/security/threat-protection/auditing/event-4798.md
+++ b/windows/security/threat-protection/auditing/event-4798.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md
index 5a93e06782..c8171085ac 100644
--- a/windows/security/threat-protection/auditing/event-4799.md
+++ b/windows/security/threat-protection/auditing/event-4799.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
index 36e68e0d64..48a8e41773 100644
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ b/windows/security/threat-protection/auditing/event-4800.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
index 58137aaf46..84364654bc 100644
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ b/windows/security/threat-protection/auditing/event-4801.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
index 7947029272..c57dedf1a6 100644
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ b/windows/security/threat-protection/auditing/event-4802.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
index f2d01eac46..0d10438bc8 100644
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ b/windows/security/threat-protection/auditing/event-4803.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md
index aff1f0b7b8..fee398f114 100644
--- a/windows/security/threat-protection/auditing/event-4816.md
+++ b/windows/security/threat-protection/auditing/event-4816.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index 90db648c38..b77a5db3be 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
index 681c20e5ce..f2443032d5 100644
--- a/windows/security/threat-protection/auditing/event-4818.md
+++ b/windows/security/threat-protection/auditing/event-4818.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
index 945ae256a1..7c2bc71dc5 100644
--- a/windows/security/threat-protection/auditing/event-4819.md
+++ b/windows/security/threat-protection/auditing/event-4819.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index 02fc2b2dbe..17448acec2 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index 43d6cf33bb..0417800a87 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md
index 6594212812..a59b9b843d 100644
--- a/windows/security/threat-protection/auditing/event-4865.md
+++ b/windows/security/threat-protection/auditing/event-4865.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md
index 5cf74949cb..4f5095c9dc 100644
--- a/windows/security/threat-protection/auditing/event-4866.md
+++ b/windows/security/threat-protection/auditing/event-4866.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md
index 10367c56b8..c323c5ec14 100644
--- a/windows/security/threat-protection/auditing/event-4867.md
+++ b/windows/security/threat-protection/auditing/event-4867.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md
index c94bd3c5bb..ad1d71cdae 100644
--- a/windows/security/threat-protection/auditing/event-4902.md
+++ b/windows/security/threat-protection/auditing/event-4902.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md
index 4b1b1d10b6..c4c763c993 100644
--- a/windows/security/threat-protection/auditing/event-4904.md
+++ b/windows/security/threat-protection/auditing/event-4904.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md
index 91c33a149b..c9f8c95d64 100644
--- a/windows/security/threat-protection/auditing/event-4905.md
+++ b/windows/security/threat-protection/auditing/event-4905.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md
index 09c93dd96b..656f80f36d 100644
--- a/windows/security/threat-protection/auditing/event-4906.md
+++ b/windows/security/threat-protection/auditing/event-4906.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index 6770563571..cbf73343da 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
index 1228c676e7..416ce22b6e 100644
--- a/windows/security/threat-protection/auditing/event-4908.md
+++ b/windows/security/threat-protection/auditing/event-4908.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md
index 256b121950..a5cac875fe 100644
--- a/windows/security/threat-protection/auditing/event-4909.md
+++ b/windows/security/threat-protection/auditing/event-4909.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md
index 42981b3496..caae02d594 100644
--- a/windows/security/threat-protection/auditing/event-4910.md
+++ b/windows/security/threat-protection/auditing/event-4910.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
index a906f906e4..a21a9b132f 100644
--- a/windows/security/threat-protection/auditing/event-4911.md
+++ b/windows/security/threat-protection/auditing/event-4911.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
index a905f4b664..8a78fdde05 100644
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ b/windows/security/threat-protection/auditing/event-4912.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index 53a5d024c1..4388e3db87 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
index 4c84b51785..0c0ff2b9bc 100644
--- a/windows/security/threat-protection/auditing/event-4928.md
+++ b/windows/security/threat-protection/auditing/event-4928.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
index 540f77ac0f..efbf9fb2d0 100644
--- a/windows/security/threat-protection/auditing/event-4929.md
+++ b/windows/security/threat-protection/auditing/event-4929.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md
index f04e61bab7..782d76ece8 100644
--- a/windows/security/threat-protection/auditing/event-4930.md
+++ b/windows/security/threat-protection/auditing/event-4930.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md
index 1ab43a9df6..4525a536b0 100644
--- a/windows/security/threat-protection/auditing/event-4931.md
+++ b/windows/security/threat-protection/auditing/event-4931.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md
index 888d65a13f..5481fec3bc 100644
--- a/windows/security/threat-protection/auditing/event-4932.md
+++ b/windows/security/threat-protection/auditing/event-4932.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
index a444061003..a4ae0f6a9a 100644
--- a/windows/security/threat-protection/auditing/event-4933.md
+++ b/windows/security/threat-protection/auditing/event-4933.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
index 7576f09c73..afc657cfe7 100644
--- a/windows/security/threat-protection/auditing/event-4934.md
+++ b/windows/security/threat-protection/auditing/event-4934.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index c04cd3c3f6..a666ac4295 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index 1a6fe8601e..2541043735 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
index 05fcc3a155..62f13d85ab 100644
--- a/windows/security/threat-protection/auditing/event-4937.md
+++ b/windows/security/threat-protection/auditing/event-4937.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
index b1e940a227..5b4960bfc9 100644
--- a/windows/security/threat-protection/auditing/event-4944.md
+++ b/windows/security/threat-protection/auditing/event-4944.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
index e75fd5b89d..eba8ccd671 100644
--- a/windows/security/threat-protection/auditing/event-4945.md
+++ b/windows/security/threat-protection/auditing/event-4945.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
index 2ee2573635..21b7061a9b 100644
--- a/windows/security/threat-protection/auditing/event-4946.md
+++ b/windows/security/threat-protection/auditing/event-4946.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index f6e3914c39..3c43a64cd2 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
index 75dff8ca6c..6ab7f16f7f 100644
--- a/windows/security/threat-protection/auditing/event-4948.md
+++ b/windows/security/threat-protection/auditing/event-4948.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
index 465f4e4f8e..af8020bcfa 100644
--- a/windows/security/threat-protection/auditing/event-4949.md
+++ b/windows/security/threat-protection/auditing/event-4949.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
index 34f2003512..86b013392c 100644
--- a/windows/security/threat-protection/auditing/event-4950.md
+++ b/windows/security/threat-protection/auditing/event-4950.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
index 661062f902..d9e05e9505 100644
--- a/windows/security/threat-protection/auditing/event-4951.md
+++ b/windows/security/threat-protection/auditing/event-4951.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
index b1c36d493f..32dc73cc6e 100644
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ b/windows/security/threat-protection/auditing/event-4952.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index 2c36a9d208..0835e66b51 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md
index 73484f44b8..743878ab0f 100644
--- a/windows/security/threat-protection/auditing/event-4954.md
+++ b/windows/security/threat-protection/auditing/event-4954.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
index b244794b33..dbdb573ed5 100644
--- a/windows/security/threat-protection/auditing/event-4956.md
+++ b/windows/security/threat-protection/auditing/event-4956.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
index 5b7eb9a592..d9684e4ba7 100644
--- a/windows/security/threat-protection/auditing/event-4957.md
+++ b/windows/security/threat-protection/auditing/event-4957.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
index fa45d31733..bb6d247e38 100644
--- a/windows/security/threat-protection/auditing/event-4958.md
+++ b/windows/security/threat-protection/auditing/event-4958.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md
index 8e1b38f252..505c750a6f 100644
--- a/windows/security/threat-protection/auditing/event-4964.md
+++ b/windows/security/threat-protection/auditing/event-4964.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
index da38bc5ac3..dafaf8db67 100644
--- a/windows/security/threat-protection/auditing/event-4985.md
+++ b/windows/security/threat-protection/auditing/event-4985.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
index e669caf386..f1183ce7ac 100644
--- a/windows/security/threat-protection/auditing/event-5024.md
+++ b/windows/security/threat-protection/auditing/event-5024.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
index 8771cc7974..43d42d9ad6 100644
--- a/windows/security/threat-protection/auditing/event-5025.md
+++ b/windows/security/threat-protection/auditing/event-5025.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
index 491f846ff8..7a02f1c187 100644
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ b/windows/security/threat-protection/auditing/event-5027.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md
index 6042fef617..51c3c3a7aa 100644
--- a/windows/security/threat-protection/auditing/event-5028.md
+++ b/windows/security/threat-protection/auditing/event-5028.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md
index daf0e0248e..cee2e5f678 100644
--- a/windows/security/threat-protection/auditing/event-5029.md
+++ b/windows/security/threat-protection/auditing/event-5029.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md
index bc11ab187c..4f42988a8c 100644
--- a/windows/security/threat-protection/auditing/event-5030.md
+++ b/windows/security/threat-protection/auditing/event-5030.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
index f19a1c644a..e45a0beb04 100644
--- a/windows/security/threat-protection/auditing/event-5031.md
+++ b/windows/security/threat-protection/auditing/event-5031.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md
index 6be54f3206..0a95f4b688 100644
--- a/windows/security/threat-protection/auditing/event-5032.md
+++ b/windows/security/threat-protection/auditing/event-5032.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
index 6742336fcb..9c05c9b919 100644
--- a/windows/security/threat-protection/auditing/event-5033.md
+++ b/windows/security/threat-protection/auditing/event-5033.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
index 896fe4e94c..d45008ad7a 100644
--- a/windows/security/threat-protection/auditing/event-5034.md
+++ b/windows/security/threat-protection/auditing/event-5034.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md
index e65b0680cd..d7897db3b0 100644
--- a/windows/security/threat-protection/auditing/event-5035.md
+++ b/windows/security/threat-protection/auditing/event-5035.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md
index f05fd3be1c..6f2c76bbc8 100644
--- a/windows/security/threat-protection/auditing/event-5037.md
+++ b/windows/security/threat-protection/auditing/event-5037.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
index ff00407e6e..1f420e0916 100644
--- a/windows/security/threat-protection/auditing/event-5038.md
+++ b/windows/security/threat-protection/auditing/event-5038.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index fe78230d8c..b32498cbac 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
@@ -16,7 +17,7 @@ ms.date: 04/19/2017
 - Windows Server 2016
-This event should be generated when registry key was virtualized using [LUAFV](http://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
+This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
 This event occurs very rarely during standard LUAFV registry key virtualization.
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index 4880ab3e11..b979c83969 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
@@ -16,7 +17,7 @@ ms.date: 04/19/2017
 - Windows Server 2016
-This event should be generated when file was virtualized using [LUAFV](http://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
+This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
 This event occurs very rarely during standard LUAFV file virtualization.
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index 108eaf241b..9f120f6027 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md
index 4b26c92088..475cfcfab7 100644
--- a/windows/security/threat-protection/auditing/event-5057.md
+++ b/windows/security/threat-protection/auditing/event-5057.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index 50fdab44bf..3b1cb19b0a 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index c723a6e639..8d71b94dd4 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 984126866d..097b25ad56 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index bf37954b97..014ea71245 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
index 47e1402ebb..7a8d60d333 100644
--- a/windows/security/threat-protection/auditing/event-5062.md
+++ b/windows/security/threat-protection/auditing/event-5062.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
index 54bc56bdc4..ba5fcc95d5 100644
--- a/windows/security/threat-protection/auditing/event-5063.md
+++ b/windows/security/threat-protection/auditing/event-5063.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
index c4d034a000..8fb4261204 100644
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ b/windows/security/threat-protection/auditing/event-5064.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 8d81a7604f..57817b83de 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
index 25b595c19f..d32b399dc1 100644
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ b/windows/security/threat-protection/auditing/event-5066.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
index d2fc40cdf7..5232db2d68 100644
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ b/windows/security/threat-protection/auditing/event-5067.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
index dd27edc08d..54c1aa3f5f 100644
--- a/windows/security/threat-protection/auditing/event-5068.md
+++ b/windows/security/threat-protection/auditing/event-5068.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
index eece0a1b44..59b441d6a9 100644
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ b/windows/security/threat-protection/auditing/event-5069.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
index 14bf2b591e..2da4b27923 100644
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ b/windows/security/threat-protection/auditing/event-5070.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index be3cebc546..653e8227b1 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
index 2811ea8260..1b3f5cb556 100644
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ b/windows/security/threat-protection/auditing/event-5137.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
index 0b7bc8bdda..13390e20d8 100644
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ b/windows/security/threat-protection/auditing/event-5138.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
index ca1dcb8760..fcf72e490a 100644
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ b/windows/security/threat-protection/auditing/event-5139.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index e026048c46..216fda1e69 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
index 3bba690ce9..4fb9ff313d 100644
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ b/windows/security/threat-protection/auditing/event-5141.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index dade8d91b1..3a6937b68b 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index 766455cb88..10340b7e17 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index 1ea7b1be36..65f92128dd 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index 756dad0627..4b959c56eb 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
index 77116b9355..602cf56f41 100644
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ b/windows/security/threat-protection/auditing/event-5148.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 05/29/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
index 8e64d233fb..991095fcd1 100644
--- a/windows/security/threat-protection/auditing/event-5149.md
+++ b/windows/security/threat-protection/auditing/event-5149.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 05/29/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 918be364cf..0ddcd6478e 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index d524a4bfcf..57b29c41cf 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index 794e03728c..ec9ffa6ee6 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
index 6a80984c62..f2bb576647 100644
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ b/windows/security/threat-protection/auditing/event-5153.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index 7bf096f3d4..11a6a76441 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index b4bf0b06ec..59ddc54716 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index a9eade92a4..982fb26822 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index 252e41c447..33b919c24b 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index b1faa28a26..9e5a7fbf6d 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index 3d4b26fdc0..74fd606119 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index 8905c824d3..c8eec57f75 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index 9759e6d0c2..3714d2750a 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index 5d2a1709d1..585ca469c6 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index 3bd452b0c4..df9199e9fa 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index 73a1f15abe..1e72720f03 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index 29bdb8e39c..9ab4899bf0 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index 21fabc1686..6fcac6b719 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
index 65544e2603..be757a5bb8 100644
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ b/windows/security/threat-protection/auditing/event-5712.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 0a962eb85a..7b9765b982 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index c17e01b947..258e121a80 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index fa696c09b1..fbc98bd144 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
index 1b7b6cbe26..85812bc35a 100644
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ b/windows/security/threat-protection/auditing/event-6144.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index 5dd2b3ca8b..de7a63be42 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index aedaab33bb..837d239ea6 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index cfb77f2b3a..bdf323461d 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 3d2cdad2e8..c8fc24b94d 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 25ab43c57a..49d6839bdf 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index dc6488418a..30b311e730 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index 8b687e9d61..a988484860 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index 7fc02c9412..57b7d78034 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index 1dcb6e90d7..dd74c47896 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index 1317d12b70..c6f8e25a6c 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
index 682546cef4..0aacfce3f1 100644
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ b/windows/security/threat-protection/auditing/event-6408.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index 133b879966..6bbe69fb2d 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
index 7cd9614b30..f58b033971 100644
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ b/windows/security/threat-protection/auditing/event-6410.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
index 3fcc8e37dd..d9667a2625 100644
--- a/windows/security/threat-protection/auditing/event-6416.md
+++ b/windows/security/threat-protection/auditing/event-6416.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
index d185fb6e2c..e9582509f3 100644
--- a/windows/security/threat-protection/auditing/event-6419.md
+++ b/windows/security/threat-protection/auditing/event-6419.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index 3c7d9aafa9..970c382ab7 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
index e82d2c1cce..bddd6284b5 100644
--- a/windows/security/threat-protection/auditing/event-6421.md
+++ b/windows/security/threat-protection/auditing/event-6421.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index bbd690551c..38990177e5 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
index 6e9a3a1f54..f48d8e7d1b 100644
--- a/windows/security/threat-protection/auditing/event-6423.md
+++ b/windows/security/threat-protection/auditing/event-6423.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
index 3afa0bee64..d9f0466d51 100644
--- a/windows/security/threat-protection/auditing/event-6424.md
+++ b/windows/security/threat-protection/auditing/event-6424.md
@@ -5,6 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
index d83ec4b427..7964ac323a 100644
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
index 5bcc889fff..439c9c1b3f 100644
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -18,7 +19,7 @@ ms.date: 04/19/2017
 This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. Central access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than other network objects. However, it is important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced.
-Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx).
+Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. 
If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
 >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.  
diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
index 410b771c8d..7aeb903d71 100644
--- a/windows/security/threat-protection/auditing/monitor-claim-types.md
+++ b/windows/security/threat-protection/auditing/monitor-claim-types.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -19,8 +20,8 @@ This topic for the IT professional describes how to monitor changes to claim typ Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted. -Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic -Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). +Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic +Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index 3b001b7e2a..c99548b8fd 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md 
@@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- @@ -20,7 +21,7 @@ Resource attribute definitions define the basic properties of resource attribute For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md). -Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). +Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index a87230b143..a6c28921e2 100644 
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- @@ -21,7 +22,7 @@ This security audit policy and the event that it records are generated when the For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md). -Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](http://technet.microsoft.com/library/hh831717.aspx). +Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index 54d4d33846..51df126e27 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -17,7 +18,7 @@ ms.date: 04/19/2017 This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. -Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of central access policies on a file server. The following procedures assume that you have configured and deployed dynamic access control, including central access policies, and claims in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). +Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of central access policies on a file server. The following procedures assume that you have configured and deployed dynamic access control, including central access policies, and claims in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). **To configure settings to monitor changes to central access policies** diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index c272a341c2..94d8efbfe0 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md 
@@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- @@ -23,7 +24,7 @@ If your organization has a carefully thought out authorization configuration for - Changing the Retention attribute of files that have been marked for retention. - Changing the Department attribute of files that are marked as belonging to a particular department. -Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](http://technet.microsoft.com/library/hh831717.aspx) . +Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx) . >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index a2ce772425..27794f5009 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md 
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
index 0134469570..3f49698848 100644
--- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
+++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
@@ -6,8 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
-
 ms.date: 04/19/2017
 ---
@@ -20,7 +20,7 @@ This topic for the IT professional describes how to monitor user and device clai Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at sign-on. For example, information about Department, Company, Project, or Security clearances might be included in the token. -Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](http://technet.microsoft.com/library/hh846167.aspx). +Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.   diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md index d67be8eaff..903d0ff8b6 100644 --- a/windows/security/threat-protection/auditing/other-events.md +++ b/windows/security/threat-protection/auditing/other-events.md 
@@ -5,6 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +ms.localizationpriority: medium author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 31785c4181..8dee2ff70e 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- @@ -15,7 +16,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit +This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. 
@@ -114,9 +115,9 @@ The following table provides an example of a resource analysis for an organizati | Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements | | - | - | - | - | - | -| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1
          Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| +| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1
          Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| | Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2
          Lab Assistants: Write only on MedRec-2
          Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| -| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1
          Public: Read only on Web-Ext-1| Low| Public education and corporate image| +| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1
          Public: Read only on Web-Ext-1| Low| Public education and corporate image|   ### Users @@ -136,7 +137,7 @@ The following table illustrates an analysis of users on a network. Although our | - | - | - | | Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. | | Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | -| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.| +| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.|   ### Computers 
@@ -145,10 +146,10 @@ Security and auditing requirements and audit event volume can vary considerably - If the computers are servers, desktop computers, or portable computers. - The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager. - >**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](http://technet.microsoft.com/library/cc280386.aspx). + >**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx).   - The operating system versions. - + >**Note:**  The operating system version determines which auditing options are available and the volume of audit event data.   - The business value of the data. 
@@ -159,20 +160,20 @@ The following table illustrates an analysis of computers in an organization. | Type of computer and applications | Operating system version | Where located | | - | - | - | -| Servers hosting Exchange Server| Windows Server 2008 R2| ExchangeSrv OU| -| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location| +| Servers hosting Exchange Server| Windows Server 2008 R2| ExchangeSrv OU| +| File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location| | Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location| -| Web servers | Windows Server 2008 R2 | WebSrv OU| +| Web servers | Windows Server 2008 R2 | WebSrv OU|   ### Regulatory requirements Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations. -For more info, see the [System Center Process Pack for IT GRC](http://technet.microsoft.com/library/dd206732.aspx). +For more info, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx). ## Mapping the security audit policy to groups of users, computers, and resources in your organization -By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. 
To map a security auditing policy to these defined groups in your organization, you should understand the +By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings: - The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. @@ -188,7 +189,7 @@ following considerations for using Group Policy to apply security audit policy s - Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy. >**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. - + If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.   
@@ -230,7 +231,7 @@ Depending on your goals, different sets of audit settings may be of particular v   ### Data and resource activity -For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be +For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: - Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share. 
@@ -241,7 +242,7 @@ protected against any breach, the following settings can provide extremely valua >**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md).   - Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. - + Event volume can be high, depending on how SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes. - **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. 
@@ -296,7 +297,7 @@ Not all versions of Windows support advanced audit policy settings or the use of The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization. -For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](http://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events. +For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events. In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing: 
@@ -328,7 +329,7 @@ In addition, whether you choose to leave audit data on an individual computer or - **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough. - **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. -You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer +You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: - **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes. diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index 175aee073f..ae9bb6e67a 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md 
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
index 2ee5032e3b..8c5ba869ef 100644
--- a/windows/security/threat-protection/auditing/security-auditing-overview.md
+++ b/windows/security/threat-protection/auditing/security-auditing-overview.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 63da4cc404..f71f318cd8 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -17,7 +18,7 @@ ms.date: 04/19/2017 This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. -These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](http://technet.microsoft.com/library/hh831542.aspx). +These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](https://technet.microsoft.com/library/hh831542.aspx). ## In this guide 
@@ -29,12 +30,12 @@ Domain administrators can create and deploy expression-based security audit poli
 | - | - |
 | [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md) | This topic for the IT professional describes how to monitor changes to the central access policies that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. Central access policies are created on a domain controller and then applied to file servers through Group Policy management. |
 | [Monitor the use of removable storage devices](monitor-the-use-of-removable-storage-devices.md) | This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. |
-| [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)| This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.|
+| [Monitor resource attribute definitions](monitor-resource-attribute-definitions.md)| This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.|
 | [Monitor central access policy and rule definitions](monitor-central-access-policy-and-rule-definitions.md) | This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. |
 | [Monitor user and device claims during sign-in](monitor-user-and-device-claims-during-sign-in.md)| This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. |
 | [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. |
 | [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. |
-| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.|
+| [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.|
  >**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment.
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index d491761c2a..5669c302b9 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
index 0c5a957bec..8b97c1b72b 100644
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
index 79880c8d9b..dfa28ec177 100644
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@@ -1,81 +1,21 @@
 ---
-title: Change history for threat protection (Windows 10)
-description: This topic lists new and updated topics in the Windows 10 threat protection documentation for Windows 10 and Windows 10 Mobile.
+title: Change history for Windows Defender Advanced Threat Protection (Windows Defender ATP)
+description: This topic lists new and updated topics in the WWindows Defender ATP content set.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 10/31/2017
+ms.date: 08/11/2018
+ms.localizationpriority: medium
 ---
 # Change history for threat protection
-This topic lists new and updated topics in the [Threat protection](index.md) documentation.
+This topic lists new and updated topics in the [Windows Defender ATP](windows-defender-atp/windows-defender-advanced-threat-protection.md) documentation.
-## February 2018
+## August 2018
 New or changed topic | Description
 ---------------------|------------
-[Security Compliance Toolkit](security-compliance-toolkit-10.md) | Added Office 2016 Security Baseline.
-[Audit security group management](auditing/audit-security-group-management.md)| Added recommendation to audit Failure events.
+[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform.
-## January 2018
-|New or changed topic |Description |
-|---------------------|------------|
-|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
-
-## November 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [How to enable virtualization-based protection of code integrity](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI. |
-
-
-## October 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md)|Added auto-recovery section.
-|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md)|New topic for MAM using the Azure portal.|
-| [TPM fundamentals](/windows/security/hardware-protection/tpm/tpm-fundamentals.md)
          [BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md) | Explained the change to allow reducing the maximum PIN length from 6 characters to 4. |
-| [Windows security baselines](windows-security-baselines.md) | New. Security baselines added for Windows 10, versions 1703 and 1709. |
-| [Security Compliance Toolkit](security-compliance-toolkit-10.md) | New. Includes a link to tools for managing security baselines. |
-| [Get support for security baselines](get-support-for-security-baselines.md) | New. Explains supported versions for security baselines and other support questions. |
-
-## August 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [BitLocker: Management recommendations for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md) | New BitLocker security topic. |
-| [Accounts: Block Microsoft accounts](security-policy-settings/accounts-block-microsoft-accounts.md) | Revised description |
-
-
-## July 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [How Windows 10 uses the Trusted Platform Module](/windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md) | New TPM security topic. |
-
-
-## June 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
-|[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
-|[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](\windows\security\information-protection\windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
-|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](\windows\security\information-protection\windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.|
-|[Secure the Windows 10 boot process](/windows/security/hardware-protection/secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content |
-
-## May 2017
-|New or changed topic |Description |
-|---------------------|------------|
-| [BitLocker Group Policy settings](/windows/security//information-protection/bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. |
-| [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) | New security policy setting. |
-
-
-## March 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[How to collect Windows Information Protection (WIP) audit event logs](/windows/security//information-protection/windows-information-protection/collect-wip-audit-event-logs.md) |New |
-|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](/windows/security//information-protection/windows-information-protection/mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
-|[Limitations while using Windows Information Protection (WIP)](/windows/security//information-protection/windows-information-protection/limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.|
-|[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New |
-|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)|New |
-|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)|New |
-|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. |
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 31e6351c21..b56a7a46b9 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,44 +1,45 @@
 ---
-title: Windows Defender Device Guard - virtualization-based security and code integrity policies (Windows 10)
-description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security.
+title: Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
+description: Device Guard consists of both hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 author: mdsakibMSFT
-ms.date: 04/19/2018
+ms.date: 09/07/2018
 ---
-# Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control
+# Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity
 **Applies to**
 - Windows 10
 - Windows Server 2016
-With Windows 10, we introduced Windows Defender Device Guard, a set of hardware and OS technologies that, when configured together, allow enterprises to lock down Windows systems so they operate with many of the properties of mobile devices.
-In this configuration, Device Guard restricts devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices.
In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
-Configurable CI has these advantages over other solutions:
+Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been referred to as Windows Defender Device Guard.
-1. Configurable CI policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
-2. Configurable CI allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
-3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. Then changing the policy requires administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker or malware that managed to gain administrative privilege to alter the application control policy.
-4. The entire configurable CI enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant?
That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable CI or any other application control solution.
+Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
+
+1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
+2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
+3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy.
+4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
 ## (Re-)Introducing Windows Defender Application Control
-When we originally designed Device Guard it was built with a specific security promise in mind.
Although there were no direct dependencies between its two main OS features, configurable CI and HVCI, we intentionally focused our marketing story around the Device Guard lockdown state you achieve when deploying them together.
+When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable code integrity and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together.
-However, this unintentionally left an impression for many customers that the two features were inexorably linked and could not be deployed separately.
-And given that HVCI relies on the Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
+However, the use of the term Device Guard to describe this configuration state has unintentionally left an impression for many IT professionals that the two features were inexorably linked and could not be deployed separately.
+Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet.
-As a result, many customers assumed that they couldn’t use configurable CI either.
-But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many customers were wrongly denied the benefits of this powerful application control capability.
+As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
+But configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
-Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. So we are promoting configurable CI within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
-We hope this branding change will help us better communicate options for adopting application control within an organization.
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
+We hope this change will help us better communicate options for adopting application control within an organization.
-Does this mean Windows Defender Device Guard is going away? Not at all. Device Guard will continue to exist as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original Device Guard scenario.
+Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device Guard will continue to be used as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original "Device Guard" locked down scenario for Windows 10 based devices.
 ## Related topics
diff --git a/windows/security/threat-protection/images/AH_icon.png b/windows/security/threat-protection/images/AH_icon.png
new file mode 100644
index 0000000000..ff9c97c86e
Binary files /dev/null and b/windows/security/threat-protection/images/AH_icon.png differ
diff --git a/windows/security/threat-protection/images/AR_icon.png b/windows/security/threat-protection/images/AR_icon.png
new file mode 100644
index 0000000000..887498f7bc
Binary files /dev/null and b/windows/security/threat-protection/images/AR_icon.png differ
diff --git a/windows/security/threat-protection/images/ASR_icon.png b/windows/security/threat-protection/images/ASR_icon.png
new file mode 100644
index 0000000000..28b5b3156f
Binary files /dev/null and b/windows/security/threat-protection/images/ASR_icon.png differ
diff --git a/windows/security/threat-protection/images/EDR_icon.png b/windows/security/threat-protection/images/EDR_icon.png
new file mode 100644
index 0000000000..7e6df62bdf
Binary files /dev/null and b/windows/security/threat-protection/images/EDR_icon.png differ
diff --git a/windows/security/threat-protection/images/NGP_icon.png b/windows/security/threat-protection/images/NGP_icon.png
new file mode 100644
index 0000000000..df1b70e041
Binary files /dev/null and b/windows/security/threat-protection/images/NGP_icon.png differ
diff --git a/windows/security/threat-protection/images/SS_icon.png b/windows/security/threat-protection/images/SS_icon.png
new file mode 100644
index 0000000000..95908405ce
Binary files /dev/null and b/windows/security/threat-protection/images/SS_icon.png differ
diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png
index 60725244e5..8a67d190b7 100644
Binary files a/windows/security/threat-protection/images/wdatp-pillars2.png and b/windows/security/threat-protection/images/wdatp-pillars2.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index b589ac9a69..be736a9d69 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,35 +1,132 @@
 ---
 title: Threat Protection (Windows 10)
-description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
+description: Learn how Windows Defender ATP helps protect against threats.
+keywords: threat protection, windows defender advanced threat protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, secure score, advanced hunting
+search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
-ms.date: 02/05/2018
+author: dansimp
+ms.localizationpriority: medium
+ms.date: 09/07/2018
 ---
 # Threat Protection
-Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
+Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
-![Windows Defender ATP components](images/wdatp-pillars2.png)
+

          Windows Defender ATP

          + + + + + + + + + + + + + + + +

          Attack surface reduction

          Next generation protection

          Endpoint detection and response

          Automated investigation and remediation

          Secure score

          Advanced hunting
          +
          Management and APIs
          Microsoft threat protection
          +
          -The following capabilities are available across multiple products that make up the Windows Defender ATP platform. -**Attack surface reduction**
          + + +**[Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)**
          The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. -**Next generation protection**
          +- [Hardware based isolation](windows-defender-atp/overview-hardware-based-isolation.md) +- [Application control](windows-defender-application-control/windows-defender-application-control.md) +- [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) +- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) +- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) +- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) +- [Attack surface reduction controls](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) + + + +**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
          To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. -**Endpoint protection and response**
          +- [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) + + + + +**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
          Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. -**Auto investigation and remediation**
          +- [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) +- [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) +- [Response orchestration](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md) +- [Forensic collection](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) +- [Threat intelligence](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Advanced detonation and analysis service](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) + + + +**[Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)**
          In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -**Security posture**
          -Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. +- [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) +- [Threat remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md#how-threats-are-remediated) +- [Manage automated investigations](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md) +- [Analyze automated investigation](windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md#analyze-automated-investigations) + + + +**[Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)**
          +Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. +- [Asset inventory](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) +- [Recommended improvement actions](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) +- [Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md) +- [Threat analytics](windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) + + + +**[Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)**
          +Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. + +- [Custom detection](windows-defender-atp/overview-custom-detections.md) +- [Realtime and historical hunting](windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md) + + + +**[Management and APIs](windows-defender-atp/management-apis.md)**
          +Integrate Windows Defender Advanced Threat Protection into your existing workflows. +- [Onboarding](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) +- [API and SIEM integration](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) +- [Exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) +- [Role-based access control (RBAC)](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md) +- [Reporting and trends](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md) + + + +**[Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)**
          +Bring the power of Microsoft threat protection to your organization. +- [Conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) +- [O365 ATP](windows-defender-atp/threat-protection-integration.md) +- [Azure ATP](windows-defender-atp/threat-protection-integration.md) +- [Azure Security Center](windows-defender-atp/threat-protection-integration.md) +- [Skype for Business](windows-defender-atp/threat-protection-integration.md) +- [Microsoft Cloud App Security](windows-defender-atp/microsoft-cloud-app-security-integration.md) + + + + + + + + + diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md new file mode 100644 index 0000000000..db9e975f40 --- /dev/null +++ b/windows/security/threat-protection/intelligence/TOC.md 
@@ -0,0 +1,53 @@
+# [Security intelligence](index.md)
+
+## [Understand malware & other threats](understanding-malware.md)
+
+### [Prevent malware infection](prevent-malware-infection.md)
+
+### [Malware names](malware-naming.md)
+
+### [Coin miners](coinminer-malware.md)
+
+### [Exploits and exploit kits](exploits-malware.md)
+
+### [Fileless threats](fileless-threats.md)
+
+### [Macro malware](macro-malware.md)
+
+### [Phishing](phishing.md)
+
+### [Ransomware](ransomware-malware.md)
+
+### [Rootkits](rootkits-malware.md)
+
+### [Supply chain attacks](supply-chain-malware.md)
+
+### [Tech support scams](support-scams.md)
+
+### [Trojans](trojans-malware.md)
+
+### [Unwanted software](unwanted-software.md)
+
+### [Worms](worms-malware.md)
+
+## [How Microsoft identifies malware and PUA](criteria.md)
+
+## [Submit files for analysis](submission-guide.md)
+
+## [Safety Scanner download](safety-scanner-download.md)
+
+## [Industry antivirus tests](top-scoring-industry-antivirus-tests.md)
+
+## [Industry collaboration programs](cybersecurity-industry-partners.md)
+
+### [Virus information alliance](virus-information-alliance-criteria.md)
+
+### [Microsoft virus initiative](virus-initiative-criteria.md)
+
+### [Coordinated malware eradication](coordinated-malware-eradication.md)
+
+## [Information for developers](developer-info.md)
+
+### [Software developer FAQ](developer-faq.md)
+
+### [Software developer resources](developer-resources.md)
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
new file mode 100644
index 0000000000..e74b6ea5f4
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -0,0 +1,47 @@
+---
+title: Coin miners
+description: Learn about coin miners, how they can infect devices, and what you can do to protect yourself.
+keywords: security, malware, coin miners, protection, cryptocurrencies
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Coin miners
+
+Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by reconfiguring malware.
+
+## How coin miners work
+
+Many infections start with:
+
+- Email messages with attachments that try to install malware.
+
+- Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install coin miners.
+
+- Websites taking advantage of computer processing power by running scripts while users browse the website.
+
+Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources.
+
+Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners are not wanted in enterprise environments because they eat up precious computing resources.
+
+Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people’s computing resources.
+
+### Examples
+
+DDE exploits, which have been known to distribute ransomware, are now delivering miners.
+
+For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit.
+
+The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency.
+
+## How to protect against coin miners
+
+**Enable PUA detection**: Some coin mining tools are not considered malware but are detected as potentially unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
+
+Since coin miners is becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
+
+For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
new file mode 100644
index 0000000000..2f6a6ce43c
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -0,0 +1,35 @@
+---
+title: Coordinated Malware Eradication
+description: Information and criteria regarding CME
+keywords: security, malware
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 07/12/2018
+---
+# Coordinated Malware Eradication
+
+![coordinated-malware-eradication](images/CoordinatedMalware.png)
+
+Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
+
+CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective communities, customers, and businesses.
+
+## Combining our tools, information, and actions
+
+Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. For instance, while security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry, online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action.
+
+In addition to telemetry and analysis data, Microsoft is planning to contribute cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in to these campaigns.
+
+## Coordinated campaigns for lasting results
+
+Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources.
These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can initiate a campaign and invite others to join it. The members then have the option to accept or decline the invitations they receive.
+
+## Join the effort
+
+Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
+
+If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
new file mode 100644
index 0000000000..ab053f956f
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -0,0 +1,170 @@
+---
+title: How Microsoft identifies malware and potentially unwanted applications
+description: criteria
+keywords: security, malware
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/01/2018
+---
+
+# How Microsoft identifies malware and potentially unwanted applications
+
+Microsoft aims to provide customers with the most delightful and productive Windows experience possible. To help achieve that, we try our best to ensure our customers are safe and in control of their devices.
+
+Microsoft gives you the information and tools you need when downloading, installing, and running software, as well as tools that protect you when we know that something unsafe is happening. Microsoft does this by identifying and analyzing software and online content against criteria described in this article.
+
+You can participate in this process by submitting software for analysis. Our analysts and intelligent systems can then help identify undesirable software and ensure they are covered by our security solutions.
+
+Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements.
+
+## Malware
+
+Malware is the overarching name for applications and other code, i.e. software, that Microsoft classifies more granularly as *malicious software* or *unwanted software*.
+
+### Malicious software
+
+Malicious software is an application or code that compromises user security. Malicious software might steal your personal information, lock your PC until you pay a ransom, use your PC to send spam, or download other malicious software. In general, malicious software tricks, cheats, or defrauds users, places users in vulnerable states, or performs other malicious activities.
+
+Microsoft classifies most malicious software into one of the following categories:
+
+* **Backdoor:** A type of malware that gives malicious hackers remote access to and control of your PC.
+
+* **Downloader:** A type of malware that downloads other malware onto your PC. It needs to connect to the internet to download files.
+
+* **Dropper:** A type of malware that installs other malware files onto your PC. Unlike a downloader, a dropper doesn’t need to connect to the internet to drop malicious files. The dropped files are typically embedded in the dropper itself.
+
+* **Exploit:** A piece of code that uses software vulnerabilities to gain access to your PC and perform other tasks, such as installing malware. [See more information about exploits](exploits-malware.md).
+
+* **Hacktool:** A type of tool that can be used to gain unauthorized access to your PC.
+
+* **Macro virus:** A type of malware that spreads through infected documents, such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
+
+* **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove.
+
+* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit.
+
+* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your PC. It then displays a ransom note stating you must pay money, complete surveys, or perform other actions before you can use your PC again. [See more information about ransomware](ransomware-malware.md).
+
+* **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your PC.
It also tries to convince you to pay for its services.
+
+* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead it tries to look legitimate, tricking users into downloading and installing it. Once installed, trojans perform a variety of malicious activities, such as stealing personal information, downloading other malware, or giving attackers access to your PC.
+
+* **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your PC.
+
+* **Worm:** A type of malware that spreads to other PCs. Worms can spread through email, instant messaging, file sharing platforms, social networks, network shares, and removable drives. Sophisticated worms take advantage of software vulnerabilities to propagate.
+
+### Unwanted software
+
+Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your PC through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software".
+
+#### Lack of choice
+
+You must be notified about what is happening on your PC, including what software does and whether it is active.
+
+Software that exhibits lack of choice might:
+
+* Fail to provide prominent notice about the behavior of the software and its purpose and intent.
+
+* Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence.
+
+* Install, reinstall, or remove software without your permission, interaction, or consent.
+
+* Install other software without a clear indication of its relationship to the primary software.
+
+* Circumvent user consent dialogs from the browser or operating system.
+
+* Falsely claim to be software from Microsoft.
+
+Software must not mislead or coerce you into making decisions about your PC. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might:
+
+* Display exaggerated claims about your PC’s health.
+
+* Make misleading or inaccurate claims about files, registry entries, or other items on your PC.
+
+* Display claims in an alarming manner about your PC's health and require payment or certain actions in exchange for fixing the purported issues.
+
+Software that stores or transmits your activities or data must:
+
+* Give you notice and get consent to do so. Software should not include an option that configures it to hide activities associated with storing or transmitting your data.
+
+#### Lack of control
+
+You must be able to control software on your computer. You must be able to start, stop, or otherwise revoke authorization to software.
+
+Software that exhibits lack of control might:
+
+* Prevent or limit you from viewing or modifying browser features or settings.
+
+* Open browser windows without authorization.
+
+* Redirect web traffic without giving notice and getting consent.
+
+* Modify or manipulate webpage content without your consent.
+
+Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models will be considered non-extensible and should not be modified.
+
+#### Installation and removal
+
+You must be able to start, stop, or otherwise revoke authorization given to software. Software should obtain your consent before installing, and it must provide a clear and straightforward way for you to install, uninstall, or disable it.
+
+Software that delivers *poor installation experience* might bundle or download other "unwanted software" as classified by Microsoft.
+
+Software that delivers *poor removal experience* might:
+
+* Present confusing or misleading prompts or pop-ups while being uninstalled.
+
+* Fail to use standard install/uninstall features, such as Add/Remove Programs.
+
+#### Advertising and advertisements
+
+Software that promotes a product or service outside of the software itself can interfere with your computing experience. You should have clear choice and control when installing software that presents advertisements.
+
+The advertisements that are presented by software must:
+
+* Include an obvious way for users to close the advertisement. The act of closing the advertisement must not open another advertisement.
+
+* Include the name of the software that presented the advertisement.
+
+The software that presents these advertisements must:
+
+* Provide a standard uninstall method for the software using the same name as shown in the advertisement it presents.
+
+Advertisements shown to you must:
+
+* Be distinguishable from website content.
+
+* Not mislead, deceive, or confuse.
+
+* Not contain malicious code.
+
+* Not invoke a file download.
+
+#### Consumer opinion
+
+Microsoft maintains a worldwide network of analysts and intelligence systems where you can [submit software for analysis](https://www.microsoft.com/wdsi/filesubmission). Your participation helps us identify new malware quickly. After analysis, Microsoft creates definitions for software that meets the described criteria. These definitions identify the software as malware and are available to all users through Windows Defender Antivirus and other Microsoft antimalware solutions.
+
+## Potentially unwanted application (PUA)
+
+Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences.
This optional protection, available to enterprises, helps deliver more productive, performant, and delightful Windows experiences.
+
+*PUAs are not considered malware.*
+
+Microsoft uses specific categories and the category definitions to classify software as a PUA.
+
+* **Advertising software:** Software that displays advertisements or promotions, or prompts the user to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
+
+* **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
+
+* **Cryptomining software:** Software that uses your computer resources to mine cryptocurrencies.
+
+* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.
+
+* **Marketing software:** Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.
+
+* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
+
+* **Poor industry reputation:** Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
new file mode 100644
index 0000000000..52a769a8b5
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
@@ -0,0 +1,39 @@
+---
+title: Industry collaboration programs
+description: Describing the 3 industry collaboration programs
+keywords: security, malware
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 07/12/2018
+---
+# Industry collaboration programs
+
+Microsoft has several industry-wide collaboration programs with different objectives and requirements. Enrolling in the right program can help you protect your customers, gain more insight into the current threat landscape, or assist in disrupting the malware ecosystem.
+
+## Virus Information Alliance (VIA)
+
+The VIA program gives members access to information that will help improve protection for Microsoft customers. Malware telemetry and samples can be provided to security teams to help identify gaps in their protection, prioritize new threat coverage, or better respond to threats.
+
+**You must be a member of VIA if you want to apply for membership to the other programs.**
+
+Go to the [VIA program page](virus-information-alliance-criteria.md) for more information.
+
+## Microsoft Virus Initiative (MVI)
+
+MVI is open to organizations who build and own a Real Time Protection (RTP) antimalware product of their own design, or one developed using a third-party antivirus SDK.
+
+Members get access to Microsoft client APIs for the Windows Defender Security Center, IOAV, AMSI, and Cloud Files, along with health data and other telemetry to help their customers stay protected. Antimalware products are submitted to Microsoft for performance testing on a regular basis.
+
+Go to the [MVI program page](virus-initiative-criteria.md) for more information.
+
+## Coordinated Malware Eradication (CME)
+
+CME is open to organizations who are involved in cybersecurity and antimalware or interested in fighting cybercrime.
+
+The program aims to bring organizations in cybersecurity and other industries together to pool tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our collective communities, customers, and businesses.
+
+Go to the [CME program page](coordinated-malware-eradication.md) for more information.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
new file mode 100644
index 0000000000..e6979a1851
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -0,0 +1,41 @@
+---
+title: Software developer FAQ
+description: This page provides answers to common questions we receive from software developers
+keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 07/01/2018
+---
+
+# Software developer FAQ
+
+This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
+
+## Does Microsoft accept files for a known list or false-positive prevention program?
+No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers.
+
+## How do I dispute the detection of my program?
+Submit the file in question as a software developer. Wait until your submission has a final determination.
+
+If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
+
+We encourage all software vendors and developers to read about how Microsoft identifies malware and unwanted software.
+
+## Why is Microsoft asking for a copy of my program?
+This can help us with our analysis. Participants of the Microsoft Active Protection Service (MAPS) may occasionally receive these requests.
The requests will stop once our systems have received and processed the file.
+
+## Why does Microsoft classify my installer as a software bundler?
+It contains instructions to offer a program classified as unwanted software. You can review the criteria we use to check applications for behaviors that are considered unwanted.
+
+## Why is the Windows Firewall blocking my program?
+This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more about Windows Firewall from the Microsoft Developer Network.
+
+## Why does the Windows Defender SmartScreen say my program is not commonly downloaded?
+This is not related to Windows Defender Antivirus and other Microsoft antimalware. You can find out more from the SmartScreen website.
+
diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md
new file mode 100644
index 0000000000..43c679345e
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/developer-info.md
@@ -0,0 +1,25 @@
+---
+title: Information for developers
+description: This page provides answers to common questions we receive from software developers and other useful resources
+keywords: software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 07/13/2018
+---
+
+# Information for developers
+Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions.
+
+## In this section
+Topic | Description
+:---|:---
+[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.
+[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest definitions and cloud protection from Microsoft.
+
+
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
new file mode 100644
index 0000000000..612338fcad
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -0,0 +1,43 @@
+---
+title: Software developer resources
+description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against definitions.
+keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 07/13/2018
+---
+
+# Software developer resources
+
+Concerned about the detection of your software?
+If you believe that your application or program has been incorrectly detected by Microsoft security software, submit the relevant files for analysis.
+
+Check out the following resources for information on how to submit and view submissions:
+- [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission)
+- [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory)
+
+## Additional resources
+
+### Detection criteria
+
+To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating malicious or potentially harmful code.
+
+For more information, see
+
+### Developer questions
+
+Find more guidance about the file submission and detection dispute process in our FAQ for software developers.
+
+For more information, see
+
+### Scan your software
+
+Use Windows Defender Antivirus to check your software against the latest definitions and cloud protection from Microsoft.
+
+For more information, see
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md
new file mode 100644
index 0000000000..252dc72d31
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/exploits-malware.md
@@ -0,0 +1,56 @@
+---
+title: Exploits and exploit kits
+description: Learn about exploits, how they can infect devices, and what you can do to protect yourself.
+keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Exploits and exploit kits
+
+Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
+
+## How exploits and exploit kits work
+
+Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include what's called "shellcode". This is a small malware payload that's used to download additional malware from attacker-controlled networks. This allows hackers to infect devices and infiltrate organizations.
+
+Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploys additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java and Sun Java.
+
+The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.
+
+The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage is visited.
+
+![example of how exploit kits work](./images/ExploitKit.png)
+
+*Example of how exploit kits work*
+
+Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
+
+Examples of exploit kits:
+
+- Angler / [Axpergle](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fAxpergle)
+
+- [Neutrino](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fNeutrino)
+
+- [Nuclear](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Exploit:JS/Neclu)
+
+To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/)
+
+## How we name exploits
+
+We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
+
+A project called "Common Vulnerabilities and Exposures (CVE)" is used by many security software vendors. The project gives each vulnerability a unique number, for example, CVE-2016-0778.
+The portion "2016" refers to the year the vulnerability was discovered. The "0778" is a unique ID for this specific vulnerability.
+
+You can read more on the [CVE website](https://cve.mitre.org/).
+
+## How to protect against exploits
+
+The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities and making sure these updates are applied to all devices is an important step to prevent malware.
+
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
new file mode 100644
index 0000000000..ec5da8fb32
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -0,0 +1,96 @@
+---
+title: Fileless threats
+description: Learn about fileless threats, its categories, and how it runs
+keywords: fileless, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: eravena
+author: eavena
+ms.date: 09/14/2018
+---
+
+#Fileless threats
+
+What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate.
+
+Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.
+
+To shed light on this loaded term, we grouped fileless threats into different categories.
+
+![Comprehensive diagram of fileless malware](images/fileless-malware.png)         
+*Figure 1. Comprehensive diagram of fileless malware*
+
+We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts.
+
+Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
+
+Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads.
+
+This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
+
+From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
+
+##Type I: No file activity performed
+
+A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
+
+Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls.
+
+Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
+
+##Type II: Indirect file activity
+
+There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
+
+It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
+
+##Type III: Files required to operate
+
+Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
+
+![Image of Kovter's registry key](images/kovter-reg-key.png)         
+*Figure 2. Kovter’s registry key*
+
+When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
+
+Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present.
+
+##Categorizing fileless threats by infection host
+
+Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.
+
+###Exploits
+
+**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
+
+**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
+
+###Hardware
+
+**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
+
+**CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.
+
+**USB-based** (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
+
+**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).
+
+**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date.
+
+###Execution and injection
+
+**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes.
+
+**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
+
+**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: they’re textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
+
+**Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
+
+##Defeating fileless malware
+
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+
+To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/images/CoordinatedMalware.png b/windows/security/threat-protection/intelligence/images/CoordinatedMalware.png
new file mode 100644
index 0000000000..fb4ba80cec
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/CoordinatedMalware.png differ
diff --git a/windows/security/threat-protection/intelligence/images/ExploitKit.png b/windows/security/threat-protection/intelligence/images/ExploitKit.png
new file mode 100644
index 0000000000..9d0bb2f96a
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/ExploitKit.png differ
diff --git a/windows/security/threat-protection/intelligence/images/NamingMalware1.png b/windows/security/threat-protection/intelligence/images/NamingMalware1.png
new file mode 100644
index 0000000000..8d1e936879
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/NamingMalware1.png differ
diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png
new file mode 100644
index 0000000000..8e2221a40b
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png differ
diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png
new file mode 100644
index 0000000000..8e3fb0cfde
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png differ
diff --git a/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png b/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png
new file mode 100644
index 0000000000..9e011c0e6a
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png differ
diff --git a/windows/security/threat-protection/intelligence/images/RealWorld0818.png b/windows/security/threat-protection/intelligence/images/RealWorld0818.png
new file mode 100644
index 0000000000..f1768f8187
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/RealWorld0818.png differ
diff --git a/windows/security/threat-protection/intelligence/images/SupplyChain.png b/windows/security/threat-protection/intelligence/images/SupplyChain.png
new file mode 100644
index 0000000000..491b55a690
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/SupplyChain.png differ
diff --git a/windows/security/threat-protection/intelligence/images/URLhover.png b/windows/security/threat-protection/intelligence/images/URLhover.png
new file mode 100644
index 0000000000..d307a154e0
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/URLhover.png differ
diff --git a/windows/security/threat-protection/intelligence/images/WormUSB_flight.png b/windows/security/threat-protection/intelligence/images/WormUSB_flight.png
new file mode 100644
index 0000000000..b1ad7c994f
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/WormUSB_flight.png differ
diff --git a/windows/security/threat-protection/intelligence/images/av-comparatives-logo-3.png b/windows/security/threat-protection/intelligence/images/av-comparatives-logo-3.png
new file mode 100644
index 0000000000..d7d3835e87
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/av-comparatives-logo-3.png differ
diff --git a/windows/security/threat-protection/intelligence/images/av-test-logo.png b/windows/security/threat-protection/intelligence/images/av-test-logo.png
new file mode 100644
index 0000000000..cc8704dc7f
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/av-test-logo.png differ
diff --git a/windows/security/threat-protection/intelligence/images/fileless-malware.png b/windows/security/threat-protection/intelligence/images/fileless-malware.png
new file mode 100644
index 0000000000..2aa502e144
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/fileless-malware.png differ
diff --git a/windows/security/threat-protection/intelligence/images/kovter-reg-key.png b/windows/security/threat-protection/intelligence/images/kovter-reg-key.png
new file mode 100644
index 0000000000..456f0956fa
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/kovter-reg-key.png differ
diff --git a/windows/security/threat-protection/intelligence/images/netflix.png b/windows/security/threat-protection/intelligence/images/netflix.png
new file mode 100644
index 0000000000..446542e62a
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/netflix.png differ
diff --git a/windows/security/threat-protection/intelligence/images/wdatp-pillars2.png b/windows/security/threat-protection/intelligence/images/wdatp-pillars2.png
new file mode 100644
index 0000000000..8a67d190b7
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/wdatp-pillars2.png differ
diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md
new file mode 100644
index 0000000000..1b234b902e
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/index.md
@@ -0,0 +1,24 @@
+---
+title: Security intelligence
+description: Safety tips about malware and how you can protect your organization
+keywords: security, malware
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Security intelligence
+
+Here you will find information about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs
+
+* [Understand malware & other threats](understanding-malware.md)
+* [How Microsoft identifies malware and PUA](criteria.md)
+* [Submit files for analysis](submission-guide.md)
+* [Safety Scanner download](safety-scanner-download.md)
+
+Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
+
+Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
new file mode 100644
index 0000000000..27bccb2f06
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -0,0 +1,43 @@
+---
+title: Macro malware
+description: Learn about how macro malware works, how it can infect devices, and what you can do to protect yourself.
+keywords: security, malware, macro, protection
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Macro malware
+
+Macros are a powerful way to automate common tasks in Microsoft Office and can make people more productive. However, macro malware uses this functionality to infect your device.
+
+## How macro malware works
+
+Macro malware hides in Microsoft Office files and are delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.
+
+Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince users to turn on macros so that their malware can run. They do this by showing fake warnings when a malicious document is opened.
+
+We've seen macro malware download threats from the following families:
+
+* [Ransom:MSIL/Swappa](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A)
+* [Ransom:Win32/Teerac](Ransom:Win32/Teerac)
+* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
+* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
+* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
+* [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
+
+## How to protect against macro malware
+
+* Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros:
+ * [Enable or disable macros](https://support.office.com/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12) in Office documents
+
+* Don’t open suspicious emails or suspicious attachments.
+
+* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
+
+* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)
+
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
new file mode 100644
index 0000000000..35db2cac2b
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -0,0 +1,176 @@
+---
+title: Malware names
+description: Identifying malware vocabulary
+keywords: security, malware, names
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Malware names
+
+We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format:
+
+![coordinated-malware-eradication](images/NamingMalware1.png)
+
+When our analysts research a particular threat, they will determine what each of the components of the name will be.
+
+## Type
+
+Describes what the malware does on your computer. Worms, viruses, trojans, backdoors, and ransomware are some of the most common types of malware.
+
+* Adware
+* Backdoor
+* Behavior
+* BrowserModifier
+* Constructor
+* DDoS
+* Exploit
+* Hacktool
+* Joke
+* Misleading
+* MonitoringTool
+* Program
+* PWS
+* Ransom
+* RemoteAccess
+* Rogue
+* SettingsModifier
+* SoftwareBundler
+* Spammer
+* Spoofer
+* Spyware
+* Tool
+* Trojan
+* TrojanClicker
+* TrojanDownloader
+* TrojanNotifier
+* TrojanProxy
+* TrojanSpy
+* VirTool
+* Virus
+* Worm
+
+## Platforms
+
+Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work on. The platform is also used to indicate programming languages and file formats.
+
+### Operating systems
+
+* AndroidOS: Android operating system
+* DOS: MS-DOS platform
+* EPOC: Psion devices
+* FreeBSD: FreeBSD platform
+* iPhoneOS: iPhone operating system
+* Linux: Linux platform
+* MacOS: MAC 9.x platform or earlier
+* MacOS_X: MacOS X or later
+* OS2: OS2 platform
+* Palm: Palm operating system
+* Solaris: System V-based Unix platforms
+* SunOS: Unix platforms 4.1.3 or lower
+* SymbOS: Symbian operating system
+* Unix: general Unix platforms
+* Win16: Win16 (3.1) platform
+* Win2K: Windows 2000 platform
+* Win32: Windows 32-bit platform
+* Win64: Windows 64-bit platform
+* Win95: Windows 95, 98 and ME platforms
+* Win98: Windows 98 platform only
+* WinCE: Windows CE platform
+* WinNT: WinNT
+
+### Scripting languages
+
+* ABAP: Advanced Business Application Programming scripts
+* ALisp: ALisp scripts
+* AmiPro: AmiPro script
+* ANSI: American National Standards Institute scripts
+* AppleScript: compiled Apple scripts
+* ASP: Active Server Pages scripts
+* AutoIt: AutoIT scripts
+* BAS: Basic scripts
+* BAT: Basic scripts
+* CorelScript: Corelscript scripts
+* HTA: HTML Application scripts
+* HTML: HTML Application scripts
+* INF: Install scripts
+* IRC: mIRC/pIRC scripts
+* Java: Java binaries (classes)
+* JS: Javascript scripts
+* LOGO: LOGO scripts
+* MPB: MapBasic scripts
+* MSH: Monad shell scripts
+* MSIL: .Net intermediate language scripts
+* Perl: Perl scripts
+* PHP: Hypertext Preprocessor scripts
+* Python: Python scripts
+* SAP: SAP platform scripts
+* SH: Shell scripts
+* VBA: Visual Basic for Applications scripts
+* VBS: Visual Basic scripts
+* WinBAT: Winbatch scripts
+* WinHlp: Windows Help scripts
+* WinREG: Windows registry scripts
+
+### Macros
+
+* A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros
+* HE: macro scripting
+* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint
+* PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
+* V5M: Visio5 macros
+* W1M: 
Word1Macro
+* W2M: Word2Macro
+* W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros
+* WM: Word 95 macros
+* X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros
+* XF: Excel formulas
+* XM: Excel 95 macros
+
+### Other file types
+
+* ASX: XML metafile of Windows Media .asf files
+* HC: HyperCard Apple scripts
+* MIME: MIME packets
+* Netware: Novell Netware files
+* QT: Quicktime files
+* SB: StarBasic (Staroffice XML) files
+* SWF: Shockwave Flash files
+* TSQL: MS SQL server files
+* XML: XML files
+
+## Family
+
+Grouping of malware based on common characteristics, including attribution to the same authors. Security software providers sometimes use different names for the same malware family.
+
+## Variant letter
+
+Used sequentially for every distinct version of a malware family. For example, the detection for the variant ".AF" would have been created after the detection for the variant ".AE".
+
+## Suffixes
+
+Provides extra detail about the malware, including how it is used as part of a multicomponent threat. In the example above, "!lnk" indicates that the threat component is a shortcut file used by Trojan:Win32/Reveton.T.
+
+* .dam: damaged malware
+* .dll: Dynamic Link Library component of a malware
+* .dr: dropper component of a malware
+* .gen: malware that is detected using a generic signature
+* .kit: virus constructor
+* .ldr: loader component of a malware
+* .pak: compressed malware
+* .plugin: plug-in component
+* .remnants: remnants of a virus
+* .worm: worm component of that malware
+* !bit: an internal category used to refer to some threats
+* !cl: an internal category used to refer to some threats
+* !dha: an internal category used to refer to some threats
+* !pfn: an internal category used to refer to some threats
+* !plock: an internal category used to refer to some threats
+* !rfn: an internal category used to refer to some threats
+* !rootkit: rootkit component of that malware
+* @m: worm mailers
+* @mm: mass mailer worm
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
new file mode 100644
index 0000000000..7449644117
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -0,0 +1,139 @@
+---
+title: Phishing
+description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself
+keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+
+# Phishing
+
+Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication that often look to be official communication from legitimate companies or individuals.
+
+The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be user names and passwords, credit card details, bank account information, or other credentials. Attackers can then use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces.
+
+## How phishing works
+
+Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season, bait content involves tax-filing announcements that attempt to lure you into providing your personal information such as your Social Security number or bank account information.
+
+Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign-in pages that require users to input login credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
+
+Another common phishing technique is the use of emails that direct you to open a malicious attachment, for example a PDF file. 
The attachment often contains a message asking you to provide login credentials to another site such as email or file sharing websites to open the document. When you access these phishing sites using your login credentials, the attacker now has access to your information and can gain additional personal information about you.
+
+## Phishing trends and techniques
+
+### Invoice phishing
+
+In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company and provides a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
+
+### Payment/delivery scam
+
+You are asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past, but you are not aware of any items you have recently purchased from them.
+
+### Tax-themed phishing scams
+
+A common IRS phishing scams is one in which an urgent email letter is sent indicating that you owe money to the IRS. Often the email threatens legal action if you do not access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
+
+### Downloads
+
+Another frequently-used phishing scam is one in which an attacker sends a fraudulent email requesting you to open or download a document, often one requiring you to sign in.
+
+### Phishing emails that deliver other threats
+
+Phishing emails can be very effective, and so attackers can using them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. 
When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
+
+We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites, which use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
+
+## Targeted attacks against enterprises
+
+### Spear phishing
+
+Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear phishing, attackers will typically do reconnaissance work, surveying social media and other information sources about their intended target.
+
+Spear phishing may involve tricking you into logging into fake sites and divulging credentials. Spear phishing may also be designed to lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
+
+The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
+
+### Whaling
+
+Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific companies with the direct goal of gaining access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. 
When the links or attachment are opened, it can assist the attacker in accessing credentials and other personal information, or launch a malware that will lead to an APT.
+
+### Business email compromise
+
+Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack, where the attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into releasing personal account information for money transfers.
+
+## How to protect against phishing attacks
+
+Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate.
+
+### Awareness
+
+The best protection is awareness and education. Don’t open attachments or click links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.
+
+Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information, and instruct them to report the threat to the company’s security operations team immediately.
+
+Here are several telltale signs of a phishing scam:
+
+* The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to. 
+ ![example of how exploit kits work](./images/URLhover.png)
+
+* There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
+
+* **Items in the email address will be changed** so that it is similar enough to a legitimate email address but has added numbers or changed letters.
+
+* The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
+
+* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails will not ask you to do this.
+
+* The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information.
+
+* The **sender address does not match** the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com.
+
+* There are **multiple recipients** in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients.
+
+* The greeting on the message itself **does not personally address you**. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious.
+
+* The website looks familiar but there are **inconsistencies or things that are not quite right** such as outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites.
+
+* The page that opens is **not a live page** but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials. 
+
+If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
+
+For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
+
+### Software solutions for organizations
+
+* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.
+
+* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services.
+
+* Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. 
+
+For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md).
+
+## What do I do if I've already been a victim of a phishing scam?
+
+If you feel that you have been a victim of a phishing attack, contact your IT Admin. You should also immediately change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card company, etc.
+
+### Reporting spam
+
+Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/en-us/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
+
+For Outlook and Outlook on the web users, use the **Report Message Add-in** for Microsoft Outlook. For information about how to install and use this tool, see [Enable the Report Message add-in](https://support.office.com/article/4250c4bc-6102-420b-9e0a-a95064837676).
+
+Send an email with the phishing scam to **The Anti-Phishing Working Group**: reportphishing@apwg.org. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions and law enforcement agencies are involved. 
+
+## Where to find more information about phishing attacks
+
+For information on the latest Phishing attacks, techniques, and trends, you can read these entries on the [Windows Security blog](https://cloudblogs.microsoft.com/microsoftsecure/?product=windows,windows-defender-advanced-threat-protection):
+
+* [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
+
+* [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
+
+* [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
new file mode 100644
index 0000000000..731b7e0e95
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -0,0 +1,117 @@
+---
+title: Prevent malware infection
+description: Malware prevention best practices
+keywords: security, malware, prevention, infection, tips
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Prevent malware infection
+
+Malware authors are always looking for new ways to infect computers. Follow the simple tips below to stay protected and minimize threats to your data and accounts.
+
+You can also browse the many [software and application solutions](https://review.docs.microsoft.com/en-us/windows/security/intelligence/prevent-malware-infection?branch=wdsi-migration-stuff#software-solutions) available to you.
+
+## Keep software up-to-date
+
+[Exploits](exploits-malware.md) typically use vulnerabilities in popular software such as web browsers, Java, Adobe Flash Player, and Microsoft Office to infect devices. Software updates patch vulnerabilities so they aren't available to exploits anymore.
+
+To keep Microsoft software up to date, ensure that [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq) are enabled. Also, upgrade to the latest version of Windows to benefit from a host of built-in security enhancements.
+
+## Be wary of links and attachments
+
+Email and other messaging tools are a few of the most common ways your device can get infected. Attachments or links in messages can open malware directly or can stealthily trigger a download. Some emails will give instructions to allow macros or other executable content designed to make it easier for malware to infect your devices.
+
+* Use an email service that provides protection against malicious attachments, links, and abusive senders. [Microsoft Office 365](https://support.office.com/article/Anti-spam-and-anti-malware-protection-in-Office-365-5ce5cf47-2120-4e51-a403-426a13358b7e) has built-in antimalware, link protection, and spam filtering. 
+
+For more information, see [Phishing](phishing.md).
+
+## Watch out for malicious or compromised websites
+
+By visiting malicious or compromised sites, your device can get infected with malware automatically or you can get tricked into downloading and installing malware. See [exploits and exploit kits](exploits-malware.md) as an example of how some of these sites can automatically install malware to visiting computers.
+
+To identify potentially harmful websites, keep the following in mind:
+
+* The initial part (domain) of a website address should represent the company that owns the site you are visiting. Check the domain for misspellings. For example, malicious sites commonly use domain names that swap the letter O with a zero (0) or the letters L and I with a one (1). If example.com is spelled examp1e.com, the site you are visiting is suspect.
+
+* Sites that aggressively open popups and display misleading buttons often trick users into accepting content through constant popups or mislabeled buttons.
+
+To block malicious websites, use a modern web browser like [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge?ocid=cx-wdsi-articles) which identifies phishing and malware websites and checks downloads for malware.
+
+If you encounter an unsafe site, click **More […] > Send feedback** on Microsoft Edge. You can also [report unsafe sites directly to Microsoft](https://www.microsoft.com/wdsi/support/report-unsafe-site).
+
+### Pirated material on compromised websites
+
+Using pirated content is not only illegal, it can also expose your device to malware. Sites that offer pirated software and media are also often used to distribute malware when the site is visited. Sometimes pirated software is bundled with malware and other unwanted software when downloaded, including intrusive browser plugins and adware.
+
+Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported. 
+
+To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/windows-10-s?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed.
+
+## Don't attach unfamiliar removable drives
+
+Some types of malware can spread by copying themselves to USB flash drives or other removable drives. There are malicious individuals that intentionally prepare and distribute infected drives—leaving these drives in public places to victimize unsuspecting individuals.
+
+Only use removable drives that you are familiar with or that come from a trusted source. If a drive has been used in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including Office and PDF documents and executable files.
+
+## Use a non-administrator account
+
+At the time they are launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting account privileges, you can prevent malware from making consequential changes any devices.
+
+By default, Windows uses [User Account Control (UAC)](https://docs.microsoft.com/windows/access-protection/user-account-control/user-account-control-overview) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can simply override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run. 
+
+To help ensure that everyday activities do not result in malware infection and other potentially catastrophic changes, it is recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.
+
+Whenever necessary, log in as an administrator to install apps or make configuration changes that require admin privileges.
+
+[Read about creating user accounts and giving administrator privileges](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
+
+## Other safety tips
+
+To further ensure that data is protected from malware as well as other threats:
+
+* Backup files. Follow the 3-2-1 rule: make **3 copies**, store in at least **2 locations**, with at least **1 offline copy**. Use [OneDrive](https://onedrive.live.com/about/?ocid=cx-wdsi-articles) for reliable cloud-based copies that allows access to files from multiple devices and helps recover damaged or lost files, including files locked by ransomware.
+
+* Be wary when connecting to public hotspots, particularly those that do not require authentication.
+
+* Use [strong passwords](https://support.microsoft.com/help/12410/microsoft-account-help-protect-account) and enable multi-factor authentication.
+
+* Do not use untrusted devices to log on to email, social media, and corporate accounts.
+
+## Software solutions
+
+Microsoft provides comprehensive security capabilities that help protect against threats. We recommend:
+
+* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up-to-date to get the latest protections. 
+
+* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
+
+* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using Microsoft [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
+
+* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
+
+* [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
+
+* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/#pivot=itadmin&panel=it-security) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
+
+* [Office 365 Advanced Threat Protection](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. 
+
+* [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
+
+* [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Windows Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Windows Defender ATP free of charge.
+
+* [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
+
+### Earlier than Windows 10 (not recommended)
+
+* [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) provides real-time protection for your home or small business device that guards against viruses, spyware, and other malicious software.
+
+## What to do with a malware infection
+
+Windows Defender ATP antivirus capabilities helps reduce the chances of infection and will automatically remove threats that it detects.
+
+In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
new file mode 100644
index 0000000000..484ae796f1
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -0,0 +1,61 @@
+---
+title: Ransomware
+description: Learn about ransomware, how it works, and what you can do to protect yourself.
+keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Ransomware
+
+Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims by asking for money, usually in form of cryptocurrencies, in exchange for the decryption key. But cybercriminals won't always follow through and unlock the files they encrypted.
+
+The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms especially susceptible to ransomware attacks.
+
+## How ransomware works
+
+Most ransomware infections start with:
+
+* Email messages with attachments that try to install ransomware.
+
+* Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
+
+Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4.
+
+Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business, at the expense of individuals and businesses.
+
+### Examples
+
+Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry), and **Petya** (also known as NotPetya) spread to other computers via network shares or exploits.
+
+* Spora drops ransomware copies in network shares.
+
+* WannaCrypt exploits the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to infect other computers.
+
+* A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks.
+
+Older ransomware like **Reveton** locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware".
+
+Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files.
+
+**Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.
+
+## How to protect against ransomware
+
+ Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets and attackers can demand bigger ransoms.
+
+We recommend:
+
+* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
+
+* Apply the latest updates to your operating systems and apps.
+
+* Educate your employees so they can identify social engineering and spear-phishing attacks.
+
+* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). It can stop ransomware from encrypting files and holding the files for ransom.
+
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
new file mode 100644
index 0000000000..24d7b3ca8a
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -0,0 +1,59 @@
+---
+title: Rootkits
+description: Learn about rootkits, how they hide malware on your device, and what you can do to protect yourself.
+keywords: security, malware, rootkit, hide, protection, hiding
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Rootkits
+
+Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal information and resources.
+
+## How rootkits work
+
+Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust any information that device reports about itself.
+
+For example, if you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device.
+
+Many modern malware families use rootkits to try and avoid detection and removal, including:
+
+* [Alureon](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon)
+
+* [Cutwail](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail)
+
+* [Datrahere](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo)
+
+* [Rustock](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock)
+
+* [Sinowal](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSinowal)
+
+* [Sirefef](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef)
+
+## How to protect against rootkits
+
+Like any other type of malware, the best way to avoid rootkits is to prevent it from being installed in the first place.
+
+* Apply the latest updates to operating systems and apps.
+
+* Educate your employees so they can be wary of suspicious websites and emails.
+
+* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
+
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+
+### What if I think I have a rootkit on my device?
+
+Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment.
+
+[Windows Defender Offline](https://windows.microsoft.com/windows/what-is-windows-defender-offline) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection.
+
+[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity.
+
+### What if I can’t remove a rootkit?
+
+If the problem persists, we strongly recommend reinstalling the operating system and security software. You should then restore your data from a backup.
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
new file mode 100644
index 0000000000..907f9c9a3a
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -0,0 +1,43 @@
+---
+title: Microsoft Safety Scanner Download
+description: Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers.
+keywords: security, malware
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: dansimp
+author: dansimp
+ms.date: 08/01/2018
+---
+# Microsoft Safety Scanner
+Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
+
+- [Download 32-bit](https://go.microsoft.com/fwlink/?LinkId=212733)
+
+- [Download 64-bit](https://go.microsoft.com/fwlink/?LinkId=212732)
+
+Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
+
+> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/en-us/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
+
+## System requirements
+Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/en-us/lifecycle).
+
+## How to run a scan
+1. Download this tool and open it.
+2. Select the type of scan you want run and start the scan.
+3. Review the scan results displayed on screen. The tool lists all identified malware.
+
+To remove this tool, delete the executable file (msert.exe by default).
+
+For more information about the Safety Scanner, see the support article on [how to troubleshoot problems using Safety Scanner](https://support.microsoft.com/en-us/kb/2520970).
+
+## Related resources
+
+- [Troubleshooting Safety Scanner](https://support.microsoft.com/en-us/kb/2520970)
+- [Windows Defender Antivirus](https://www.microsoft.com/en-us/windows/windows-defender)
+- [Microsoft Security Essentials](https://support.microsoft.com/en-us/help/14210/security-essentials-download)
+- [Removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection)
+- [Submit file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission)
+- [Microsoft antimalware and threat protection solutions](https://www.microsoft.com/en-us/wdsi/products)
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
new file mode 100644
index 0000000000..b72568d223
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -0,0 +1,76 @@
+---
+title: How Microsoft identifies malware and potentially unwanted applications
+description: criteria
+keywords: security, malware
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/01/2018
+---
+
+# Submit files for analysis
+
+If you have a file that you suspect might be malware or is being incorrectly detected, you can submit it to us for analysis. This page has answers to some common questions about submitting a file for analysis.
+
+## How do I send a malware file to Microsoft?
+
+You can send us files that you think might be malware or files that have been incorrectly detected through the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission).
+
+We receive a large number of samples from many sources. Our analysis is prioritized by the number of file detections and the type of submission. You can help us complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file.
+
+If you sign in before you submit a sample, you will be able to track your submissions.
+
+## Can I send a sample by email?
+
+No, we only accept submissions through our [sample submission portal](https://www.microsoft.com/wdsi/filesubmission).
+
+## Can I submit a sample without signing in?
+
+Yes, you many submit a file as an anonymous home customer. You will get a link to a webpage where you can view the status of the submission.
+
+If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance.
+
+## What is the Software Assurance ID (SAID)?
+
+The [Software Assurance ID (SAID)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx) is for enterprise customers to track support entitlements. The submission portal accepts and retains SAID information and allows customers with valid SAIDs to make higher priority submissions.
+
+### How do I dispute the detection of my program?
+
+[Submit the file](https://www.microsoft.com/wdsi/filesubmission) in question as a software developer. Wait until your submission has a final determination.
+
+If you’re not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary.
+
+We encourage all software vendors and developers to read about [how Microsoft identifies malware and unwanted software](criteria.md).
+
+## How do I track or view past sample submissions?
+
+You can track your submissions through the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it.
+
+If you’re not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if you want to come back and check on the status of your submission.
+
+## What does the submission status mean?
+
+Each submission is shown to be in one of the following status types:
+
+* Submitted—the file has been received
+
+* In progress—an analyst has started checking the file
+
+* Closed—a final determination has been given by an analyst
+
+If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory).
+
+## How does Microsoft prioritize submissions
+
+Processing submissions take dedicated analyst resource. Because we regularly receive a large number of submissions, we handle them based on a priority. The following factors affect how we prioritize submissions:
+
+* Prevalent files with the potential to impact large numbers of computers are prioritized.
+
+* Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given priority.
+
+* Submissions flagged as high priority by SAID holders are given immediate attention.
+
+Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. Note that the same file may have already been processed by an analyst. To check for updates to the determination, select rescan on the submission details page.
diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md
new file mode 100644
index 0000000000..ce1112d198
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md
@@ -0,0 +1,57 @@
+---
+title: Supply chain attacks
+description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself
+keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+
+# Supply chain attacks
+
+Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.
+
+## How supply chain attacks work
+
+Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.
+
+Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app.
+
+The number of potential victims is significant, given the popularity of some apps. A case occurred where a free file compression app was poisoned and deployed to customers in a country where it was the top utility app.
+
+### Types of supply chain attacks
+
+* Compromised software building tools or updated infrastructure
+
+* Stolen code-sign certificates or signed malicious apps using the identity of dev company
+
+* Compromised specialized code shipped into hardware or firmware components
+
+* Pre-installed malware on devices (cameras, USB, phones, etc.)
+
+To learn more about supply chain attacks, read this blog post called [attack inception: compromised supply chain within a supply chain poses new risks](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/).
+
+## How to protect against supply chain attacks
+
+* Deploy strong code integrity policies to allow only authorized apps to run.
+
+* Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities.
+
+### For software vendors and developers
+
+* Take steps to ensure your apps are not compromised.
+
+* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems.
+ * Immediately apply security patches for OS and software.
+
+ * Require multi-factor authentication for admins.
+
+* Build secure software update processes as part of the software development lifecycle.
+
+* Develop an incident response process for supply chain attacks.
+
+For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
new file mode 100644
index 0000000000..821900539a
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -0,0 +1,63 @@
+---
+title: Tech Support Scams
+description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself
+keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+ms.date: 08/17/2018
+---
+# Tech support scams
+
+Tech support scams are an industry-wide issue where scammers use scare tactics to trick users into paying for unnecessary technical support services that supposedly fix contrived device, platform, or software problems.
+
+## How tech support scams work
+
+Scammers may call you directly on your phone and pretend to be representatives of a software company. They might even spoof the caller ID so that it displays a legitimate support phone number from a trusted company. They can then ask you to install applications that give them remote access to your device. Using remote access, these experienced scammers can misrepresent normal system output as signs of problems.
+
+Scammers might also initiate contact by displaying fake error messages on websites you visit, displaying support numbers and enticing you to call. They can also put your browser on full screen and display pop-up messages that won't go away, essentially locking your browser. These fake error messages aim to trick you into calling an indicated technical support hotline. Note that Microsoft error and warning messages never include phone numbers.
+
+When you engage with the scammers, they can offer fake solutions for your “problems” and ask for payment in the form of a one-time fee or subscription to a purported support service.
+
+**For more information, view [known tech support scam numbers and popular web scams](https://support.microsoft.com/en-us/help/4013405/windows-protect-from-tech-support-scams).**
+
+## How to protect against tech support scams
+
+Share and implement the general tips on how to [prevent malware infection](prevent-malware-infection.md).
+
+It is also important to keep the following in mind:
+
+* Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.
+
+* Any communication with Microsoft has to be initiated by you.
+
+* Don’t call the number in the pop-ups. Microsoft’s error and warning messages never include a phone number.
+
+* Download software only from official vendor websites or the Microsoft Store. Be wary of downloading software from third-party sites, as some of them might have been modified without the author’s knowledge to bundle support scam malware and other threats.
+
+* Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
+
+* Enable Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
+
+## What to do if information has been given to a tech support person
+
+* Uninstall applications that scammers asked to be install. If access has been granted, consider resetting the device
+
+* Run a full scan with Windows Defender Antivirus to remove any malware. Apply all security updates as soon as they are available.
+
+* Change passwords.
+
+* Call your credit card provider to reverse the charges, if you have already paid.
+
+* Monitor anomalous logon activity. Use Windows Defender Firewall to block traffic to services that you would not normally access.
+
+### Reporting tech support scams
+
+Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams:
+
+**www.microsoft.com/reportascam**
+
+You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
new file mode 100644
index 0000000000..e984e5abab
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -0,0 +1,78 @@ +--- +title: Top scoring in industry antivirus tests +description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis. +keywords: security, malware, av-comparatives, av-test, av, antivirus +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 09/05/2018 +--- + +# Top scoring in industry antivirus tests + +[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) **consistently achieves high scores** in independent tests, displaying how it is a top choice in the antivirus market. + +We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections. + +In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender AV is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. 
That's because Windows Defender AV detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. + +> [!TIP] +> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports). + +



          +![AV-TEST logo](./images/av-test-logo.png) + +## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test + + +The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). + +### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest** + + Windows Defender AV achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. With the latest results, Windows Defender AV has achieved 100% on 10 of the 12 most recent antivirus tests (combined "Real-World" and "Prevalent malware"). + +### March-April 2018 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) + + Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). + +### January-February 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports) + +Windows Defender AV achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples tested. 
+ +||| +|---|---| +|![Graph describing Real-World detection rate](./images/RealWorld-67-percent.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware-67-percent.png)| +

          + +![AV-Comparatives Logo](./images/av-comparatives-logo-3.png) + +## AV-Comparatives: Perfect protection rating of 100% in the latest test + +AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. + +### Real-World Protection Test July (Consumer): [Protection Rate 100%](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest** + +The results are based on testing against 186 malicious URLs that have working exploits or point directly to malware. + +### Real-World Protection Test March - June (Enterprise): [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/) + +This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. + +### Malware Protection Test March 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) + +This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. + +[Historical AV-Comparatives Microsoft tests](https://www.av-comparatives.org/vendors/microsoft/) + +## To what extent are tests representative of protection in the real world? + +It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the antivirus evaluations highlighted above. Windows Defender AV encounters ~200 million samples every month, and the typical antivirus test consists of between 100-5,000 samples. The vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. 
+
+The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests. These technologies address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that Windows Defender ATP components [catch samples that Windows Defender AV missed](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) in these industry tests, which is more representative of how effectively our security suite protects customers in the real world.
+
+Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports).
+
+![ATP](./images/wdatp-pillars2.png)
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
new file mode 100644
index 0000000000..f3974e7341
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -0,0 +1,42 @@ +--- +title: Trojan malware +description: Learn about how trojans work, deliver malware do your devices, and what you can do to protect yourself. +keywords: security, malware, protection, trojan, download, file, infection +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 08/17/2018 +--- + +# Trojans + +Trojans are a common type of malware which, unlike viruses, can’t spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them. + +Trojans often use the same file names as real and legitimate apps. It is easy to accidentally download a trojan thinking that it is a legitimate app. + +## How trojans work + +Trojans can come in many different varieties, but generally they do the following: + +- Download and install other malware, such as viruses or [worms](worms-malware.md). + +- Use the infected device for click fraud. + +- Record keystrokes and websites visited. + +- Send information about the infected device to a malicious hacker including passwords, login details for websites, and browsing history. + +- Give a malicious hacker control over the infected device. + +## How to protect against trojans + +Use the following free Microsoft software to detect and remove it: + +- [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows. + +- [Microsoft Safety Scanner](https://www.microsoft.com/wdsi/products/scanner) + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file 
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
new file mode 100644
index 0000000000..f2ed89b560
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/understanding-malware.md
@@ -0,0 +1,39 @@ +--- +title: Understanding malware & other threats +description: Learn about the different types of malware, how they work, and what you can do to protect yourself. +keywords: security, malware +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 08/17/2018 +--- +# Understanding malware & other threats + +Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your computer and ask for ransom, and more. + +Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. + +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection (Windows Defender ATP), businesses can stay protected with next-generation protection and other security capabilities. + +For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. + +There are many types of malware, including: + +- [Coin miners](coinminer-malware.md) +- [Exploits and exploit kits](exploits-malware.md) +- [Macro malware](macro-malware.md) +- [Phishing](phishing.md) +- [Ransomware](ransomware-malware.md) +- [Rootkits](rootkits-malware.md) +- [Supply chain attacks](supply-chain-malware.md) +- [Tech support scams](support-scams.md) +- [Trojans](trojans-malware.md) +- [Unwanted software](unwanted-software.md) +- [Worms](worms-malware.md) + +Keep up with the latest malware news and research. 
Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
+
+Learn more about [Windows security](https://docs.microsoft.com/en-us/windows/security/index).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
new file mode 100644
index 0000000000..bff16819a8
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -0,0 +1,60 @@ +--- +title: Unwanted software +description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself. +keywords: security, malware, protection, unwanted, software, alter, infect +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 08/17/2018 +--- +# Unwanted software + +Unwanted software are programs that alter the Windows experience without your consent or control. This can take the form of modified browsing experience, lack of control over downloads and installation, misleading messages, or unauthorized changes to Windows settings. + +## How unwanted software works + +Unwanted software can be introduced when a user searches for and downloads applications from the internet. Some applications are software bundlers, which means that they are packed with other applications. As a result, other programs can be inadvertently installed when the original application is downloaded. + +Here are some indications of unwanted software: + +- There are programs that you did not install and that may be difficult to uninstall + +- Browser features or settings have changed, and you can’t view or modify them + +- There are excessive messages about your device's health or about files and programs + +- There are ads that cannot be easily closed + +Some indicators are harder to recognize because they are less disruptive, but are still unwanted. For example, unwanted software can modify web pages to display specific ads, monitor browsing activities, or remove control of the browser. + +Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria) to identify unwanted software. 
+ +## How to protect against unwanted software + +To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites. + +Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index) (also used by Internet Explorer). + +Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. + +Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). + +### What should I do if my device is infected? + +If you suspect that you have unwanted software, you can [submit files for analysis](https://www.microsoft.com/wdsi/filesubmission). + +Some unwanted software adds uninstallation entries, which means that you can **remove them using Settings**. +1. Select the Start button +2. Go to **Settings > Apps > Apps & features**. +3. Select the app you want to uninstall, then click **Uninstall**. + +If you only recently noticed symptoms of unwanted software infection, consider sorting the apps by install date, and then uninstall the most recent apps that you did not install. + +You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome. 
+
+In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
new file mode 100644
index 0000000000..10e99ef924
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -0,0 +1,49 @@ +--- +title: Virus Information Alliance +description: Information and criteria regarding VIA +keywords: security, malware +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 07/12/2018 +--- +# Virus Information Alliance + +The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime. + +Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers. + +## Better protection for customers against malware + +The VIA program gives members access to information that will help improve protection for Microsoft customers. For example, the program provides malware telemetry and samples to security product teams to identify gaps in their protection and prioritize new threat coverage. + +Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity. + +Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers. + +## Becoming a member of VIA + +Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). 
The criteria is designed to ensure that Microsoft is able to work with security software providers, security service providers, antimalware testing organizations, and other organizations involved in the fight against cybercrime to protect a broad range of customers. + +Members will receive information to facilitate effective malware detection, deterrence, and eradication. This includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable. + +VIA has an open enrollment for potential members. + +### Initial selection criteria + +To be eligible for VIA your organization must: + +1. Be willing to sign a non-disclosure agreement with Microsoft. + +2. Fit into one of the following categories: + * Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available. + * Your organization provides security services to Microsoft customers or for Microsoft products. + * Your organization publishes antimalware testing reports on a regular basis. + * Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public. + +3. Be willing to sign and adhere to the VIA membership agreement. + +If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md new file mode 100644 index 0000000000..26f3bbce30 --- /dev/null 
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md 
@@ -0,0 +1,57 @@ +--- +title: Microsoft Virus Initiative +description: Information and criteria regarding MVI +keywords: security, malware +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 07/12/2018 +--- + +# Microsoft Virus Initiative + +The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. + +Like the [Virus Information Alliance (VIA)](virus-information-alliance-criteria.md) and the [Coordinated Malware Eradication (CME) program](coordinated-malware-eradication.md), MVI aims to share information about the threat landscape that can help your organization protect its customers. + +MVI members will receive access to Windows APIs (such as those used by Windows Defender Security Center, IOAV, AMSI and Cloud Files), malware telemetry and samples, and invitations to security related events and conferences. + +MVI adds to VIA by requiring members to develop and own antimalware technology, and to be present in the antimalware industry community. + +## Join MVI + +A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. + +The base criteria for MVI membership are the same as for VIA, but your organization must also offer an antimalware or antivirus product. + +### Initial selection criteria + +Your organization must meet the following eligibility requirements to participate in the MVI program: + +1. Offer an antimalware or antivirus product that is one of the following: + + * Your organization's own creation. + * Licensed from another organization, but your organization adds value such as additional definitions to its signatures. + * Developed by using an SDK (engine and other components) from another MVI Partner AM company and your organization adds a custom UI and/or other functionality (white box versions). + +2. 
Have your own malware research team unless you distribute a Whitebox product. + +3. Be active and have a positive reputation in the antimalware industry. Your organization is: + + * Certified through independent testing by an industry standard organization such as [ICSA Labs](https://www.icsalabs.com/), [West Coast Labs](http://www.westcoastlabs.com/), [PCSL IT Consulting Institute](https://www.pitci.net/), or [SKD Labs](http://www.skdlabs.com/html/english/). + * Be active in the antimalware industry. For example, participate in industry conferences, be reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. + +4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. + +5. Be willing to sign a program license agreement. + +6. Be willing to adhere to program requirements for AM apps. These requirements define the behavior of AM apps necessary to ensure proper interaction with Windows. + +7. Submit your AM app to Microsoft for periodic performance testing. + +### Apply to MVI + +If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md new file mode 100644 index 0000000000..f1e88eb03c --- /dev/null +++ b/windows/security/threat-protection/intelligence/worms-malware.md 
@@ -0,0 +1,48 @@ +--- +title: Worms +description: Learn about worms, how they infect devices, and what you can do to protect yourself. +keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +ms.date: 08/17/2018 +--- + +# Worms + +A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities. + +## How worms work + +Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. + +Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software. Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics. + +* **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page. + +* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues. 
+ +* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. + +Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. + +* [**WannaCrypt**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware). + +This image shows how a worm can quickly spread through a shared USB drive. + +![Worm example](./images/WormUSB_flight.png) + +### *Figure worm spreading from a shared USB drive* + +## How to protect against worms + +Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. + +Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista. + +In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). + +For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index e786911e28..18ed7cdaff 100644 
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -8,6 +8,7 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 ms.sitesec: library
 ms.date: 04/19/2017
+ms.localizationpriority: medium
 ---
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index f9f2c541a5..6095365e62 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -10,6 +10,7 @@ ms.pagetype: security, devices
 author: arnaudjumelet
 ms.date: 10/13/2017
+ms.localizationpriority: medium
 ---
 # Control the health of Windows 10-based devices
@@ -366,7 +367,7 @@ The following table details the hardware requirements for both virtualization-ba

          Trusted Platform Module (TPM)

          -

          Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported; TPM 1.2 is also supported beginnning with Windows 10, version 1703.

          +

          Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)

          diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
index 57d0ce525d..c8c5edd48a 100644
--- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
+++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
index adc562d497..00f750f49c 100644
--- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index 7da0245da9..c86030f41b 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index c0380358d5..b85e285e97 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- @@ -25,8 +26,8 @@ The following topics provide a discussion of each policy setting's implementatio | Topic | Description | | - | - | -| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. | | [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. | +| [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. | | [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. |   ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 73c16a319d..1023c1e03f 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md 
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md
index 28bda81eec..6108d6b607 100644
--- a/windows/security/threat-protection/security-policy-settings/account-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/account-policies.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
index 9328293eb5..69c08ad276 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/01/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index 8a75825556..8a72fe5f92 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/10/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
index 6025b06bc7..7f99611e70 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
index a46b765862..be82562767 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
index a37109ddc4..ddb53a6141 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
index e4c76cf159..a40ed288a9 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
index 9703104c06..13a891b6a7 100644
--- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
+++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
index a784ec1b27..723fd057b5 100644
--- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
index 19363b3e59..b84c11a4b2 100644
--- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
+++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
index d8074abc4f..ef91abb02b 100644
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -80,7 +81,7 @@ Over time, new ways to manage security policy settings have been introduced, whi

          Software Restriction Policies

          -

          See [Administer Software Restriction Policies](http://technet.microsoft.com/library/hh994606.aspx).

          +

          See [Administer Software Restriction Policies](https://technet.microsoft.com/library/hh994606.aspx).

          Gpedit.msc

          Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.

          @@ -135,7 +136,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl ## Using the Security Configuration Wizard -The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. +The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles. For example, a server might be a file server, a print server, or a domain controller. The following are considerations for using SCW: 
@@ -158,13 +159,13 @@ The SCW can be accessed through Server Manager or by running scw.exe. The wizard The Security Policy Wizard configures services and network security based on the server’s role, as well as configures auditing and registry settings. -For more information about SCW, including procedures, see [Security Configuration Wizard](http://technet.microsoft.com/library/cc754997.aspx). +For more information about SCW, including procedures, see [Security Configuration Wizard](https://technet.microsoft.com/library/cc754997.aspx). ## Working with the Security Configuration Manager The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. -For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](http://technet.microsoft.com/library/cc758219(WS.10).aspx). +For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://technet.microsoft.com/library/cc758219(WS.10).aspx). The following table lists the features of the Security Configuration Manager. 
@@ -212,7 +213,7 @@ The state of the operating system and apps on a device is dynamic. For example, Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. -Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security +Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. ### Security configuration @@ -282,7 +283,7 @@ If you modify the security settings on your local device by using the local secu ### Using the Security Configuration Manager -For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](http://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about: +For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about: - [Applying security settings](#bkmk-applysecsettings) - [Importing and exporting security templates](#bkmk-impexpsectmpl) 
@@ -306,7 +307,7 @@ For security settings that are defined by more than one policy, the following or 3. Site Policy 4. Local computer Policy -For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override +For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. > **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order. For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
index 7dc894bdc7..6b377b9dfa 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -50,7 +51,7 @@ By default, the members of the following groups have this right on domain contro ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment +Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment ### Default values
diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
index f03676f04f..f2aff6558e 100644
--- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index edf83067c0..63c0113000 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
index 88fb383f82..32b6e39da1 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
index 1bf9663ec0..321a577f5e 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md
index 9dedcad594..e0330e6edf 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
index fd3dfb48ce..5b63d093b8 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
index e35bdba108..5c444a35f5 100644
--- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
index 27869c656f..142040f18f 100644
--- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
+++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
index 6d8bbb9216..4536e9d634 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
index 3ea2370308..c9d0ba95b7 100644
--- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
+++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
index 6970d1da6a..f1bfda3737 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
index d8fb3590da..f19009955d 100644
--- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
+++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
index b8a4c7c248..f89ff1f37f 100644
--- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
index e934ed4cd0..4cff161fe5 100644
--- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
index 25890fd436..73ae7b6fc0 100644
--- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
+++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index f59c6c8bcd..f8daf37229 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
index 1fb8892b80..e88c9397bb 100644
--- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
+++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md
@@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft - ms.date: 04/19/2017 ---
diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md
index 2859c4bbe7..5bd7b3951b 100644
--- a/windows/security/threat-protection/security-policy-settings/debug-programs.md
+++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index 7f442354a9..659f95a2b8 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
index de37314441..8d227032ee 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
index ed2f25dd74..156963e0e5 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
index 66f3796a26..8db35c7d85 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
index b04d06b392..092ab076ff 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
index 9ec5cd6013..88275821af 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
index 0fb15e5558..4994799f27 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
index 2f97023f61..e41c0c5067 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
index 23b2d882a6..b15160364d 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
index c3738380c8..2a3bb79a6f 100644
--- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
+++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
index 7d02b9d124..66bdcc3368 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
index 2528f5af05..f138f45684 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 6dd76544ba..f6e9ee94a1 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
index 8a661f02cc..4f45c4dc2d 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
index c1502c4e4a..70d087e8d7 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
index e9fb1c3dc5..4ca8bd53b8 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
index c6a7699292..e54ec081e3 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
index c9cb9862fb..78d2942171 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 05/31/2018
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
index 16f9f08ed7..a07c07bfbc 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
index 42a984338a..8f0fbcb870 100644
--- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
+++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
index de7e1af7ba..085a3a3c54 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
index e01fcbf962..5b79cc17d6 100644
--- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
+++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
index 29afe2f595..07d249dcd0 100644
--- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
+++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
index 6f88087bae..b74521a317 100644
--- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
+++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 17b8bfcec6..7653e023d7 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
index 31ab10b629..e07c18c86d 100644
--- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
index 34706bd79f..7ce527ad66 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
index 871e2e7d7f..1ae321bd87 100644
--- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
+++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 07/13/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index 6efa45a50a..897e2f2549 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -66,7 +67,7 @@ Clients that run Windows 10 version 1607 will not show details on the sign-in sc If the **Privacy** setting is turned on, details will show. The **Privacy** setting cannot be changed for clients in bulk.
-Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
+Instead, apply [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
 Clients that run later versions of Windows 10 do not require a hotfix. There are related Group Policy settings:
@@ -83,7 +84,7 @@ If **Block user from showing account details on sign-in** is enabled, then only Users will not be able to show details. If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
-In this case, clients that run Windows 10 version 1607 need [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied.
+In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied.
 Users will not be able to hide additional details. If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
index 30ac4426eb..e3afc8ee01 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
index a0e2d4207d..e39fec421b 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
index cf495671ea..dd30bc56ba 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
index b2dfa5f7dc..babebadd11 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index f3cadccfc5..fa9637e81f 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -6,8 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 09/18/2018
 ---
 
 # Interactive logon: Machine inactivity limit
@@ -25,7 +26,7 @@ Beginning with Windows Server 2012 and Windows 8, Windows detects user-input ina The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours).
-If no value (blank) or zero (0) is present in the **Machine will be locked after** input field, then the policy setting is disabled and no action is taken on user-input inactivity for the session.
+If **Machine will be locked after** is set to zero (0) or has no value (blank), the policy setting is disabled and a user sign-in session is never locked after any inactivity.
 ### Best practices
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
index 3134a03c07..fb7ddb1250 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
index 1e37715589..e98f13cc83 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index 6b8b3f2fad..403f7249a8 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -6,8 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 08/27/2018
 ---
 
 # Interactive logon: Number of previous logons to cache (in case domain controller is not available)
@@ -41,7 +42,7 @@ encrypting the information and keeping the cached credentials in the system's re ### Best practices
-It is advisable to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 0. Setting this value to 0 disables the local caching of logon information. Additional countermeasures include enforcing strong password policies and physically securing the computers. If the value is set to 0, users will be unable to log on to any computers if there is no domain controller available to authenticate them. Organizations might want to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 2 for end-user systems, especially for mobile users. Setting this value to 2 means that the user's logon information will still be in the cache even if a member of the IT department has recently logged on to their device to perform system maintenance. This way, those users will be able to log on to their devices when they are not connected to the corporate network.
+The [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) do not recommend configuring this setting.
 ### Location
@@ -56,7 +57,7 @@ The following table lists the actual and effective default values for this polic
 | Default Domain Policy| Not defined|
 | Default Domain Controller Policy | Not defined|
 | Stand-Alone Server Default Settings | 10 logons|
-| DC Effective Default Settings | 10 logons|
+| DC Effective Default Settings | No effect|
 | Member Server Effective Default Settings | 10 logons|
 | Client Computer Effective Default Settings| 10 logons|
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
index b32948c986..da69589771 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
index 19bfe5c981..b7dd20ed15 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
index eafc069b2f..42081cd402 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
index 3540a9f09f..636bd2ec6f 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
index 3d1366b626..ac070c7702 100644
--- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
index fdc92d8744..75fb5939bd 100644
--- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
+++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
index b95d2d4210..4e94af24de 100644
--- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
+++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index 6669963069..1636ce5414 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
index 602b204581..57568063b4 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
index 8a2d799d66..b49be1c41c 100644
--- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
+++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
index 087dc4ed6c..84ae8e5274 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
index 09d483458c..f1397bc889 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
index 218c85c6c7..412af6ec04 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
index 7057705ad8..0cd52584a2 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
index b8541be161..cf13ab2714 100644
--- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
+++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index 779be1af43..14202023a8 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: justinha
 ms.date: 06/28/2018
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
index 55e4e0410e..7427a0898e 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
index bed0312e47..72ceae633e 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
index 082fce0199..ac82806b49 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
index 740aad436d..cd24f66c87 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 06/21/2018
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
index 2efe7661e7..f966580dff 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
index febb391d27..e5b6a658ce 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index a21530fb60..6028668431 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -19,7 +20,7 @@ Describes the best practices, location, values, policy management, and security
 ## Reference
-The **Minimum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If [Maximum password age](maximum-password-age.md) is between 1 and 999 days, the minimum password age must be less than the maximum password age. If Maximum password age is set to 0, **Minimum password age** can be any value between 0 and 998 days.
+The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
 ### Possible values
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index 91b22ce8ae..9a65820d67 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
index 9bc859d8ef..da8d2ab5cf 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
index 1ea9cb284b..f4abcd62e5 100644
--- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
+++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
index b684158c99..f18bfcb85a 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index b56cb79eab..ed0c582609 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 8a24119ceb..dba5ef3e9d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft - ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 7c017c5b0c..6ca86aeb84 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
index 0b5d5d3df4..d767ea7088 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
index 4db7cdc5d5..d99e3aded9 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
index cfec2fafb7..eafe932536 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
index 0297e485f5..0207f7e66b 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
index 9a858f2da5..fce80319bb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index b672362f53..1ad7ec6aeb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -6,8 +6,9 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +ms.localizationpriority: medium author: justinha -ms.date: 07/27/2017 +ms.date: 09/17/2018 --- # Network access: Restrict clients allowed to make remote calls to SAM @@ -129,7 +130,7 @@ Compare the security context attempting to remotely enumerate accounts with the ### Event Throttling A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value. -|Registry Path|System\CurrentControlSet\Control\Lsa\ +|Registry Path|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ | |---|---| Setting |RestrictRemoteSamEventThrottlingWindow| Data Type |DWORD| 
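Review bot: The added `ms.localizationpriority: medium` in the front-matter hunk of network-access-restrict-clients-allowed-to-make-remote-sam-calls.md duplicates the identical line that is already present as context directly above it, so the new front matter carries the same YAML key twice. Depending on the front-matter parser, a repeated key is either rejected or silently resolved last-wins, and in either case it is noise that later bulk edits will compound. Drop the added line and keep only the existing one. The second hunk's change of the Registry Path cell to the `HKEY_LOCAL_MACHINE`-rooted path is fine and makes the hive explicit.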
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
index b5e5008271..aa5c1ab5dd 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
index 3674843d0e..a6a303f5bf 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
index e2e72db46d..e5215a392c 100644
--- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
index a962ec3cc3..27d191495c 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -26,7 +27,7 @@ When a service connects with the device identity, signing and encryption are sup ### Possible values | Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 | -| - | - | +| - | - | - | | Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | | Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.| |Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index da0ccc7bb9..21de9aeec4 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 04/19/2017 --- 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 77d4038a3d..be635dcfef 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index c4dd4a08f4..3874bf7655 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -21,18 +22,18 @@ Describes the best practices, location, values and security considerations for t This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it is not selected, the encryption type will not be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted. -For more information, see [article 977321](http://support.microsoft.com/kb/977321) in the Microsoft Knowledge Base. +For more information, see [article 977321](https://support.microsoft.com/kb/977321) in the Microsoft Knowledge Base. The following table lists and explains the allowed encryption types. | Encryption type | Description and version support | | - | - | -| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
          Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES| by default. +| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
          Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES| by default. | DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
          Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. | -| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
          Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.| +| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
          Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.| | AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
          Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | | AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
          Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | -| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.| +| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|   ### Possible values @@ -59,12 +60,12 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec ### Default values | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy| Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.| -| Member server effective default settings | None of these encryption types that are available in this policy are allowed.| -| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.| +| Default domain policy| Not defined| +| Default domain controller policy| Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.| +| Member server effective default settings | None of these encryption types that are available in this policy are allowed.| +| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.|   ## Security considerations 
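Review bot: The rewritten DES_CBC_CRC row of the encryption-type table still carries the misplaced cell separator `do not support DES| by default.`, so the new side reproduces the broken row rather than fixing it: the pipe closes the description cell early and leaves `by default.` dangling outside the row, while the sibling DES_CBC_MD5 row correctly ends `do not support DES by default. |`. Since the commit already touches this line, move the pipe to the end: `The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. |`. The rest of the hunk (the `https` link fix and the trailing-whitespace changes in the defaults table) is fine.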
@@ -72,7 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat
 ### Vulnerability
-Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running
+Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running
 Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008.
 ### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
index a33fcc6cfe..42f411a872 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
index 572d2ac031..3b064f6908 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index f4ae3d7ec6..1b73389dbb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -55,10 +56,14 @@ authentication level that servers accept. The following table identifies the pol
 - Best practices are dependent on your specific security and authentication requirements.
-### Location
+### Policy Location
 Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+### Registry Location
+
+HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+
 ### Default values
 The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
index f22f62b0b2..428b113fe1 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
index fd7b375759..94cd2f2a3b 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 07/27/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
index a1a72b97d9..2b4aa59ac0 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
index 943d99b774..b3724d05f6 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
index 2a7f3ce456..e3a706d5e9 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
index de492a6900..9007808fc8 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
index 08335febc9..588e68efbb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
index 841ed44541..1fdac0f27c 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
index cbef99d80f..6751800e93 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
index 59346ccb54..c5a14b24b3 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index bb0ef8c128..bfdf5f299a 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/08/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index c4974cf71c..49e90f010b 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
index c382fb66e7..2eee65e68b 100644
--- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
+++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
index 5fbb3b3076..90776ad589 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
index fa2a4609bc..9b538889f1 100644
--- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
+++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
index 1f8dabdc28..ad5a2f6f14 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
index 55fea42ddb..a513560166 100644
--- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
+++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
index c25cf8e2ba..43278adbbf 100644
--- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
+++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
index f002ef3118..afebd10193 100644
--- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
+++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index 13163b2d93..e735885b8d 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
index 856437c766..3b09600257 100644
--- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
+++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
index 09c52294bb..ef50b18745 100644
--- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md
index b4d90dc74c..8a6cd11350 100644
--- a/windows/security/threat-protection/security-policy-settings/security-options.md
+++ b/windows/security/threat-protection/security-policy-settings/security-options.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: justinha
 ms.date: 06/28/2018
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
index 36c19f08f0..051808cb85 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 4f24fe003a..6711b70593 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
index 3c7cbedb11..ef46b8301e 100644
--- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
+++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
index ef32c15b9a..b74494656b 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
index 8458d32a52..12b6755312 100644
--- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
+++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/01/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
index c8cb5783ba..988d211159 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 06/19/2018
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
index 707cdf82c8..16cffebd8d 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md
@@ -6,8 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
-
 ms.date: 06/19/2018
 ---
 # SMBv1 Microsoft network client: Digitally sign communications (if server agrees)
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
index cff5d35423..8e2cdd2740 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 06/19/201
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
index 637fa2d2a5..654a737d1a 100644
--- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 06/19/2018
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
index 6b0bae4976..d7c75a3d4f 100644
--- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
+++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
index 740d9d0593..16c68a6929 100644
--- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
+++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
index 7e9d1f3acd..0398bbbc89 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index 18de1ae022..bba7a2624e 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/29/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
index 6f5095b542..7e0ca59069 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
index e1466cb95c..c5de4856e1 100644
--- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
index c82b0dffa3..c81039c024 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
index 7bc764769a..63c46fc928 100644
--- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
+++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
index 50ee559766..ffa2941137 100644
--- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
index 827068144d..fa31fb16e4 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/08/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
index ce00295661..64449e0bec 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
index 41a9379d1f..27cfc0dcfb 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md
@@ -6,6 +6,7 @@ ms.prod: ws10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/08/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index 866d8ae86d..b8620f41a5 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
index ab6b837747..de3df48df1 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
index 6d75c0225d..54ad96d58f 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
index a56e37647a..80a4e5f969 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
index 1a79e80070..0e931e969d 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
index 2b87555ed9..40cce0498e 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
index 7fba0a0991..d6ba8a9479 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 249e7ff426..931d388344 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index e42efc4ec8..61a5bb0ce0 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -8,6 +8,7 @@ ms.sitesec: library ms.pagetype: security author: tedhardyMSFT ms.date: 02/16/2018 +ms.localizationpriority: medium --- # Use Windows Event Forwarding to help with intrusion detection @@ -19,7 +20,7 @@ Learn about an approach to collect events from devices in your organization. Thi Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server. -To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The +To accomplish this, there are two different of subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis. 
@@ -73,7 +74,7 @@ WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and sen ### How is client progress tracked? -The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a +The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. ### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment? 
@@ -96,7 +97,7 @@ When the event log overwrites existing events (resulting in data loss if the dev ### What format is used for forwarded events? -WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is +WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility: 
@@ -108,7 +109,7 @@ Wecutil ss “testSubscription” /cf:Events ### How frequently are WEF events delivered? -Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Ciewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. +Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. This table outlines the built-in delivery options: 
@@ -118,7 +119,7 @@ This table outlines the built-in delivery options: | Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | | Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. |   -For more info about delivery options, see [Configure Advanced Subscription Settings](http://technet.microsoft.com/library/cc749167.aspx). +For more info about delivery options, see [Configure Advanced Subscription Settings](https://technet.microsoft.com/library/cc749167.aspx). The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements you can set Custom event delivery options for a given subscription from an elevated command prompt: @@ -640,15 +641,15 @@ Here are the minimum steps for WEF to operate: - + ``` ## Appendix G - Online resources You can get more info with the following links: -- [Event Selection](http://msdn.microsoft.com/library/aa385231.aspx) -- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427.aspx) -- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) -- [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) +- [Event Selection](https://msdn.microsoft.com/library/aa385231.aspx) +- [Event Queries and Event XML](https://msdn.microsoft.com/library/bb399427.aspx) +- [Event Query Schema](https://msdn.microsoft.com/library/aa385760.aspx) +- [Windows Event Collector](https://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) 
diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md index 6e8c26d829..b07e349659 100644 --- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md @@ -13,7 +13,7 @@ ms.date: 07/27/2017 --- # WannaCrypt ransomware worm targets out-of-date systems - + On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) if they have not already done so. 
@@ -30,10 +30,10 @@ WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetsto The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack. We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware: - + - Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit - Infection through SMB exploit when an unpatched computer is addressable from other infected machines - + ## Dropper The threat arrives as a dropper Trojan that has the following two components: 
@@ -42,14 +42,14 @@ The threat arrives as a dropper Trojan that has the following two components: 2. The ransomware known as WannaCrypt The dropper tries to connect the following domains using the API `InternetOpenUrlA()`: - + - www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com - www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com - + If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system. In other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80. - + ![Connection information from WannaCrypt code](images/wanna1.png) The threat creates a service named *mssecsvc2.0*, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system: @@ -58,7 +58,7 @@ Service Name: mssecsvc2.0 Service Description: (Microsoft Security Center (2.0) Service) Service Parameters: '-m security' ``` - + ![Mssecsvc2.0 process details](images/wanna2.png) ## WannaCrypt ransomware 
@@ -66,16 +66,16 @@ Service Parameters: '-m security' The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is 'WNcry@2ol7'. When run, WannaCrypt creates the following registry keys: - + - *HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\\ = '\\tasksche.exe'* - *HKLM\SOFTWARE\WanaCrypt0r\\wd = '\'* - + It changes the wallpaper to a ransom message by modifying the following registry key: - + - *HKCU\Control Panel\Desktop\Wallpaper: '\\\@WanaDecryptor@.bmp'* - + It creates the following files in the malware's working directory: - + - *00000000.eky* - *00000000.pky* - *00000000.res* 
@@ -131,13 +131,13 @@ It creates the following files in the malware's working directory: - *taskdl.exe* - *taskse.exe* - *u.wnry* - + WannaCrypt may also create the following files: - + - *%SystemRoot%\tasksche.exe* - *%SystemDrive%\intel\\\\tasksche.exe* - *%ProgramData%\\\\tasksche.exe* - + It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '\tasksche.exe'`. It then searches the whole computer for any file with any of the following file name extensions: *.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der' , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.* 
@@ -152,15 +152,15 @@ After completing the encryption process, the malware deletes the volume shadow c It then replaces the desktop background image with the following message: ![Example background image of WannaCrypt](images/wanna3.png) - + It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer: - + ![Screenshot of WannaCrypt ransom notice](images/wanna4.png) The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese. The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files. - + ![Screenshot of decryption window](images/wanna5.png) ## Spreading capability 
@@ -168,15 +168,15 @@ The ransomware also demonstrates the decryption capability by allowing the user The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below. ![Spreading scanning activity](images/wanna6.png) - + The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers. When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems. - + ![Kernel-level shellcode used by WannaCrypt](images/wanna7.png) ![Kernel-level shellcode used by WannaCrypt](images/wanna8.png) - + ## Protection against the WannaCrypt attack To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/en-us/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. 
@@ -185,20 +185,20 @@ We recommend customers that have not yet installed the security update [MS17-010 - Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/) - Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445 - + [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats. For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running. Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware. -Monitor networks with [Windows Defender Advanced Threat Protection](http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/en-us/download/details.aspx?id=55090). 
+Monitor networks with [Windows Defender Advanced Threat Protection](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/en-us/download/details.aspx?id=55090). ## Resources Download English language security updates: [Windows Server 2003 SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows Server 2003 SP2 x86,](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe) [Windows XP SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows XP SP3 x86](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe), [Windows XP Embedded SP3 x86](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe), [Windows 8 x86,](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu) [Windows 8 x64](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu) -Download localized language security updates: [Windows Server 2003 SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 
x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0) +Download localized language security updates: [Windows Server 2003 SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0) MS17-010 Security Update: [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) 
@@ -209,12 +209,12 @@ General information on ransomware: [https://www.microsoft.com/en-us/security/por ## Indicators of compromise SHA1 of samples analyzed: - + - 51e4307093f8ca8854359c0ac882ddca427a813c - e889544aff85ffaf8b0d0da705105dee7c97fe26 - + Files created: - + - %SystemRoot%\mssecsvc.exe - %SystemRoot%\tasksche.exe - %SystemRoot%\qeriuwjhrf @@ -240,12 +240,12 @@ Files created: - Taskse.exe - Files with '.wnry' extension - Files with '.WNCRY' extension - + Registry keys created: - + - HKLM\SOFTWARE\WanaCrypt0r\wd - - - + + + *Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya*
          *Microsoft Malware Protection Center* - + diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index 1abe679c9e..3e0f5269e9 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md 
@@ -17,13 +17,13 @@ ms.date: 10/13/2017 >This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security. -Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data. +Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data. Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include: -- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods. +- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. 
Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods. - **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps. -- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices. +- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices. -This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware. +This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware. **In this article:** - Windows Hello for Business 
@@ -32,25 +32,25 @@ This guide helps IT administrators better understand the security features in Wi ## Windows Hello -Windows 10 Mobile includes Windows Hello, a simple, yet powerful, multifactor authentication solution that confirms a user’s identity before allowing access to corporate confidential information and resources. Multifactor authentication is a more secure alternative to password-based device security. Users dislike having to enter long, complex passwords – particularly on a mobile device touch screen – that corporate policy requires they change frequently. This leads to poor security practices like password reuse, written down passwords, or weak password creation. +Windows 10 Mobile includes Windows Hello, a simple, yet powerful, multifactor authentication solution that confirms a user’s identity before allowing access to corporate confidential information and resources. Multifactor authentication is a more secure alternative to password-based device security. Users dislike having to enter long, complex passwords – particularly on a mobile device touch screen – that corporate policy requires they change frequently. This leads to poor security practices like password reuse, written down passwords, or weak password creation. -Windows Hello offers a simple, cost-effective way to deploy multifactor authentication across your organization. Unlike smart cards, it does not require public key infrastructure or the implementation of additional hardware. Workers use a PIN, a companion device (like Microsoft Band), or biometrics to validate their identity for accessing corporate resources on their Azure Active Directory (Azure AD) registered Windows 10 Mobile device. +Windows Hello offers a simple, cost-effective way to deploy multifactor authentication across your organization. Unlike smart cards, it does not require public key infrastructure or the implementation of additional hardware. 
Workers use a PIN, a companion device (like Microsoft Band), or biometrics to validate their identity for accessing corporate resources on their Azure Active Directory (Azure AD) registered Windows 10 Mobile device. Because Windows Hello is supported across all Windows 10 devices, organizations can uniformly implement multifactor authentication across their environment. Deploying Windows Hello on Windows 10 Mobile devices does require Azure AD (sold separately), but you can use Azure AD Connect to synchronize with your on-premises Active Directory services. -Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors. +Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors. ->**Note:** When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. +>**Note:** When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. 
### Secured credentials -Windows Hello eliminates the use of passwords for login, reducing the risk that an attacker will steal and reuse a user’s credentials. Windows 10 Mobile devices are required to have a Trusted Platform Module (TPM), a microchip that enables advanced security features. The TPM creates encryption keys that are “wrapped” with the TPM’s own storage root key, which is itself stored within the TPM to prevent credentials from being compromised. Encryption keys created by the TPM can only be decrypted by the same TPM, which protects the key material from attackers who want to capture and reuse it. +Windows Hello eliminates the use of passwords for login, reducing the risk that an attacker will steal and reuse a user’s credentials. Windows 10 Mobile devices are required to have a Trusted Platform Module (TPM), a microchip that enables advanced security features. The TPM creates encryption keys that are “wrapped” with the TPM’s own storage root key, which is itself stored within the TPM to prevent credentials from being compromised. Encryption keys created by the TPM can only be decrypted by the same TPM, which protects the key material from attackers who want to capture and reuse it. To compromise Windows Hello credentials, an attacker would need access to the physical device, and then find a way to spoof the user’s biometric identity or guess his or her PIN. All of this would have to be accomplished before TPM brute-force resistance capabilities lock the mobile device, the theft-protection mechanism kicks in, or the user or corporate administrator remotely wipes the device. With TPM-based protection, an attacker’s window of opportunity for compromising a user’s credentials is greatly reduced. ### Support for biometrics -Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. 
Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password. +Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password. Windows Hello supports three biometric sensor scenarios: - **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology. 
@@ -71,9 +71,9 @@ A Windows Hello companion device enables a physical device, like a wearable, to In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the user’s credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2). -### Standards-based approach +### Standards-based approach -The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms. +The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms. In 2014, Microsoft joined the board of the FIDO Alliance. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). 
The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for both enterprises and consumers. 
@@ -81,7 +81,7 @@ In 2014, Microsoft joined the board of the FIDO Alliance. The FIDO 1.0 specifica Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This fluidity increases the potential for sensitive corporate data to be accidentally compromised. -Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity. +Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity. Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. 
Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include: - Automatically tag personal and corporate data. 
@@ -89,13 +89,13 @@ Windows 10 Mobile includes Windows Information Protection to transparently keep - Control which apps can access corporate data. - Control which apps can access a virtual private network (VPN) connection. - Prevent users from copying corporate data to public locations. -- Help ensure business data is inaccessible when the device is in a locked state. +- Help ensure business data is inaccessible when the device is in a locked state. ### Enlightened apps Third-party data loss protection solutions usually require developers to wrap their apps. However, Windows Information Protection builds this intelligence right into Windows 10 Mobile so most apps require nothing extra to prevent inappropriate corporate data sharing. -Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. +Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. 
When you do not want all data encrypted by default – because it would create a poor user experience – developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that: - Don’t use common controls for saving files. @@ -104,14 +104,14 @@ When you do not want all data encrypted by default – because it would create a In many cases, most apps don’t require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data. -**When is app enlightenment required?** -- **Required** +**When is app enlightenment required?** +- **Required** - App needs to work with both personal and enterprise data. -- **Recommended** +- **Recommended** - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps. - App needs to access enterprise data, while protection under lock is activated. - **Not required** - - App handles only corporate data + - App handles only corporate data - App handles only personal data ### Data leakage control 
@@ -130,17 +130,17 @@ The extent to which users will be prevented from copying and pasting data from a Most third-party solutions require an app wrapper that directs enterprise data into a password-protected container and keeps personal data outside the container. Depending on the implementation, this may require two different versions of the same apps to be running on the device: one for personal data and another for enterprise data. -Windows Information Protection provides data separation without requiring a container or special version of an app to access business or personal data. There is no separate login required to see your corporate data or open your corporate applications. Windows Information Protection identifies enterprise data and encrypts it to only enterprise use. Data separation is automatic and seamless. +Windows Information Protection provides data separation without requiring a container or special version of an app to access business or personal data. There is no separate login required to see your corporate data or open your corporate applications. Windows Information Protection identifies enterprise data and encrypts it to only enterprise use. Data separation is automatic and seamless. ### Encryption Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored – even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device. 
You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices. -- Cryptography +- Cryptography - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled. - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections. -- BitLocker +- BitLocker - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one. To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello. 
@@ -218,7 +218,7 @@ UEFI can run internal integrity checks that verify the firmware’s digital sign When a mobile device with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that no one has modified it after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing. -All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx) +All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx) ### Trusted Platform Module 
@@ -264,7 +264,7 @@ In earlier versions of Windows, the biggest challenge with rootkits and bootkits Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks. -Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health. +Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health. ### Device Health Attestation 
@@ -327,7 +327,7 @@ You cannot configure CFG; rather, an application developer can take advantage of ### Protected Processes -Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required. +Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required. If malware is running on a system, you need to limit what it can do Protected Processes prevents untrusted processes from tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with and therefore attacking more trusted processes. Windows 10 Mobile uses Protected Processes broadly throughout the operating system. ### AppContainer 
@@ -352,13 +352,13 @@ The combination of Device Guard and AppContainer help to prevent unauthorized ap The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways: -- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. +- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. - **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. - **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design. ## Summary -Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper – multifactor authentication, data separation, and malware resistance – are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace. 
+Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper – multifactor authentication, data separation, and malware resistance – are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace. ## Revision History diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index d0e001795a..2e776ea30d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -1,6 +1,6 @@ --- -title: Collect diagnostic data for Update Compliance and Windows Defender AV -description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender AV Assessment add in +title: Collect diagnostic data for Update Compliance and Windows Defender Windows Defender Antivirus +description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender Antivirus Assessment add in keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -11,23 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/12/2017 +ms.date: 09/03/2018 --- # Collect Update Compliance diagnostic data for Windows Defender AV Assessment **Applies to:** -- Windows 10 - -**Audience** - -- IT administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. -Before attempting this process, ensure you have read the [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md) topic, met all require pre-requisites, and taken any other suggested troubleshooting steps. - +Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require pre-requisites, and taken any other suggested troubleshooting steps. 1. On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process: 
@@ -57,21 +52,17 @@ Before attempting this process, ensure you have read the [Troubleshoot Windows D 3. Send an email using the Update Compliance support email template, and fill out the template with the following information: - ``` - I am encountering the following issue when using Windows Defender AV in Update Compliance: + I am encountering the following issue when using Windows Defender Antivirus in Update Compliance: I have provided at least 2 support .cab files at the following location: - My OMS workspace ID is: + My OMS workspace ID is: - Please contact me at: + Please contact me at: ``` - - - ## Related topics -- [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md) +- [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 16ef07c3fd..5544020384 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Use the command line to manage Windows Defender AV -description: Windows Defender AV has a dedicated command-line utility that can run scans and configure protection. +title: Use the command line to manage Windows Defender Antivirus +description: Run Windows Defender Antivirus scans and configure next gen protection with a dedicated command-line utility. keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -11,31 +11,24 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- - -# Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus +# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +You can perform various Windows Defender Antivirus functions with the dedicated command-line tool mpcmdrun.exe. -- Enterprise security administrators +This utility can be useful when you want to automate Windows Defender Antivirus use. - -You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus. - -This utility can be useful when you want to automate the use of Windows Defender Antivirus. - -The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt. +You can find the utility in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_. You must run it from a command prompt. > [!NOTE] > You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. - The utility has the following commands: ```DOS @@ -55,12 +48,7 @@ Command | Description \-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md) \-SignatureUpdate [-UNC [-Path ]] | Checks for new definition updates - - - ## Related topics - [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - - 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 09fefe72e5..c11220d5fc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Manage Windows Defender AV in your business +title: Manage Windows Defender in your business description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line to manage Windows Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh 
@@ -11,36 +11,32 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 03/01/2018 +ms.date: 09/03/2018 --- -# Manage Windows Defender AV in your business +# Manage Windows Defender Antivirus in your business **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can manage and configure Windows Defender Antivirus with the following tools: +- Microsoft Intune +- System Center Configuration Manager - Group Policy -- System Center Configuration Manager and Microsoft Intune - PowerShell cmdlets - Windows Management Instruction (WMI) - The mpcmdrun.exe utility -The topics in this section provide further information, links, and resources for using these tools in conjunction with Windows Defender AV. +The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus. 
## In this section -Topic | Description +Topic | Description ---|--- -[Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in the Windows 10, version 1703 ADMX templates -[Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)|Information on using System Center Configuration Manager and Microsoft Intune to deploy, manage, report, and configure Windows Defender AV -[Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions on using PowerShell cmdlets in the Defender Module and links to documentation for all cmdlets and allowed parameters -[Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)| Instructions on using WMI to manage Windows Defender AV and links to documentation for the Windows Defender WMIv2 APIs (including all classes, methods, and properties) -[Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender AV - +[Manage Windows Defender Antivirus with Microsoft Intune and System Center Configuration Manager](use-intune-config-manager-windows-defender-antivirus.md)|Information about using Intune and System Center Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus +[Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates +[Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions for using PowerShell 
cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters +[Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-windows-defender-antivirus.md)| Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) +[Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 77cc805406..59c2b970da 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md 
@@ -11,42 +11,37 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 10/02/2018 --- -# Configure scanning options in Windows Defender AV +# Configure Windows Defender Antivirus scanning options +**Applies to:** -**Applies to** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +**Use Microsoft Intune to configure scanning options** -- Enterprise security administrators +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Manageability available with** + -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune +**Use Configuration Manager to configure scanning options:** +See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). + +**Use Group Policy to configure scanning options** To configure the Group Policy settings described in the following table: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - -For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx). +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class ---|---|---|--- 
@@ -60,25 +55,27 @@ Scan removable drives during full scans only | Scan > Scan removable drives | Di Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available + Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available + +>[!NOTE] +>By default, quick scans run on mounted removable devices, such as USB drives. -**Use Configuration Manager to configure scanning options:** +**Use PowerShell to configure scanning options** -See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). +See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +**Use WMI to configure scanning options** -**Use Microsoft Intune to configure scanning options** +For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx). 
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - - - - ### Email scanning limitations + We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails. -You can use this Group Policy to also enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated: +You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated: + - DBX - MBX - MIME 
@@ -86,17 +83,19 @@ You can use this Group Policy to also enable scanning of older email files used PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: -- Email subject -- Attachment name + +- Email subject +- Attachment name >[!WARNING] >There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: -- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) -- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) +> +> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) +> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) ## Related topics -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md) -- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus 
scans](run-scan-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index d5bdf282dc..eccace7a35 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -11,27 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/02/2018 +ms.date: 09/03/2018 --- -# Enable the Block at First Sight feature +# Enable block at first sight -**Applies to** +**Applies to:** -- Windows 10, version 1703 and later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Intune -- Group Policy -- Windows Defender Security Center app - - -Block at first sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. +Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds. It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled. 
@@ -40,128 +29,117 @@ You can [specify how long the file should be prevented from running](configure-c You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. > [!IMPORTANT] -> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. - +> There is no specific individual setting in System Center Configuration Manager to enable or disable block at first sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. ## How it works -When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. +When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. 
-In Windows 10, version 1803, the Block at First Sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -The Block at First Sight feature only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. +Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. -If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe. +If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. -In many cases this process can reduce the response time for new malware from hours to seconds. +In many cases, this process can reduce the response time for new malware from hours to seconds. 
+## Confirm and validate that block at first sight is enabled -## Confirm and validate Block at First Sight is enabled +Block at first sight requires a number of Group Policy settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments. -Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks. - -### Confirm Block at First Sight is enabled with Intune +### Confirm block at first sight is enabled with Intune 1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. - > [!NOTE] - > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. +> [!NOTE] +> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. 2. Verify these settings are configured as follows: - - **Cloud-delivered protection**: **Enable** - - **File Blocking Level**: **High** - - **Time extension for file scanning by the cloud**: **50** - - **Prompt users before sample submission**: **Send all data without prompting** + - **Cloud-delivered protection**: **Enable** + - **File Blocking Level**: **High** + - **Time extension for file scanning by the cloud**: **50** + - **Prompt users before sample submission**: **Send all data without prompting** -For more information about configuring Windows Defender AV device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). 
+For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). -For a list of Windows Defender AV device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus). +For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus). +### Confirm block at first sight is enabled with Group Policy -### Confirm Block at First Sight is enabled with Group Policy +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies: -5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies: - - 1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**. - - 1. 
Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: - - 1. Send safe samples (1) - - 1. Send all samples (3) + 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + + 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: + + - Send safe samples (1) + - Send all samples (3) > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means block at first sight will not function. - 1. Click **OK**. + 3. Click **OK**. -1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**: - - 1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**. - - 1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**. +4. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**: + + 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**. Click **OK**. + + 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**. Click **OK**. If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. 
+### Confirm block at first sight is enabled with the Windows Security app -### Confirm Block at First Sight is enabled with the Windows Defender Security Center app +You can confirm that block at first sight is enabled in Windows Settings. -You can confirm that Block at First Sight is enabled in Windows Settings. - -The feature is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. +Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. **Confirm Block at First Sight is enabled on individual clients** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Virus & threat protection settings**: - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) - -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. > [!NOTE] > If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. 
Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. +### Validate block at first sight is working -### Validate Block at First Sight is working +You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate). -You can validate that the feature is working by following the steps outlined in the [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate) topic. - - -## Disable Block at First Sight +## Disable block at first sight > [!WARNING] -> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network. +> Disabling block at first sight will lower the protection state of the endpoint and your network. -You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. +You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. -**Disable Block at First Sight with Group Policy** +**Disable block at first sight with Group Policy** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**. +3. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**. -1. Double-click the **Configure the 'Block at First Sight' feature** setting and set the option to **Disabled**. +4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. > [!NOTE] - > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies. - + > Disabling block at first sight will not disable or alter the pre-requisite group policies. ## Related topics -- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) - - diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index 247e68bc23..c4712bd823 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md 
@@ -11,64 +11,40 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Configure the cloud block timeout period - - **Applies to:** -- Windows 10, version 1703 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy - - - - - - -When Windows Defender Antivirus is suspicious of a file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud-protection service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). - -The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) for is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). +The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud service. ## Prerequisites to use the extended cloud block timeout -The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specify an extended timeout period. 
- +[Block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period. + ## Specify the extended timeout period You can use Group Policy to specify an extended timeout for cloud checks. -**Use Group Policy to specify an extended timeout period:** +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine** -4. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine** - -5. Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds. - -6. Click **OK**. +4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds. +5. Click **OK**. 
## Related topics -- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Use next-gen antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) - - - - diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index 8ff899a974..a4e4d1798a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md 
@@ -11,31 +11,23 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- # Configure end-user interaction with Windows Defender Antivirus **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus. -This includes whether they see the Windows Defender AV interface, what notifications they see, and if they can locally override globally deployed Group Policy settings. +This includes whether they see the Windows Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings. ## In this section Topic | Description ---|--- -[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation -[Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users +[Configure notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation +[Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual 
endpoints
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
index ce689900bf..05da87967e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md 
@@ -11,47 +11,30 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/27/2017 +ms.date: 09/03/2018 --- -# Configure and validate exclusions for Windows Defender AV scans (client) - +# Configure and validate exclusions for Windows Defender Antivirus scans **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center - -You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus. +You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. -Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. See the [Windows Defender AV exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions. +Windows Server 2016 also features automatic exclusions that are defined by the server roles you enable. 
See the [Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md) topic for more information and a list of the automatic exclusions. >[!WARNING] ->Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. +>Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. ## In this section Topic | Description ---|--- -[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location -[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process -[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. 
You can also add custom exclusions - 
+[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location
+[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | Exclude files from scans that have been opened by a specific process
+[Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined server role. You can also add custom exclusions.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 9381eb05f6..886f66d077 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -1,6 +1,6 @@ --- title: Configure and validate exclusions based on extension, name, or location
-description: Exclude files from Windows Defender AV scans based on their file extension, file name, or location.
+description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -11,34 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- # Configure and validate exclusions based on file extension and folder location - **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center - -You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists. - -Generally, you shouldn't need to apply exclusions. Windows Defender AV includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. >[!TIP] >The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. 
@@ -53,6 +37,7 @@ A specific file in a specific folder | The file c:\sample\sample.test only | Fil A specific process | The executable file c:\test\process.exe | File and folder exclusions This means the exclusion lists have the following characteristics: + - Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. - File extensions will apply to any file name with the defined extension if a path or folder is not defined. 
@@ -61,70 +46,64 @@ This means the exclusion lists have the following characteristics: > >You cannot exclude mapped network drives. You must specify the actual network path. > ->Folders that are reparse points that are created after the Windows Defender AV service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. - - - - -To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic. +>Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. +To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md). The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). >[!IMPORTANT] ->Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). > ->Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. +>Changes made in the Windows Security app **will not show** in the Group Policy lists. 
- - -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. - - - - - ## Configure the list of exclusions based on folder name or file extension - +**Use Intune to configure file name, folder, or file extension exclusions:** + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + +**Use Configuration Manager to configure file name, folder, or file extension exclusions:** + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). + **Use Group Policy to configure folder or file extension exclusions:** >[!NOTE] ->If you specify a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. 
+>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. - -6. Double-click the **Path Exclusions** setting and add the exclusions: +4. Double-click the **Path Exclusions** setting and add the exclusions: 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...** + 2. Under the **Options** section, click **Show...**. 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. -7. Click **OK**. +5. Click **OK**. -![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) + ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) -8. Double-click the **Extension Exclusions** setting and add the exclusions: +6. Double-click the **Extension Exclusions** setting and add the exclusions: - 1. 
Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...** + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. +7. Click **OK**. -9. Click **OK**. - -![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) - + ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) + **Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:** Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
@@ -139,9 +118,9 @@ The following are allowed as the \: Configuration action | PowerShell cmdlet ---|---
-Create or overwrite the list | `Set-MpPreference`
-Add to the list | `Add-MpPreference`
-Remove item from the list | `Remove-MpPreference`
+Create or overwrite the list | `Set-MpPreference`
+Add to the list | `Add-MpPreference`
+Remove item from the list | `Remove-MpPreference` The following are allowed as the \: 
@@ -150,10 +129,8 @@ Exclusion type | PowerShell parameter All files with a specified file extension | `-ExclusionExtension` All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` - >[!IMPORTANT]
->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. -
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension:
@@ -163,7 +140,6 @@ Add-MpPreference -ExclusionExtension ".test" See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - **Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:** Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: 
@@ -176,24 +152,14 @@ ExclusionPath The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. See the following for more information and allowed parameters: + - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Configuration Manager to configure file name, folder, or file extension exclusions:** - -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). - - -**Use Microsoft Intune to configure file name, folder, or file extension exclusions:** - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - - -**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:** - -See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions. +**Use the Windows Security app to configure file name, folder, or file extension exclusions:** +See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. ## Use wildcards in the file name and folder path or extension exclusion lists 
@@ -205,8 +171,7 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such > >- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. >- You cannot use a wildcard in place of a drive letter. ->- The use of asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. - +>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples.
          @@ -231,7 +196,7 @@ The following table describes how the wildcards can be used and provides some ex -
          1. C:\MyData\\notes.txt
          2. -
          3. Any file in: +
          4. Any file in:
            • C:\somepath\\Archives\Data and its subfolders
            • C:\somepath\\Authorized\Data and its subfolders
            • @@ -246,7 +211,7 @@ The following table describes how the wildcards can be used and provides some ex
          - ? (question mark) + ? (question mark) Replaces a single character.
          
@@ -295,23 +260,23 @@ The following table describes how the wildcards can be used and provides some ex > >This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*. - + ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). >[!IMPORTANT] ->Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). > ->Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. +>Changes made in the Windows Security app **will not show** in the Group Policy lists. If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. 
+- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-**Review the list of exclusions alongside all other Windows Defender AV preferences:**
+**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** Use the following cmdlet:
@@ -320,13 +285,11 @@ Get-MpPreference ``` In the following example, the items contained in the `ExclusionExtension` list are highlighted: - ![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png) See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - **Retrieve a specific exclusions list:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: 
@@ -341,14 +304,10 @@ In the following example, the list is split into new lines for each use of the ` ![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png) - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - - - - + ## Validate exclusions lists with the EICAR test file You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file. 
@@ -359,11 +318,11 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" ``` -If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html). +If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html). You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: -```PowerShell +```PowerShell $client = new-object System.Net.WebClient $client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt") ``` 
@@ -376,12 +335,10 @@ If you do not have Internet access, you can create your own EICAR test file by w You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. - - ## Related topics
-- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index 55f4c3f930..f35bf7b9bc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md 
@@ -11,57 +11,48 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Prevent or allow users to locally modify Windows Defender AV policy settings +# Prevent or allow users to locally modify Windows Defender Antivirus policy settings **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy - - -By default, Windows Defender AV settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. +By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use. -## Configure local overrides for Windows Defender AV settings +## Configure local overrides for Windows Defender Antivirus settings The default setting for these policies is **Disabled**. -If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Defender Security Center](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate). +If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate). The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting. 
To configure these settings: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. -7. Deploy the Group Policy Object as usual. +5. Deploy the Group Policy Object as usual. 
Location | Setting | Configuration topic ---|---|---|--- MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) -Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for monitoring for incoming and outgoing file 
activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) +Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md) Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md) Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) 
@@ -69,35 +60,30 @@ Scan | Configure local setting override for scheduled quick scan time | [Configu Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) - - - - + ## Configure how locally and globally defined threat remediation and exclusions lists are merged You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md). -By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence. - -You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used. +By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. +You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used. **Use Group Policy to disable local list merging:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus**. +3. Expand the tree to **Windows components > Windows Defender Antivirus**. -6. Double-click the **Configure local administrator merge behavior for lists** setting and set the option to **Enabled**. Click **OK**. +4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Enabled**. Click **OK**. > [!NOTE] -> If you disable local list merging, it will override Controlled folder access settings in Windows Defender Exploit Guard. It also overrides any protected folders or allowed apps set by the local administrator. For more information about Controlled folder access settings, see [Enable Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). - +> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). 
## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) \ No newline at end of file +- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index b4751e5cad..c7d6f246c3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Configure and test Windows Defender Antivirus network connections -description: Configure and test your connection to the Windows Defender Antivirus cloud-delivered protection service. -keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level +title: Configure and validate Windows Defender Antivirus network connections +description: Configure and test your connection to the Windows Defender Antivirus cloud protection service. +keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -11,20 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Configure and validate network connections for Windows Defender Antivirus - +# Configure and validate Windows Defender Antivirus network connections **Applies to:** -- Windows 10 (some instructions are only applicable for Windows 10, version 1703 or later) - -**Audience** - -- Enterprise security administrators - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. 
@@ -33,19 +27,20 @@ This topic lists the connections that must be allowed, such as by using firewall See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +> >- Cloud-delivered protection ->- Fast learning (including Block at first sight) +>- Fast learning (including block at first sight) >- Potentially unwanted application blocking -## Allow connections to the Windows Defender Antivirus cloud +## Allow connections to the Windows Defender Antivirus cloud service -The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network. +The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network. ->[!NOTE] +>[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. 
Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. -See the [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) topic for details on enabling the service with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app. +See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. @@ -133,44 +128,43 @@ https://msdl.microsoft.com/download/symbols Universal Telemetry Client
          -Used by Windows to send client diagnostic data, Windows Defender Antivirus uses this for product quality monitoring purposes +Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
          • vortex-win.data.microsoft.com
          • settings-win.data.microsoft.com
          - ## Validate connections between your network and the cloud -After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender AV cloud and are correctly reporting and receiving information to ensure you are fully protected. +After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected. **Use the cmdline tool to validate cloud-delivered protection:** -Use the following argument with the Windows Defender AV command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender AV cloud: +Use the following argument with the Windows Defender Antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service: ```DOS -MpCmdRun -ValidateMapsConnection +MpCmdRun -ValidateMapsConnection ``` -> [!NOTE] -> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703. -See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. +> [!NOTE] +> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. + +See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. 
**Attempt to download a fake malware file from Microsoft:** -You can download a sample file that Windows Defender AV will detect and block if you are properly connected to the cloud. +You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. Download the file by visiting the following link: - http://aka.ms/ioavtest ->[!NOTE] +>[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. -If you are properly connected, you will see a warning notification from Windows Defender Antivirus: +If you are properly connected, you will see a warning Windows Defender Antivirus notification: ![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png) 
@@ -182,30 +176,29 @@ A similar message occurs if you are using Internet Explorer: ![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) -You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Defender Security Center app: +You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app: -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: - ![Screenshot of the Scan history label in the Windows Defender Security Center app](images/defender/wdav-history-wdsc.png) - + ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) + 3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: - ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png) + ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png) >[!NOTE] ->Versions of Windows 10 before version 1703 have a different user interface. See the [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) topic for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces. +>Versions of Windows 10 before version 1703 have a different user interface. 
See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces. The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). >[!IMPORTANT] ->You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. - +>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) -- [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) +- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) - [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 060372f38b..10132268ce 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
-title: Configure notifications for Windows Defender Antivirus
-description: Configure and customize notifications from Windows Defender AV.
-keywords: notifications, defender, endpoint, management, admin
+title: Configure Windows Defender Antivirus notifications
+description: Configure and customize Windows Defender Antivirus notifications.
+keywords: notifications, defender, antivirus, endpoint, management, admin
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -11,107 +11,93 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Configure the notifications that appear on endpoints **Applies to:** -- Windows 10, version 1703 and later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- Windows Defender Security Center app - -In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise. - -Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals. +Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals. You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated. ## Configure the additional notifications that appear on endpoints -You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy. +You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy. 
> [!NOTE] -> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10 it is called **Enhanced notifications**. +> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. > [!IMPORTANT] > Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. -**Use the Windows Defender Security Center app to disable additional notifications:** +**Use the Windows Security app to disable additional notifications:** -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) - -3. Scroll to the **Notifications** section and click **Change notification settings**. + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Scroll to the **Notifications** section and click **Change notification settings**. 4. Slide the switch to **Off** or **On** to disable or enable additional notifications. **Use Group Policy to disable additional notifications:** -1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Administrative templates**. +3. Click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. - -6. Double-click the **Turn off enhanced notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. +5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. ## Configure standard notifications on endpoints You can use Group Policy to: + - Display additional, customized text on endpoints when the user needs to perform an action - Hide all notifications on endpoints - Hide reboot notifications on endpoints -Hiding notifications can be useful in situations where you cannot hide the entire Windows Defender AV interface. See [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. +Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. 
See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. > [!NOTE] > Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). -See the [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) topic for instructions to add custom contact information to the notifications that users see on their machines. +See [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. **Use Group Policy to hide notifications:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +3. 
Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. -6. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. +4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. **Use Group Policy to hide reboot notifications:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. - -6. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. - +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. 
## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) +- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 43501a9510..e3b8813972 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they have been opened by a specific process. -keywords: process, exclusion, files, scans +keywords: Windows Defender Antivirus, process, exclusion, files, scans search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -11,83 +11,73 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- # Configure exclusions for files opened by processes **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center - -You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV. +You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. This topic describes how to configure exclusion lists for the following: -Exclusion | Example +Exclusion | Example ---|--- Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
          • c:\sample\test.exe
          • d:\internal\files\test.exe
          Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
          • c:\test\sample\test.exe
          • c:\test\sample\test2.exe
          • c:\test\sample\utility.exe
          Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe -When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). +When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). -The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They do not apply to scheduled or on-demand scans. +The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans. -Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. +Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. 
-You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. +You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. - -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
- ## Configure the list of exclusions for files opened by specified processes - + +**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** + +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. + +**Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:** + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). + **Use Group Policy to exclude files that have been opened by specified processes from scans:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. +4. Double-click **Process Exclusions** and add the exclusions: -6. 
Double-click the **Process Exclusions** setting and add the exclusions: - - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...** + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...**. 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. -7. Click **OK**. +5. Click **OK**. ![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - + **Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:** Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). @@ -102,14 +92,12 @@ The following are allowed as the \: Configuration action | PowerShell cmdlet ---|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` - +Create or overwrite the list | `Set-MpPreference` +Add to the list | `Add-MpPreference` +Remove items from the list | `Remove-MpPreference` >[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. - +>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process: 
@@ -117,9 +105,7 @@ For example, the following code snippet would cause Windows Defender AV scans to Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` - -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - +See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:** 
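Review bot: The added "See [Manage antivirus with PowerShell cmdlets]" line points at `use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md`, which is a broken link: the bulk "antivirus" → "Windows Defender Antivirus" substitution also rewrote the file name inside the link target, and the removed line shows the real file is `use-powershell-cmdlets-windows-defender-antivirus.md`. Restore the path so the link resolves: `See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.` It would be worth searching the rest of the commit for the same `windows-defender-Windows Defender Antivirus.md` pattern, since the substitution was applied across many files.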
@@ -132,26 +118,17 @@ ExclusionProcess The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. See the following for more information and allowed parameters: + - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Configuration Manager to exclude files that have been opened by specified processes from scans:** - -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). - - -**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - - -**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:** - -See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions. +**Use the Windows Security app to exclude files that have been opened by specified processes from scans:** +See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. + ## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. 
@@ -166,20 +143,18 @@ Wildcard | Use | Example use | Example matches ? (question mark) | Not available | \- | \- Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
          • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
          |
          • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
          - - - + ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender AV preferences:** +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** Use the following cmdlet: 
@@ -187,10 +162,8 @@ Use the following cmdlet: Get-MpPreference ``` - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - **Retrieve a specific exclusions list:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: 
@@ -200,18 +173,12 @@ $WDAVprefs = Get-MpPreference $WDAVprefs.ExclusionProcess ``` - - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. - - - - ## Related topics -- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index 8eaf0cfc8f..61d9ada7c2 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Enable and configure protection features in Windows Defender AV +title: Enable and configure Windows Defender Antivirus protection features description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV. keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender search.product: eADQiWindows 10XVcnh @@ -11,18 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- # Configure behavioral, heuristic, and real-time protection **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Antivirus uses several methods to provide threat protection: 
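Review bot: Replacing `- Windows 10` under **Applies to:** with only `- Windows Defender Advanced Threat Protection (Windows Defender ATP)` appears to narrow the page's stated scope: the Group Policy, Configuration Manager, PowerShell and WMI settings described on this page configure Windows Defender Antivirus on Windows 10 whether or not the ATP service is in use, so a reader without ATP may conclude the page does not apply to them. If the aim is to surface the page in the ATP documentation set, consider keeping both entries, `- Windows 10` followed by the ATP line. The same substitution appears in the configure-real-time-protection, configure-remediation and configure-server-exclusions hunks below; on the server page it replaces `- Windows Server 2016`, which is the platform that page is about.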
@@ -30,16 +26,15 @@ Windows Defender Antivirus uses several methods to provide threat protection: - Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection") - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research -You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI). +You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI). -This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware. - -See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection. +This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware. +See [Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for how to enable and configure Windows Defender Antivirus cloud-delivered protection. 
## In this section - Topic | Description + Topic | Description ---|--- [Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps -[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features \ No newline at end of file +[Enable and configure Windows Defender Antivirus protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index d97f720028..d5a83c1e36 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md 
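Review bot: The rewritten line `+You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, ...` carries over the truncated product name from the old line; it should read `System Center Configuration Manager`. Since the line is already being edited in this hunk, this is the place to fix it.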
@@ -1,7 +1,7 @@ --- -title: Configure always-on real-time protection in Windows Defender AV -description: Enable and configure real-time protection features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV -keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics +title: Configure always-on real-time Windows Defender Antivirus protection +description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning +keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -11,69 +11,45 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- - - -# Enable and configure Windows Defender AV always-on protection and monitoring - - +# Enable and configure antivirius always-on protection and monitoring **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy - - - - -Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. +Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure. - ## Configure and enable always-on protection You can configure how always-on protection works with the Group Policy settings described in this section. To configure these settings: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. - -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK** and repeat for any other settings. Location | Setting | Description | Default setting (if not configured) ---|---|---|--- -Real-time protection | Monitor file and program activity on your computer | The AV engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled -Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled -Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled +Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled +Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. 
This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled +Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled -Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled -Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) -Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled -Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. 
| Enabled -Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled - - - +Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled +Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) +Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity | Enabled +Root | Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled +Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled ## Disable real-time protection > [!WARNING] 
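Review bot: The new H1 `# Enable and configure antivirius always-on protection and monitoring` misspells "antivirus", and because this is the page heading the typo is what readers and search results show first. Change it to `# Enable and configure antivirus always-on protection and monitoring`, or `# Enable and configure Windows Defender Antivirus always-on protection and monitoring` to match the title metadata changed in the hunk above. The "Turn on behavior monitoring" table row is also left reading "The AV engine" while the neighbouring rows in this hunk were updated to "The Windows Defender Antivirus engine", so the table is now inconsistent.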
@@ -83,15 +59,13 @@ The main real-time protection capability is enabled by default, but you can disa **Use Group Policy to disable real-time protection:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**. - -6. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**. +4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index c409e9402c..87ab0e1b1a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md 
@@ -1,6 +1,6 @@ --- -title: Remediate and resolve infections detected by Windows Defender AV -description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder +title: Remediate and resolve infections detected by Windows Defender Antivirus +description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder keywords: remediation, fix, remove, threats, quarantine, scan, restore search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -11,29 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- +# Configure remediation for Windows Defender Antivirus scans +**Applies to:** -# Configure remediation for Windows Defender AV scans +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Applies to** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell -- Windows Management Instrumentation (WMI) -- Microsoft Intune - -When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. +When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). 
@@ -45,40 +32,38 @@ You can configure how remediation works with the Group Policy settings described To configure these settings: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. - -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. +4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days -Root | Turn off routine remediation | You can specify whether Windows Defender AV automatically remediates threats, or if it should ask the endpoint user what to do. 
| Disabled (threats are remediated automatically) +Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed -Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable +Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable >[!IMPORTANT] ->Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. +>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. 
Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. >

          ->If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md). +>If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). >

          ->To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md). +>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md). - -Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings. +Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings. ## Related topics -- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) - [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Configure end-user Windows Defender Antivirus 
interaction](configure-end-user-interaction-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index 1b9179c6b3..e2008c7eee 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Automatic and customized exclusions for Windows Defender AV on Windows Server 2016 -description: Windows Server 2016 includes automatic exclusions, based on Server Role. You can also add custom exclusions. -keywords: exclusions, server, auto-exclusions, automatic, custom, scans +title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 +description: Windows Server 2016 includes automatic exclusions, based on server role. You can also add custom exclusions. +keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -11,46 +11,34 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/17/2018
+ms.date: 09/03/2018
 ---
-# Configure exclusions in Windows Defender AV on Windows Server
-
+# Configure Windows Defender Antivirus exclusions on Windows Server
 **Applies to:**
-- Windows Server 2016
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-**Audience**
+Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions.
-- Enterprise security administrators
+These exclusions will not appear in the standard exclusion lists shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
+You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics:
-**Manageability available with**
-
-- Group Policy
-- PowerShell
-- Windows Management Instrumentation (WMI)
-If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are automatically enrolled in certain exclusions, as defined by your specified Windows Server Role. A list of these exclusions is provided at [the end of this topic](#list-of-automatic-exclusions).
-
-These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
-
-You can still add or remove custom exclusions (in addition to the Server Role-defined automatic exclusions) as described in the other exclusion-related topics:
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-Custom exclusions take precedence over the automatic exclusions.
+Custom exclusions take precedence over automatic exclusions.
 > [!TIP]
 > Custom and duplicate exclusions do not conflict with automatic exclusions.
-Windows Defender AV uses the Deployment Image Servicing and Management (DSIM) tools to determine which roles are installed on your computer.
-
+Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
 ## Opt out of automatic exclusions
-In Windows Server 2016 the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt-out of the automatic exclusions delivered in definition updates.
+In Windows Server 2016, the predefined exclusions delivered by definition updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, you need to opt out of the automatic exclusions delivered in definition updates.
 > [!WARNING]
 > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 roles.
@@ -58,17 +46,17 @@ In Windows Server 2016 the predefined exclusions delivered by definition updates
 > [!NOTE]
 > This setting is only supported on Windows Server 2016. While this setting exists in Windows 10, it doesn't have an effect on exclusions.
-You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
+You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
 **Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
+4. Double-click **Turn off Auto Exclusions** and set the option to **Enabled**. Click **OK**.
 **Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
@@ -91,311 +79,305 @@ DisableAutoExclusions See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) - ## List of automatic exclusions The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types. ### Default exclusions for all roles This section lists the default exclusions for all Windows Server 2016 roles. -- Windows "temp.edb" files: +- Windows "temp.edb" files: - - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb + - *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb - - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log + - *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log -- Windows Update files or Automatic Update files: +- Windows Update files or Automatic Update files: - - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb + - *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb - - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk + - *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk - - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log + - *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log - - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs + - *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs - - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log + - *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log -- Windows Security files: +- Windows Security files: - - *%windir%*\Security\database\\*.chk + - *%windir%*\Security\database\\*.chk - - *%windir%*\Security\database\\*.edb + - *%windir%*\Security\database\\*.edb - - *%windir%*\Security\database\\*.jrs + - *%windir%*\Security\database\\*.jrs - - *%windir%*\Security\database\\*.log + - *%windir%*\Security\database\\*.log - - *%windir%*\Security\database\\*.sdb + - *%windir%*\Security\database\\*.sdb -- Group Policy files: +- Group Policy files: - - 
*%allusersprofile%*\NTUser.pol + - *%allusersprofile%*\NTUser.pol - - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol + - *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol - - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol + - *%SystemRoot%*\System32\GroupPolicy\User\registry.pol -- WINS files: +- WINS files: - - *%systemroot%*\System32\Wins\\*\\\*.chk + - *%systemroot%*\System32\Wins\\*\\\*.chk - - *%systemroot%*\System32\Wins\\*\\\*.log + - *%systemroot%*\System32\Wins\\*\\\*.log - - *%systemroot%*\System32\Wins\\*\\\*.mdb + - *%systemroot%*\System32\Wins\\*\\\*.mdb - - *%systemroot%*\System32\LogFiles\ + - *%systemroot%*\System32\LogFiles\ - - *%systemroot%*\SysWow64\LogFiles\ + - *%systemroot%*\SysWow64\LogFiles\ -- File Replication Service (FRS) exclusions: +- File Replication Service (FRS) exclusions: - - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` + - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - - *%windir%*\Ntfrs\jet\sys\\*\edb.chk + - *%windir%*\Ntfrs\jet\sys\\*\edb.chk - - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb + - *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb - - *%windir%*\Ntfrs\jet\log\\*\\\*.log + - *%windir%*\Ntfrs\jet\log\\*\\\*.log - - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` + - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory` - - *%windir%*\Ntfrs\\*\Edb\*.log + -*%windir%*\Ntfrs\\*\Edb\*.log - - The FRS staging folder. 
The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` + - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` - - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ + - *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\ - - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` + - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` - - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ + - *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\ - - The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` + - The Distributed File System Replication (DFSR) database and working folders. 
These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` - - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_normal$ - - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* + - *%systemdrive%*\System Volume Information\DFSR\FileIDTable_* - - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* + - *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_* - - *%systemdrive%*\System Volume Information\DFSR\\*.XML + - *%systemdrive%*\System Volume Information\DFSR\\*.XML - - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$ - - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_clean$ - - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ + - *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$ - - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db + - *%systemdrive%*\System Volume Information\DFSR\Dfsr.db - - *%systemdrive%*\System Volume Information\DFSR\\*.frx + - *%systemdrive%*\System Volume Information\DFSR\\*.frx - - *%systemdrive%*\System Volume Information\DFSR\\*.log + - *%systemdrive%*\System Volume Information\DFSR\\*.log - - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs + - *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs - - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb + - *%systemdrive%*\System Volume Information\DFSR\Tmp.edb -- Process exclusions +- Process exclusions - - *%systemroot%*\System32\dfsr.exe + - *%systemroot%*\System32\dfsr.exe - - *%systemroot%*\System32\dfsrs.exe + - *%systemroot%*\System32\dfsrs.exe -- Hyper-V exclusions: +- Hyper-V exclusions: - - This section lists the file type exclusions, folder exclusions, and process exclusions that are 
delivered automatically when you install the Hyper-V role + - This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role - - File type exclusions: + - File type exclusions: - - *.vhd + - *.vhd - - *.vhdx + - *.vhdx - - *.avhd + - *.avhd - - *.avhdx + - *.avhdx - - *.vsv + - *.vsv - - *.iso + - *.iso - - *.rct + - *.rct - - *.vmcx + - *.vmcx - - *.vmrs + - *.vmrs - - Folder exclusions: + - Folder exclusions: - - *%ProgramData%*\Microsoft\Windows\Hyper-V + - *%ProgramData%*\Microsoft\Windows\Hyper-V - - *%ProgramFiles%*\Hyper-V + - *%ProgramFiles%*\Hyper-V - - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots + - *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots - - *%Public%*\Documents\Hyper-V\Virtual Hard Disks + - *%Public%*\Documents\Hyper-V\Virtual Hard Disks - - Process exclusions: + - Process exclusions: - - *%systemroot%*\System32\Vmms.exe + - *%systemroot%*\System32\Vmms.exe - - *%systemroot%*\System32\Vmwp.exe + - *%systemroot%*\System32\Vmwp.exe -- SYSVOL files: +- SYSVOL files: - - *%systemroot%*\Sysvol\Domain\\*.adm + - *%systemroot%*\Sysvol\Domain\\*.adm - - *%systemroot%*\Sysvol\Domain\\*.admx + - *%systemroot%*\Sysvol\Domain\\*.admx - - *%systemroot%*\Sysvol\Domain\\*.adml + - *%systemroot%*\Sysvol\Domain\\*.adml - - *%systemroot%*\Sysvol\Domain\Registry.pol + - *%systemroot%*\Sysvol\Domain\Registry.pol - - *%systemroot%*\Sysvol\Domain\\*.aas + - *%systemroot%*\Sysvol\Domain\\*.aas - - *%systemroot%*\Sysvol\Domain\\*.inf + - *%systemroot%*\Sysvol\Domain\\*.inf - - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini + - *%systemroot%*\Sysvol\Domain\\*.Scripts.ini - - *%systemroot%*\Sysvol\Domain\\*.ins + - *%systemroot%*\Sysvol\Domain\\*.ins - - *%systemroot%*\Sysvol\Domain\Oscfilter.ini + - *%systemroot%*\Sysvol\Domain\Oscfilter.ini ### Active Directory exclusions This section lists the exclusions that are delivered automatically when you 
install Active Directory Domain Services. -- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` +- NTDS database files. The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` - - %windir%\Ntds\ntds.dit + - %windir%\Ntds\ntds.dit - - %windir%\Ntds\ntds.pat + - %windir%\Ntds\ntds.pat -- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files` +- The AD DS transaction log files. The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files` - - %windir%\Ntds\EDB*.log + - %windir%\Ntds\EDB*.log - - %windir%\Ntds\Res*.log + - %windir%\Ntds\Res*.log - - %windir%\Ntds\Edb*.jrs + - %windir%\Ntds\Edb*.jrs - - %windir%\Ntds\Ntds*.pat + - %windir%\Ntds\Ntds*.pat - - %windir%\Ntds\EDB*.log + - %windir%\Ntds\EDB*.log - - %windir%\Ntds\TEMP.edb + - %windir%\Ntds\TEMP.edb -- The NTDS working folder. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` +- The NTDS working folder. 
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` - - %windir%\Ntds\Temp.edb + - %windir%\Ntds\Temp.edb - - %windir%\Ntds\Edb.chk + - %windir%\Ntds\Edb.chk -- Process exclusions for AD DS and AD DS-related support files: +- Process exclusions for AD DS and AD DS-related support files: - - %systemroot%\System32\ntfrs.exe + - %systemroot%\System32\ntfrs.exe - - %systemroot%\System32\lsass.exe + - %systemroot%\System32\lsass.exe ### DHCP Server exclusions This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` -- *%systemroot%*\System32\DHCP\\*\\\*.mdb +- *%systemroot%*\System32\DHCP\\*\\\*.mdb -- *%systemroot%*\System32\DHCP\\*\\\*.pat +- *%systemroot%*\System32\DHCP\\*\\\*.pat -- *%systemroot%*\System32\DHCP\\*\\\*.log +- *%systemroot%*\System32\DHCP\\*\\\*.log -- *%systemroot%*\System32\DHCP\\*\\\*.chk +- *%systemroot%*\System32\DHCP\\*\\\*.chk -- *%systemroot%*\System32\DHCP\\*\\\*.edb +- *%systemroot%*\System32\DHCP\\*\\\*.edb ### DNS Server exclusions This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role. 
-- File and folder exclusions for the DNS Server role: +- File and folder exclusions for the DNS Server role: - - *%systemroot%*\System32\Dns\\*\\\*.log + - *%systemroot%*\System32\Dns\\*\\\*.log - - *%systemroot%*\System32\Dns\\*\\\*.dns + - *%systemroot%*\System32\Dns\\*\\\*.dns - - *%systemroot%*\System32\Dns\\*\\\*.scc + - *%systemroot%*\System32\Dns\\*\\\*.scc - - *%systemroot%*\System32\Dns\\*\BOOT + - *%systemroot%*\System32\Dns\\*\BOOT -- Process exclusions for the DNS Server role: +- Process exclusions for the DNS Server role: - - *%systemroot%*\System32\dns.exe - - + - *%systemroot%*\System32\dns.exe ### File and Storage Services exclusions This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. -- *%SystemDrive%*\ClusterStorage +- *%SystemDrive%*\ClusterStorage -- *%clusterserviceaccount%*\Local Settings\Temp +- *%clusterserviceaccount%*\Local Settings\Temp -- *%SystemDrive%*\mscs +- *%SystemDrive%*\mscs ### Print Server exclusions This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role. -- File type exclusions: +- File type exclusions: - - *.shd + - *.shd - - *.spl + - *.spl -- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` +- Folder exclusions. This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` - - *%system32%*\spool\printers\\* + - *%system32%*\spool\printers\\* -- Process exclusions: +- Process exclusions: - - spoolsv.exe + - spoolsv.exe ### Web Server exclusions This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role. 
-- Folder exclusions: +- Folder exclusions: - - *%SystemRoot%*\IIS Temporary Compressed Files + - *%SystemRoot%*\IIS Temporary Compressed Files - - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files + - *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files - - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates + - *%SystemDrive%*\inetpub\temp\ASP Compiled Templates - - *%systemDrive%*\inetpub\logs + - *%systemDrive%*\inetpub\logs - - *%systemDrive%*\inetpub\wwwroot + - *%systemDrive%*\inetpub\wwwroot -- Process exclusions: +- Process exclusions: - - *%SystemRoot%*\system32\inetsrv\w3wp.exe + - *%SystemRoot%*\system32\inetsrv\w3wp.exe - - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe + - *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe - - *%SystemDrive%*\PHP5433\php-cgi.exe + - *%SystemDrive%*\PHP5433\php-cgi.exe ### Windows Server Update Services exclusions This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. 
The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
-- *%systemroot%*\WSUS\WSUSContent
-
-- *%systemroot%*\WSUS\UpdateServicesDBFiles
-
-- *%systemroot%*\SoftwareDistribution\Datastore
-
-- *%systemroot%*\SoftwareDistribution\Download
+- *%systemroot%*\WSUS\WSUSContent
+- *%systemroot%*\WSUS\UpdateServicesDBFiles
+- *%systemroot%*\SoftwareDistribution\Datastore
+- *%systemroot%*\SoftwareDistribution\Download
 ## Related topics
-- [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
index ecc4190de1..03b6bf2fc1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -1,7 +1,7 @@ --- -title: Configure Windows Defender Antivirus features (Windows 10) -description: You can configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings. -keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell +title: Configure Windows Defender Antivirus features +description: You can configure Windows Defender Antivirus features with Intune, System Center Configuration Manager, Group Policy, and PowerShell. +keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,28 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- # Configure Windows Defender Antivirus features - **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +You can configure Windows Defender Antivirus with a number of tools, including: -- Enterprise security administrators - -Windows Defender Antivirus can be configured with a number of tools, including: - -- Group Policy settings +- Microsoft Intune - System Center Configuration Manager +- Group Policy - PowerShell cmdlets - Windows Management Instrumentation (WMI) -- Microsoft Intune - The following broad categories of features can be configured: 
@@ -40,17 +34,13 @@ The following broad categories of features can be configured:
 - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
 - How end-users interact with the client on individual endpoints
-The topics in this section describe how to perform key tasks when configuring Windows Defender AV. Each topic includes instructions for the applicable configuration tool (or tools).
+The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
 You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help.
-
 ## In this section
 Topic | Description
 :---|:---
-[Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
-[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV
-[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings
-
-
-
+[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
+[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
+[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index 5c57af4d4c..fd8a577fc1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
 title: Run and customize scheduled and on-demand scans
-description: Customize and initiate scans using Windows Defender AV on endpoints across your network.
-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan
+description: Customize and initiate Windows Defender Antivirus scans on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Windows Defender Antivirus
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -11,32 +11,24 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 08/26/2017
+ms.date: 09/03/2018
 ---
-# Customize, initiate, and review the results of Windows Defender AV scans and remediation
+# Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation
 **Applies to:**
-- Windows 10
-
-**Audience**
-
-- Enterprise security administrators
-
-
-You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure scans run by Windows Defender Antivirus.
-
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans.
 ## In this section
-Topic | Description
+Topic | Description
 ---|---
-[Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
-[Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
-[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+[Configure and validate file, folder, and process-opened file exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
 [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
-[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
-
+[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
+[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index 12275ec64d..4c1673e6f4 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Deploy, manage, and report on Windows Defender Antivirus
-description: You can deploy and manage Windows Defender Antivirus with Group Policy, Configuration Manager, WMI, PowerShell, or Intune
+description: You can deploy and manage Windows Defender Antivirus with Intune, System Center Configuration Manager, Group Policy, PowerShell, or WMI
 keywords: deploy, manage, update, protection, windows defender antivirus
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,40 +11,36 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/19/2018 +ms.date: 09/03/2018 --- # Deploy, manage, and report on Windows Defender Antivirus **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. -- IT administrators +Because the Windows Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. -You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. - -As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. - -However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Security Center, or Group Policy Objects, which is described in the following table. +However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, System Center Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. You'll also see additional links for: + - Managing Windows Defender Antivirus protection, including managing product and protection updates - Reporting on Windows Defender Antivirus protection > [!IMPORTANT] -> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-party antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus. 
- +> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Windows Defender Antivirus. Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- -System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management) -Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][] +System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint 
Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] +PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][] +Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). 
You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. 1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) 
@@ -53,8 +49,6 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by 3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2) - - [Endpoint Protection point site system role]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-site-role [default and customized antimalware policies]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies [client management]: https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients 
@@ -79,13 +73,10 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by [Possibly infected devices]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices [Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md - ## In this section -Topic | Description +Topic | Description ---|--- [Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects. [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI. -[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection - - +[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use Microsoft Intune, System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index dbd8572db4..6efcc0eeef 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- title: Deploy and enable Windows Defender Antivirus -description: Deploy Windows Defender AV for protection of your endpoints with Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI. -keywords: deploy, enable, windows defender av +description: Deploy Windows Defender Antivirus for protection of your endpoints with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. +keywords: deploy, enable, Windows Defender Antivirus search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -11,29 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Deploy and enable Windows Defender Antivirus - **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. -- Network administrators -- IT administrators +See the table in [Deploy, manage, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). +Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. -Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection. - -See the table in the [Deploy, manage, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md#ref2) topic for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI). - -Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments. - -The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). 
+The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 41343abb5c..b0a425bb2b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md 
@@ -11,31 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. -- Enterprise security administrators +Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. -**Manageability available with** - -- System Center Configuration Manager (current branch) -- Group Policy - - - -In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. - -Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. - -We recommend setting the following when deploying Windows Defender AV in a VDI environment: +We recommend setting the following when deploying Windows Defender Antivirus in a VDI environment: Location | Setting | Suggested configuration ---|---|--- 
@@ -46,17 +35,20 @@ Root | Randomize scheduled task times | Enabled Signature updates | Turn on scan after signature update | Enabled Scan | Turn on catch up quick scan | Enabled -For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. +For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for System Center Configuration Manager and Group Policy, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection) topic. -There are three main steps in this guide to help roll out Windows Defender AV protection across your VDI: +There are three main steps in this guide to help roll out Windows Defender Antivirus protection across your VDI: + +1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image) + +2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image) + +3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including: -1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image) -2. 
[Manage the base image and updates for your VMs](#manage-your-vms-and-base-image) -3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including: - [Randomize scheduled scans](#randomize-scheduled-scans) - [Use quick scans](#use-quick-scans) - [Prevent notifications](#prevent-notifications) 
@@ -66,27 +58,29 @@ There are three main steps in this guide to help roll out Windows Defender AV pr >[!IMPORTANT] > While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. ->[!NOTE] ->When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information. +>[!NOTE] +>When you manage Windows with System Center Configuration Manager, Windows Defender Antivirus protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information. - - -## Create and deploy the base image +## Create and deploy the base image The main steps in this section include: -1. Create your standard base image according to your requirements -2. Apply Windows Defender AV protection updates to your base image -3. Seal or “lock” the image to create a “known-good” image -4. Deploy your image to your VMs + +1. Create your standard base image according to your requirements +2. Apply Windows Defender AV protection updates to your base image +3. Seal or “lock” the image to create a “known-good” image +4. Deploy your image to your VMs ### Create the base image + First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. 
Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs. ### Apply protection updates to the base image -After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches. + +After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender Antivirus protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches. ### Seal the base image -When the base image is fully updated, you should run a quick scan on the image. + +When the base image is fully updated, you should run a quick scan on the image. After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here: 
@@ -94,19 +88,19 @@ After running a scan and buliding the cache, remove the machine GUID that unique Remove the string found in the 'GUID' value -This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted. +This “sealing” or “locking” of the image helps Windows Defender Antivirus build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted. You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md). ->[!NOTE] +>[!NOTE] >Quick scan versus full scan >Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder – quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. ->Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only. +>Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only. >A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up. +### Deploy the base image -### Deploy the base image -You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. 
+You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. The following references provide ways you can create and deploy the base image across your VDI: 
@@ -116,58 +110,57 @@ The following references provide ways you can create and deploy the base image a - [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v) - [Build Virtual Desktop templates]( https://technet.microsoft.com/en-us/library/dn645526(v=ws.11).aspx) - - - - ## Manage your VMs and base image + How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure. -Because Windows Defender AV downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. +Because Windows Defender Antivirus downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb). - ### Manage updates for persistent VDIs If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows: + 1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs). + 2. 
Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this). + 3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md). + 4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others. + 5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). -5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. -A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. +6. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. 
+A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. ### Manage updates for non-persistent VDIs If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image. An example: + 1. Every night or other time when you can safely take your VMs offline, update your base image with the latest [protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). + 2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. - - - ## Configure endpoints for optimal performance + There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including: - - [Randomize scheduled scans](#randomize-scheduled-scans) - - [Use quick scans](#use-quick-scans) - - [Prevent notifications](#prevent-notifications) - - [Disable scans from occurring after every update](#disable-scans-after-an-update) - - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) + +- [Randomize scheduled scans](#randomize-scheduled-scans) +- [Use quick scans](#use-quick-scans) +- [Prevent notifications](#prevent-notifications) +- [Disable scans from occurring after every update](#disable-scans-after-an-update) +- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network. - - - ### Randomize scheduled scans -Windows Defender AV supports the randomization of scheduled scans and signature updates. 
This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). +Windows Defender Antivirus supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). 
@@ -177,17 +170,17 @@ The start time of the scan itself is still based on the scheduled scan policy **Use Group Policy to randomize scheduled scan start times:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender** and configure the following setting: - - 1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. +4. Expand the tree to **Windows components > Windows Defender** and configure the following setting: -**Use Configuration Manager to randomize schedule scans:** + - Double-click **Randomize scheduled task times** and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. 
For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. + +**Use Configuration Manager to randomize scheduled scans:** See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch). 
@@ -196,18 +189,19 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for ### Use quick scans You can specify the type of scan that should be performed during a scheduled scan. -Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. +Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. **Use Group Policy to specify the type of scheduled scan:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: - 1. Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**. +4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: + + - Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. Click **OK**. **Use Configuration Manager to specify the type of scheduled scan:** 
@@ -217,34 +211,34 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for ### Prevent notifications -Sometimes, Windows Defender AV notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the user interface for Windows Defender AV. +Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface. **Use Group Policy to hide notifications:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: - -1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. -2. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. +4. 
Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: + - Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. + - Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. **Use Configuration Manager to hide notifications:** -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Advanced** section and configure the following settings: +2. Go to the **Advanced** section and configure the following settings: -1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface. -2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing. + 1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface. -3. Click **OK**. + 2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing. -3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + 3. Click **OK**. + +3. 
[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Disable scans after an update 
@@ -255,73 +249,63 @@ This setting will prevent a scan from occurring after receiving an update. You c **Use Group Policy to disable scans after an update:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting: - -1. Double-click the **Turn on scan after signature update** setting and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update. +4. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting: + - Double-click **Turn on scan after signature update** and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update. **Use Configuration Manager to disable scans after an update:** -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) - -2. Go to the **Scheduled scans** section and configure the following setting: - -1. Set **Check for the latest definition updates before running a scan** to **No**. 
This prevents a scan after an update. - -3. Click **OK**. - -2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +2. Go to the **Scheduled scans** section and configure the following setting: +3. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update. +4. Click **OK**. +5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Scan VMs that have been offline -This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. +This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. **Use Group Policy to enable a catch-up scan:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: - -1. 
Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. +2. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Policies** then **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: +5. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. **Use Configuration Manager to disable scans after an update:** -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Scheduled scans** section and configure the following setting: +2. Go to the **Scheduled scans** section and configure the following setting: -1. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans. - -3. Click **OK**. - -2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +3. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans. +4. Click **OK**. +5. 
[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Exclusions -Windows Server 2016 contains Windows Defender Antivirus and will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page: +On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page: - [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender) ## Additional resources - [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) -- [Project VRC: Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/) +- [Project VRC: Windows Defender Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) -- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) +- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index fa6dae36c3..32898e862b 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
-title: Block Potentially Unwanted Applications with Windows Defender AV
-description: Enable the Potentially Unwanted Application (PUA) feature in Windows Defender Antivirus to block unwanted software such as adware.
-keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, windows defender
+title: Block potentially unwanted applications with Windows Defender Antivirus
+description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware.
+keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Windows Defender Antivirus
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -11,76 +11,69 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 10/02/2018 --- -# Detect and block Potentially Unwanted Applications +# Detect and block potentially unwanted applications **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- System Center Configuration Manager -- PowerShell cmdlets -- Microsoft Intune - -The Potentially Unwanted Application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation. Typical PUA behavior includes: + - Various types of software bundling -- Ad-injection into web browsers +- Ad injection into web browsers - Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs) These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. 
+>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## How it works PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions: + - The file is being scanned from the browser - The file is in a folder with "**downloads**" in the path - The file is in a folder with "**temp**" in the path -- The file is on the user's Desktop +- The file is on the user's desktop - The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%* -The file is placed in the quarantine section so it won't run. +The file is placed in the quarantine section so it won't run. When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). -They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). - +They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## View PUA events -PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. +PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. Hoever, PUA detections will be reported if you have set up email notifications for detections. See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. 
+## Configure PUA protection -## Configure the PUA protection feature +You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or PowerShell cmdlets. -You can enable the PUA protection feature with System Center Configuration Manager, PowerShell cmdlets, or Microsoft Intune. - -You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. +You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +**Use Intune to configure PUA protection** -**Use Configuration Manager to configure the PUA protection feature:** +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. +**Use Configuration Manager to configure PUA protection:** + +PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). 
@@ -89,7 +82,21 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat > [!NOTE] > PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. -**Use PowerShell cmdlets to configure the PUA protection feature:** +**Use Group Policy to configure PUA protection:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus**. + +4. Double-click **Configure protection for potentially unwanted applications**. + +5. Click **Enabled** to enable PUA protection. + +6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Click **OK**. + +**Use PowerShell cmdlets to configure PUA protection:** Use the following cmdlet: 
@@ -103,16 +110,7 @@ Setting `AuditMode` will detect PUAs but will not block them. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - - -**Use Intune to configure the PUA protection feature** - -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. - - ## Related topics -- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) +- [Next gen protection](windows-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) - -
diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
index da5b515967..f3392dab0d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@@ -11,74 +11,72 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- -# Enable cloud-delivered protection in Windows Defender AV - - +# Enable cloud-delivered protection **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. -- Enterprise security administrators +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. -**Manageability available with** +See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) -- Microsoft Intune -- Windows Defender Security Center app - - ->[!NOTE] ->The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. 
- - - -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app. - -See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. - -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections for Windows Defender AV](configure-network-connections-windows-defender-antivirus.md) for more details. +There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. >[!NOTE] >In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. +**Use Intune to enable cloud-delivered protection** -**Use Group Policy to enable cloud-delivered protection:** +1. Sign in to the [Azure portal](https://portal.azure.com). +2. Select **All services > Intune**. +3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. 
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. +5. On the **Cloud-delivered protection** switch, select **Enable**. +6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. +7. In the **Submit samples consent** dropdown, select one of the following: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** - -1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. - -1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: - - 1. **Send safe samples** (1) - 1. **Send all samples** (3) + - **Send safe samples automatically** + - **Send all samples automatically** > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - -1. Click **OK**. + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. +8. 
Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) **Use Configuration Manager to enable cloud-delivered protection:** See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +**Use Group Policy to enable cloud-delivered protection:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** + +5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. + +6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: + + 1. **Send safe samples** (1) + 2. **Send all samples** (3) + + > [!WARNING] + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +7. Click **OK**. **Use PowerShell cmdlets to enable cloud-delivered protection:** 
@@ -88,10 +86,10 @@ Use the following cmdlets to enable cloud-delivered protection: Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent Always ``` + >[!NOTE] >You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** 
@@ -106,36 +104,18 @@ SubmitSamplesConsent See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Intune to enable cloud-delivered protection** +**Enable cloud-delivered protection on individual clients with the Windows Security app** -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. -5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - 1. **Send safe samples automatically** - 2. **Send all samples automatically** - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. -8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. 
- -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) - -**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app** > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. - -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) - -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. >[!NOTE] >If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. 
@@ -143,8 +123,8 @@ For more information about Intune device profiles, including how to create and c
 ## Related topics
 - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
-- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
+- [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
 - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
 - [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
 - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
index 225ea553da..72996630cf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md
@@ -11,50 +11,41 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Evaluate Windows Defender Antivirus protection - +# Evaluate Windows Defender Antivirus **Applies to:** -- Windows 10, version 1703 and later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - - -If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection. +Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking - -It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network. +It explains the important next generation protection features of Windows Defender Antivirus available for both small and large enterprises, and how they increase malware detection and protection across your network. You can choose to configure and evaluate each setting independently, or all at once. 
We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings. The guide is available in PDF format for offline viewing: + - [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795) You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery: + - [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.2/DisplayScript) > [!IMPORTANT] -> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment. +> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. > -> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see the [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) topic in this library. - +> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md). ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) - - - +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
index d0d4cfd9db..942585308e 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
-title: Enable the limited periodic scanning feature in Windows Defender AV
-description: Limited periodic scanning lets you use Windows Defender AV in addition to your other installed AV providers
+title: Enable the limited periodic Windows Defender Antivirus scanning feature
+description: Limited periodic scanning lets you use Windows Defender Antivirus in addition to your other installed AV providers
 keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,61 +11,42 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Use limited periodic scanning in Windows Defender AV - - +# Use limited periodic scanning in Windows Defender Antivirus **Applies to:** -- Windows 10, version 1703 and later - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. -It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. +It can only be enabled in certain situations. See [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. -**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the capabilities of Windows Defender Antivirus to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. +**Microsoft does not recommend using this feature in enterprise environments. 
This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. ## How to enable limited periodic scanning -By default, Windows Defender AV will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other AV product is out-of-date, expired, or not working correctly. +By default, Windows Defender Antivirus will enable itself on a Windows 10 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly. -If Windows Defender AV is enabled, the usual options will appear to configure Windows Defender AV on that device: +If Windows Defender Antivirus is enabled, the usual options will appear to configure it on that device: -![Windows Defender Security Center app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) +![Windows Security app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) +If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: -If another AV product is installed and working correctly, Windows Defender AV will disable itself. 
The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: - -![Windows Defender Security Center app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) +![Windows Security app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. - ![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png) Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page. - -![When enabled, periodic scanning shows the normal Windows Defender AV options](images/vtp-3ps-lps-on.png) - - - +![When enabled, periodic scanning shows the normal Windows Defender Antivirus options](images/vtp-3ps-lps-on.png) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index a15ae25596..2209e57918 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md 
@@ -1,6 +1,6 @@
 ---
-title: Apply Windows Defender AV updates after certain events
-description: Manage how Windows Defender Antivirus applies proteciton updates after startup or receiving cloud-delivered detection reports.
+title: Apply Windows Defender Antivirus updates after certain events
+description: Manage how Windows Defender Antivirus applies protection updates after startup or receiving cloud-delivered detection reports.
 keywords: updates, protection, force updates, events, startup, check for latest, notifications
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,57 +11,44 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage event-based forced updates -**Applies to** -- Windows 10 +**Applies to:** -**Audience** - -- Network administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - - -Windows Defender AV allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. ## Check for protection updates before running a scan -You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to force Windows Defender AV to check and download protection updates before running a scheduled scan. - - -**Use Group Policy to check for protection updates before running a scan:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. - -6. Double-click the **Check for the latest virus and spyware definitions before running a scheduled scan** setting and set the option to **Enabled**. - -7. Click **OK**. 
+You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. **Use Configuration Manager to check for protection updates before running a scan:** -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) -2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**. +2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**. 3. Click **OK**. -4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +4.[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + +**Use Group Policy to check for protection updates before running a scan:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Policies** then **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. + +5. 
Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**. + +6. Click **OK**. **Use PowerShell cmdlets to check for protection updates before running a scan:** @@ -73,7 +60,6 @@ Set-MpPreference -CheckForSignaturesBeforeRunningScan See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - **Use Windows Management Instruction (WMI) to check for protection updates before running a scan** Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: 
@@ -85,46 +71,39 @@ CheckForSignaturesBeforeRunningScan See the following for more information: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) - - - - - ## Check for protection updates on startup -You can use Group Policy to force Windows Defender AV to check and download protection updates when the machine is started. +You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started. -**Use Group Policy to download protection updates at startup:** +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Policies** then **Administrative templates**. -4. Click **Policies** then **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. -5. Double-click the **Check for the latest virus and spyware definitions on startup** setting and set the option to **Enabled**. +6. Click **OK**. -6. Click **OK**. +You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running. 
-You can also use Group Policy, PowerShell, or WMI to configure Windows Defender AV to check for updates at startup even when it is not running. +**Use Group Policy to download updates when Windows Defender Antivirus is not present:** -**Use Group Policy to download updates when Windows Defender AV is not present:** +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Policies** then **Administrative templates**. -4. Click **Policies** then **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +5. Double-click **Initiate definition update on startup** and set the option to **Enabled**. -6. Double-click the **Initiate definition update on startup** setting and set the option to **Enabled**. +6. Click **OK**. -7. Click **OK**. - -**Use PowerShell cmdlets to download updates when Windows Defender AV is not present:** +**Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present:** Use the following cmdlets: 
@@ -132,10 +111,9 @@ Use the following cmdlets: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. - -**Use Windows Management Instruction (WMI) to download updates when Windows Defender AV is not present:** +**Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present:** Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -146,11 +124,8 @@ SignatureDisableUpdateOnStartupWithoutEngine See the following for more information: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) - - - - + ## Allow ad hoc changes to protection based on cloud-delivered protection Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates. 
@@ -159,27 +134,21 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi **Use Group Policy to automatically download recent updates based on cloud-delivered protection:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following: - 1. Double-click the **Allow real-time definition updates based on reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**. - 2. Double-click the **Allow notifications to disable definitions based reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. +3. Click **Policies** then **Administrative templates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following: + 1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. + 2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. 
## Related topics
-- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
 - [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
 - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
 - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
 - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-
-
-
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
index 00b1ed1c2f..210423199c 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -11,50 +11,51 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Manage updates and scans for endpoints that are out of date +# Manage Windows Defender Antivirus updates and scans for endpoints that are out of date -**Applies to** -- Windows 10 +**Applies to:** -**Audience** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -- Network administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - - - -Windows Defender AV lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. +Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time. -When the user returns to work and logs on to their PC, Windows Defender AV will immediately check and download the latest protection updates, and run a scan. +When the user returns to work and logs on to their PC, Windows Defender Antivirus will immediately check and download the latest protection updates, and run a scan. ## Set up catch-up protection updates for endpoints that haven't updated for a while -If Windows Defender AV did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. 
This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md). +If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md). + +**Use Configuration Manager to configure catch-up protection updates:** + +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Definition updates** section and configure the following settings: + + 1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. + 2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). + +3. Click **OK**. + +4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). **Use Group Policy to enable and configure the catch-up update feature:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. -6. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. +5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. -7. Click **OK**. +6. Click **OK**. **Use PowerShell cmdlets to configure catch-up protection updates:** 
@@ -78,23 +79,11 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Configuration Manager to configure catch-up protection updates:** - -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) - -2. Go to the **Definition updates** section and configure the following settings: - - 1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. - 2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). - -3. Click **OK**. - -4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ## Set the number of days before protection is reported as out-of-date -You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. 
+You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. **Use Group Policy to specify the number of days before protection is considered out-of-date:** @@ -119,7 +108,7 @@ You can also specify the number of days after which Windows Defender AV protecti ## Set up catch-up scans for endpoints that have not been scanned for a while -You can set the number of consecutive scheduled scans that can be missed before Windows Defender AV will force a scan. +You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan. The process for enabling this feature is: @@ -159,7 +148,7 @@ Set-MpPreference -DisableCatchupQuickScan ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to configure catch-up scans:** 
@@ -187,9 +176,8 @@ See the following for more information and allowed parameters: ## Related topics -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) - [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index 650a73dafb..efcd9e0cfc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md 
@@ -11,27 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage the schedule for when protection updates should be downloaded and applied -**Applies to** -- Windows 10 +**Applies to:** -**Audience** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -- Network administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - - -Windows Defender AV lets you determine when it should look for and download updates. +Windows Defender Antivirus lets you determine when it should look for and download updates. You can schedule updates for your endpoints by: 
@@ -41,24 +30,6 @@ You can schedule updates for your endpoints by: You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information. -**Use Group Policy to schedule protection updates:** - -> [!IMPORTANT] -> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: - - 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. - 2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. - 3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. - - **Use Configuration Manager to schedule protection updates:** 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 
@@ -73,6 +44,24 @@ You can also randomize the times when each endpoint checks and downloads protect 5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +**Use Group Policy to schedule protection updates:** + +> [!IMPORTANT] +> By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: + + 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. + 2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. + + **Use PowerShell cmdlets to schedule protection updates:** 
@@ -102,9 +91,8 @@ See the following for more information and allowed parameters: ## Related topics -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index 5eab19050c..e550220a80 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md 
@@ -11,33 +11,23 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage the sources for Windows Defender Antivirus protection updates -**Applies to** -- Windows 10 +**Applies to:** -**Audience** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - - + There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied. This topic describes where you can specify the updates should be downloaded from, also known as the fallback order. -See the [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). +See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). 
@@ -52,7 +42,7 @@ You can use the following sources: - [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx) - System Center Configuration Manager - A network file share -- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx) +- The [Microsoft Malware Protection Center definitions page (MMPC)](https://www.microsoft.com/security/portal/definitions/adl.aspx) When updates are published, some logic will be applied to minimize the size of the update. In most cases, only the "delta" (or the differences between the latest update and the update that is currently installed on the endpoint) will be downloaded and applied. However, the size of the delta depends on: 
@@ -80,8 +70,8 @@ Microsoft Update | You want your endpoints to connect directly to Microsoft Upda File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments. Configuration Manager | You are using System Center Configuration Manager to update your endpoints. MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). - - + + You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. > [!IMPORTANT] 
@@ -100,16 +90,16 @@ The procedures in this article first describe how to set the order, and then how 4. Click **Policies** then **Administrative templates**. 5. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings: - - 1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**. - 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot. + 1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**. + + 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot. ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png) - 3. Click **OK**. This will set the order of protection update sources. + 3. Click **OK**. This will set the order of protection update sources. - 1. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**. + 1. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**. 2. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/en-us/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates. 
@@ -133,7 +123,7 @@ See the following for more information: - [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder) - [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) - [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) -- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) +- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) **Use Windows Management Instruction (WMI) to manage the update location:** @@ -147,6 +137,9 @@ SignatureDefinitionUpdateFileSharesSouce See the following for more information: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +**Use Mobile Device Management (MDM) to manage the update location:** + +See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM. 
@@ -157,11 +150,11 @@ See the following for more information: ## Related topics -- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) + +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) - [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender AV in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index 99051e2f5f..b3541abe11 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md 
@@ -11,21 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage Windows Defender Antivirus updates and apply baselines - **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Network administrators - -There are two types of updates related to keeping Windows Defender Antivirus: +There are two types of updates related to keeping Windows Defender Antivirus up to date: 1. Protection updates 2. Product updates 
@@ -33,14 +28,14 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en ## Protection updates -Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates". +Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates". The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. ## Product updates -Windows Defender AV requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. +Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. 
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index de30dd760f..ee85e54424 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -11,24 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Manage updates for mobile devices and virtual machines (VMs) -**Applies to** -- Windows 10 - -**Audience** - -- Network administrators - -**Manageability available with** - -- Group Policy - - +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. 
@@ -44,7 +34,7 @@ The following topics may also be useful in these situations: ## Opt-in to Microsoft Update on mobile computers without a WSUS connection -You can use Microsoft Update to keep definitions on mobile devices running Windows Defender AV up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. +You can use Microsoft Update to keep definitions on mobile devices running Windows Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. @@ -81,7 +71,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following ## Prevent definition updates when running on battery power -You can configure Windows Defender AV to only download protection updates when the PC is connected to a wired power source. +You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source. **Use Group Policy to prevent definition updates on battery power:** @@ -103,4 +93,4 @@ You can configure Windows Defender AV to only download protection updates when t ## Related topics - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) -- [Update and manage Windows Defender in Windows 10](deploy-manage-report-windows-defender-antivirus.md) +- [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/TOC.md b/windows/security/threat-protection/windows-defender-antivirus/oldTOC.md similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/TOC.md rename to windows/security/threat-protection/windows-defender-antivirus/oldTOC.md 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index d0306388a6..eeb27d5a8f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Hide the Windows Defender Antivirus interface
-description: You can hide virus and threat protection tile in the Windows Defender Security Center app.
+description: You can hide virus and threat protection tile in the Windows Security app.
 keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,39 +11,31 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Prevent users from seeing or interacting with the Windows Defender AV user interface +# Prevent users from seeing or interacting with the Windows Defender Antivirus user interface + **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans. ## Hide the Windows Defender Antivirus interface -In Windows 10, versions 1703, hiding the interface will hide Windows Defender AV notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app. +In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app. With the setting set to **Enabled**: -![Screenshot of Windows Defender Security Center without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png) +![Screenshot of Windows Security without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png) With the setting set to **Disabled** or not configured: -![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) +![Scheenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] ->Hiding the interface will also prevent Windows Defender AV notifications from appearing on the endpoint. 
Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) +>Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.": @@ -87,5 +79,5 @@ You can prevent users from pausing scans. This can be helpful to ensure schedule - [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) +- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 79696c63e9..938413082b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md 
@@ -11,26 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- -# Report on Windows Defender Antivirus protection +# Report on Windows Defender Antivirus **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus. -- IT administrators +You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune). -There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender AV. - - - -You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune). - -Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings. 
+Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx). @@ -46,4 +40,4 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index db4d6528c0..485ea3e2a7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md 
@@ -11,28 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/23/2018 +ms.date: 09/03/2018 --- # Restore quarantined files in Windows Defender AV - **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. -- Enterprise security administrators - -**Manageability available with** - -- Windows Defender Security Center - -If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender AV quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. - -1. Open **Windows Defender Security Center**. +1. Open **Windows Security**. 2. Click **Virus & threat protection** and then click **Scan history**. 3. Under **Quarantined threats**, click **See full history**. 4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.) @@ -43,5 +33,5 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y - [Review scan results](review-scan-results-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
index 151f4e6a10..a63291b836 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Review the results of Windows Defender AV scans
-description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
+description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app
 keywords: scan results, remediation, full scan, quick scan
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,40 +11,32 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- -# Review Windows Defender AV scan results - +# Review Windows Defender Antivirus scan results **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center app +After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. -After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. +**Use Microsoft Intune to review scan results:** +1. In Intune, go to **Devices > All Devices** and select the device you want to scan. -**Use Configuration Manager to review Windows Defender AV scan results:** +2. Click the scan results in **Device actions status**. + +**Use Configuration Manager to review scan results:** See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). -**Use the Windows Defender Security Center app to review Windows Defender AV scan results:** +**Use the Windows Security app to review scan results:** -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. 
Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label. @@ -54,7 +46,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us -**Use PowerShell cmdlets to review Windows Defender AV scan results:** +**Use PowerShell cmdlets to review scan results:** The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection: @@ -76,20 +68,15 @@ Get-MpThreat See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:** +**Use Windows Management Instruction (WMI) to review scan results:** Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes. -**Use Microsoft Intune to review Windows Defender AV scan results:** - -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Click the scan results in **Device actions status**. ## Related topics -- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 4aa2447988..dd926aacc2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Run and customize on-demand scans in Windows Defender AV -description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app +description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app keywords: scan, on-demand, dos, intune, instant scan search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,31 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/10/2018 +ms.date: 09/03/2018 --- - - - - -# Configure and run on-demand Windows Defender AV scans +# Configure and run on-demand Windows Defender Antivirus scans **Applies to:** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Windows Defender AV mpcmdrun utility -- PowerShell -- Windows Management Instrumentation (WMI) -- System Center Configuration Manager -- Microsoft Intune -- Windows Defender Security Center app +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. 
@@ -44,12 +27,18 @@ You can run an on-demand scan on individual endpoints. These scans will start im Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +>[!NOTE] +>By default, quick scans run on mounted removable devices, such as USB drives. + +**Use Configuration Manager to run a scan:** + +See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. **Use the mpcmdrum.exe command-line utility to run a scan:** 
@@ -65,15 +54,16 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen -**Use Configuration Manager to run a scan:** +**Use Microsoft Intune to run a scan:** -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. +1. In Intune, go to **Devices > All Devices** and select the device you want to scan. + +2. Select **...More** and then select **Quick Scan** or **Full Scan**. +**Use the Windows Security app to run a scan:** -**Use the Windows Defender Security Center app to run a scan:** - -See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. +See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. 
@@ -96,16 +86,9 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Use Microsoft Intune to run a scan:** - -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Select **...More** and then select **Quick Scan** or **Full Scan**. - - ## Related topics -- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) -- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) +- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 8e4b44e881..bc6c620629 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md 
@@ -11,32 +11,17 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/26/2018 +ms.date: 09/03/2018 --- +# Configure scheduled quick or full Windows Defender Antivirus scans -# Configure scheduled quick or full scans for Windows Defender AV - - - -**Applies to** -- Windows 10 - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell cmdlets -- Windows Management Instruction (WMI) - +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) > [!NOTE] -> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. +> By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans. @@ -60,7 +45,7 @@ To configure the Group Policy settings described in this topic: Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics. -## Quick scan versus full scan +## Quick scan versus full scan and custom scan When you set up scheduled scans, you can set up whether the scan should be a full or quick scan. 
@@ -72,6 +57,11 @@ In most instances, this means a quick scan is adequate to find malware that wasn A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md). +A custom scan allows you to specify the files and folders to scan, such as a USB drive. + +>[!NOTE] +>By default, quick scans run on mounted removable devices, such as USB drives. + ## Set up scheduled scans Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans. @@ -84,7 +74,7 @@ Location | Setting | Description | Default setting (if not configured) Scan | Specify the scan type to use for a scheduled scan | Quick scan Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am -Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender scans. This can be useful in VM or VDI deployments. | Enabled +Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender Antivirus scans. This can be useful in VM or VDI deployments. | Enabled **Use PowerShell cmdlets to schedule scans:** 
@@ -239,8 +229,8 @@ Signature updates | Turn on scan after signature update | A scan will occur imme - [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md) -- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) +- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-windows-defender-antivirus.md) +- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) - [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index b2b7a4640f..592aa7ffe9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md 
@@ -11,26 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/19/2018 +ms.date: 09/03/2018 --- # Specify the cloud-delivered protection level - - **Applies to:** -- Windows 10, version 1703 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager (current branch) -- Intune +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. 
@@ -39,27 +27,6 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi -**Use Group Policy to specify the level of cloud-delivered protection:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**. - -1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - 1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files. - 2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection). - -1. Click **OK**. - - -**Use Configuration Manager to specify the level of cloud-delivered protection:** - -1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). - **Use Intune to specify the level of cloud-delivered protection:** 1. Sign in to the [Azure portal](https://portal.azure.com). 
@@ -80,6 +47,28 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) +**Use Configuration Manager to specify the level of cloud-delivered protection:** + +1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). + +**Use Group Policy to specify the level of cloud-delivered protection:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**. + +1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: + 1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files. + 2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection). + +1. Click **OK**. + + + ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index 28d890360d..ae18d78a72 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -11,18 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Troubleshoot Windows Defender Antivirus reporting in Update Compliance **Applies to:** -- Windows 10 - -**Audience** - -- IT administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues. @@ -31,7 +27,7 @@ Typically, the most common indicators of a problem are: - You do not see any devices at all - The reports and information you do see is outdated (older than a few days) -For common error codes and event IDs related to the Windows Defender AV service that are not related to Update Compliance, see the [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md) topic. +For common error codes and event IDs related to the Windows Defender Antivirus service that are not related to Update Compliance, see [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md). There are three steps to troubleshooting these problems: 
@@ -40,12 +36,12 @@ There are three steps to troubleshooting these problems: 3. Submit support logs >[!IMPORTANT] ->It typically takes 3 days for devices to start appearing in Update Compliance +>It typically takes 3 days for devices to start appearing in Update Compliance. ## Confirm pre-requisites -In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender AV protection: +In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender Antivirus: >[!div class="checklist"] >- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance. @@ -67,4 +63,4 @@ If the above pre-requisites have all been met, you may need to proceed to the ne ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index c71d3ab6c0..a40df9b551 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md 
@@ -11,45 +11,40 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/16/2018 +ms.date: 09/11/2018 --- -# Review event logs and error codes to troubleshoot issues with Windows Defender AV +# Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus +**Applies to:** -**Applies to** -- Windows 10 -- Windows Server 2016 - -**Audience** - -- Enterprise security administrators - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. The tables list: -- [Windows Defender AV event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016) -- [Windows Defender AV client error codes](#error-codes) -- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes) +- [Windows Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016) +- [Windows Defender Antivirus client error codes](#error-codes) +- [Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Windows Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: + >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking -## Windows Defender AV event IDs +## Windows Defender Antivirus event IDs -Windows Defender AV records event IDs in the Windows event log. 
+Windows Defender Antivirus records event IDs in the Windows event log. -You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. +You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender Antivirus client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. -The table in this section lists the main Windows Defender AV event IDs and, where possible, provides suggested solutions to fix or resolve the error. +The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error. -**To view a Windows Defender AV event** +**To view a Windows Defender Antivirus event** 1. Open **Event Viewer**. 2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**. @@ -330,7 +325,7 @@ Description of the error. User action: -The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. +The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Windows Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. To troubleshoot this event:
          1. Run the scan again.
          2. @@ -438,7 +433,7 @@ Message: Description: -Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following: +Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
            User: <Domain>\\<User>
            Name: <Threat name>
            @@ -490,7 +485,7 @@ Message: Description: -Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following: +Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
            User: <Domain>\\<User>
            Name: <Threat name>
            @@ -549,7 +544,7 @@ Message: Description: -Windows Defender has restored an item from quarantine. For more information please see the following: +Windows Defender Antivirus has restored an item from quarantine. For more information please see the following:
            Name: <Threat name>
            ID: <Threat ID>
            @@ -593,7 +588,7 @@ Message: Description: -Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following: +Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information please see the following:
            Name: <Threat name>
            ID: <Threat ID>
            @@ -640,7 +635,7 @@ Message: Description: -Windows Defender has deleted an item from quarantine. +Windows Defender Antivirus has deleted an item from quarantine. For more information please see the following:
            Name: <Threat name>
            @@ -684,7 +679,7 @@ Message: Description: -Windows Defender has encountered an error trying to delete an item from quarantine. +Windows Defender Antivirus has encountered an error trying to delete an item from quarantine. For more information please see the following:
            Name: <Threat name>
@@ -732,7 +727,7 @@ Message: Description:
-Windows Defender has removed history of malware and other potentially unwanted software.
+Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
            Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
            User: <Domain>\\<User>
@@ -763,7 +758,7 @@ The antimalware platform could not delete history of malware and other potential
Description:
-Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
+Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
            Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
            User: <Domain>\\<User>
@@ -798,7 +793,7 @@ Message: Description:
-Windows Defender has detected a suspicious behavior.
+Windows Defender Antivirus has detected a suspicious behavior.
For more information please see the following:
            Name: <Threat name>
@@ -876,7 +871,7 @@ Message: Description:
-Windows Defender has detected malware or other potentially unwanted software.
+Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
            Name: <Threat name>
@@ -930,7 +925,7 @@ UAC User action:
-No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.
+No action is required. Windows Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender Antivirus interface, click Clean Computer.
@@ -958,7 +953,7 @@ Message: Description:
-Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.
+Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
For more information please see the following:
            Name: <Threat name>
            @@ -1020,7 +1015,7 @@ Description of the error.
            Signature Version: <Definition version>
            Engine Version: <Antimalware Engine version>
NOTE:
-Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
              +Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
              • Default Internet Explorer or Microsoft Edge setting
              • User Access Control settings
              • Chrome settings
•
@@ -1059,7 +1054,7 @@ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Se
User action:
-No action is necessary. Windows Defender removed or quarantined a threat.
+No action is necessary. Windows Defender Antivirus removed or quarantined a threat.
@@ -1086,7 +1081,7 @@ Message: Description:
-Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software.
+Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
                Name: <Threat name>
@@ -1155,7 +1150,7 @@ Description of the error. User action:
-No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.
+No action is necessary. Windows Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
@@ -1182,7 +1177,7 @@ Message: Description:
-Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software.
+Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
For more information please see the following:
                Name: <Threat name>
@@ -1251,7 +1246,7 @@ Description of the error. User action:
-The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
+The Windows Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
@@ -1314,7 +1309,7 @@ Symbolic name: Message:
@@ -1322,7 +1317,7 @@ Message: Description:
@@ -1456,7 +1451,7 @@ Message: Description:
@@ -1506,7 +1501,7 @@ Message: Description:
@@ -1625,7 +1620,7 @@ Message: Description:
@@ -1947,7 +1942,7 @@ Message: Description:
@@ -2126,7 +2121,7 @@ Message: Description:
@@ -2153,7 +2148,7 @@ Message: Description:
@@ -2215,7 +2210,7 @@ Message: Description:
@@ -2243,7 +2238,7 @@ Message: Description:
@@ -2270,7 +2265,7 @@ Message: Description:
@@ -2294,7 +2289,7 @@ User action:
@@ -2322,7 +2317,7 @@ Message: Description:
@@ -2369,7 +2364,7 @@ Message: Description:
@@ -2396,7 +2391,7 @@ Message: Description:
@@ -2424,7 +2419,7 @@ Message: Description:
@@ -2494,7 +2489,7 @@ Message: Description:
@@ -2587,7 +2582,7 @@ Message: Description:
@@ -2613,7 +2608,7 @@ Message: Description:
@@ -2641,7 +2636,7 @@ Message: Description:
@@ -2669,10 +2664,10 @@ Message: Description:
@@ -2701,7 +2696,7 @@ Message: Description:
Action
-Windows Defender has deduced the hashes for a threat resource.
+Windows Defender Antivirus has deduced the hashes for a threat resource.
-Windows Defender client is up and running in a healthy state.
+Windows Defender Antivirus client is up and running in a healthy state.
                Current Platform Version: <Current platform version>
                Threat Resource Path: <Path>
                @@ -1361,7 +1356,7 @@ Message: Description:
-Windows Defender client is up and running in a healthy state.
+Windows Defender Antivirus client is up and running in a healthy state.
                Platform Version: <Current platform version>
                Signature Version: <Definition version>
                @@ -1402,7 +1397,7 @@ Message: Description:
-Windows Defender client health report.
+Antivirus client health report.
                Platform Version: <Current platform version>
                Engine Version: <Antimalware Engine version>
                @@ -1422,10 +1417,10 @@ Windows Defender client health report.
                Antispyware signature creation time: ?<Antispyware signature creation time>
                Last quick scan start time: ?<Last quick scan start time>
                Last quick scan end time: ?<Last quick scan end time>
                -
                Last quick scan source: <Last quick scan source> (1 = scheduled, 2 = on demand)
                +
                Last quick scan source: <Last quick scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
                Last full scan start time: ?<Last full scan start time>
                Last full scan end time: ?<Last full scan end time>
                -
                Last full scan source: <Last full scan source> (1 = scheduled, 2 = on demand)
                +
                Last full scan source: <Last full scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
                Product status: For internal troubleshooting
-Windows Defender signature version has been updated.
+Antivirus signature version has been updated.
                Current Signature Version: <Current signature version>
                Previous Signature Version: <Previous signature version>
                @@ -1479,7 +1474,7 @@ Windows Defender signature version has been updated. User action:
-No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.
+No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
-Windows Defender has encountered an error trying to update signatures.
+Windows Defender Antivirus has encountered an error trying to update signatures.
                New Signature Version: <New version number>
                Previous Signature Version: <Previous signature version>
                @@ -1584,7 +1579,7 @@ Message: Description:
-Windows Defender engine version has been updated.
+Windows Defender Antivirus engine version has been updated.
                Current Engine Version: <Current engine version>
                Previous Engine Version: <Previous engine version>
                @@ -1598,7 +1593,7 @@ Windows Defender engine version has been updated. User action:
-No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
+No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
-Windows Defender has encountered an error trying to update the engine.
+Windows Defender Antivirus has encountered an error trying to update the engine.
                New Engine Version:
                Previous Engine Version: <Previous engine version>
                @@ -1643,7 +1638,7 @@ Description of the error. User action:
-The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
+The Windows Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
To troubleshoot this event:
                1. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
                2. @@ -1675,7 +1670,7 @@ Message: Description:
-Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
+Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
                Signatures Attempted:
Error Code: <Error code>
@@ -1692,7 +1687,7 @@ Description of the error.
                User action:
-The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.
+The Windows Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender Antivirus will attempt to revert back to a known-good set of definitions.
To troubleshoot this event:
                1. Restart the computer and try again.
                2. @@ -1727,7 +1722,7 @@ Message: Description:
-Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
+Windows Defender Antivirus could not load antimalware engine because current platform version is not supported. Windows Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
                Current Platform Version: <Current platform version>
                @@ -1758,7 +1753,7 @@ Message: Description:
-Windows Defender has encountered an error trying to update the platform.
+Windows Defender Antivirus has encountered an error trying to update the platform.
                Current Platform Version: <Current platform version>
Error Code: <Error code>
@@ -1791,7 +1786,7 @@ Message: Description:
-Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
+Windows Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender Antivirus platform to maintain the best level of protection available.
                Current Platform Version: <Current platform version>
                @@ -1822,7 +1817,7 @@ Message: Description:
-Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
+Windows Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
                Current Signature Version: <Current signature version>
                Signature Type: <Signature type>, for example:
                  @@ -1880,7 +1875,7 @@ Message: Description:
-Windows Defender used Dynamic Signature Service to discard obsolete signatures.
+Windows Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
                Current Signature Version: <Current signature version>
                Signature Type: <Signature type>, for example:
                  @@ -1919,7 +1914,7 @@ Windows Defender used Dynamic Signature Service to discard obsolete signa User action:
-No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
+No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
-Windows Defender has encountered an error trying to use Dynamic Signature Service.
+Windows Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
                Current Signature Version: <Current signature version>
                Signature Type: <Signature type>, for example:
                  @@ -2017,7 +2012,7 @@ Message: Description:
-Windows Defender discarded all Dynamic Signature Service signatures.
+Windows Defender Antivirus discarded all Dynamic Signature Service signatures.
                Current Signature Version: <Current signature version>
                @@ -2048,7 +2043,7 @@ Message: Description:
-Windows Defender downloaded a clean file.
+Windows Defender Antivirus downloaded a clean file.
                Filename: <File name> Name of the file.
                @@ -2081,7 +2076,7 @@ Message: Description:
-Windows Defender has encountered an error trying to download a clean file.
+Windows Defender Antivirus has encountered an error trying to download a clean file.
                Filename: <File name> Name of the file.
                @@ -2100,7 +2095,7 @@ User action:
Check your Internet connectivity settings.
-The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
+The Windows Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
-Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.
+Windows Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
-Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
+Windows Defender Antivirus has encountered an error trying to download and configure offline antivirus.
                Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
                @@ -2187,7 +2182,7 @@ Message: Description:
-The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
+The support for your operating system will expire shortly. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
-The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
+The support for your operating system has expired. Running Windows Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
-The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
+The support for your operating system has expired. Windows Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
-Windows Defender Real-Time Protection feature has encountered an error and failed.
+Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
                Feature: <Feature>, for example:
@@ -2284,7 +2279,7 @@ Windows Defender Real-Time Protection feature has encountered an error and faile
Result code associated with threat status. Standard HRESULT values.
                Error Description: <Error description> Description of the error.
                -
                Reason: The reason Windows Defender real-time protection has restarted a feature.
                +
                Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
You should restart the system then run a full scan because it's possible the system was not protected for some time.
-The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start.
+The Windows Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start.
If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
-Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
+Windows Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
                Feature: <Feature>, for example:
                  @@ -2332,7 +2327,7 @@ Windows Defender Real-time Protection has restarted a feature. It is recommended
                • Network Inspection System
                -
                Reason: The reason Windows Defender real-time protection has restarted a feature.
                +
                Reason: The reason Windows Defender Antivirus real-time protection has restarted a feature.
-Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.
+Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
-Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.
+Windows Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
-Windows Defender Real-time Protection feature configuration has changed.
+Windows Defender Antivirus real-time protection feature configuration has changed.
                Feature: <Feature>, for example:
                  @@ -2462,12 +2457,12 @@ Message: Description:
-Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
+Windows Defender Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: <Old value number>
-Old Windows Defender configuration value.
                +Old antivirus configuration value.
New value: <New value number>
-New Windows Defender configuration value.
                +New antivirus configuration value.
-Windows Defender engine has been terminated due to an unexpected error.
+Windows Defender Antivirus engine has been terminated due to an unexpected error.
Failure Type: <Failure type>, for example: Crash
@@ -2525,7 +2520,7 @@ To troubleshoot this event:
                  User action:
-The Windows Defender client engine stopped due to an unexpected error.
+The Windows Defender Antivirus client engine stopped due to an unexpected error.
To troubleshoot this event:
                1. Run the scan again.
                2. @@ -2560,7 +2555,7 @@ Message: Description:
-Windows Defender scanning for malware and other potentially unwanted software has been enabled.
+Windows Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
-Windows Defender scanning for malware and other potentially unwanted software is disabled.
+Windows Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
-Windows Defender scanning for viruses has been enabled.
+Windows Defender Antivirus scanning for viruses has been enabled.
-Windows Defender scanning for viruses is disabled.
+Windows Defender Antivirus scanning for viruses is disabled.
-Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
+Windows Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
                -
                Expiration Reason: The reason Windows Defender will expire.
                -
                Expiration Date: The date Windows Defender will expire.
                +
                Expiration Reason: The reason Windows Defender Antivirus will expire.
                +
                Expiration Date: The date Windows Defender Antivirus will expire.
-Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
+Windows Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
                Expiration Reason:
                Expiration Date:
                @@ -2715,7 +2710,7 @@ Description of the error.
-## Windows Defender client error codes
+## Windows Defender Antivirus client error codes
If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. This section provides the following information about Windows Defender Antivirus client errors.
- The error code
@@ -2765,7 +2760,7 @@ This error indicates that there might be a problem with your security product. Resolution
                1. Update the definitions. Either:
                    -
                  1. Click the Update definitions button on the Update tab in Windows Defender. Update definitions in Windows DefenderOr, +
                  2. Click the Update definitions button on the Update tab in Windows Defender Antivirus. Update definitions in Windows Defender AntivirusOr,
3. Download the latest definitions from the Windows Defender Security Intelligence site. Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.
@@ -2797,7 +2792,7 @@ data that does not allow the engine to function properly. Possible reason
-This error indicates that Windows Defender failed to quarantine a threat.
+This error indicates that Windows Defender Antivirus failed to quarantine a threat.
@@ -2865,7 +2860,7 @@ Follow the manual remediation steps outlined in the Windows Defender Offline
-article.
+Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
@@ -2916,15 +2910,15 @@ article. Possible reason
-This error indicates that Windows Defender does not support the current version of the platform and requires a new version of the platform.
+This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
Resolution
-You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
+You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
-The following error codes are used during internal testing of Windows Defender AV.
+The following error codes are used during internal testing of Windows Defender Antivirus.
If you see these errors, you can try to [update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
index f13977e93c..d4fbc2f0c0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
-title: Configure Windows Defender AV with Group Policy
-description: Configure Windows Defender AV settings with Group Policy
+title: Configure Windows Defender Antivirus with Group Policy
+description: Configure Windows Defender Antivirus settings with Group Policy
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -11,18 +11,18 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 09/03/2018
---
-# Use Group Policy settings to configure and manage Windows Defender AV
+# Use Group Policy settings to configure and manage Windows Defender Antivirus
**Applies to:**
-- Windows 10, version 1703
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
-In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
+In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@@ -41,15 +41,15 @@ The following table in this topic lists the Group Policy settings available in W
Location | Setting | Documented in topic
---|---|---
-Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
-Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
-Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
-MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender Antivirus
scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
+MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
@@ -59,23 +59,23 @@ Network inspection system | Specify additional definition sets for network traff
 Network inspection system | Turn on definition retirement | Not used
 Network inspection system | Turn on protocol recognition | Not used
 Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
 Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
 Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
 Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
 Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
 Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
 Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
 Reporting | Configure Watson events | Not used
 Reporting | Configure Windows software trace preprocessor components | Not used
 Reporting | Configure WPP tracing level | Not used
@@ -89,11 +89,11 @@ Root | Define addresses to bypass proxy server | Not used
 Root | Define proxy auto-config (.pac) for connecting to the network | Not used
 Root | Define proxy server for connecting to the network | Not used
 Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
-Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
-Root | Turn off routine remediation | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
-Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Root | Turn off routine remediation | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
 Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
 Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
 Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
@@ -103,25 +103,25 @@ Scan | Configure local setting override for schedule scan day | [Prevent or allo
 Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
 Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
 Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
-Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Turn on heuristics | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan network files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan packed executables | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Scan removable drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
-Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Create a system restore point | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Turn on heuristics | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan archive files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan network files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan packed executables | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan removable drives | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender Antivirus](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
 Signature updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
 Signature updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
 Signature updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
@@ -136,9 +136,9 @@ Signature updates | Initiate definition update on startup | [Manage event-based Signature updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) Signature updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) Signature updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) -Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md) -Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) -Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md) +Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) +Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) +Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index 403cf6a2e3..618ef1fa2f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Defender AV with Configuration Manager and Intune
+title: Configure Windows Defender Antivirus with Configuration Manager and Intune
 description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
 keywords: scep, intune, endpoint protection, configuration
 search.product: eADQiWindows 10XVcnh
@@ -11,14 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 07/19/2018 +ms.date: 09/03/2018 --- -# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV +# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender Antivirus -If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV. +**Applies to:** -In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. + +In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus. See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 8a77b98ed5..65ac1a5a70 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md 
@@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 12/12/2017 +ms.date: 09/03/2018 --- -# Use PowerShell cmdlets to configure and manage Windows Defender AV +# Use PowerShell cmdlets to configure and manage Windows Defender Antivirus **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx). 
@@ -27,7 +27,7 @@ For a list of the cmdlets and their functions and available parameters, see the PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE] -> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). +> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. @@ -36,7 +36,7 @@ You can [configure which settings can be overridden locally with local policy ov PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. -**Use Windows Defender AV PowerShell cmdlets:** +**Use Windows Defender Antivirus PowerShell cmdlets:** 1. Click **Start**, type **powershell**, and press **Enter**. 2. Click **Windows PowerShell** to open the interface. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
index f8c35eb6c8..4d68937d13 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md
@@ -1,5 +1,5 @@
 ---
-title: Configure Windows Defender AV with WMI
+title: Configure Windows Defender Antivirus with WMI
 description: Use WMI scripts to configure Windows Defender AV.
 keywords: wmi, scripts, windows management instrumentation, configuration
 search.product: eADQiWindows 10XVcnh
@@ -11,22 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/26/2017 +ms.date: 09/03/2018 --- -# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV +# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender Antivirus **Applies to:** -- Windows 10 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx). -Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md). +Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md). -The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts. +The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts. Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index fc5487d680..3c436236fe 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -11,18 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/21/2018 +ms.date: 09/03/2018 --- # Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection **Applies to:** -- Windows 10, version 1703 and later - -**Audience** - -- Enterprise security administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. 
@@ -79,5 +75,5 @@ You can also [configure Windows Defender AV to automatically receive new protect
 [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
 [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
 [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
-[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
+[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
 [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
index db9fd10f0d..10022efbdd 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
@@ -11,26 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/04/2018 +ms.date: 09/03/2018 --- - # Windows Defender Antivirus compatibility - **Applies to:** -- Windows 10 -- Windows Server 2016 - -**Audience** - -- Enterprise security administrators - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. -However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). +However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself. You can then choose to enable an optional, limited protection feature, called [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode. 
@@ -80,11 +72,11 @@ In passive and automatic disabled mode, you can still [manage updates for Window If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode. >[!WARNING] ->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app. +>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Security app. > >This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. > ->It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). +>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md). ## Related topics
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
index ae39992504..1ef9d7b879 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@@ -11,60 +11,51 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Windows Defender Antivirus in Windows 10 and Windows Server 2016 -**Applies to** -- Windows 10 -- Windows Server 2016 +**Applies to:** -Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -This library of documentation is for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network. +Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. -For more important information about running Windows Defender on a server platform, see [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). +Windows Defender Antivirus includes: +- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus. 
+- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection") +- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research -Windows Defender AV can be managed with: -- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) -- Microsoft Intune - -It can be configured with: +You can configure and manage Windows Defender Antivirus with: - System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) - Microsoft Intune - PowerShell - Windows Management Instrumentation (WMI) - Group Policy -Some of the highlights of Windows Defender AV include: -- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus. 
-- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection") -- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research - - >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: +>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking ## What's new in Windows 10, version 1803 -- The [Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -- The [Virus & threat protection area in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) now includes a section for Ransomware protection. It includes Controlled folder access settings and Ransomware recovery settings. +- The [block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +- The [Virus & threat protection area in the Windows Security app](windows-defender-security-center-antivirus.md) now includes a section for ransomware protection. It includes controlled folder access settings and ransomware recovery settings. 
## What's new in Windows 10, version 1703 -New features for Windows Defender AV in Windows 10, version 1703 include: -- [Updates to how the Block at First Sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md) +New features for Windows Defender Antivirus in Windows 10, version 1703 include: +- [Updates to how the block at first sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md) - [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md) -- [Windows Defender Antivirus protection in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) +- [Windows Defender Antivirus protection in the Windows Security app](windows-defender-security-center-antivirus.md) -We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender AV, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios: -- [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md) -- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md) +We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender Antivirus, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios: +- [Evaluation guide for Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md) 
@@ -74,25 +65,17 @@ Windows Defender AV has the same hardware requirements as Windows 10. For more i - [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx) - [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx) +Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016; however, [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). -Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic. +## Related topics -Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md). - - - - -## In this library - -Topic | Description -:---|:--- -[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) | The Windows Defender Security Center combines the settings and notifications from the previous Windows Defender AV app and Windows Settings in one easy-to-manage place -[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) | Windows Defender AV can be used on Windows Server 2016, and features the same configuration and management capabilities as the Windows 10 version - with some added features for automatic exclusions -[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) | Windows Defender AV operates in different modes depending on whether it detects other AV products or if you are using Windows Defender Advanced Threat Protection -[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script -[Deploy, manage 
updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools -[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings -[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected -[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues -[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here +[Windows Defender AV in the Windows Security app](windows-defender-security-center-antivirus.md) +[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) +[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) +[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) +[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) +[Configure Windows Defender AV 
features](configure-windows-defender-antivirus-features.md)
+[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
+[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index f8fb6d41ba..c86a30f578 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -11,30 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/11/2018 +ms.date: 09/03/2018 --- - # Windows Defender Antivirus on Windows Server 2016 - **Applies to:** -- Windows Server 2016 - -**Audience** - -- Enterprise security administrators -- Network administrators - - -**Manageability available with** - -- Group Policy -- System Center Configuration Manager -- PowerShell -- Windows Management Instrumentation (WMI) - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
@@ -60,7 +44,7 @@ This topic includes the following instructions for setting up and running Window By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required. >[!NOTE] ->You can't uninstall the Windows Defender Security Center app, but you can disable the interface with these instructions. +>You can't uninstall the Windows Security app, but you can disable the interface with these instructions. If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
index c58ed524ef..279bf6d452 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md
@@ -11,31 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- # Run and review the results of a Windows Defender Offline scan - **Applies to:** -- Windows 10, version 1607 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy -- PowerShell cmdlets -- Windows Management Instruction (WMI) +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak. -In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. +In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. ## Pre-requisites and requirements
@@ -97,7 +86,7 @@ You can run a Windows Defender Offline scan with the following: - PowerShell - Windows Management Instrumentation (WMI) -- The Windows Defender Security Center app +- The Windows Security app
@@ -127,7 +116,7 @@ See the following for more information: **Use the Windows Defender Security app to run an offline scan:** -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
@@ -141,10 +130,10 @@ See the following for more information: ## Review scan results -Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). +Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## Related topics - [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index e7349b1a3f..11a9537dac 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -1,6 +1,6 @@
 ---
-title: Windows Defender Antivirus in the Windows Defender Security Center app
-description: Windows Defender AV is now included in the Windows Defender Security Center app.
+title: Windows Defender Antivirus in the Windows Security app
+description: Windows Defender AV is now included in the Windows Security app.
 keywords: wdav, antivirus, firewall, security, windows
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,25 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 09/03/2018 --- -# Windows Defender Antivirus in the Windows Defender Security Center app +# Windows Defender Antivirus in the Windows Security app -**Applies to** +**Applies to:** -- Windows 10, version 1703 and later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- End-users - -**Manageability available with** - -- Windows Defender Security Center app - - -In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Defender Security Center. +In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
@@ -37,27 +28,27 @@ Settings that were previously part of the Windows Defender client and main Windo > Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. > [!WARNING] -> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. >It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. >This will significantly lower the protection of your device and could lead to malware infection. -See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. +See the [Windows Security topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. >[!NOTE] ->The Windows Defender Security Center app is a client interface on Windows 10, version 1703 and later. 
It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). -**Review virus and threat protection settings in the Windows Defender Security Center app:** +**Review virus and threat protection settings in the Windows Security app:** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) +![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) ## Comparison of settings and functions of the old app and the new app -All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security Center app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. +All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. 
Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. The following diagrams compare the location of settings and functions between the old and new apps:
@@ -76,14 +67,14 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De ## Common tasks -This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Defender Security Center app. +This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app. > [!NOTE] > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured. -**Run a scan with the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Run a scan with the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -92,8 +83,8 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan. -**Review the definition update version and download the latest updates in the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Review the definition update version and download the latest updates in the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -105,9 +96,9 @@ This section describes how to perform some of the most common tasks when reviewi -**Ensure Windows Defender Antivirus is enabled in the Windows Defender Security Center app** +**Ensure Windows Defender Antivirus is enabled in the Windows Security app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -117,12 +108,12 @@ This section describes how to perform some of the most common tasks when reviewi >[!NOTE] >If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. ->If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). +>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). -**Add exclusions for Windows Defender Antivirus in the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Add exclusions for Windows Defender Antivirus in the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
@@ -144,7 +135,7 @@ This section describes how to perform some of the most common tasks when reviewi **Set ransomware protection and recovery options** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 1d9c033045..123f439d6f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -21,6 +21,7 @@
 ### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
 ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
 ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
+### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
 ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
 #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
 #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
index cf8105dc69..f876e2a21b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md
index ac9277f3b2..19441d1b3a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 03/01/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
index e6c1d39bd4..689be7ba29 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
@@ -13,7 +14,7 @@ ms.date: 09/21/2017 # Administer AppLocker **Applies to** - - Windows 10 + - Windows 10 - Windows Server This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
@@ -65,6 +66,6 @@ You must have Edit Setting permission to edit a GPO. By default, members of the ## Using Windows PowerShell to administer AppLocker -For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](http://technet.microsoft.com/library/hh847210.aspx). +For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](https://technet.microsoft.com/library/hh847210.aspx).     diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index 3544866752..8b526e85fa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index 9210e50905..e1d9bba88b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index ec754cf12c..c939e91051 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index 26b4d23de4..b6c2c868d6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
index 09a77338da..36e0ac5981 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
index 3089c59df8..c4b962b01a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
index 5ba8623822..ee4c5fe937 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
index dcc657973f..054ee9ef62 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
index 3330eda208..44b08ac93f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 06/08/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
index 66187c838a..953ead6f1e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
index a72ff3932a..dbc018a25b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
index 16266b4bae..f5511d3cc8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index eace7b9b57..c756426699 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/02/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
index e40454320d..a97aa2c7cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
index 699a7c233a..b21e2e2528 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
index 30344b2d69..ec420bcac6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
index 77e783422f..9eec93864f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
index 55249cd6d8..76e4917930 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
index 58f90360cf..7f38968703 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
index 51965b4116..1848f8085f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index b86eb4c12e..1e07df2d5b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index ffbec0bb55..7c12e10af2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -6,8 +6,9 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft -ms.date: 09/21/2017 +ms.date: 08/02/2018 --- # Delete an AppLocker rule 
@@ -16,7 +17,7 @@ ms.date: 09/21/2017 - Windows 10 - Windows Server -This topic for IT professionals describes the steps to delete an AppLocker rule. +This topic for IT professionals describes the steps to delete an AppLocker rule. As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. @@ -25,6 +26,8 @@ For info about testing an AppLocker policy to see what rules affect which files You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). +These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings. + **To delete a rule in an AppLocker policy** 1. Open the AppLocker console. @@ -43,6 +46,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML       + To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 0e6056ffe2..3457f579f9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
index 2df842862c..c3be5b8cd7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
index 34d351396b..6acc47d3c4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index 65cb27bc2f..e81f42d528 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- @@ -13,7 +14,7 @@ ms.date: 09/21/2017 # Determine which apps are digitally signed on a reference device **Applies to** - - Windows 10 + - Windows 10 - Windows Server This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. @@ -29,7 +30,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 2. Analyze the publisher's name and digital signature status from the output of the command. -For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](http://technet.microsoft.com/library/ee460961.aspx). +For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](https://technet.microsoft.com/library/ee460961.aspx). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index a73fc8b1cd..bca3d32254 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index 3e7efbb672..393294a921 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -6,6 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index be67db5038..cea7ab6ca2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index b14ec68862..01f5f91d5d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -5,6 +5,7 @@ ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.pagetype: security
 ms.date: 09/21/2017
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index faeb7da296..7b6244b2eb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index da3b193ffe..8f9183d2d5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 01886f6af8..c03fb9d05e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
index 5ade426b41..b620e305a4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
index 5593a53034..a915311c12 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
index 4fba782a8d..6ef53ce437 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
index bac088407a..1ac1c9ce81 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
index b442b268b0..000441d121 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
index d4fdf2d40e..71956ee4d9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
index da6e9d1a9c..536d75e6ad 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
index 2ffbc23507..b880da4f7e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
index f3bef329a4..0785d8c4b0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
index 7a8937b222..dfb5a0b633 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
index 3522e95463..6f54125e98 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
@@ -13,14 +14,14 @@ ms.date: 09/21/2017 # Manage packaged apps with AppLocker **Applies to** - - Windows 10 + - Windows 10 - Windows Server This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. ## Understanding Packaged apps and Packaged app installers for AppLocker -Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. +Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. With packaged apps, it is possible to control the entire app by using a single AppLocker rule. >**Note:**  AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps. 
@@ -29,7 +30,7 @@ Typically, an app consists of multiple components: the installer that is used to ### Comparing classic Windows apps and packaged apps -AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server +AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: - **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. 
@@ -48,7 +49,7 @@ You can use two methods to create an inventory of packaged apps on a computer: t >**Note:**  Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).   -For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx). +For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](https://technet.microsoft.com/library/hh847210.aspx). For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). 
@@ -56,7 +57,7 @@ Consider the following info when you are designing and deploying apps: - Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps is not necessary. - You cannot create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps were not always consistently signed; therefore, AppLocker has to support hash- or path-based rules. -- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or +- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design. To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. 
You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection. @@ -67,7 +68,7 @@ Just as there are differences in managing each rule collection, you need to mana 1. Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). -2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](http://technet.microsoft.com/library/ee460941(WS.10).aspx). +2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](https://technet.microsoft.com/library/ee460941(WS.10).aspx). 3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 62d120be4b..5de1967090 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md 
@@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- @@ -13,14 +14,14 @@ ms.date: 09/21/2017 # Merge AppLocker policies by using Set-ApplockerPolicy **Applies to** - - Windows 10 + - Windows 10 - Windows Server This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy. -For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx). +For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](https://technet.microsoft.com/library/hh847212.aspx). For info about using Windows PowerShell for AppLocker, including how to import the AppLocker cmdlets into Windows PowerShell, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index 9becb2ec65..d77a10fb74 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 08cd3572ad..d7dec8dac9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index a9c80b2eac..cda020c5b7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 685667b11c..8911d1bf9e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 10/13/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 995eb8fedc..f4d78c2168 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index 6812987ac1..5eb4f002d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 7d0bc2af2c..df08c99d15 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 70eb43cab4..d816c2e3df 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -14,7 +14,7 @@ ms.date: 09/21/2017 # Requirements to use AppLocker **Applies to** - - Windows 10 + - Windows 10 - Windows Server This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. 
@@ -35,21 +35,21 @@ The following table show the on which operating systems AppLocker features are s | Version | Can be configured | Can be enforced | Available rules | Notes | | - | - | - | - | - | -| Windows 10| Yes| Yes| Packaged apps
                    Executable
                    Windows Installer
                    Script
                    DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. | -| Windows Server 2016
                    Windows Server 2012 R2
                    Windows Server 2012| Yes| Yes| Packaged apps
                    Executable
                    Windows Installer
                    Script
                    DLL| | +| Windows 10| Yes| Yes| Packaged apps
                    Executable
                    Windows Installer
                    Script
                    DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. | +| Windows Server 2016
                    Windows Server 2012 R2
                    Windows Server 2012| Yes| Yes| Packaged apps
                    Executable
                    Windows Installer
                    Script
                    DLL| | | Windows 8.1 Pro| Yes| No| N/A|| -| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
                    Executable
                    Windows Installer
                    Script
                    DLL| | -| Windows RT 8.1| No| No| N/A|| +| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
                    Executable
                    Windows Installer
                    Script
                    DLL| | +| Windows RT 8.1| No| No| N/A|| | Windows 8 Pro| Yes| No| N/A|| -| Windows 8 Enterprise| Yes| Yes| Packaged apps
                    Executable
                    Windows Installer
                    Script
                    DLL|| -| Windows RT| No| No| N/A| | +| Windows 8 Enterprise| Yes| Yes| Packaged apps
                    Executable
                    Windows Installer
                    Script
                    DLL|| +| Windows RT| No| No| N/A| | | Windows Server 2008 R2 Standard| Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| | Windows Server 2008 R2 Enterprise|Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| -| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| -| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| +| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| | Windows 7 Ultimate| Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| -| Windows 7 Enterprise| Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| -| Windows 7 Professional| Yes| No| Executable
                    Windows Installer
                    Script
                    DLL| No AppLocker rules are enforced.| +| Windows 7 Enterprise| Yes| Yes| Executable
                    Windows Installer
                    Script
                    DLL| Packaged app rules will not be enforced.| +| Windows 7 Professional| Yes| No| Executable
                    Windows Installer
                    Script
                    DLL| No AppLocker rules are enforced.|   AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index 39ac2f8cc8..174b721e32 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index d31c811eb4..6fab819f0e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index a1189105f5..a6b7813076 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- 
@@ -13,19 +14,19 @@ ms.date: 09/21/2017
 # Security considerations for AppLocker
 **Applies to**
- - Windows 10
+ - Windows 10
 - Windows Server
 This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
-The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for
+The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for
 AppLocker: AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer.
-Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/ee460962.aspx).
+Microsoft does not provide a way to develop any extensions to AppLocker. 
The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/ee460962.aspx).
 AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
index 0590a63b72..6d3979d91f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index 6c210aa053..453ab0eb53 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index ec71166da6..27c90949d6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index fe25d088f2..b78412c268 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index 009f8a35ab..5e696490b6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 4e1b579be2..66ac0616c3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 10/13/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 8c9da9bfcd..c85924b254 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index 07a4161fda..35b9675e4c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index b216fa6fa5..b8dff87c25 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
index 7b9bbb1637..fdba7959a0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
index 4ec88b21fc..a7077bd6b7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
index 7e6d3a3a64..cf5e0d7301 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
index e2a66c497c..93e36b568f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
index c7817633da..56ef43a232 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index 31ac2a2881..bf60367a08 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 1b711c83d1..46a0ba3967 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index b584cf1375..612e3824d2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index 0f8cc64fbc..45529acef2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
@@ -14,7 +15,7 @@ ms.date: 09/21/2017
 # Use a reference device to create and maintain AppLocker policies
 **Applies to**
- - Windows 10
+ - Windows 10
 - Windows Server
 This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
@@ -58,8 +59,8 @@ If AppLocker policies are currently running in your production environment, expo
 You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step:
-- [Test an AppLocker Policy with Test-AppLockerPolicy](http://technet.microsoft.com/library/ee791772(WS.10).aspx)
-- [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx)
+- [Test an AppLocker Policy with Test-AppLockerPolicy](https://technet.microsoft.com/library/ee791772(WS.10).aspx)
+- [Discover the Effect of an AppLocker Policy](https://technet.microsoft.com/library/ee791823(WS.10).aspx)
 >**Caution:**  If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.  
@@ -69,7 +70,7 @@ When the AppLocker policy has been tested successfully, it can be imported into
 - [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
 - [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or
-- [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx)
+- [Discover the Effect of an AppLocker Policy](https://technet.microsoft.com/library/ee791823(WS.10).aspx)
 If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index 71bfcb91e5..e5cd39f92c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 30a919b546..686d4be09d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
@@ -13,41 +14,41 @@ ms.date: 09/21/2017
 # Use the AppLocker Windows PowerShell cmdlets
 **Applies to**
- - Windows 10
+ - Windows 10
 - Windows Server
 This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
 ## AppLocker Windows PowerShell cmdlets
-The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the
+The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the
 Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console.
-To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the
+To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the
 Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer. 
### Retrieve application information
-The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information.
+The [Get-AppLockerFileInformation](https://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information.
 File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
 ### Set AppLocker policy
-The [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.
+The [Set-AppLockerPolicy](https://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.
 ### Retrieve an AppLocker policy
-The [Get-AppLockerPolicy](http://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string.
+The [Get-AppLockerPolicy](https://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string. 
### Generate rules for a given user or group
-The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the
+The [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the
 list of file information.
 ### Test the AppLocker Policy against a file set
-The [Test-AppLockerPolicy](http://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user.
+The [Test-AppLockerPolicy](https://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user.
 ## Additional resources
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index 19b0fe1159..36b1d0017d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
index 09a6f698ed..6d7fb0b8d9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
index 3f65a1e334..292c50818f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index 544b30162f..47b6d2df84 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
index 2c487d8854..9926340d47 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
index 4cb0d0390a..83fd5dc5c5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -6,8 +6,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
-ms.date: 09/21/2017
+author: andreabichsel
+ms.localizationpriority: medium
+msauthor: v-anbic
+ms.date: 08/27/2018
 ---
 # Working with AppLocker rules 
@@ -60,6 +62,8 @@ The AppLocker console is organized into rule collections, which are executable f
 When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections).
+
+EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file.   ## Rule conditions
@@ -112,7 +116,7 @@ The following table details these path variables.
 | Windows directory or disk | AppLocker path variable | Windows environment variable |
 | - | - | - |
 | Windows| %WINDIR%| %SystemRoot%|
-| System32| %SYSTEM32%| %SystemDirectory%|
+| System32 and SysWOW64| %SYSTEM32%| %SystemDirectory%|
 | Windows installation directory| %OSDRIVE%| %SystemDrive%|
 | Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% |
 | Removable media (for example, a CD or DVD)| %REMOVABLE%| |
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index f2d785d66a..740a8eab56 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -18,7 +18,7 @@ ms.date: 05/03/2018
 - Windows 10
 - Windows Server 2016
-When WDAC policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
+Running Appication Control in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
 Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](#create-initial-default-policy).
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index 7303a1371c..54c89364d5 100644
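Review bot: The rewritten opening sentence has a typo, `Running Appication Control` for `Running Application Control`, and it also drops the only place in the paragraph where the WDAC abbreviation was introduced, so the next sentence's `While a WDAC policy is running in audit mode` now uses the acronym cold. Suggest `Running Windows Defender Application Control (WDAC) in audit mode allows administrators to ...`; the rest of the line is unchanged from the removed one.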
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: jsuther1974
 ms.date: 02/28/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
index c91ecd2bc3..e49dcb1440 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 09/21/2017
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index c2ea74a274..b6683d45c4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: jsuther1974
 ms.date: 02/28/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index a8c0e32665..46f8a8a3c8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: jsuther1974
 ms.date: 02/28/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 2012791205..857ab2ea09 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: justinha
 ms.date: 05/17/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md index 41f09c0b09..68bc862fd3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md +++ b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 09/21/2017 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 2754f9f13f..26155f371a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: jsuther1974 -ms.date: 07/16/2018 +ms.date: 08/31/2018 --- # Microsoft recommended block rules @@ -134,7 +134,10 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + @@ -655,32 +658,54 @@ Microsoft recommends that you block the following Microsoft-signed applications - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -767,7 +792,7 @@ Microsoft recommends that you block the following Microsoft-signed applications --> - + 
@@ -814,7 +839,10 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + @@ -1399,6 +1427,28 @@ Microsoft recommends that you block the following Microsoft-signed applications + + + + + + + + + + + + + + + + + + + + + + @@ -1407,7 +1457,7 @@ Microsoft recommends that you block the following Microsoft-signed applications 0 - + ```
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 239ebf291c..de4380bc34 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: jsuther1974
 ms.date: 02/21/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 3ebdf18aaf..1a987c35e7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: jsuther1974
 ms.date: 04/20/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
index 316dc3405f..40b5506097 100644
--- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
+++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: jsuther1974
 ms.date: 02/21/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index d973298558..94c511c911 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: jsuther1974
 ms.date: 02/08/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index fd0fd8af09..1423972366 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: jsuther1974
 ms.date: 02/28/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
new file mode 100644
index 0000000000..f126a1d3f3
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -0,0 +1,33 @@
+---
+title: Windows Defender Application Control and .NET Hardening (Windows 10)
+description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: morganbr
+ms.date: 08/20/2018
+---
+
+# Windows Defender Application Control and .NET hardening
+
+Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization.
+Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly.
+Beginning with Windows 10, version 1803, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime.
+
+When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources.
+Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with.
+
+Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries.
+Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled.
+Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy.
+
+To enable Dynamic Code Security, add the following option to the section of your policy:
+
+```xml
+
+
+```
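Review bot: The sentence `a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled` does not say whether those loads are blocked or allowed once the option is enforced, and that is the question a practitioner needs answered before turning it on: fail-closed means line-of-business apps break, fail-open means a gap in the policy, so one sentence stating which applies would resolve it. The audit-mode recommendation would also be more actionable if it named where the resulting events are written, for example the CodeIntegrity Operational log that the audit page touched by this same commit refers to. As rendered here the closing `xml` block is empty and the phrase `add the following option to the section of your policy` is missing the section name; this looks like markup lost in extraction, but it is worth confirming that the published page shows the option element and the target section.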
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 51bc9c068e..2c07c12e12 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -45,6 +45,9 @@ Group Policy can also be used to distribute Group Policy Objects that contain WD
 Prior to Windows 10, version 1709, Windows Defender Application Control was known as Windows Defender Device Guard configurable code integrity policies. Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser).
-For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](https://docs.microsoft.com/windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
+For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md).
+## See also
+- [WDAC design guide](windows-defender-application-control-design-guide.md)
+- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index af72b5b90d..d1ce22572e 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.author: justinha ms.date: 10/19/2017 @@ -12,15 +13,14 @@ ms.date: 10/19/2017 # Configure Windows Defender Application Guard policy settings +**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) + Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. Application Guard uses both network isolation and application-specific settings. ### Network isolation settings -**Applies to:** -- Windows 10 Enterpise edition, version 1709 or higher - These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. >[!NOTE] 
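Review bot: `**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP)` replaces the edition line that scoped the network isolation settings to Windows 10 Enterprise 1709 or higher, but the policy table later in this file still lists `Windows 10 Enterprise, 1709 or higher` and `Windows 10 Pro, 1803` per setting, and the requirements table added to install-wd-app-guard.md in the same commit gates the feature on OS edition, not on ATP. Readers who equate the feature with an ATP licence may try to configure it on unsupported editions; suggest keeping the OS line, e.g. `**Applies to:** Windows 10 Enterprise edition, version 1709 or higher; Windows 10 Pro edition, version 1803`, and if ATP is meant as a related product, listing it in addition rather than instead. The old line also carried the typo `Enterpise`, which the new text no longer has.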
@@ -38,10 +38,10 @@ These settings, located at **Computer Configuration\Administrative Templates\Win |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

                    Windows 10 Professional, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
                    • Disable the clipboard functionality completely when Virtualization Security is enabled.
                    • Enable copying of certain content from Application Guard into Microsoft Edge.
                    • Enable copying of certain content from Microsoft Edge into Application Guard.

                      **Important**
                      Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
                    **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

                    Windows 10 Professional, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
                    • Enable Application Guard to print into the XPS format.
                    • Enable Application Guard to print into the PDF format.
                    • Enable Application Guard to print to locally attached printers.
                    • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
                    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher

                    Windows 10 Professional, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

                    **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

                    Windows 10 Professional, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                    **Note**
                    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
                    **To reset the container:**
                    1. Open a command-line program and navigate to Windows/System32.
                    2. Type `wdagtool.exe cleanup`.
                      The container environment is reset, retaining only the employee-generated data.
                    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
                      The container environment is reset, including discarding all employee-generated data.
                    | +|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

                    Windows 10 Pro, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
                    • Disable the clipboard functionality completely when Virtualization Security is enabled.
                    • Enable copying of certain content from Application Guard into Microsoft Edge.
                    • Enable copying of certain content from Microsoft Edge into Application Guard.

                      **Important**
                      Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
                    **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

                    Windows 10 Pro, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
                    • Enable Application Guard to print into the XPS format.
                    • Enable Application Guard to print into the PDF format.
                    • Enable Application Guard to print to locally attached printers.
                    • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
                    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher

                    Windows 10 Pro, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

                    **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

                    Windows 10 Pro, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

                    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

                    **Note**
                    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
                    **To reset the container:**
                    1. Open a command-line program and navigate to Windows/System32.
                    2. Type `wdagtool.exe cleanup`.
                      The container environment is reset, retaining only the employee-generated data.
                    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
                      The container environment is reset, including discarding all employee-generated data.
                    | |Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

                    **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

                    **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803

                    (experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

                      **Important**
                      Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

                    **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.

                    **Note**
                    This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index dcea68cace..06a0ab7b13 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.author: justinha ms.date: 11/07/2017 @@ -12,9 +13,7 @@ ms.date: 11/07/2017 # Frequently asked questions - Windows Defender Application Guard -**Applies to:** -- Windows 10 Enterpise edition, version 1709 or higher -- Windows 10 Professional edition, version 1803 +**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 037fb26536..c483df5917 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md 
@@ -1,23 +1,55 @@ --- -title: Prepare and install Windows Defender Application Guard (Windows 10) +title: Enable hardware-based isolation for Microsoft Edge (Windows 10) description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.author: justinha ms.date: 10/19/2017 --- -## Prepare to install Windows Defender Application Guard +# Prepare to install Windows Defender Application Guard + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +## Review system requirements + +>[!NOTE] +>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. + +### Hardware requirements +Your environment needs the following hardware to run Windows Defender Application Guard. + +|Hardware|Description| +|--------|-----------| +|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

                    **-AND-**

                    One of the following virtualization extensions for VBS:

                    VT-x (Intel)

                    **-OR-**

                    AMD-V| +|Hardware memory|Microsoft requires a minimum of 8GB RAM| +|Hard disk|5 GB free space, solid state disk (SSD) recommended| +|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| + +### Software requirements +Your environment needs the following software to run Windows Defender Application Guard. + +|Software|Description| +|--------|-----------| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
                    Windows 10 Professional edition, version 1803| +|Browser|Microsoft Edge and Internet Explorer| +|Management system
                    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

                    **-OR-**

                    [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

                    **-OR-**

                    [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

                    **-OR-**

                    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| + + +## Prepare for Windows Defender Application Guard Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. **Standalone mode** Applies to: - Windows 10 Enterprise edition, version 1709 or higher -- Windows 10 Professional edition, version 1803 +- Windows 10 Pro edition, version 1803 Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-wd-app-guard.md) testing scenario. diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 413a76b74a..ea9ccb6b07 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -5,6 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.author: justinha ms.date: 11/09/2017 
@@ -12,9 +13,7 @@ ms.date: 11/09/2017 # System requirements for Windows Defender Application Guard -**Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher -- Windows 10 Professional edition, version 1803 +**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. 
@@ -26,7 +25,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio |Hardware|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

                    **-AND-**

                    One of the following virtualization extensions for VBS:

                    VT-x (Intel)

                    **-OR-**

                    AMD-V| |Hardware memory|Microsoft requires a minimum of 8GB RAM| |Hard disk|5 GB free space, solid state disk (SSD) recommended| diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index cffffca2da..b05ad26647 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -5,18 +5,20 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.author: justinha ms.date: 10/19/2017 --- -# Testing scenarios using Windows Defender Application Guard in your business or organization +# Application Guard testing scenarios -We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization. -**Applies to:** -- Windows 10 Enterpise edition, version 1709 or higher -- Windows 10 Professional edition, version 1803 +**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. + ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 0fb816ceab..de2039986d 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md 
@@ -5,16 +5,15 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 07/09/2018 +ms.date: 09/07/2018 --- # Windows Defender Application Guard overview -**Applies to:** -- Windows 10 Enterprise edition, version 1709 or higher -- Windows 10 Professional edition, version 1803 +**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. @@ -36,11 +35,65 @@ Application Guard has been created to target several types of systems: - **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. -## In this section +## Frequently Asked Questions + +| | | +|---|----------------------------| +|**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?| +|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | +||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | +||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.| +||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.| +
                    + +| | | +|---|----------------------------| +|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| +|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

                    In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| +
                    + +| | | +|---|----------------------------| +|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?| +|**A:** |Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.| +
                    + +| | | +|---|----------------------------| +|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?| +|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.| +
                    + +| | | +|---|----------------------------| +|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| +|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| +
                    + +| | | +|---|----------------------------| +|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?| +|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.| +
                    + +| | | +|---|----------------------------| +|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?| +|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.| +
                    + +| | | +|---|----------------------------| +|**Q:** |What is the WDAGUtilityAccount local account?| +|**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.| +
                    + +## Related topics + |Topic |Description | |------|------------| |[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard.| |[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.| -|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.| + diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 193fddfef8..deb8c0e185 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md 
@@ -1,102 +1,82 @@ -# [Windows Defender Security Center](windows-defender-security-center-atp.md) -##Get started -### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) -### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) -### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) -### [Preview features](preview-windows-defender-advanced-threat-protection.md) -### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) -### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) -## [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) -### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md) -### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) -#### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -#### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -#### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -##### [Onboard machines using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune) -#### [Onboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) -#### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) -### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) -### [Onboard 
non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) -### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) -### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md) -### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) -## [Understand the portal](use-windows-defender-advanced-threat-protection.md) -### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) -### [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) -### [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) -### [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) -##Investigate and remediate threats -###Alerts queue -#### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) -#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -#### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -#### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) -#### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) -#### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) -#### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) -#### [Investigate 
a user account](investigate-user-windows-defender-advanced-threat-protection.md) +## [Overview](overview.md) +### [Attack surface reduction](overview-attack-surface-reduction.md) +#### [Hardware-based isolation](overview-hardware-based-isolation.md) +##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md) +##### [System isolation](how-hardware-based-containers-help-protect-windows.md) +#### [Application control](../windows-defender-application-control/windows-defender-application-control.md) +#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) +#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) +#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) +#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) +#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) +### [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) +### [Endpoint detection and response](overview-endpoint-detection-response.md) +#### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) +#### Alerts queue +##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) +##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) +##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) +##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) +##### [Investigate a 
domain](investigate-domain-windows-defender-advanced-threat-protection.md) +##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md) + +#### Machines list +##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +##### [Manage machine group and tags](machine-tags-windows-defender-advanced-threat-protection.md) +##### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) +##### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) +###### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) +###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -###Machines list -#### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) -#### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) -#### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) -#### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) -##### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) -##### [Filter events from a specific 
date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -##### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -##### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) - - -### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) -#### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) -##### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) -##### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) -##### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) -##### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) -##### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -##### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) -##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -#### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) -##### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) -##### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) -##### 
[Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) -##### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) -##### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -##### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) +#### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) +##### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) +###### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) +###### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) +###### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) +###### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) +###### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) +###### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation) +###### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) + +##### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) +###### [Stop and quarantine files in your 
network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) +###### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) +###### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +###### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) +###### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +###### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) ###### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) ###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) + +### [Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) +#### [Learn about the automated investigation and remediation dashboard](manage-auto-investigation-windows-defender-advanced-threat-protection.md) -### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -#### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -#### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) -## [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md) +### [Secure 
score](overview-secure-score-windows-defender-advanced-threat-protection.md) +#### [Threat analytics](threat-analytics.md) +#### [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) -## [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) -##API and SIEM support -### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) -#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) -#### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -#### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) -#### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) -### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) +### [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) +#### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) +##### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) +##### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +#### [Custom detections](overview-custom-detections.md) +#####[Create custom detections rules](custom-detection-rules.md) + + +### [Management and APIs](management-apis.md) #### [Understand threat intelligence 
concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -#### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) -#### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) -#### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) -#### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) -### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) #### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) #####Actor ###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md) 
@@ -109,20 +89,20 @@ ###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md) ###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) ###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -#####Domain -###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md) -###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) +######Domain +####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md) +####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) #####File -###### [Block file](block-file-windows-defender-advanced-threat-protection.md) +###### [Block file API](block-file-windows-defender-advanced-threat-protection.md) ###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md) ###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md) ###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md) ###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md) -###### [Get FileActions collection](get-fileactions-collection-windows-defender-advanced-threat-protection.md) -###### 
[Unblock file](unblock-file-windows-defender-advanced-threat-protection.md) +###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md) +###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md) #####IP ###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md) 
@@ -130,27 +110,25 @@
 ###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
 ###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
 #####Machines
-###### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
 ###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
 ###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
 ###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
 ###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
 ###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
 ###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-
-
+###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
+###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
 #####User
 ###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
@@ -158,46 +136,227 @@
 ###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
 ###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
-##Reporting
-### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-
-##Check service health and sensor state
-### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
-### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
-### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
-### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
-### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
-## [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
-
-###General
-#### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
-#### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
-#### [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
-#### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
-#### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
+
+#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
-###Permissions
-#### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
-#### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
+### [Microsoft threat protection](threat-protection-integration.md)
+#### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
+#### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md)
-###APIs
-#### [Enable Threat intel](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-###Rules
-#### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
-#### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
-#### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
-#### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
-###Machine management
-#### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
-#### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
-## [Configure Windows Defender Security Center zone settings](time-settings-windows-defender-advanced-threat-protection.md)
+## [Get started](get-started.md)
+### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
+### [Preview features](preview-windows-defender-advanced-threat-protection.md)
+### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
-## [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
-## [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md)
-### [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
+### [Evaluate Windows Defender ATP](evaluate-atp.md)
+####Evaluate attack surface reduction
+##### [Hardware-based isolation](../windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+##### [Application control](../windows-defender-application-control/audit-windows-defender-application-control-policies.md)
+##### [Exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md)
+##### [Network Protection](../windows-defender-exploit-guard/evaluate-network-protection.md)
+##### [Controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
+##### [Attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
+#### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
+### [Access the Windows Security app](community-windows-defender-advanced-threat-protection.md)
+
+## [Configure and manage capabilities](onboard.md)
+### [Configure attack surface reduction](configure-attack-surface-reduction.md)
+#### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md)
+##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md)
+#### [Application control](../windows-defender-application-control/windows-defender-application-control.md)
+#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md)
+###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+#### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)
+##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md)
+##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+#### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
+#### [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
+#### [Attack surface reduction controls](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
+##### [Customize attack surface reduction](../windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+#### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+
+
+
+### [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+#### [Utilize Microsoft cloud-delivered protection](../windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+##### [Enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
+##### [Specify the cloud-delivered protection level](../windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
+##### [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
+##### [Enable Block at first sight](../windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
+##### [Configure the cloud block timeout period](../windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+#### [Configure behavioral, heuristic, and real-time protection](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
+##### [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+##### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+#### [Antivirus on Windows Server 2016](../windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+#### [Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+##### [Use limited periodic antivirus scanning](../windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+
+#### [Deploy, manage updates, and report on antivirus](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable antivirus](../windows-defender-antivirus/deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](../windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+##### [Report on antivirus protection](../windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
+###### [Troubleshoot antivirus reporting in Update Compliance](../windows-defender-antivirus/troubleshoot-reporting.md)
+##### [Manage updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](../windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](../windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](../windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](../windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](../windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+#### [Customize, initiate, and review the results of scans and remediation](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in antivirus scans](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure antivirus exclusions Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure antivirus scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md)
+#### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+#### [Manage antivirus in your business](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage antivirus](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage antivirus](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage antivirus](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+#### [Manage scans and remediation](../windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in antivirus scans](../windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure antivirus exclusions on Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+##### [Review scan results](../windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of an offline scan](../windows-defender-antivirus/windows-defender-offline.md)
+##### [Restore quarantined files](../windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+#### [Manage next generation protection in your business](../windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Microsoft Intune and System Center Configuration Manager to manage next generation protection](../windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use Group Policy settings to manage next generation protection](../windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to manage next generation protection](../windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](../windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+
+### [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+
+### Management and API support
+#### [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
+##### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+###### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+####### [Onboard machines using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-machines-using-microsoft-intune)
+###### [Onboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+##### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+##### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+##### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md)
+##### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
+##### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+
+#### API for custom alerts
+##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
+###### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+###### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+###### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+###### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+###### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+
+
+#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+
+
+#### Reporting
+##### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+
+#### Role-based access control
+##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
+###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md)
+###### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
+####### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md)
+
+#### [Configure managed security service provider (MSSP) support](configure-mssp-support-windows-defender-advanced-threat-protection.md)
+
+### Configure Microsoft threat protection integration
+#### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md)
+#### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md)
+
+
+### [Configure Windows Security app settings](preferences-setup-windows-defender-advanced-threat-protection.md)
+#### General
+##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
+##### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+##### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
+##### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
+
+#### Permissions
+##### [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md)
+##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
+###### [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md)
+###### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
+####### [Create and manage machine tags](machine-tags-windows-defender-advanced-threat-protection.md)
+
+#### APIs
+##### [Enable Threat intel](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+####Rules
+##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
+####Machine management
+##### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
+
+#### [Configure Windows Security app time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
+
+
+
+
+## [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md)
+###Troubleshoot sensor state
+#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
+#### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+#### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+#### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+#### [Review sensor events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
+
+### [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md)
+#### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
+
+###Troubleshoot attack surface reduction
+#### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md)
+#### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md)
+
+### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index b414111b05..e8f8e79356 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Configure advanced features in Windows Defender ATP
 description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
-keywords: advanced features, settings, block file
+keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -10,30 +10,34 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 05/08/2018 +ms.date: 09/28/2018 --- # Configure advanced features in Windows Defender ATP **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with. -Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: +Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: ## Automated investigation When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md). +## Auto-resolve remediated alerts +For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature. + +>[!TIP] +>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. 
+ +>[!NOTE] +> - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine. +>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overrite it. + + ## Block file This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled. @@ -78,6 +82,16 @@ When you enable this feature, you'll be able to incorporate data from Office 365 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +## Microsoft Cloud App Security +Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. + +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. + +## Azure information protection +Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. + + ## Microsoft Intune connection This feature is only available if you have an active Microsoft Intune (Intune) license. 
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
index 216c76d3bb..fd419d2f79 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
@@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
index 2ebe1dceb6..b594ad69f0 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -17,10 +17,7 @@ ms.date: 06/01/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
index 538e981c02..3eb5787182 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -10,30 +10,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/13/2018 +ms.date: 08/15/2018 --- # Query data using Advanced hunting in Windows Defender ATP -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -Advanced hunting allows you to proactively hunt for possible threats across your organization using a powerful search and query tool. Take advantage of the following capabilities: - -- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level. -- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types. -- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience. -- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language. To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax. 
@@ -51,7 +34,8 @@ First, we define a time filter to review only records from the previous seven da We then add a filter on the _FileName_ to contain only instances of _powershell.exe_. -Afterwards, we add a filter on the _ProcessCommandLine_ +Afterwards, we add a filter on the _ProcessCommandLine_. + Finally, we project only the columns we're interested in exploring and limit the results to 100 and click **Run query**. You have the option of expanding the screen view so you can focus on your hunting query and related results. @@ -88,7 +72,7 @@ The following tables are exposed as part of Advanced hunting: - **RegistryEvents** - Stores registry key creation, modification, rename and deletion events - **LogonEvents** - Stores login events - **ImageLoadEvents** - Stores load dll events -- **MiscEvents** - Stores several types of events, including Windows Defender blocks (Windows Defender Antivirus, Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall), process injection events, access to LSASS processes, and others. +- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others. These tables include data from the last 30 days. @@ -160,7 +144,7 @@ Check out the [Advanced Hunting repository](https://github.com/Microsoft/Windows ## Related topic - [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md new file mode 100644 index 0000000000..cce2d0c0a3 
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md
@@ -0,0 +1,32 @@ +--- +title: Alerts queue in Windows Defender Security Center +description: View and manage the alerts surfaced in Windows Defender Security Center +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Alerts queue in Windows Defender Security Center +Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as machines, files, or user accounts. + + +## In this section +Topic | Description +:---|:--- +[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | Shows a list of alerts that were flagged in your network. +[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert. +[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. +[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)| Investigate the details of a file associated with a specific alert, behaviour, or event. +[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)| Investigate the details of a machine associated with a specific alert, behaviour, or event. +[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between machines in your network and external internet protocol (IP) addresses. 
+[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your network have been communicating with a known malicious domain. +[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + + diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 5d5708572e..526668ad8c 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md 
@@ -16,48 +16,28 @@ ms.date: 04/24/2018 # View and organize the Windows Defender Advanced Threat Protection Alerts queue **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink) -The **Alerts queue** shows a list of alerts that were flagged from machines in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on. +The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first. -Alerts are organized in queues by their workflow status or assignment: +There are several options you can choose from to customize the alerts queue view. -- **New** -- **In progress** -- **Resolved** -- **Assigned to me** +On the top navigation you can: +- Select grouped view or list view +- Customize columns to add or remove columns +- Select the items to show per page +- Navigate between pages +- Apply filters -To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane. -> [!NOTE] -> By default, alerts in the queues are sorted from newest to oldest. +![Image of alerts queue](images/alerts-queue-list.png) -![Image of alerts queue](images/atp-new-alerts-list.png) - -## Sort, filter, and group the alerts list -You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order. 
- -### Time period -- 1 day -- 3 days -- 7 days -- 30 days -- 6 months - -### OS Platform - - Windows 10 - - Windows Server 2012 R2 - - Windows Server 2016 - - Other +## Sort, filter, and group the alerts queue +You can apply the following filters to limit the list of alerts and get a more focused view the alerts. ### Severity 
@@ -82,71 +62,31 @@ So, for example: - An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. +### Status +You can choose to limit the list of alerts based on their status. + +### Investigation state +Corresponds to the automated investigation state. + +### Assigned to +You can choose between showing alerts that are assigned to you or automation. ### Detection source -- Windows Defender AV -- Windows Defender ATP -- Windows Defender SmartScreen -- Others +Select the source that triggered the alert detection. >[!NOTE] >The Windows Defender Antivirus filter will only appear if machines are using Windows Defender Antivirus as the default real-time protection antimalware product. -### View -- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. -- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together. +### OS platform +Limit the alerts queue view by selecting the OS platform that you're interested in investigating. -The grouped view allows for efficient alert triage and management. +### Machine group +If you have specific machine groups that you're interested in checking the alerts on, you can select the groups to limit the alerts queue view to display just those machine groups. -## Alert queue columns -You can click on the first column to open up the **Alert management pane**. You can also select view the machine and user panes by selecting the icons beside the links. 
+### Associated threat +Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md). -Alerts are listed with the following columns: - -- **Title** - Displays a brief description of the alert and its category. -- **Machine and user** - Displays the machine name and user associated with the alert. You view the machine or user details pane or pivot the actual details page. -- **Severity** - Displays the severity of the alert. Possible values are informational, low, medium, or high. -- **Last activity** - Date and time for when the last action was taken on the alert. -- **Time in queue** - Length of time the alert has been in the alerts queue. -- **Detection source** - Displays the detection source of the alert. -- **Status** - Current status of the alert. Possible values include new, in progress, or resolved. -- **Investigation state** - Reflects the number of related investigations and it's current state. -- **Assigned to** - Displays who is addressing the alert. -- **Manage icon** - You can click on the icon to bring up the alert management pane where you can manage and see details about the alert. - -### Use the Alert management pane -Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert. - -![Image of an alert selected](images/atp-alerts-selected.png) - -You can take immediate action on an alert and see details about an alert in the **Alert management** pane: - -- Change the status of an alert from new, to in progress, or resolved. -- Specify the alert classification from true alert or false alert by selecting **In progress**. 
- Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert: - - APT - - Malware - - Security personnel - - Security testing - - Unwanted software - - Other -- Assign the alert to yourself if the alert is not yet assigned. -- View related activity on the machine. -- Add and view comments about the alert. - ->[!NOTE] ->You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section. - -### Use the User details pane -Selecting a user brings up the **User details** pane where you can see information such as machine details, related alerts, last IP address, when the machine was first and last seen reporting to the service, and information on the logged on users. - -![Alerts queue with numbers](images/atp-alerts-queue-user.png) - -### Bulk edit alerts -Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action. - -![Alerts queue bulk edit](images/alerts-q-bulk.png) ## Related topics - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index 677b25564f..ee57104d76 100644 --- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md 
@@ -17,10 +17,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index e948d94905..68c07126d2 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -10,22 +10,16 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/03/2018 --- # Assign user access to Windows Defender Security Center -**Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education +**Applies to:** - Azure Active Directory - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) Windows Defender ATP supports two ways to manage permissions: 
@@ -40,67 +34,10 @@ Windows Defender ATP supports two ways to manage permissions: >- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. >- After switching to RBAC, you will not be able to switch back to using basic permissions management. -## Use basic permissions management -Refer to the instructions below to use basic permissions management. You can use either Azure PowerShell or the Azure Portal. - -For granular control over permissions, [switch to role-based access control](rbac-windows-defender-advanced-threat-protection.md). - -### Assign user access using Azure PowerShell -You can assign users with one of the following levels of permissions: -- Full access (Read and Write) -- Read-only access - -#### Before you begin -- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
                    - - > [!NOTE] - > You need to run the PowerShell cmdlets in an elevated command-line. - -- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). - -**Full access**
                    -Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. -Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles. - -**Read only access**
                    -Users with read only access can log in, view all alerts, and related information. -They will not be able to change alert states, submit files for deep analysis or perform any state changing operations. -Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role. - -Use the following steps to assign security roles: - -- For **read and write** access, assign users to the security administrator role by using the following command: -```text -Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" -``` -- For **read only** access, assign users to the security reader role by using the following command: -```text -Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com” -``` - -For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). - -### Assign user access using the Azure portal - -1. Go to the [Azure portal](https://portal.azure.com). - -2. Select **Azure Active Directory**. - -3. Select **Manage** > **Users and groups**. - -4. Select **Manage** > **All users**. - -5. Search or select the user you want to assign the role to. - -6. Select **Manage** > **Directory role**. - -7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**. - - ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink) ## Related topic +- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) - [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
index 37b9d32417..2dc0691f2a 100644
--- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md
@@ -17,10 +17,7 @@ ms.date: 28/02/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
index a59d266c4b..a1c25550d8 100644
--- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
@@ -10,20 +10,10 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 05/21/2018 +ms.date: 09/03/2018 --- -# Use Automated investigations to investigate and remediate threats - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - +# Overview of Automated investigations >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
@@ -71,6 +61,7 @@ You can configure the following levels of automation: Automation level | Description :---|:--- +Not protected | Machines will not get any automated investigations run on them. Semi - require approval for any remediation | This is the default automation level.

                    An approval is needed for any remediation action. Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

                    Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed. Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

                    Files or executables in all other folders will automatically be remediated if needed. @@ -82,191 +73,10 @@ The default machine group is configured for semi-automatic remediation. This mea When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. - -## Manage Automated investigations -By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. - ->[!NOTE] ->If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. - -Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide. - -From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria. - -![Image of Auto investigations page](images/atp-auto-investigations-list.png) - - -**Filters**
                    -You can use the following operations to customize the list of Automated investigations displayed: - - -**Triggering alert**
                    -The alert the initiated the Automated investigation. - -**Status**
                    -An Automated investigation can be in one of the following status: - -Status | Description -:---|:--- -| No threats found | No malicious entities found during the investigation. -| Failed | A problem has interrupted the investigation, preventing it from completing. | -| Partially remediated | A problem prevented the remediation of some malicious entities. | -| Pending | Remediation actions require review and approval. | -| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | -| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. | -| Running | Investigation ongoing. Malicious entities found will be remediated. | -| Remediated | Malicious entities found were successfully remediated. | -| Terminated by system | Investigation was stopped by the system. | -| Terminated by user | A user stopped the investigation before it could complete. -| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | - - - -**Detection source**
                    -Source of the alert that initiated the Automated investigation. - -**Threat**
                    -The category of threat detected during the Automated investigation. - - -**Tags**
                    -Filter using manually added tags that capture the context of an Automated investigation. - -**Machines**
                    -You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine. - -**Machine groups**
                    -Apply this filter to see specific machine groups that you might have created. - -**Comments**
                    -Select between filtering the list between Automated investigations that have comments and those that don't. - -## Analyze Automated investigations -You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information. - -In this view, you'll see the name of the investigation, when it started and ended. - -![Image of investigation details window](images/atp-analyze-auto-ir.png) - -The progress ring shows two status indicators: -- Orange ring - shows the pending portion of the investigation -- Green ring - shows the running time portion of the investigation - -![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png) - -In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds. - -The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval. - -From this view, you can also view and add comments and tags about the investigation. - -### Investigation page -The investigation page gives you a quick summary on the status, alert severity, category, and detection source. - -You'll also have access to the following sections that help you see details of the investigation with finer granularity: - -- Investigation graph -- Alerts -- Machines -- Threats -- Entities -- Log -- Pending actions - - >[!NOTE] - >The Pending actions tab is only displayed if there are actual pending actions. - -- Pending actions history - - >[!NOTE] - >The Pending actions history tab is only displayed when an investigation is complete. 
- -In any of the sections, you can customize columns to further expand to limit the details you see in a section. - -### Investigation graph -The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. - -### Alerts -Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. - -Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing. - -Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history. - -Clicking on an alert title brings you the alert page. - -### Machines -Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. - -Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. - -Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. - -Clicking on an machine name brings you the machine page. - -### Threats -Shows details related to threats associated with this investigation. 
- -### Entities -Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean. - -### Log -Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. - -As with other sections, you can customize columns, select the number of items to show per page, and filter the log. - -Available filters include action type, action, status, machine name, and description. - -You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. - -### Pending actions history -This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation. - - -## Pending actions -If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image. - -![Image of pending actions](images\atp-pending-actions-notification.png) - -When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**. - - -The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed. - -![Image of pending actions page](images/atp-pending-actions-list.png) - -Use the Customize columns drop-down menu to select columns that you'd like to show or hide. - -From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. 
- -Pending actions are grouped together in the following tabs: -- Quarantine file -- Remove persistence -- Stop process -- Expand pivot -- Quarantine service - ->[!NOTE] ->The tab will only appear if there are pending actions for that category. - -### Approve or reject an action -You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. - - -![Image of list of pending actions](images/atp-approve-reject-action.png) - -Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. - -![Image of pending action selected](images/atp-pending-actions-file.png) - -From the panel, you can click on the Open investigation page link to see the investigation details. - -You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. - -![Image of multiple investigations selected](images/atp-pending-actions-multiple.png) - ## Related topic -- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) +- [Learn about the automated investigations dashboard](manage-auto-investigation-windows-defender-advanced-threat-protection.md) + + diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..6c995b3429 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,86 @@ +--- +title: Use basic permissions to access Windows Defender Security Center +description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. +keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/13/2018 +--- + +# Use basic permissions to access the portal +**Applies to:** + +- Azure Active Directory +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) + +Refer to the instructions below to use basic permissions management. + +You can use either of the following: +- Azure PowerShell +- Azure Portal + +For granular control over permissions, [switch to role-based access control](rbac-windows-defender-advanced-threat-protection.md). + +## Assign user access using Azure PowerShell +You can assign users with one of the following levels of permissions: +- Full access (Read and Write) +- Read-only access + +### Before you begin +- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
                    + + > [!NOTE] + > You need to run the PowerShell cmdlets in an elevated command-line. + +- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). + +**Full access**
                    +Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. +Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles. + +**Read only access**
                    +Users with read only access can log in, view all alerts, and related information. +They will not be able to change alert states, submit files for deep analysis or perform any state changing operations. +Assigning read only access rights requires adding the users to the "Security Reader" AAD built-in role. + +Use the following steps to assign security roles: + +- For **read and write** access, assign users to the security administrator role by using the following command: +```text +Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" +``` +- For **read only** access, assign users to the security reader role by using the following command: +```text +Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" +``` + +For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). + +## Assign user access using the Azure portal + +1. Go to the [Azure portal](https://portal.azure.com). + +2. Select **Azure Active Directory**. + +3. Select **Manage** > **Users and groups**. + +4. Select **Manage** > **All users**. + +5. Search or select the user you want to assign the role to. + +6. Select **Manage** > **Directory role**. + +7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**. + + ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) + +## Related topic +- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index 428fb853da..5841eedc07 100644 
--- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Check sensor health state in Windows Defender ATP **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -29,7 +24,6 @@ ms.date: 04/24/2018 The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. -![Windows Defender ATP sensor health tile](images/atp-portal-sensor.png) There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service: - **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. @@ -38,15 +32,6 @@ There are two status indicators on the tile that provide information on the numb Clicking any of the groups directs you to Machines list, filtered according to your choice. -![Windows Defender ATP sensor filter](images/atp-sensor-filter.png) - - - You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md). You can filter the health state list by the following status: 
@@ -61,7 +46,7 @@ You can view the machine details when you click on a misconfigured or inactive m ![Windows Defender ATP sensor filter](images/atp-machine-health-details.png) -In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page. +In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. >[!NOTE] >Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 432cfcfa13..3ff19840f0 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Enable conditional access to better protect users, devices, and data **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
@@ -69,89 +64,9 @@ The following example sequence of events explains conditional access in action: 4. The manual or automated investigation and remediation is completed and the threat is removed. Windows Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications. - - - ## Configure conditional access -This section guides you through all the steps you need to take to properly implement conditional access. - -### Before you begin ->[!WARNING] ->It's important to note that Azure AD registered devices is not supported in this scenario.
                    ->Only Intune enrolled devices are supported. - -You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune: - - -- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) -- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) -- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup). - - - -There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal. - -> [!NOTE] -> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. - -Take the following steps to enable conditional access: -- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center -- Step 2: Turn on the Windows Defender ATP integration in Intune -- Step 3: Create the compliance policy in Intune -- Step 4: Assign the policy -- Step 5: Create an Azure AD conditional access policy - - -### Step 1: Turn on the Microsoft Intune connection -1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**. -2. Toggle the Microsoft Intune setting to **On**. -3. Click **Save preferences**. - - -### Step 2: Turn on the Windows Defender ATP integration in Intune -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **Device compliance** > **Windows Defender ATP**. -3. Set **Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection** to **On**. -4. 
Click **Save**. - - -### Step 3: Create the compliance policy in Intune -1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. -2. Select **Device compliance** > **Policies** > **Create policy**. -3. Enter a **Name** and **Description**. -4. In **Platform**, select **Windows 10 and later**. -5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level: - - - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. - - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant. - - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant. - - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant. - -6. Select **OK**, and **Create** to save your changes (and create the policy). - -### Step 4: Assign the policy -1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. -2. Select **Device compliance** > **Policies**> select your Windows Defender ATP compliance policy. -3. Select **Assignments**. -4. Include or exclude your Azure AD groups to assign them the policy. -5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. - -### Step 5: Create an Azure AD conditional access policy -1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**. -2. Enter a policy **Name**, and select **Users and groups**. 
Use the Include or Exclude options to add your groups for the policy, and select **Done**. -3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes. - -4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes. - -5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes. - -6. Select **Enable policy**, and then **Create** to save your changes. - -For more information, see [Enable Windows Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) - + ## Related topic -- [Configure advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [Configure conditional access in Windows Defender ATP](configure-conditional-access-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index c4633c09c3..922143b7f4 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md 
@@ -17,10 +17,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md new file mode 100644 index 0000000000..f48dd12b3e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md 
@@ -0,0 +1,38 @@ +--- +title: +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 07/01/2018 +--- + +# Configure attack surface reduction + +You can configure attack surface reduction with a number of tools, including: + +- Microsoft Intune +- System Center Configuration Manager +- Group Policy +- PowerShell cmdlets + + +The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools). + +## In this section +Topic | Description +:---|:--- +[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements +[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes +[Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps +[Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains +[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps +[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and aopps that are typically used for by exploit-seeking malware +[Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network + 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..7e52942346 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md @@ -0,0 +1,96 @@ +--- +title: Configure conditional access in Windows Defender ATP +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Configure conditional access in Windows Defender ATP +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +This section guides you through all the steps you need to take to properly implement conditional access. + +### Before you begin +>[!WARNING] +>It's important to note that Azure AD registered devices is not supported in this scenario.
                    +>Only Intune enrolled devices are supported. + +You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune: + + +- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) +- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) +- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup). + + + +There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal. + +> [!NOTE] +> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. + +Take the following steps to enable conditional access: +- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center +- Step 2: Turn on the Windows Defender ATP integration in Intune +- Step 3: Create the compliance policy in Intune +- Step 4: Assign the policy +- Step 5: Create an Azure AD conditional access policy + + +### Step 1: Turn on the Microsoft Intune connection +1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**. +2. Toggle the Microsoft Intune setting to **On**. +3. Click **Save preferences**. + + +### Step 2: Turn on the Windows Defender ATP integration in Intune +1. Sign in to the [Azure portal](https://portal.azure.com). +2. Select **Device compliance** > **Windows Defender ATP**. +3. Set **Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection** to **On**. +4. 
Click **Save**. + + +### Step 3: Create the compliance policy in Intune +1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. +2. Select **Device compliance** > **Policies** > **Create policy**. +3. Enter a **Name** and **Description**. +4. In **Platform**, select **Windows 10 and later**. +5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level: + + - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. + - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant. + - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant. + - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant. + +6. Select **OK**, and **Create** to save your changes (and create the policy). + +### Step 4: Assign the policy +1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**. +2. Select **Device compliance** > **Policies**> select your Windows Defender ATP compliance policy. +3. Select **Assignments**. +4. Include or exclude your Azure AD groups to assign them the policy. +5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance. + +### Step 5: Create an Azure AD conditional access policy +1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**. +2. Enter a policy **Name**, and select **Users and groups**. 
Use the Include or Exclude options to add your groups for the policy, and select **Done**. +3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes. + +4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes. + +5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes. + +6. Select **Enable policy**, and then **Create** to save your changes. + +For more information, see [Enable Windows Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 1ebb14a664..1d3703c9be 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/16/2018 --- 
@@ -17,10 +17,7 @@ ms.date: 07/16/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 980252189b..ba9cdde442 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -18,10 +18,7 @@ ms.date: 04/24/2018 **Applies to:** - Group Policy -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 83f63e9c62..c9a8e4b1b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md 
@@ -10,17 +10,14 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/19/2018 --- # Onboard Windows 10 machines using Mobile Device Management tools **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) 
@@ -58,82 +55,9 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre 7. Select **OK**, and **Create** to save your changes, which creates the profile. - - -### Onboard and monitor machines using the classic Intune console - -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): - - a. In the navigation pane, select **Settings** > **Onboarding**. - - b. Select Windows 10 as the operating system. - - c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**. - - d. Click **Download package**, and save the .zip file. - -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. - -3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). - - a. Select **Policy** > **Configuration Policies** > **Add**. - ![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png) - - b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
                    - ![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png) - - c. Type a name and description for the policy.
                    - - ![Microsoft Intune Create Policy](images/atp-intune-policy-name.png) - - d. Under OMA-URI settings, select **Add...**.
                    - - ![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png) - - e. Type the following values then select **OK**: - - ![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png) - - - **Setting name**: Type a name for the setting. - - **Setting description**: Type a description for the setting. - - **Data type**: Select **String**. - - **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding* - - **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded. - - - f. Save the policy. - - ![Microsoft Intune save policy](images/atp-intune-save-policy.png) - - g. Deploy the policy. - - ![Microsoft Intune deploy policy](images/atp-intune-deploy-policy.png) - - h. Select the device group to deploy the policy to: - - ![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png) - -When the policy is deployed and is propagated, machines will be shown in the **Machines list**. - -You can use the following onboarding policies to deploy configuration settings on machines. 
These policies can be sub-categorized to: -- Onboarding -- Health Status for onboarded machines -- Configuration for onboarded machines - -> [!div class="mx-tableFixed"] -Policy | OMA-URI | Type | Value | Description -:---|:---|:---|:---|:--- -Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding -Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running -Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP -Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID -Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
                    Default value: 1 | Windows Defender ATP Sample sharing is enabled -Configuration for onboarded machines: diagnostic data reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2
                    1: Normal (default)

                    2: Expedite | Windows Defender ATP diagnostic data reporting - > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. > - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703. -> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. >[!TIP] @@ -159,16 +83,6 @@ For security reasons, the package used to Offboard machines will expire 30 days 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). -Offboarding - Use the offboarding policies to remove configuration settings on machines. These policies can be sub-categorized to: -- Offboarding -- Health Status for offboarded machines -- Configuration for offboarded machines - -Policy | OMA-URI | Type | Value | Description -:---|:---|:---|:---|:--- -Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding - Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running -Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP > [!NOTE] > The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index cbc1b85dda..d0bf0a6cbd 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) - System Center 2012 Configuration Manager or later versions diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 8236a40cf4..ea54c42092 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index c0ae298a7a..8b93f17477 100644 
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 07/12/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..82a78124e7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,283 @@ +--- +title: Configure managed security service provider support +description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP +keywords: managed security service provider, mssp, configure, integration +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Configure managed security service provider integration + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) + +[!include[Prereleaseinformation](prerelease.md)] + +You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration. + +>[!NOTE] +>The following terms are used in this article to distinguish between the service provider and service consumer: +> - MSSPs: Security organizations that offer to monitor and manage security devices for an organization. +> - MSSP customers: Organizations that engage the services of MSSPs. + +The integration will allow MSSPs to take the following actions: +- Get access to MSSP customer's Windows Defender Security Center portal +- Get email notifications, and +- Fetch alerts through security information and event management (SIEM) tools + +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal. + +Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. 
+ + +In general, the following configuration steps need to be taken: + +- **Grant the MSSP access to Windows Defender Security Center**
                    +This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. + +- **Configure alert notifications sent to MSSPs**
                    +This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer. + +- **Fetch alerts from MSSP customer's tenant into SIEM system**
                    +This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools. + +- **Fetch alerts from MSSP customer's tenant using APIs**
                    +This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. + + +## Grant the MSSP access to the portal + +>[!NOTE] +> These set of steps are directed towards the MSSP customer.
                    +> Access to the portal can can only be done by the MSSP customer. + +As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. + +Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality. + +You'll need to take the following 2 steps: +- Add MSSP user to your tenant as a guest user +- Grant MSSP user access to Windows Defender Security Center + +### Add MSSP user to your tenant as a guest user +Add a user who is a member of the MSSP tenant to your tenant as a guest user. + +To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator). + +### Grant MSSP user access to Windows Defender Security Center +Grant the guest user access and permissions to your Windows Defender Security Center tenant. + +Granting access to guest user is done the same way as granting access to a user who is a member of your tenant. + +If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md). + +If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md). + +>[!NOTE] +>There is no difference between the Member user and Guest user roles from RBAC perspective. + +It is recommended that groups are created for MSSPs to make authorization access more manageable. 
+ +As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. + +## Access the Windows Defender Security Center MSSP customer portal + +>[!NOTE] +>These set of steps are directed towards the MSSP. + +By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`. + +MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal. + +In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage. + + +Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL: + +1. As an MSSP, login to Azure AD with your credentials. + +2. Switch directory to the MSSP customer's tenant. + +3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field. + +4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`. + +## Configure alert notifications that are sent to MSSPs + +>[!NOTE] +>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer. + +After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met. + +For more information, see [Create rules for alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md#create-rules-for-alert-notifications). 
+ +These check boxes must be checked: + - **Include organization name** - The customer name will be added to email notifications + - **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal + + +## Fetch alerts from MSSP customer's tenant into the SIEM system + +>[!NOTE] +>This action is taken by the MSSP. + + +To fetch alerts into your SIEM system you'll need to take the following steps: + +Step 1: Create a third-party application + +Step 2: Get access and refresh tokens from your customer's tenant + +Step 3: Whitelist your application on Windows Defender Security Center + + + +### Step 1: Create an application in Azure Active Directory (Azure AD) +You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant. + +1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). + +2. Select **Azure Active Directory** > **App registrations**. + +3. Click **New application registration**. + +4. Specify the following values: + + - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name) + - Application type: Web app / API + - Sign-on URL: `https://SiemMsspConnector` + +5. Click **Create**. The application is displayed in the list of applications you own. + +6. Select the application, then click **Settings** > **Properties**. + +7. Copy the value from the **Application ID** field. + +8. Change the value in the **App ID URI** to: `https:///SiemMsspConnector` (replace \ with the tenant name. + +9. Ensure that the **Multi-tenanted** field is set to **Yes**. + +10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`. + +11. Click **Save**. + +12. Select **Keys** and specify the following values: + + - Description: Enter a description for the key. + - Expires: Select **In 1 year** + +13. Click **Save**. 
Save the value is a safe place, you'll need this + +### Step 2: Get access and refresh tokens from your customer's tenant +This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow. + +After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant. + + +1. Create a new folder and name it: `MsspTokensAcquisition`. + +2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder. + + >[!NOTE] + >In line 30, replace `authorzationUrl` with `authorizationUrl`. + +3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder: + ``` + param ( + [Parameter(Mandatory=$true)][string]$clientId, + [Parameter(Mandatory=$true)][string]$secret, + [Parameter(Mandatory=$true)][string]$tenantId + ) + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + + # Load our Login Browser Function + Import-Module .\LoginBrowser.psm1 + + # Configuration parameters + $login = "https://login.microsoftonline.com" + $redirectUri = "https://SiemMsspConnector" + $resourceId = "https://graph.windows.net" + + Write-Host 'Prompt the user for his credentials, to get an authorization code' + $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f + $login, $tenantId, $clientId, $redirectUri, $resourceId) + Write-Host "authorzationUrl: $authorizationUrl" + + # Fake a proper endpoint for the Redirect URI + $code = LoginBrowser $authorizationUrl $redirectUri + + # Acquire token using the authorization code + + $Body 
= @{ + grant_type = 'authorization_code' + client_id = $clientId + code = $code + redirect_uri = $redirectUri + resource = $resourceId + client_secret = $secret + } + + $tokenEndpoint = "$login/$tenantId/oauth2/token?" + $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body + $token = $Response.access_token + $refreshToken= $Response.refresh_token + + Write-Host " ----------------------------------- TOKEN ---------------------------------- " + Write-Host $token + + Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- " + Write-Host $refreshToken + ``` +4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder. + +5. Run the following command: + `Set-ExecutionPolicy -ExecutionPolicy Bypass` + +6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId ` + + - Replace \ with the Application ID you got from the previous step. + - Replace \ with the application key you created from the previous step. + - Replace \ with your customer's tenant ID. + +7. You'll be asked to provide your credentials and consent. Ignore the page redirect. + +8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. + +### Step 3: Whitelist your application on Windows Defender Security Center +You'll need to whitelist the application you created in Windows Defender Security Center. + +You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you. + +1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID. + +2. Click **Settings** > **SIEM**. + +3. Select the **MSSP** tab. + +4. Enter the **Application ID** from the first step and your **Tenant ID**. + +5. Click **Authorize application**. 
+ +You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md). + +- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value. +- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). + +## Fetch alerts from MSSP customer's tenant using APIs +For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). + +## Related topics +- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) +- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) +- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) +- [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 22fd6a1f44..4456ba11e8 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md 
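Review bot: Step 5 of "Get access and refresh tokens from your customer's tenant" tells the reader to run `Set-ExecutionPolicy -ExecutionPolicy Bypass` from an elevated prompt; with no `-Scope` that changes the LocalMachine policy for every user on the box and nothing in the procedure reverts it, so the line should be `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process` (which also removes the need for elevation). The same script takes the application key as a plain `[string]$secret` argument and prints the access and refresh tokens with `Write-Host`, so the key lands in PSReadLine history and both tokens in any console transcript; step 8 should at least tell the operator to clear history and treat the output as a credential, and ideally the parameter would be a `[SecureString]` with the tokens written to a protected file rather than the console. Step 2 has the MSSP download `LoginBrowser.psm1` from a personal GitHub repository and hand-patch line 30, with no pinned commit or hash to check — a caveat that this module runs with the operator's credentials and must be reviewed before `Import-Module` belongs there. Finally, "Authorize application" in Step 3 gives the app standing access to the customer tenant; a sentence reminding the customer to remove that authorization (and the guest user) when the engagement ends would close the loop, presumably in the same Settings > SIEM > MSSP tab, though the page does not show that path.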
@@ -10,18 +10,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 05/29/2018 +ms.date: 09/12/2018 --- # Configure machine proxy and Internet connectivity settings **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -49,18 +44,24 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe ## Configure the proxy server manually using a registry-based static proxy Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report diagnostic data and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet. -The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. +The static proxy is configurable through Group Policy (GP). The group policy can be found under: +- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service + - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: + ![Image of Group Policy setting](images/atp-gpo-proxy1.png) +- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: + - Configure the proxy:
                    + ![Image of Group Policy setting](images/atp-gpo-proxy2.png) -The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. + The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. -The registry value `TelemetryProxyServer` takes the following string format: + The registry value `TelemetryProxyServer` takes the following string format: -```text -: -``` -For example: 10.0.0.6:8080 + ```text + : + ``` + For example: 10.0.0.6:8080 -The registry value `DisableEnterpriseAuthProxy` should be set to 1. + The registry value `DisableEnterpriseAuthProxy` should be set to 1. ## Configure the proxy server manually using netsh command @@ -85,7 +86,7 @@ For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: ->![NOTE] +>[!NOTE] > URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. Service location | Microsoft.com DNS record diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 5947c3167a..d31a895006 100644 
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Onboard servers to the Windows Defender ATP service description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor. -keywords: onboard server, server, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers +keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 05/08/2018 +ms.date: 09/06/2018 --- # Onboard servers to the Windows Defender ATP service 
@@ -19,29 +19,43 @@ ms.date: 05/08/2018 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 +- Windows Server, 2019 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - +[!include[Prerelease information](prerelease.md)] >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) + Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console. The service supports the onboarding of the following servers: - Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 +- Windows Server 2019 -## Onboard Windows Server 2012 R2 and Windows Server 2016 +## Windows Server 2012 R2 and Windows Server 2016 -To onboard your servers to Windows Defender ATP, you’ll need to: +To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to: -- Turn on server monitoring from the Windows Defender Security Center portal. +- For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. +- Turn on server monitoring from Windows Defender Security Center. - If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. >[!TIP] > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. 
For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md). +### Configure and update System Center Endpoint Protection clients +>[!IMPORTANT] +>This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + +Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting + ### Turn on Server monitoring from the Windows Defender Security Center portal 
@@ -86,14 +100,12 @@ Agent Resource | Ports | winatp-gw-aus.microsoft.com | 443| | winatp-gw-aue.microsoft.com |443 | -## Onboard Windows Server, version 1803 -You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +## Windows Server, version 1803 and Windows Server 2019 +To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. -1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver). +1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). -2. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). - -3. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: +2. 
If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly: a. Set the following registry entry: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` 
@@ -108,14 +120,33 @@ You’ll be able to onboard in the same method available for Windows 10 client m ![Image of passive mode verification result](images/atp-verify-passive-mode.png) -4. Run the following command to check if Windows Defender AV is installed: +3. Run the following command to check if Windows Defender AV is installed: ```sc query Windefend``` If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + +## Integration with Azure Security Center +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +The following capabilities are included in this integration: +- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding). + + >[!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + +- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - Azure Security Center seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. 
+- Server investigation - Azure Security Center customers can access Windows Defender Security Center to perform detailed investigation to uncover the scope of a potential breach + +>[!IMPORTANT] +>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. +>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. + + + ## Offboard servers -You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. +You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index f499b17917..5c36c805e4 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index ed37cdaedb..03f3013863 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md new file mode 100644 index 0000000000..e9d21b6f95 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md 
@@ -0,0 +1,63 @@ +--- +title: Create custom detection rules in Windows Defender ATP +description: Learn how to create custom detections rules based on advanced hunting queries +keywords: create custom detections, detections, advanced hunting, hunt, detect, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + + +# Create custom detections rules +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +1. In the navigation pane, select **Advanced hunting**. + +2. Select an existing query that you'd like to base the monitor on or create a new query. + +3. Select **Create detection rule**. + +4. Specify the alert details: + + - Alert title + - Severity + - Category + - Description + - Recommended actions + +5. Click **Create**. + +> [!TIP] +> TIP #1: Running the query for the first time before saving it can help you find any mistakes or errors and give you a preview of the data you can expect to be returned.
                    +> When a new detection rule is created, it will run for the first time (it might take a few minutes) and raise any alerts created by this rule. After that, the rule will automatically run every 24 hours.
                    +> TIP #2: Since the detection automatically runs every 24 hours, it's best to query data in the last 24 hours. + +## Manage existing custom detection rules +View existing rules in your network, see the last results of each rule, navigate to view all alerts that were created by each rule. You can also modify existing rules. + +1. In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections created in the system. + +2. Select one of the rules to take any of the following actions: + - Open related alerts - See all the alerts that were raised based to this rule + - Run - Run the selected detection immediately. + + > [!NOTE] + > The next run for the query will be in 24 hours after the last run. + + - Edit - Modify the settings of the rule. + - Modify query - View and edit the query itself. + - Turn off - Stop the query from running. + - Delete + + +## Related topic +- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index 43933756ec..229300b01e 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md index 2e13780e25..b98dc92230 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index b4de052320..1efa791236 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -10,13 +10,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/05/2018 +ms.date: 09/07/2018 --- # Windows Defender ATP data storage and privacy **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index 26e859fb08..80d84f08c0 100644 
--- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index 1d1154af3b..4896e983e7 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md index bddab1a14d..1afddb33b9 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md 
@@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -32,8 +29,6 @@ Set the baselines for calculating the score of Windows Defender security control 1. In the navigation pane, select **Settings** > **Secure Score**. - ![Image of Secure Score controls from Preferences setup menu](images/atp-enable-security-analytics.png) - 2. Select the security control, then toggle the setting between **On** and **Off**. 3. Click **Save preferences**. diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 44e55b2b9b..123c537dc8 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md new file mode 100644 index 0000000000..760908772b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md 
@@ -0,0 +1,38 @@ +--- +title: Evaluate Windows Defender Advanced Threat Protection +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 08/10/2018 +--- + +# Evaluate Windows Defender ATP +Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. + +You can evaluate Windows Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). + +You can also evaluate the different security capabilities in Windows Defender ATP by using the following instructions. + +## Evaluate attack surface reduction +These capabilities help prevent attacks and exploitations from infecting your organization. +- [Evaluate attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) +- [Evaluate exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) +- [Evaluate network protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) +- [Evaluate controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md) +- [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md) +- [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) + +## Evaluate next generation protection +Next gen protections help detect and block the latest threats. +- [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) + + +## See Also +[Get started with Windows Defender Advanced Threat Protection](get-started.md) \ No newline at end of file 
diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index 9fe88c8887..03354b9f6a 100644 --- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -19,10 +19,7 @@ ms.date: 05/21/2018 **Applies to:** - Event Viewer -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 137a1b8070..68a5bbfdf5 100644 --- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 11/09/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md index 8864102a57..860ff1eee2 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/23/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md index fec2f15177..94cb8338ce 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/25/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index 8d04e19940..1de9e6fc6b 100644 --- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 10/23/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
@@ -60,7 +57,7 @@ The following suggested actions can help fix issues related to a misconfigured m - [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
                    Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs. -If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). +If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). ### No sensor data A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data. @@ -78,7 +75,7 @@ If the machines aren't reporting correctly, you might need to check that the Win - [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
                    If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled. -If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). +If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). ## Related topic - [Check sensor health state in Windows Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md index ade4afd10e..b000396208 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md @@ -28,7 +28,7 @@ Users need to have Security administrator or Global admin directory roles. ## HTTP request ``` -POST /testwdatppreview/machineactions/{id}/getPackageUri +GET /testwdatppreview/machineactions/{id}/getPackageUri ``` ## Request headers diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md new file mode 100644 index 0000000000..ea37ae0629 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md 
@@ -0,0 +1,54 @@ +--- +title: Get started with Windows Defender Advanced Threat Protection +description: Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. +keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Get started with Windows Defender Advanced Threat Protection +Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. + +The following capabilities are available across multiple products that make up the Windows Defender ATP platform. + +**Attack surface reduction**
                    +The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. + +**Next generation protection**
                    +To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. + +**Endpoint detection and response**
                    +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. + +**Auto investigation and remediation**
                    +In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. + +**Secure score**
                    +Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. + +**Advanced hunting**
                    +Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. + +**Management and APIs**
                    +Integrate Windows Defender Advanced Threat Protection into your existing workflows. + +**Microsoft threat protection**
                    +Bring the power of Microsoft threat protection to your organization. + +## In this section +Topic | Description +:---|:--- +[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | Learn about the requirements for onboarding machines to the platform. +[Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md) | Get guidance on how to check that licenses have been provisioned to your organization and how to access the portal for the first time. +[Preview features](preview-windows-defender-advanced-threat-protection.md) | Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) | Explains the data storage and privacy details related to Windows Defender ATP. +[Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) | Set permissions to manage who can access the portal. You can set basic permissions or set granular permissions using role-based access control (RBAC). +[Evaluate Windows Defender ATP](evaluate-atp.md) | Evaluate the various capabilities in Windows Defender ATP and test features out. +[Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. \ No newline at end of file 
diff --git a/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md similarity index 94% rename from windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md rename to windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md index c26efe3d4f..199ece9336 100644 --- a/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md @@ -6,11 +6,13 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: justinha -ms.date: 06/29/2017 +ms.date: 08/01/2018 --- -# How hardware-based containers help protect Windows 10 + +# Windows Defender System Guard: How hardware-based containers help protect Windows 10 Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. Windows 10 protects critical resources, such as the Windows authentication stack, single sign-on tokens, Windows Hello biometric stack, and Virtual Trusted Platform Module, by using a container type called Windows Defender System Guard. 
@@ -25,7 +27,7 @@ Windows Defender System Guard reorganizes the existing Windows 10 system integri With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege. -With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s [Secure Boot feature](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-8.1-and-8/hh824987), which is part of the Unified Extensible Firmware Interface (UEFI). +With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). After successful verification and startup of the device’s firmware and Windows bootloader, the next opportunity for attackers to tamper with the system’s integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection. 
@@ -47,5 +49,5 @@ While Windows Defender System Guard provides advanced protection that will help As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources. -![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png) +![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/images/active-alerts-tile.png b/windows/security/threat-protection/windows-defender-atp/images/active-alerts-tile.png new file mode 100644 index 0000000000..19428a4156 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/active-alerts-tile.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-features.png b/windows/security/threat-protection/windows-defender-atp/images/advanced-features.png new file mode 100644 index 0000000000..614b37509d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/advanced-features.png differ 
diff --git a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG
index dda65b5342..d7e7d092eb 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG and b/windows/security/threat-protection/windows-defender-atp/images/advanced-hunting-query-example.PNG differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png
index bafa469657..4a894f8c27 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png and b/windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png b/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png
new file mode 100644
index 0000000000..b62bd16313
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/alerts-queue-list.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png
index 6950882187..9d46d16055 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-active-investigations-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png
index f43355e6e2..e023ffdfd6 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-advanced-hunting.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png
index 1b6c2dfa10..1d9c37de33 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alert-view.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG
index dcaa87034d..680603087c 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-related-to-machine.PNG differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
index 4fcc40c32c..ec05ebcd1f 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-selected.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png
index 7a975960a1..40a8d079a4 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-alerts-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png
index b2cdc68a24..2ac2a20e91 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-auto-investigations-list.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png b/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png
index 82565d784f..deefc7b684 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-automated-investigations-statistics.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png
index c2c13fe289..80ee13a00e 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine-user.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png
index 62e88527b3..c92c48edf0 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-atp-machine.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-cloud-discovery-dashboard-menu.png b/windows/security/threat-protection/windows-defender-atp/images/atp-cloud-discovery-dashboard-menu.png
new file mode 100644
index 0000000000..df043c168e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-cloud-discovery-dashboard-menu.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png b/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png
index e46f058e86..2d4b4fc334 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png b/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png
index 6d0e7a9d55..ffff95d0b6 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-file-action.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png b/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png
new file mode 100644
index 0000000000..50cc3f6f67
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png
new file mode 100644
index 0000000000..dee5f471b1
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details-page.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details-page.png
new file mode 100644
index 0000000000..043255312e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details-page.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png
new file mode 100644
index 0000000000..0135cd0a3f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-evidence-tab.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-evidence-tab.png
new file mode 100644
index 0000000000..0b52a39faa
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-evidence-tab.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-details.png
new file mode 100644
index 0000000000..5875c6fdb3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-details.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-tab.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-tab.png
new file mode 100644
index 0000000000..7944809cde
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-graph-tab.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-investigations-tab.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-investigations-tab.png
new file mode 100644
index 0000000000..ffac35fc9b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-investigations-tab.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-machine-tab.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-machine-tab.png
new file mode 100644
index 0000000000..1e4d52ff8d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-machine-tab.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-queue.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-queue.png
new file mode 100644
index 0000000000..a2a61cb49b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-queue.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-mgt-pane.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-mgt-pane.png
new file mode 100644
index 0000000000..7d02d3d6ed
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-mgt-pane.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png
index e2e3ae3944..4aa7b0b33b 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machine-timeline-details-panel.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
index 9347d09c04..2a637f7560 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png
index eccd6e9aec..1b65743d36 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-machines-timeline.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-mcas-settings.png b/windows/security/threat-protection/windows-defender-atp/images/atp-mcas-settings.png
new file mode 100644
index 0000000000..11e12c2890
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-mcas-settings.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png
index ee2cf3dc71..94b1da42ea 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-onboard-endpoints-WDATP-portal.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png
index 55113991e6..8da2532df7 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-list.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png
index af05f88e0b..415835330e 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-pending-actions-notification.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-rename-incident.png b/windows/security/threat-protection/windows-defender-atp/images/atp-rename-incident.png
new file mode 100644
index 0000000000..3df94c2e4d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-rename-incident.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png
index 5a4816bf80..56a204ca39 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-sec-ops-dashboard.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png b/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png
index 0989362804..3be42e4c9d 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-suspicious-activities-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png
index dce4ee3f5e..e39ee3c1ed 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-tile-sensor-health.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png
index 2fcb58e44f..e3f37f7626 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-user-details-view-azureatp.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png b/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png
index c2b81ca99a..dc9414f4cf 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-users-at-risk.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/cloud-apps.png b/windows/security/threat-protection/windows-defender-atp/images/cloud-apps.png
new file mode 100644
index 0000000000..0c1aa96a37
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/cloud-apps.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/cloud-discovery.png b/windows/security/threat-protection/windows-defender-atp/images/cloud-discovery.png
new file mode 100644
index 0000000000..f4ff016260
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/cloud-discovery.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/dashboard.png
index 974708504f..a91410b6a2 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/dashboard.png and b/windows/security/threat-protection/windows-defender-atp/images/dashboard.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/io.png b/windows/security/threat-protection/windows-defender-atp/images/io.png
index a03e5fb917..4f2babfee6 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/io.png and b/windows/security/threat-protection/windows-defender-atp/images/io.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk-tile.png b/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk-tile.png
new file mode 100644
index 0000000000..04480e2b04
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/machines-at-risk-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/machines-list.png b/windows/security/threat-protection/windows-defender-atp/images/machines-list.png
new file mode 100644
index 0000000000..8ffba20f49
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/machines-list.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/mss.png b/windows/security/threat-protection/windows-defender-atp/images/mss.png
index 63a22c2e50..2935e70089 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/mss.png and b/windows/security/threat-protection/windows-defender-atp/images/mss.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/new-secure-score-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/new-secure-score-dashboard.png
new file mode 100644
index 0000000000..b302d30f54
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/new-secure-score-dashboard.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/new-ssot.png b/windows/security/threat-protection/windows-defender-atp/images/new-ssot.png
new file mode 100644
index 0000000000..2dc4cba2f2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/new-ssot.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/sec-ops-dashboard.png b/windows/security/threat-protection/windows-defender-atp/images/sec-ops-dashboard.png
new file mode 100644
index 0000000000..f858a4664a
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/sec-ops-dashboard.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/status-tile.png b/windows/security/threat-protection/windows-defender-atp/images/status-tile.png
index 452918b63f..bdc4ec022d 100644
Binary files a/windows/security/threat-protection/windows-defender-atp/images/status-tile.png and b/windows/security/threat-protection/windows-defender-atp/images/status-tile.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/ta.png b/windows/security/threat-protection/windows-defender-atp/images/ta.png
new file mode 100644
index 0000000000..db89f750a7
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ta.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/threat-analytics-report.png b/windows/security/threat-protection/windows-defender-atp/images/threat-analytics-report.png
new file mode 100644
index 0000000000..374a1e58b2
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/threat-analytics-report.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/top-recommendations.png b/windows/security/threat-protection/windows-defender-atp/images/top-recommendations.png
new file mode 100644
index 0000000000..2b08ddae2e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/top-recommendations.png differ
diff --git a/windows/security/threat-protection/windows-defender-atp/images/win10-endpoint-users.png b/windows/security/threat-protection/windows-defender-atp/images/win10-endpoint-users.png
new file mode 100644
index 0000000000..04eaa248a9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/win10-endpoint-users.png differ
diff --git a/windows/security/hardware-protection/images/windows-defender-system-guard-boot-time-integrity.png b/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png
similarity index 100%
rename from windows/security/hardware-protection/images/windows-defender-system-guard-boot-time-integrity.png
rename to windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-boot-time-integrity.png
diff --git a/windows/security/hardware-protection/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png
similarity index 100%
rename from windows/security/hardware-protection/images/windows-defender-system-guard-validate-system-integrity.png
rename to windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard-validate-system-integrity.png
diff --git a/windows/security/hardware-protection/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard.png similarity index 100% rename from windows/security/hardware-protection/images/windows-defender-system-guard.png rename to windows/security/threat-protection/windows-defender-atp/images/windows-defender-system-guard.png diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index 5f1f375b3f..6e47b6ddea 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index f57e046676..6640bb6e9f 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index 8a0c91b597..29592bd0f8 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -16,10 +16,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index d90a76d961..607b3d55e1 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -10,13 +10,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 05/30/2018 +ms.date: 09/18/2018 --- # Investigate machines in the Windows Defender ATP Machines list **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) 
@@ -61,7 +60,7 @@ You'll also see details such as logon types for each user account, the user grou For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). **Machine risk**
                    -The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to. +The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to. **Azure Advanced Threat Protection**
                    If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. 
@@ -148,73 +147,13 @@ From the list of events that are displayed in the timeline, you can examine the ![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png)
-You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine.
+You can also use the [Artifact timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of meta data on the file or IP address. The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
-## Add machine tags
-You can add tags on machines during an investigation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
-You can add tags on machines using the following ways:
-- By setting a registry key value
-- By using the portal
-
-### Add machine tags by setting a registry key value
-Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
-
->[!NOTE]
-> Applicable only on the following machines:
->- Windows 10, version 1709 or later
->- Windows Server, version 1803 or later
->- Windows Server 2016
->- Windows Server 2012 R2
-
-Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
-
-Use the following registry key entry to add a tag on a machine:
-
-- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
-- Registry key value (string): Group
-
-
-### Add machine tags using the portal
-Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
-
-1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
-
- - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- - **Machines list** - Select the machine name from the list of machines.
- - **Search box** - Select Machine from the drop-down menu and enter the machine name.
-
- You can also get to the alert page through the file and IP views.
-
-2. Open the **Actions** menu and select **Manage tags**.
-
- ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
-
-3. Enter tags on the machine. To add more tags, click the + icon.
-4. Click **Save and close**.
-
- ![Image of adding tags on a machine](images/atp-save-tag.png)
-
- Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
-
-### Manage machine tags
-You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
-
-![Image of adding tags on a machine](images/atp-tag-management.png)
-
-## Use machine groups in an investigation
-Machine group affiliation can represent geographic location, specific activity, importance level and others.
-
-You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
-
-You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
-
-In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter. ## Related topics
diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
index 778f8d48b4..c2460df138 100644
--- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
@@ -16,10 +16,7 @@ ms.date: 10/16/2017 **Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
+ - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -112,7 +109,7 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows ![Image of final preference set up](images\atp-final-preference-setup.png)
-9. A dedicated cloud instance of Windows Defender Security Center portal is being created at this time. This step will take an average of 5 minutes to complete.
+9. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. ![Image of Windows Defender ATP cloud instance](images\atp-windows-cloud-instance-creation.png)
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
index eade1924be..2969a1b1a1 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
@@ -16,10 +16,7 @@ ms.date: 05/08/2018 # Create and manage machine groups in Windows Defender ATP **Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
+ - Azure Active Directory - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -42,7 +39,7 @@ As part of the process of creating a machine group, you'll: >A machine group is accessible to all users if you don’t assign any Azure AD groups to it.
-## Add a machine group
+## Create a machine group 1. In the navigation pane, select **Settings** > **Machine groups**.
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..09ba1f5325
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,81 @@
+---
+title: Create and manage machine tags
+description: Use machine tags to group machines to capture context and enable dynamic list creation as part of an incident
+keywords: tags, machine tags, machine groups, groups, remediation, level, rules, aad group, role, assign, rank
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/13/2018
+---
+
+# Create and manage machine tags
+Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic location, specific activity, importance level and others.
+
+You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
+
+You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
+
+In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
+
+
+Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
+
+You can add tags on machines using the following ways:
+- By setting a registry key value
+- By using the portal
+
+## Add machine tagsby setting a registry key value
+Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
+
+>[!NOTE]
+> Applicable only on the following machines:
+>- Windows 10, version 1709 or later
+>- Windows Server, version 1803 or later
+>- Windows Server 2016
+>- Windows Server 2012 R2
+
+Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
+
+Use the following registry key entry to add a tag on a machine:
+
+- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
+- Registry key value (string): Group
+
+>[!NOTE]
+>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report.
+
+
+## Add machine tags using the portal
+Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
+
+1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
+
+ - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+ You can also get to the alert page through the file and IP views.
+
+2. Open the **Actions** menu and select **Manage tags**.
+
+ ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
+
+3. Enter tags on the machine. To add more tags, click the + icon.
+4. Click **Save and close**.
+
+ ![Image of adding tags on a machine](images/atp-save-tag.png)
+
+ Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
+
+### Manage machine tags
+You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
+
+![Image of adding tags on a machine](images/atp-tag-management.png)
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 3906ca3861..d75eefe80b 100644
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -10,63 +10,62 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 09/03/2018 --- # View and organize the Windows Defender ATP Machines list **Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
+ - Windows Defender Advanced Threat Protection (Windows Defender ATP) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
-The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
+The **Machines list** shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days.
-Use the Machines list in these main scenarios:
+At a glance you'll see information such as domain, risk level, OS platform, and other details.
+
+
+There are several options you can choose from to customize the machines list view.
+On the top navigation you can:
+- Customize columns to add or remove columns
+- Export the entire list in CSV format
+- Select the items to show per page
+- Navigate between pages
+- Apply filters
+
+
+Use the machine list in these main scenarios: - **During onboarding**
                    During the onboarding process, the **Machines list** is gradually populated with machines as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
+
+ >[NOTE]
+ > Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is.
+Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
+ - **Day-to-day work**
                    - The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
+ The list enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts. Sorting machines by **Active alerts**, helps identify the most vulnerable machines and take action on them.
-## Sort, filter, and download the list of machines from the Machines list
-You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order.
-Filter the **Machines list** by **Time**, **OS Platform**, **Health**, **Security state**, **Malware category alerts**, **Groups**, or **Tags** to focus on certain sets of machines, according to the desired criteria.
+![Image of machines list with list of machines](images/machines-list.png)
-You can also download the entire list in CSV format using the **Export to CSV** feature.
+## Sort and filter the machine list
+You can apply the following filters to limit the list of alerts and get a more focused view.
-![Image of machines list with list of machines](images/atp-machines-list-view2.png)
-You can use the following filters to limit the list of machines displayed during an investigation:
-
-**Time period**
                    -- 1 day
-- 3 days
-- 7 days
-- 30 days
-- 6 months
-
-**Risk level**
                    +### Risk level Machine risk levels are indicators of the active threats that machines could be exposed to. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert.
-**OS Platform**
                    -- Windows 10
-- Windows Server 2012 R2
-- Windows Server 2016
-- Other
+### OS Platform
+Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
-
-**Sensor health state**
                    +### Health state Filter the list to view specific machines grouped together by the following machine health states: - **Active** – Machines that are actively reporting sensor data to the service.
-- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to:
+- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to: - No sensor data - Impaired communications
@@ -74,7 +73,7 @@ Filter the list to view specific machines grouped together by the following mach - **Inactive** – Machines that have completely stopped sending signals for more than 7 days.
-**Security state**
                    +### Security state Filter the list to view specific machines that are well configured or require attention based on the Windows Defender security controls that are enabled in your organization.
@@ -83,39 +82,9 @@ Filter the list to view specific machines that are well configured or require at For more information, see [View the Secure Score dashboard](secure-score-dashboard-windows-defender-advanced-threat-protection.md).
-**Malware category alerts**
                    -Filter the list to view specific machines grouped together by the following malware categories:
- - **Ransomware** – Ransomware use common methods to encrypt files using keys that are known only to attackers. As a result, victims are unable to access the contents of the encrypted files. Most ransomware display or drop a ransom note—an image or an HTML file that contains information about how to obtain the attacker-supplied decryption tool for a fee.
- - **Credential theft** – Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers.
- These tools collect credentials and other information from browser records, key presses, email and instant messages, voice and video conversations, and screenshots. They are used in cyberattacks to establish control and steal information.
- - **Exploit** – Exploits take advantage of unsecure code in operating system components and applications. Exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine. Exploits are found in both commodity malware and malware used in targeted attacks.
- - **Backdoor** - Backdoors are malicious remote access tools that allow attackers to access and control infected machines. Backdoors can also be used to exfiltrate data.
- - **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks.
- - **PUA** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent.
These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software.
-
-**Groups and tags**
                    +### Tags You can filter the list based on the grouping and tagging that you've added to individual machines.
-## Export machine list to CSV
-You can download a full list of all the machines in your organization, in CSV format. Click the **Export to CSV** button to download the entire list as a CSV file.
-
->[NOTE]
-> Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is.
-Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
-
-## Sort the Machines list
-You can sort the **Machines list** by the following columns:
-
-- **Machine name** - Name or GUID of the machine
-- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data
-- **Last seen** - Date and time when the machine last reported sensor data
-- **Internal IP** - Local internal Internet Protocol (IP) address of the machine
-- **Active Alerts** - Number of alerts reported by the machine by severity
-- **Active malware alerts** - Number of active malware detections reported by the machine
-
-> [!NOTE]
-> The **Active malware detections** filter column will only appear if your machines are using [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
- ## Related topics - [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 4860f91956..00142f3502 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -10,51 +10,30 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 09/03/2018 --- # Manage Windows Defender Advanced Threat Protection alerts **Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
- >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
-Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue** menu.
+Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view. Selecting an alert in either of those places brings up the **Alert management pane**.
-![Image of alert status](images/atp-alert-status.png)
+![Image of alert status](images/atp-alerts-selected.png)
-## Change the status of an alert
-
-You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
-
-For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
-
-Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
-
-## Alert classification
-You can specify if an alert is a true alert or a false alert.
+## Link to another incident
+You can create a new incident from the alert or link to an existing incident. ## Assign alerts If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself.
-## Add comments and view the history of an alert
-You can add comments and view historical events about an alert to see previous changes made to the alert.
-
-Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
-
-Added comments instantly appear on the pane. ## Suppress alerts There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
@@ -83,32 +62,18 @@ Create custom rules to control when alerts are suppressed, or resolved. You can 1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
-2. Scroll down to the **Create a supression rule** section.
+2. Select **Create a supression rule**.
- ![Image of alert status](images/atp-create-suppression-rule.png)
-
-3. Enter an alert title then select an indicator of compromise from the drop-down list.
-
- ![Image of alert status](images/atp-new-suppression-rule.png)
-
- > [!NOTE]
- > You cannot create a custom or blank suppression rule. You must start from an existing alert.
-
-4. Specify the suppression conditions by entering values for any of the following:
- - Sha1
- - File name
- - Folder path
-
- > [!NOTE]
- > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions by removing the deselecting the checkbox.
+3. Select the **Trigerring IOC**.
-5. Specify the action and scope on the alert.
                    - You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization.
+4. Specify the action and scope on the alert.
                    + You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on a specific machine group.
-6. Click **Save and close**.
+5. Enter a rule name and a comment.
+6. Click **Save**.
-### View the list of suppression rules
+#### View the list of suppression rules 1. In the navigation pane, select **Settings** > **Alert suppression**.
@@ -116,6 +81,28 @@ Create custom rules to control when alerts are suppressed, or resolved. You can For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) +## Change the status of an alert + +You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts. + +For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis. + +Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert. + + + +## Alert classification +You can choose not to set a classification, or specify if an alert is a true alert or a false alert. + + +## Add comments and view the history of an alert +You can add comments and view historical events about an alert to see previous changes made to the alert. + +Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section. + +Added comments instantly appear on the pane. + + ## Related topics - [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md) - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..a5df326a4d --- /dev/null 
+++ b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,194 @@
+---
+title: Learn about the automated investigations dashboard in Windows Defender Security Center
+description: View the list of automated investigations, its status, detection source and other details.
+keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Learn about the automated investigations dashboard
+By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
+
+>[!NOTE]
+>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
+
+Use the **Customize columns** drop-down menu to select columns that you'd like to show or hide.
+
+From this view, you can also download the entire list in CSV format using the **Export** button, specify the number of items to show per page, and navigate between pages. You also have the flexibility to filter the list based on your preferred criteria.
+
+![Image of Auto investigations page](images/atp-auto-investigations-list.png)
+
+
+**Filters**
+You can use the following operations to customize the list of Automated investigations displayed:
+
+
+**Triggering alert**
+The alert the initiated the Automated investigation.
+
+**Status**
+An Automated investigation can be in one of the following status:
+
+Status | Description
+:---|:---
+| No threats found | No malicious entities found during the investigation.
+| Failed | A problem has interrupted the investigation, preventing it from completing. |
+| Partially remediated | A problem prevented the remediation of some malicious entities. |
+| Pending action | Remediation actions require review and approval. |
+| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
+| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
+| Running | Investigation ongoing. Malicious entities found will be remediated. |
+| Remediated | Malicious entities found were successfully remediated. |
+| Terminated by system | Investigation was stopped by the system. |
+| Terminated by user | A user stopped the investigation before it could complete.
+| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
+
+
+
+**Detection source**
+Source of the alert that initiated the Automated investigation.
+
+**Threat**
+The category of threat detected during the Automated investigation.
+
+
+**Tags**
+Filter using manually added tags that capture the context of an Automated investigation.
+
+**Machines**
+You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
+
+**Machine groups**
+Apply this filter to see specific machine groups that you might have created.
+
+**Comments**
                    +Select between filtering the list between Automated investigations that have comments and those that don't. + +## Analyze Automated investigations +You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information. + +In this view, you'll see the name of the investigation, when it started and ended. + +![Image of investigation details window](images/atp-analyze-auto-ir.png) + +The progress ring shows two status indicators: +- Orange ring - shows the pending portion of the investigation +- Green ring - shows the running time portion of the investigation + +![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png) + +In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds. + +The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval. + +From this view, you can also view and add comments and tags about the investigation. + +### Investigation page +The investigation page gives you a quick summary on the status, alert severity, category, and detection source. + +You'll also have access to the following sections that help you see details of the investigation with finer granularity: + +- Investigation graph +- Alerts +- Machines +- Threats +- Entities +- Log +- Pending actions + + >[!NOTE] + >The Pending actions tab is only displayed if there are actual pending actions. + +- Pending actions history + + >[!NOTE] + >The Pending actions history tab is only displayed when an investigation is complete. 
+ +In any of the sections, you can customize columns to further expand to limit the details you see in a section. + +### Investigation graph +The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. + +### Alerts +Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. + +Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing. + +Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history. + +Clicking on an alert title brings you the alert page. + +### Machines +Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. + +Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. + +Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. + +Clicking on an machine name brings you the machine page. + +### Threats +Shows details related to threats associated with this investigation. 
+ +### Entities +Shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean. + +### Log +Gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. + +As with other sections, you can customize columns, select the number of items to show per page, and filter the log. + +Available filters include action type, action, status, machine name, and description. + +You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. + +### Pending actions history +This tab is only displayed when an investigation is complete and shows all pending actions taken during the investigation. + + +## Pending actions +If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image. + +![Image of pending actions](images\atp-pending-actions-notification.png) + +When you click on the pending actions link, you'll be taken to the pending actions page. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Pending actions**. + + +The pending actions view aggregates all investigations that require an action for an investigation to proceed or be completed. + +![Image of pending actions page](images/atp-pending-actions-list.png) + +Use the Customize columns drop-down menu to select columns that you'd like to show or hide. + +From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. 
+ +Pending actions are grouped together in the following tabs: +- Quarantine file +- Remove persistence +- Stop process +- Expand pivot +- Quarantine service + +>[!NOTE] +>The tab will only appear if there are pending actions for that category. + +### Approve or reject an action +You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed. + +Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. + +![Image of pending action selected](images/atp-pending-actions-file.png) + +From the panel, you can click on the Open investigation page link to see the investigation details. + +You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations. + +## Related topic +- [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index c090006878..46adcfac19 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 06/14/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md index e1ce6b8173..9a359aaabc 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md @@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -41,9 +38,7 @@ For example, if you add *exe* and *bat* as file or attachment extension names, t 3. Configure the following extension names and separate extension names with a comma: - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection - - **Attachment extension names** - Suspicious email attachments with these extension names will be submitted for additional inspection - - + ## Related topics - [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md index bae5b989f8..d3ed61a295 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
@@ -17,10 +17,7 @@ ms.date: 04/24/2018
 **Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
+
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/windows-defender-atp/manage-edr.md
new file mode 100644
index 0000000000..97ff8bd046
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/manage-edr.md
@@ -0,0 +1,27 @@
+---
+title: Manage endpoint detection and response capabilities
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 07/01/2018
+---
+
+# Manage endpoint detection and response capabilities
+
+Manage the alerts queue, investigate machines in the machines list, take response actions, and hunt for possible threats in your organization using advanced hunting.
+
+
+## In this section
+Topic | Description
+:---|:---
+[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Windows Defender Security Center.
+[Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts.
+[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats.
+[Query data using advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
index 6db6e02136..1fa0357ade 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
@@ -17,10 +17,7 @@ ms.date: 04/24/2018
 **Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
+
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md
new file mode 100644
index 0000000000..2e0966140c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md
@@ -0,0 +1,53 @@ +--- +title: Overview of management and APIs +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Overview of management and APIs + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink) + +Windows Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform. + +Acknowledging that customer environments and structures can vary, Windows Defender ATP was created with flexibility and granular control to fit varying customer requirements. + +Machine onboarding is fully integrated into System Center Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Windows Defender ATP supports Group Policy and other third-party tools used for machines management. + +Windows Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: +- Globally distributed organizations and security teams +- Tiered model security operations teams +- Fully segregated devisions with single centralized global security operations teams + +The Windows Defender ATP solution is built on top of an integration-ready platform: +- It supports integration with a number of security information and event management (SIEM) solutions and also exposes APIs to fully support pulling all the alerts and detection information into any SIEM solution. 
+- It supports a rich set of application programming interface (APIs) providing flexibility for those who are already heavily invested in data enrichment and automation: + - Enriching events coming from other security systems with foot print or prevalence information + - Triggering file or machine level response actions through APIs + - Keeping systems in-sync such as importing machine tags from asset management systems into Windows Defender ATP, synchronize alerts and incidents status cross ticketing systems with Windows Defender ATP. + +An important aspect of machine management is the ability to analyze the environment from varying and broad perspectives. This often helps drive new insights and proper priority identification: +- The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures. +- Windows Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Windows Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Windows Defender ATP data with your own data stream to produce business specific reports. + +## Related topics +- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) +- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) +- [Role-based access control](rbac-windows-defender-advanced-threat-protection.md) + + 
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
new file mode 100644
index 0000000000..b37cd582c8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md
@@ -0,0 +1,64 @@ +--- +title: Configure Microsoft Cloud App Security integration +description: Learn how to turn on the settings to enable the Windows Defender ATP integration with Microsoft Cloud App Security. +keywords: cloud, app, security, settings, integration, discovery, report +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/19/2018 + +--- + +# Configure Microsoft Cloud App Security integration +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. + + +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. + +1. In the navigation pane, select **Preferences setup** > **Advanced features**. +2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. +3. Click **Save preferences**. + + + +![Advanced features](images/atp-mcas-settings.png) + +Once activated, Windows Defender ATP will immediately start forwarding discovery signals to Cloud App Security. + +## View the data collected + +1. Browse to the [Cloud App Security portal](https://portal.cloudappsecurity.com). + +2. Navigate to the Cloud Discovery dashboard. + + ![Image of menu to cloud discovery dashboard](images/atp-cloud-discovery-dashboard-menu.png) + +3. Select **Win10 Endpoint Users report**, which contains the data coming from Windows Defender ATP. 
+ + ![Win10 endpoint users](./images/win10-endpoint-users.png) + +This report is similar to the existing discovery report with one major difference: you can now benefit from visibility to the machine context. + +Notice the new **Machines** tab that allows you to view the data split to the device dimensions. This is available in the main report page or any subpage (for example, when drilling down to a specific cloud app). + +![Cloud discovery](./images/cloud-discovery.png) + + +For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/en-us/cloud-app-security/discovered-apps). + +If you are interested in trying Microsoft Cloud App Security, see [Microsoft Cloud App Security Trial](https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1). + +## Related topic +- [Microsoft Cloud App Security integration](microsoft-cloud-app-security-integration.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md new file mode 100644 index 0000000000..51dfb9bf97 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md 
@@ -0,0 +1,43 @@ +--- +title: Microsoft Cloud App Security integration overview +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/18/2018 +--- + +# Microsoft Cloud App Security integration overview +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security). + +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. + +## Windows Defender ATP and Cloud App Security integration + +Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. + +The integration provides the following major improvements to the existing Cloud App Security discovery: + +- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers. 
+ +- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Windows Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Windows Defender Security Center settings and you're good to go. + +- Device context - Cloud traffic logs lack device context. Windows Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. + +For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/en-us/cloud-app-security/discovered-apps). + +## Related topic + +- [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 2c3da444dd..84f62905aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -9,18 +9,13 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/01/2018 --- # Minimum requirements for Windows Defender ATP **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) There are some minimum requirements for onboarding machines to the service. 
diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..0ec05caa9c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,44 @@
+---
+title: Managed security service provider (MSSP) support
+description: Understand how Windows Defender ATP integrates with managed security service providers (MSSP)
+keywords: mssp, integration, managed, security, service, provider
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Managed security service provider support
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
+
+
+To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Windows Defender ATP.
+
+
+Windows Defender ATP adds support for this scenario and to allow MSSPs to take the following actions:
+
+- Get access to MSSP customer's Windows Defender Security Center portal
+- Get email notifications, and
+- Fetch alerts through security information and event management (SIEM) tools
+
+
+## Related topic
+- [Configure managed security service provider integration](configure-mssp-support-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md index 0b481a47f3..af9a42584f 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Offboard machines from the Windows Defender ATP service **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - macOS - Linux - Windows Server 2012 R2 diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index 97d408e645..34c07f0734 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/01/2018 --- @@ -18,7 +18,7 @@ ms.date: 07/01/2018 **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You need to onboard machines to Windows Defender ATP before you can use the service. +You need to turn on the sensor to give visibility within Windows Defender ATP. For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be). 
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
index 46f931e363..1428a1b310 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md
@@ -23,7 +23,7 @@ ms.date: 06/18/2018
 - Windows 8.1 Enterprise
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[!include[Prerelease information](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md
new file mode 100644
index 0000000000..39ee66db3c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/onboard.md
@@ -0,0 +1,32 @@ +--- +title: Configure and manage Windows Defender ATP capabilities +description: Configure and manage Windows Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls +keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Configure and manage Windows Defender ATP capabilities + +Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization. + + +## In this section +Topic | Description +:---|:--- +[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. +[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. +[Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | Configure the security controls in Secure score to increase the security posture of your organization. +Configure Microsoft threat protection integration| Configure other solutions that integrate with Windows Defender ATP. +Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. 
+[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. + + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md new file mode 100644 index 0000000000..98d08c46d6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md 
@@ -0,0 +1,32 @@ +--- +title: Overview of attack surface reduction +description: Learn about the attack surface reduction capability in Windows Defender ATP +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 07/01/2018 +--- + +# Overview of attack surface reduction + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Attack surface reduction capabilities in Windows Defender ATP helps protect the devices and applications in your organization from new and emerging threats. + +| Capability | Description | +|------------|-------------| +| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protects and maintains the integrity of the system as it starts and while it's running, and validates system integrity through local and remote attestation. In addition, container isolation for Microsoft Edge helps protect host operating system from malicious wbsites. | +| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. | +| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) | Applies exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV) | +| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) | Extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. 
Requires Windows Defender AV. | +| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV. | +| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) | reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV. | +| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Host-based, two-way network traffic filtering that blocks unauthorized network traffic flowing into or out of the local device. | + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md new file mode 100644 index 0000000000..9b2912076d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md 
@@ -0,0 +1,33 @@ +--- +title: Custom detections overview +description: Understand how how you can leverage the power of advanced hunting to create custom detections +keywords: custom detections, detections, advanced hunting, hunt, detect, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + + +# Custom detections overview +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. + +This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. +Custom detections are queries that run periodically every 24 hours and can be configured so that when the query meets the criteria you set, alerts are created and are surfaced in Windows Defender Security Center. These alerts will be treated like any other alert in the system. + +This capability is particularly useful for scenarios when you want to pro-actively prevent threats and be notified quickly of emerging threats. + +## Related topic +- [Create custom detection rules](custom-detection-rules.md) + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md new file mode 100644 index 0000000000..31b65ba716 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md 
@@ -0,0 +1,44 @@ +--- +title: Overview of endpoint detection and response capabilities +description: Learn about the endpoint detection and response capabilities in Windows Defender ATP +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Overview of endpoint detection and response + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +The Widows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat. + + +When a threat is detected, alerts are be created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. + +Inspired by the "assume breach" mindset, Windows Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes and others. This information is stored for six months, enabling an analyst to travel back in time to the starting point of an attack and pivot in various views and approach an investigation through multiple possible vectors. + +The response capabilities give you the power to promptly remediate threats by acting on the affected entities. + +## In this section + +Topic | Description +:---|:--- +Security operations dashboard | This is where the endpoint detection and response capabilities are surfaced. 
It provides a high level overview of where detections were seen and highlights where response actions are needed. +Alerts queue | This dashboard shows all the alerts that were seen on machines. Learn how you can view and organize the queue, or how to manage and investigate alerts. +Machines list | Shows a list of machines where alerts have been generated. Learn how you can investigate machines, or how to search for specific events in a timeline, and others. +Take response actions | Learn about the available response actions and how to apply them on machines and files. + + + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md new file mode 100644 index 0000000000..9d8cdabaae --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md 
@@ -0,0 +1,27 @@ +--- +title: Hardware-based isolation (Windows 10) +description: Learn about how hardware-based isolation in Windows 10 helps to combat malware. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +author: justinha +ms.localizationpriority: medium +ms.author: justinha +ms.date: 09/07/2018 +--- + +# Hardware-based isolation in Windows 10 + +**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Windows Defender ATP. + +| Feature | Description | +|------------|-------------| +| [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. | +| [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. | + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..598138a8ef --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,35 @@ +--- +title: Overview of advanced hunting capabilities +description: Hunt for possible threats accross your organization using a powerful search and query tool +keywords: advanced hunting, hunting, search, query, tool, intellisense, telemetry +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/12/2018 +--- + +# Overview of advanced hunting +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. + +With advanced hunting, you can take advantage of the following capabilities: + +- **Powerful query language with IntelliSense** - Built on top of a query language that gives you the flexibility you need to take hunting to the next level. +- **Query the stored telemetry** - The telemetry data is accessible in tables for you to query. For example, you can query process creation, network communication, and many other event types. +- **Links to portal** - Certain query results, such as machine names and file names are actually direct links to the portal, consolidating the Advanced hunting query experience and the existing portal investigation experience. +- **Query examples** - A welcome page provides examples designed to get you started and get you familiar with the tables and the query language. + +## In this section +Topic | Description +:---|:--- +[Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization. + + + 
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..222e5cfffa --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,76 @@ +--- +title: Overview of Secure score in Windows Defender Security Center +description: Expand your visibility into the overall security posture of your organization +keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Overview of Secure score in Windows Defender Security Center +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. + +>[!IMPORTANT] +> This feature is available for machines on Windows 10, version 1703 or later. + + +The **Secure score dashboard** displays a snapshot of: +- Microsoft secure score +- Secure score over time +- Top recommendations +- Improvement opportunities + + +![Secure score dashboard](images/new-secure-score-dashboard.png) + +## Microsoft secure score +The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. + +![Image of Microsoft secure score tile](images/mss.png) + +Each Windows Defender security control contributes 100 points to the score. 
The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). + +The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). + +In the example image, the total points for the Windows security controls and Office 365 add up to 602 points. + +You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md). + +## Secure score over time +You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. + +![Image of the security score over time tile](images/new-ssot.png) + +You can mouse over specific date points to see the total score for that security control is on a specific date. + + +## Top recommendations +Reflects specific actions you can take to significantly increase the security stance of your organization and how many points will be added to the secure score if you take the recommended action. + +![Top recommendations tile](images/top-recommendations.png) + +## Improvement opportunities +Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control. 
+ +Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to reflect the list of machines where improvements can be made. + + + +![Improvement opportunities](images/io.png) + + +Within the tile, you can click on each control to see the recommended optimizations. + +Clicking the link under the Misconfigured machines column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. + +## Related topic +- [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md new file mode 100644 index 0000000000..b40bd3d25d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/overview.md 
@@ -0,0 +1,36 @@ +--- +title: Overview of Windows Defender ATP +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Overview of Windows Defender ATP capabilities + +Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. + +## In this section + +Topic | Description +:---|:--- +[Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. +[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers. +[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. +[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +[Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. 
+[Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules. +[Management and APIs](management-apis.md) | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. +[Microsoft threat protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. +[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Windows Defender Security Center. + + + + diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index bbee7b2a62..aa1c10660e 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Windows Defender Advanced Threat Protection portal overview **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
@@ -52,14 +47,15 @@ Area | Description :---|:--- (1) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Automated investigations**, **Machines list**, **Service health**, **Advanced hunting**, and **Settings**. **Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard. -**Alerts** | View separate queues of new, in progress, resolved alerts, alerts assigned to you. +**Incidents** | View alerts that have been aggregated as incidents. +**Alerts** | View alerts generated from machines in your organizations. **Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation. +**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. **Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. **Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. -**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. **Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard. 
**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. -**(3) Search, Community center, Time settings, Help and support, Feedback** | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.

                    **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

                    **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

                    **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.

                    **Feedback** - Access the feedback button to provide comments about the portal. +**(3) Community center, Time settings, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

                    **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

                    **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.

                    **Feedback** - Access the feedback button to provide comments about the portal. ## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index ee949dfc75..269e894610 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -14,11 +14,6 @@ ms.date: 04/24/2018 # Create and build Power BI reports using Windows Defender ATP data **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index cc40a22908..538450ea18 100644 --- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # PowerShell code examples for the custom threat intelligence API **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index 769e84dfb8..76c28f6e1f 100644 --- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -15,15 +15,8 @@ ms.date: 04/24/2018 # Configure Windows Defender Security Center settings **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. @@ -32,7 +25,7 @@ Use the **Settings** menu to modify general settings, advanced features, enable Topic | Description :---|:--- -[Update general settings](data-retention-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process. +General settings | Modify your general settings that were previously defined as part of the onboarding process. Permissions | Manage portal access using RBAC as well as machine groups. APIs | Enable the threat intel and SIEM integration. Rules | Configure suppressions rules and automation settings. 
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index 244a09bc78..a295925903 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -15,11 +15,6 @@ ms.date: 04/24/2018 # Turn on the preview experience in Windows Defender ATP **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 16ca374715..3eab3eda81 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -10,17 +10,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/21/2018 +ms.date: 09/03/2018 --- # Windows Defender ATP preview features **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -42,6 +37,29 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: + +- [Threat analytics](threat-analytics.md)
                    +Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + +- [Custom detection](overview-custom-detections.md)
                    + With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + + +- [Managed security service provider (MSSP) support](mssp-support-windows-defender-advanced-threat-protection.md)
                    +Windows Defender ATP adds support for this scenario by providing MSSP integration. +The integration will allow MSSPs to take the following actions: +Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools. + +- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
                    +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
                    +Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + + +- [Onboard Windows Server 2019](configure-server-endpoints-windows-defender-advanced-threat-protection.md#windows-server-version-1803-and-windows-server-2019)
                    +Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + - [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
                    Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor - Windows 7 SP1 Enterprise @@ -50,6 +68,5 @@ Onboard supported versions of Windows machines so that they can send sensor data - Windows 8.1 Pro - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index aab70fb694..58f784e646 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Pull Windows Defender ATP alerts using REST API **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index ec4e631bbb..f84794a823 100644 --- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md 
@@ -17,10 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education + - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index 6c6e1ced73..20e2299d14 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -15,17 +15,10 @@ ms.date: 05/08/2018 # Manage portal access using role-based access control **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Azure Active Directory - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink) 
@@ -45,9 +38,9 @@ Windows Defender ATP RBAC is designed to support your tier- or role-based model - Create custom roles and control what Windows Defender ATP capabilities they can access with granularity. - **Control who can see information on specific machine group or groups** - - [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure AD user group. + - [Create machine groups](machine-groups-windows-defender-advanced-threat-protection.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group. -To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure Active Directory (Azure AD) user groups assigned to the roles. +To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles. ### Before you begin 
@@ -70,48 +63,7 @@ Someone with a Windows Defender ATP Global administrator role has unrestricted a > > After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal. -## Create roles and assign the role to a group -1. In the navigation pane, select **Settings > Role based access control > Roles**. - -2. Click **Add role**. - -3. Enter the role name, description, and permissions you’d like to assign to the role. - - - **Role name** - - - **Description** - - - **Permissions** - - **View data** - Users can view information in the portal. - - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions. - - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. - - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. - -4. Click **Next** to assign the role to an Azure AD group. - -5. Use the filter to select the Azure AD group that you’d like to add to this role. - -6. Click **Save and close**. - -7. Apply the configuration settings. - -## Edit roles - -1. Select the role you'd like to edit. - -2. Click **Edit**. - -3. Modify the details or the groups that are assigned to the role. - -4. Click **Save and close**. - -## Delete roles - -1. Select the role you'd like to delete. - -2. Click the drop-down button and select **Delete role**. ## Related topic - [Create and manage machine groups in Windows Defender ATP](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file 
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index c2dc292025..148d0a9793 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Take response actions on a file **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index c43c430a57..064fb37360 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 12/12/2017 # Take response actions on a machine **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 8858ac7366..5feacd51aa 100644 
--- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 11/12/2017 # Take response actions in Windows Defender ATP **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md index b7b33d60ef..985a82d123 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md @@ -16,7 +16,6 @@ ms.date: 12/08/2017 # Restrict app execution API **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md index c6803604a8..9132144898 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md @@ -16,7 +16,6 @@ ms.date: 12/08/2017 # Run antivirus scan API **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index 87fe1b0b5c..ad774f962c 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md @@ -10,23 +10,24 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/06/2017 +ms.date: 09/07/2018 --- # Run a detection test on a newly onboarded Windows Defender ATP machine **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education +- Supported Windows 10 versions +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server, version 1803 +- Windows Server, 2019 - Windows Defender Advanced Threat Protection (Windows Defender ATP) Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service. -1. Open an elevated command-line prompt on the machine and run the script: +1. Create a folder: 'C:\test-WDATP-test'. +2. Open an elevated command-line prompt on the machine and run the script: a. Go to **Start** and type **cmd**. @@ -34,7 +35,7 @@ Run the following PowerShell script on a newly onboarded machine to verify that ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -2. At the prompt, copy and run the following command: +3. At the prompt, copy and run the following command: ``` powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe' 
diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index 47815df570..48a0fcb12c 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: View the Secure Score dashboard in Windows Defender ATP -description: Use the Secure Score dashboard to assess and improve the security state of your organization by analyzing various security control tiles. +title: Configure the security controls in Secure score +description: Configure the security controls in Secure score keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -12,80 +12,10 @@ ms.localizationpriority: medium ms.date: 04/24/2018 --- -# View the Windows Defender Advanced Threat Protection Secure score dashboard - +# Configure the security controls in Secure score **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-abovefoldlink) - - -The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. - ->[!IMPORTANT] -> This feature is available for machines on Windows 10, version 1703 or later. - - -The **Secure score dashboard** displays a snapshot of: -- Microsoft Secure score -- Windows Defender security controls -- Improvement opportunities -- Security score over time - -![Secure score dashboard](images/ss1.png) - -## Microsoft secure score -The Microsoft secure score tile is reflective of the sum of all the Windows Defender security controls that are configured according to the recommended baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings. - -![Image of Microsoft secure score tile](images/mss.png) - -Each Windows Defender security control contributes 100 points to the score. 
The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar). - -The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess). - -In the example image, the total points for the Windows security controls and Office 365 add up to 718 points. - -You can set the baselines for calculating the score of Windows Defender security controls on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md). - -## Windows Defender security controls -The security controls tile shows a bar graph where each bar represents a Windows Defender security control. Each bar reflects the number of machines that are well configured and those that require **any kind of attention** for each security control. Hovering on top of the individual bars will show exact numbers for each category. Machines that are green are well configured, while machines that are orange require some level of attention. - - -![Windows Defender security controls](images/wdsc.png) - -## Improvement opportunities -Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control. - -Click on each control to see the recommended optimizations. - -![Improvement opportunities](images/io.png) - -The numbers beside the green triangle icon on each recommended action represents the number of points you can gain by taking the action. 
When added together, the total number makes up the numerator in the fraction for each segment in the Improvement opportunities tile. - ->[!IMPORTANT] ->Recommendations that do not display a green triangle icon are informational only and no action is required. - -Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. - -The following image shows an example list of machines where the EDR sensor is not turned on. - -![Image of view machines list with a filter applied](images/atp-security-analytics-view-machines2.png) - -## Security score over time -You can track the progression of your organizational security posture over time using this tile. It displays the overall and individual control scores in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture. - -![Image of the security score over time tile](images/ssot.png) - -You can click on specific date points to see the total score for that security control is on a particular date. - -## Improve your secure score by applying improvement recommendations Each security control lists recommendations that you can take to increase the security posture of your organization. ### Endpoint detection and response (EDR) optimization 
@@ -342,10 +272,7 @@ For more information, see [Manage Windows Defender Credential Guard](https://doc >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) -- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) -- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) -- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [Overview of Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index 8e9f3634dc..0fdb2ab3d7 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md 
@@ -1,6 +1,6 @@ --- -title: Windows Defender Advanced Threat Protection Security operations dashboard -description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. +title: Windows Defender Security Center Security operations dashboard +description: Use the dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh ms.prod: w10 
@@ -10,37 +10,32 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/04/2018 --- -# View the Windows Defender Advanced Threat Protection Security operations dashboard +# Windows Defender Security Center Security operations dashboard **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) -The **Security operations dashboard** displays a snapshot of: +The **Security operations dashboard** is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. -- The latest active alerts on your network +The dashboard displays a snapshot of: + +- Active alerts - Machines at risk -- Machines with active malware alerts +- Sensor health +- Service health - Daily machines reporting - Active automated investigations - Automated investigations statistics - Users at risk - Suspicious activities -- Sensor health -- Service health -![Image of Security operations dashboard](images/atp-sec-ops-1.png) + +![Image of Security operations dashboard](images/atp-sec-ops-dashboard.png) You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. 
@@ -49,51 +44,45 @@ From the **Security operations dashboard** you will see aggregated events to fac It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview. ## Active alerts -You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**. +You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are grouped into **New** and **In progress**. -![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp-alerts-tile.png) +![Click on each slice or severity to see a list of alerts from the past 30 days](images/active-alerts-tile.png) Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). For more information see, [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). -The **Latest active alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). +Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. 
For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md). ## Machines at risk This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). -![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png) +![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk-tile.png) Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). -## Machines with active malware detections -The **Machines with active malware detections** tile will only appear if your machines are using Windows Defender Antivirus. +## Sensor health +The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines. -Active malware is defined as threats that were actively executing at the time of detection. 
+![Sensor health tile](images/atp-tile-sensor-health.png) -Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of machines with at least one active detection (as **Machines**) over the past 30 days. +There are two status indicators that provide information on the number of machines that are not reporting properly to the service: +- **Misconfigured** – These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. +- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. -![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/atp-machines-active-threats-tile.png) -The chart is sorted into five categories: +When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). -- **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access. -- **Credential theft** - threats that attempt to steal credentials. -- **Exploit** - threats that use software vulnerabilities to infect machines. -- **Backdoor** - threats that gives a malicious hacker access to and control of machines. -- **General** - threats that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. -- **PUA** - applications that install and perform undesirable activity without adequate user consent. +## Service health +The **Service health** tile informs you if the service is active or if there are issues. 
-Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk. +![The Service health tile shows an overall indicator of the service](images/status-tile.png) -Clicking on any of these categories will navigate to the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. - -> [!NOTE] -> The **Machines with active malware detections** tile will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. +For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). ## Daily machines reporting 
@@ -104,13 +93,13 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb ## Active automated investigations -You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Waiting for machine**, **Running**, and **Pending approval**. +You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for machine**, and **Running**. ![Inmage of active automated investigations](images/atp-active-investigations-tile.png) ## Automated investigations statistics -This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigaiton to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation. +This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation. ![Image of automated investigations statistics](images/atp-automated-investigations-statistics.png) 
@@ -129,26 +118,6 @@ This tile shows audit events based on detections from various security component
 ![Suspicous activities tile](images/atp-suspicious-activities-tile.png)
-## Sensor health
-The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
-
-![Sensor health tile](images/atp-tile-sensor-health.png)
-
-There are two status indicators that provide information on the number of machines that are not reporting properly to the service:
-- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
-- **Misconfigured** – These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected.
-
-When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
-
-## Service health
-The **Service health** tile informs you if the service is active or if there are issues.
-
-![The Service health tile shows an overall indicator of the service](images/status-tile.png)
-
-For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md).
-
-
-
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index 656e809d15..20028f9555 100644
--- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -16,11 +16,6 @@ ms.date: 04/24/2018
 # Check the Windows Defender Advanced Threat Protection service health
 **Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
index 9540e46529..2e4f1e0fd1 100644
--- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,6 @@ ms.date: 12/08/2017
 # Stop and quarantine file API
 **Applies to:**
-
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
index b8bc903b76..a6c64df7ff 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -10,17 +10,12 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 09/03/2018
 ---
 # Supported Windows Defender ATP query APIs
 **Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -40,5 +35,3 @@ IP | Run API calls such as get IP related alerts, IP related machines, IP statis
 Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
 User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
-## Related topic
-- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
index 2d05ed0158..2ee0df491f 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md
@@ -16,7 +16,6 @@ ms.date: 12/01/2017
 # Supported Windows Defender ATP query APIs
 **Applies to:**
-
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
index 9b235fa9b0..affe0ea030 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Windows Defender Advanced Threat Protection Threat analytics
+title: Threat analytics for Spectre and Meltdown
 description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
 keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
 search.product: eADQiWindows 10XVcnh
@@ -10,20 +10,14 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 03/06/2018
+ms.date: 09/03/2018
 ---
 # Threat analytics for Spectre and Meltdown
-
 **Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+The **Threat analytics** dashboard provides insight on how emerging threats affect your organization. It provides information that's specific for your organization.
 [Spectre and Meltdown](https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/) is a new class of exploits that take advantage of critical vulnerabilities in the CPU processors, allowing attackers running user-level, non-admin code to steal data from kernel memory. These exploits can potentially allow arbitrary non-admin code running on a host machine to harvest sensitive data belonging to other apps or system processes, including apps on guest VMs.
@@ -51,9 +45,8 @@ To access Threat analytics, from the navigation pane select **Dashboards** > **T
 Click a section of each chart to get a list of the machines in the corresponding mitigation status.
 ## Related topics
-- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
-- [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
-- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
-- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+- [Threat analtyics](threat-analytics-windows-defender-advanced-threat-protection.md)
+- [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md)
+- [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md
new file mode 100644
index 0000000000..cb47452b3c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md
@@ -0,0 +1,65 @@
+---
+title: Windows Defender Advanced Threat Protection Threat analytics
+description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization.
+keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Threat analytics
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats.
+
+Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you the assess impact of threats in your environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
+
+
+>[!NOTE]
+>The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days.
+
+Each threat report provides a summary to describe details such as where the threat is coming from, where it's been seen, or techniques and tools that were used by the threat.
+
+The dashboard shows the impact in your organization through the following tiles:
+- Machines with alerts - shows the current distinct number of impacted machines in your organization
+- Machines with alerts over time - shows the distinct number of impacted over time
+- Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have each of the mitigations in place
+- Mitigation status - shows the number of mitigated and unmitigated machines. Machines are considered mitigated if they have all the measurable mitigations in place.
+- Mitigation status over time - shows the distinct number of machines that have been mitigated, unmitigated, and unavailable over time
+
+![Image of a threat analytics report](images/ta.png)
+
+## Organizational impact
+You can assess the organizational impact of a threat using the **Machines with alerts** and **Machines with alerts over time** tiles.
+
+A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine are resolved.
+
+
+The **Machine with alerts over time**, shows the number of distinct machines with **Active** and **Resolved alerts over time**. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days.
+## Organizational resilience
+The **Mitigation recommendations** section provides specific actionable recommendations to improve your visibility into this threat and increase your organizational resilience.
+
+The **Mitigation status** and **Mitigation status over time** shows the endpoint configuration status assessed based on the recommended mitigations.
+
+>[!IMPORTANT]
+>- The chart only reflects mitigations that are measurable and where an evaluation can be made on the machine state as being compliant or non-compliant.
There can be additional mitigations or compliance actions that currently cannot be computed or measured that are not reflected in the charts and are covered in the threat description under **Mitigation recommendations** section.
+>- Even if all mitigations were measurable, there is no absolute guarantee of complete resilience but reflects the best possible actions that need to be taken to improve resiliency.
+
+
+
+>[!NOTE]
+>The Unavailable category indicates that there is no data available from the specific machine yet.
+
+
+## Related topics
+- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index dc1b0cb21e..c189fa2336 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -10,17 +10,12 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 09/03/2018
 ---
 # Understand threat intelligence concepts
 **Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
new file mode 100644
index 0000000000..b491a5a109
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
@@ -0,0 +1,44 @@
+---
+title: Microsoft threat protection
+description:
+keywords:
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/12/2018
+---
+
+# Microsoft threat protection
+
+Microsoft's multiple layers of threat protection across data, applications, devices, and identities can help protect your organization from advanced cyber threats.
+
+Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between these layers results in better protected customers.
+
+## Conditional access
+Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources.
+
+## Office 365 Advanced Threat Protection (Office 365 ATP)
+The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
+
+## Azure Advanced Threat Protection (Azure ATP)
+ Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.
+
+## Skype for Business
+The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal.
+
+## Azure Security Center
+Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers.
+
+## Microsoft Cloud App Security
+Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
+
+## Related topic
+- [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
index e9cb11bc67..505296a18a 100644
--- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md
@@ -16,11 +16,6 @@ ms.date: 02/13/2018
 # Windows Defender Security Center time zone settings
 **Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index be766d8d46..d86deb3f28 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -17,10 +17,7 @@ ms.date: 06/25/2018
 **Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
+
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
index ef5f861a65..3310063e5a 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
@@ -1,76 +1,82 @@
----
-title: Troubleshoot onboarding issues and error messages
-description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection.
-keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: v-tanewt
-author: tbit0001
-ms.localizationpriority: medium
-ms.date: 11/28/2017
----
-
-# Troubleshoot subscription and portal access issues
-
-**Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
-
-
-This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service.
-
-If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
-
-## No subscriptions found
-
-If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
-
-Potential reasons:
-- The Windows E5 and Office E5 licenses are separate licenses.
-- The license was purchased but not provisioned to this AAD instance.
- - It could be a license provisioning issue.
- - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service.
-
-For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
-[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
-
-![Image of no subscriptions found](images\atp-no-subscriptions-found.png)
-
-## Your subscription has expired
-
-If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
-
-You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.
-
-> [!NOTE]
-> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
-
-![Image of subscription expired](images\atp-subscription-expired.png)
-
-## You are not authorized to access the portal
-
-If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
-For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
-
-![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png)
-
-## Data currently isn't available on some sections of the portal
-If the portal dashboard, and other sections show an error message such as "Data currently isn't available":
-
-![Image of data currently isn't available](images/atp-data-not-available.png)
-
-You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
-
-
-## Related topics
+---
+title: Troubleshoot onboarding issues and error messages
+description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection.
+keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: v-tanewt
+author: tbit0001
+ms.localizationpriority: medium
+ms.date: 08/01/2018
+---
+
+# Troubleshoot subscription and portal access issues
+
+**Applies to:**
+
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
+
+
+This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service.
+
+If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
+
+## No subscriptions found
+
+If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
+
+Potential reasons:
+- The Windows E5 and Office E5 licenses are separate licenses.
+- The license was purchased but not provisioned to this AAD instance.
+ - It could be a license provisioning issue.
+ - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service.
+
+For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
+[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
+
+![Image of no subscriptions found](images\atp-no-subscriptions-found.png)
+
+## Your subscription has expired
+
+If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
+
+You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.
+
+> [!NOTE]
+> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
+
+![Image of subscription expired](images\atp-subscription-expired.png)
+
+## You are not authorized to access the portal
+
+If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
+For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
+
+![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png)
+
+## Data currently isn't available on some sections of the portal
+If the portal dashboard, and other sections show an error message such as "Data currently isn't available":
+
+![Image of data currently isn't available](images/atp-data-not-available.png)
+
+You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
+
+
+## Portal communication issues
+If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation.
+
+- `*.blob.core.windows.net
+crl.microsoft.com`
+- `https://*.microsoftonline-p.com`
 - `https://*.securitycenter.windows.com`
 - `https://automatediracs-eus-prd.securitycenter.windows.com`
 - `https://login.microsoftonline.com`
 - `https://login.windows.net`
 - `https://onboardingpackagescusprd.blob.core.windows.net`
+- `https://secure.aadcdn.microsoftonline-p.com`
+- `https://securitycenter.windows.com`
 - `https://static2.sharepointonline.com`
+
+## Related topics
 - [Validate licensing provisioning and complete setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index f9e7872493..87d878f234 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -10,17 +10,12 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 09/07/2018
 ---
 # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
 **Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 - Windows Server 2012 R2
 - Windows Server 2016
@@ -80,7 +75,7 @@ Event ID | Error Type | Resolution steps
 ## Troubleshoot onboarding issues using Microsoft Intune
 You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
-If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
+If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
 Use the following tables to understand the possible causes of issues while onboarding:
@@ -258,7 +253,7 @@ If the verification fails and your environment is using a proxy to connect to th
 For example, in Group Policy there should be no entries such as the following values:
 - ``````
- - ``````
+ - ``````
 - After clearing the policy, run the onboarding steps again.
 - You can also check the following registry key values to verify that the policy is disabled:
@@ -308,5 +303,6 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
 ## Related topics
 - [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
-- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
 - [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
index 9a63f9dc8b..cd9048386c 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -16,11 +16,6 @@ ms.date: 02/13/2018
 # Troubleshoot SIEM tool integration issues
 **Applies to:**
-
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -40,7 +35,9 @@ If your client secret expires or if you've misplaced the copy provided when you 3. Select your tenant. -4. Click **App registrations** > **All apps**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`. +4. Click **App registrations**. Then in the applications list, select the application: + - For SIEM: `https://WindowsDefenderATPSiemConnector` + - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` 5. Select **Keys** section, then provide a key description and specify the key validity duration. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md new file mode 100644 index 0000000000..12f36df3a9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md 
@@ -0,0 +1,27 @@
+---
+title: Troubleshoot Windows Defender Advanced Threat Protection capabilities
+description: Find solutions to issues on sensor state, service issues, or other Windows Defender ATP capabilities
+keywords: troubleshoot, sensor, state, service, issues, attack surface reduction, next generation protection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Troubleshoot Windows Defender Advanced Threat Protection
+
+Troubleshoot issues that might arise as you use Windows Defender ATP capabilities.
+
+## In this section
+Topic | Description
+:---|:---
+Troubleshoot sensor state | Find solutions for issues related to the Windows Defender ATP sensor
+Troubleshoot service issues | Fix issues related to the Windows Defender Advanced Threat service
+Troubleshoot attack surface reduction | Fix issues related to network protection and attack surface reduction rules
+Troubleshoot next generation protection | If you encounter a problem with antivirus, you can search the tables in this topic to find a matching issue and potential solution
+
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
index 37aca9ce88..fc9f502186 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@ --- -title: Troubleshoot Windows Defender Advanced Threat Protection service issues +title: Troubleshoot Windows Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh @@ -10,23 +10,18 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/12/2017 +ms.date: 07/30/2018 --- # Troubleshoot service issues -**Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. -### Server error - Access is denied due to invalid credentials +## Server error - Access is denied due to invalid credentials If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings. Configure your browser to allow cookies. -### Elements or data missing on the portal +## Elements or data missing on the portal If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it. Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. 
@@ -35,17 +30,17 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. > [!NOTE] > You must use the HTTPS protocol when adding the following endpoints. -### Windows Defender ATP service shows event or error logs in the Event Viewer +## Windows Defender ATP service shows event or error logs in the Event Viewer See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors. -### Windows Defender ATP service fails to start after a reboot and shows error 577 +## Windows Defender ATP service fails to start after a reboot and shows error 577 If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). -#### Known issues with regional formats +## Known issues with regional formats **Date and time formats**
                    There are some known issues with the time and date formats. @@ -65,6 +60,12 @@ Support of use of comma as a separator in numbers are not supported. Regions whe >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) +## Windows Defender ATP tenant was automatically created in Europe +When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. + + + + ## Related topics - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index b8fed131a5..c45ead9ecd 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -16,11 +16,6 @@ ms.date: 04/24/2018 # Use the threat intelligence API to create custom alerts **Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 07cec03da7..42e5a71b83 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Use the Windows Defender Advanced Threat Protection portal +title: Overview of Windows Defender Security Center description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh @@ -13,21 +13,11 @@ ms.localizationpriority: medium ms.date: 03/12/2018 --- -# Use the Windows Defender Advanced Threat Protection portal - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - +# Overview of Windows Defender Security Center >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) -You can use Windows Defender Security Center to carry out an end-to-end security breach investigation through the dashboards. +Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..122fd23da5 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,75 @@ +--- +title: Create and manage roles for role-based access control +description: Create roles and define the permissions assigned to the role as part of the role-based access control implimentation +keywords: user roles, roles, access rbac +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Create and manage roles for role-based access control +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) + +## Create roles and assign the role to an Azure Active Directory group +The following steps guide you on how to create roles in Windows Defender Security Center. It assumes that you have already created Azure Active Directory user groups. + +1. In the navigation pane, select **Settings > Role based access control > Roles**. + +2. Click **Add role**. + +3. Enter the role name, description, and permissions you'd like to assign to the role. + + - **Role name** + + - **Description** + + - **Permissions** + - **View data** - Users can view information in the portal. + - **Investigate alerts** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Approve or take action** - Users can take response actions and approve or dismiss pending remediation actions. + - **Manage system settings** - Users can configure settings, SIEM and threat intel API settings, advanced settings, preview features, and automated file uploads. 
+ - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + +4. Click **Next** to assign the role to an Azure AD group. + +5. Use the filter to select the Azure AD group that you'd like to add to this role. + +6. Click **Save and close**. + +7. Apply the configuration settings. + + +After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created. + + +## Edit roles + +1. Select the role you'd like to edit. + +2. Click **Edit**. + +3. Modify the details or the groups that are assigned to the role. + +4. Click **Save and close**. + +## Delete roles + +1. Select the role you'd like to delete. + +2. Click the drop-down button and select **Delete role**. + + +##Related topic +- [User basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md) +- [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index 07eee21200..a67e865ccb 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md 
@@ -9,17 +9,12 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 07/12/2018 +ms.localizationpriority: medium +ms.date: 09/03/2018 --- # Windows Defender Advanced Threat Protection -**Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink) > >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). 
@@ -34,13 +29,10 @@ The Windows Defender ATP platform is where all the capabilities that are availab Topic | Description :---|:--- -[Windows Defender Security Center](windows-defender-security-center-atp.md) | Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers. -[Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) | Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. -[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Windows Defender Application Control (WDAC) can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). -[Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Windows Defender Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. - - +[Overview](overview.md) | Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. 
+[Get started](get-started.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Windows Defender ATP. +[Cconfigure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Windows Defender ATP. +[Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) | Learn how to address issues that you might encounter while using the platform. ## Related topic [Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md index 244a14ea0d..ea7e9fd67b 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md @@ -9,16 +9,12 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/01/2018 --- # Windows Defender Security Center -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks. ## In this section diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 8cecfe7be5..18134f19d0 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -1,5 +1,5 @@
 ---
-title: Use Attack surface reduction rules to prevent malware infection
+title: Use attack surface reduction rules to prevent malware infection
 description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
 search.product: eADQiWindows 10XVcnh
@@ -11,87 +11,41 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/29/2018 +ms.date: 10/02/2018 --- - - -# Reduce attack surfaces with Windows Defender Exploit Guard - +# Reduce attack surfaces with attack surface reduction rules **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 -- Microsoft Office 365 -- Microsoft Office 2016 -- Microsoft Office 2013 -- Microsoft Office 2010 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. 
- -Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - -The feature is comprised of a number of rules, each of which target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: +Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: - Executable files and scripts used in Office apps or web mail that attempt to download or run files - Scripts that are obfuscated or otherwise suspicious - Behaviors that apps undertake that are not usually initiated during normal day-to-day work -See the [Attack surface reduction rules](#attack-surface-reduction-rules) section in this topic for more information on each rule. - When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled. +You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. ## Requirements -Attack surface reduction requires Windows 10 Enterprise E5 and Windows Defender AV real-time protection. 
- -Windows 10 version | Windows Defender Antivirus -- | - -Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). ## Attack surface reduction rules -Windows 10, version 1803 has five new Attack surface reduction rules: - -- Block executable files from running unless they meet a prevalence, age, or trusted list criteria -- Use advanced protection against ransomware -- Block credential stealing from the Windows local security authority subsystem (lsass.exe) -- Block process creations originating from PSExec and WMI commands -- Block untrusted and unsigned processes that run from USB - -In addition, the following rule is available for beta testing: - -- Block Office communication applications from creating child processes - The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: Rule name | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D 
@@ -102,11 +56,11 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. +The rules apply to the following Office apps: -Supported Office apps: - Microsoft Word - Microsoft Excel - Microsoft PowerPoint @@ -126,7 +80,7 @@ This rule blocks the following file types from being run or launched from an ema >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). -### Rule: Block Office applications from creating child processes +### Rule: Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. 
@@ -214,15 +168,19 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block Office communication applications from creating child processes +### Rule: Block only Office communication applications from creating child processes Office communication apps will not be allowed to create child processes. This includes Outlook. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. -## Review Attack surface reduction events in Windows Event Viewer +### Rule: Block Adobe Reader from creating child processes -You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): +This rule blocks Adobe Reader from creating child processes. + +## Review attack surface reduction rule events in Windows Event Viewer + +You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. @@ -236,7 +194,7 @@ You can review the Windows event log to see events that are created when an Atta 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Attack surface reduction: +5. This will create a custom view that filters to only show the following events related to attack surface reduction rules: Event ID | Description -|- 
@@ -258,7 +216,7 @@ You can review the Windows event log to see events that are created when an Atta Topic | Description ---|--- -[Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created. -[Enable Attack surface reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack surface reduction in your network. -[Customize Attack surface reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack surface reduction and customize the notification that appears on a user's machine when a rule blocks an app or file. +[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. +[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. +[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 989c432d1b..57927f648c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -1,6 +1,6 @@
 ---
-title: Test how Windows Defender EG features work
-description: Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled
+title: Test how Windows Defender ATP features work
+description: Audit mode lets you use the event log to see how Windows Defender ATP would protect your devices if it were enabled
 keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,35 +11,27 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 09/18/2018 --- -# Use audit mode to evaluate Windows Defender Exploit Guard features +# Use audit mode **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +You can enable attack surface reduction rules, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. - -**Audience** - -- Enterprise security administrators - - -You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. - -You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. +You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. 
Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. -You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode. +You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. 
@@ -48,10 +40,10 @@ You can use Group Policy, PowerShell, and configuration servicer providers (CSPs Audit options | How to enable audit mode | How to view events - | - | - -Audit applies to all events | [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable Attack surface reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack surface reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) -Audit applies to all events | [Enable Network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) -Audit applies to individual mitigations | [Enable Exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) +Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md) +Audit applies to all events | [Enable network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection 
events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) +Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) You can also use the a custom PowerShell script that enables the features in audit mode automatically: @@ -72,14 +64,9 @@ You can also use the a custom PowerShell script that enables the features in aud A message should appear to indicate that audit mode was enabled. - ## Related topics - -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) - - - +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) +- [Protect important folders](controlled-folders-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 21cec1e41c..83348307d8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md 
@@ -1,5 +1,5 @@ --- -title: Submit cab files related to Windows Defender EG problems +title: Submit cab files related to problems description: Use the command-line tool to obtain .cab file that can be used to investigate ASR rule issues. keywords: troubleshoot, error, fix, asr, windows defender eg, exploit guard, attack surface reduction search.product: eADQiWindows 10XVcnh 
@@ -11,27 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- -# Collect diagnostic data for Windows Defender Exploit Guard file submissions +# Collect diagnostic data for file submissions **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** +This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using attack surface reduction rules, network protection, exploit protection, and controlled folder access. -- IT administrators - -This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard. - -In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md). +In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [network protection](network-protection-exploit-guard.md). 
Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics: -- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) -- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) +- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) +- [Troubleshoot network protection](troubleshoot-np.md) @@ -64,7 +59,7 @@ Before attempting this process, ensure you have met all required pre-requisites ## Related topics -- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) -- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) +- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) +- [Troubleshoot network protection](troubleshoot-np.md) + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 852398e010..fb5b4091c5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -1,6 +1,6 @@ --- title: Help prevent ransomware and threats from encrypting and changing files -description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware encrypting your files. +description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -11,90 +11,62 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 10/02/2018 --- - - -# Protect important folders with Controlled folder access - +# Protect important folders with controlled folder access **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. - -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - -Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. 
+Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. -This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. +This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. 
-As with other features of Windows Defender Exploit Guard, you can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled. - +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Requirements -Windows 10 version | Windows Defender Antivirus --|- -Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled +Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +## Review controlled folder access events in Windows Event Viewer -## Review Controlled folder access events in Windows Event Viewer - -You can review the Windows event log to see events that are created when Controlled folder access blocks (or audits) an app: +You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -3. On the left panel, under **Actions**, click **Import custom view...** +3. On the left panel, under **Actions**, click **Import custom view...**. - ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) + ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) 4. 
Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Controlled folder access: +5. This will create a custom view that filters to only show the following events related to controlled folder access: Event ID | Description -|- 5007 | Event when settings are changed -1124 | Audited Controlled folder access event -1123 | Blocked Controlled folder access event +1124 | Audited controlled folder access event +1123 | Blocked controlled folder access event ## In this section Topic | Description ---|--- -[Evaluate Controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled folder access works, and what events would typically be created. -[Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled folder access in your network -[Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. +[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. +[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network +[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 0732ac1826..2ed1ca2fa0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -1,5 +1,5 @@ --- -title: Configure how ASR works to finetune protection in your network +title: Configure how attack surface reduction rules work to finetune protection in your network description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh 
@@ -11,50 +11,35 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/29/2018 +ms.date: 10/02/2018 --- -# Customize Attack surface reduction +# Customize attack surface reduction rules **Applies to:** -- Windows 10 Enterprise edition, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. +This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running. 
+You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. This could potentially allow unsafe files to run and infect your devices. >[!WARNING] ->Excluding files or folders can severely reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +>Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. > >If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. -Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +Attack surface reduction supports environment variables and wildcards. 
For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. @@ -64,7 +49,7 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID -|:-:|- -Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 
@@ -76,21 +61,20 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 - - -See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +Block only Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. ### Use Group Policy to exclude files and folders -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -6. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Use PowerShell to exclude files and folderss 
@@ -103,25 +87,20 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. - >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to exclude files and folders -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. - - +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. ## Customize the notification -See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. - - +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Enable Attack surface reduction](enable-attack-surface-reduction.md) -- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 1c626d7c8f..8c879a5721 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Add additional folders and apps to be protected by Windows 10 +title: Add additional folders and apps to be protected description: Add additional folders that should be protected by Controlled folder access, or whitelist apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, whitelist, add executable search.product: eADQiWindows 10XVcnh 
@@ -11,36 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 10/02/2018 --- - - -# Customize Controlled folder access - +# Customize controlled folder access **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): +This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): - [Add additional folders to be protected](#protect-additional-folders) - [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders) 
@@ -50,46 +32,38 @@ This topic describes how to customize the following settings of the Controlled f > >This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. - ## Protect additional folders Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you cannot remove the default folders in the default list. -Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). -You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. 
+You can use the Windows Security app or Group Policy to add and remove additional protected folders. -### Use the Windows Defender Security Center app to protect additional folders +### Use the Windows Security app to protect additional folders -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: -3. Under the **Controlled folder access** section, click **Protected folders** +3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. - - ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) - ### Use Group Policy to protect additional folders -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. - -6. Double-click the **Configured protected folders** setting and set the option to **Enabled**. Click **Show** and enter each folder. 
- -> [!NOTE] -> Windows 10, version 1803 supports environment variables and wildcards. For information about using wildcards in Windows Defender Exploit Guard, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. ### Use PowerShell to protect additional folders 
@@ -100,38 +74,32 @@ You can use the Windows Defender Security Center app or Group Policy to add and
 Add-MpPreference -ControlledFolderAccessProtectedFolders ""
 ```
-
-Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
-
+Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app.
 ![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
-
 >[!IMPORTANT]
 >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
 ### Use MDM CSPs to protect additional folders
-Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
+## Allow specific apps to make changes to controlled folders
-
- ## Allow specific apps to make changes to controlled folders
-
-You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the Controlled folder access feature.
+You can specify if certain apps should always be considered safe and given write access to files in protected folders.
Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature.
 >[!IMPORTANT]
->By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets.
+>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
 >You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
+You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders.
-You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
-
-When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by Controlled folder access.
+When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
 ### Use the Windows Defender Security app to allow specific apps
-1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. 
Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**.
@@ -145,13 +113,11 @@ When you add an app, you have to specify the app's location. Only the app in tha
 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
-
-6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
 ### Use PowerShell to allow specific apps
@@ -162,32 +128,27 @@ When you add an app, you have to specify the app's location. Only the app in tha
 Add-MpPreference -ControlledFolderAccessAllowedApplications ""
 ```
- For example, to add the executable *test.exe*, located in the folder *C:\apps*, the cmdlet would be as follows:
+ For example, to add the executable *test.exe* located in the folder *C:\apps*, the cmdlet would be as follows:
 ```PowerShell
 Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
 ```
-
-Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
-
+Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app.
 ![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
-
 >[!IMPORTANT]
 >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
-
-
 ### Use MDM CSPs to allow specific apps
-Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
+Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Customize the notification
-See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 ## Related topics
-- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
-- [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
\ No newline at end of file
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
+- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md)
+- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index d26e9872e6..54719a5b2f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Enable or disable specific mitigations used by Exploit protection
 keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr
-description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations.
+description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -11,55 +11,34 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/30/2018
+ms.date: 10/02/2018
 ---
-# Customize Exploit protection
+# Customize exploit protection
 **Applies to:**
-- Windows 10, version 1709 and later
-- Windows Server 2016
-
-
-**Audience**
-
-- Enterprise security administrators
-
-
-**Manageability available with**
-
-- Windows Defender Security Center app
-- Group Policy
-- PowerShell
-
-
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
-
-
 It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
-You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
+You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
- This topic lists each of the mitigations available in Exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
+ This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
-It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. 
This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
+It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
 >[!WARNING]
->Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
+>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network.
 ## Exploit protection mitigations
 All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
-
 You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
-
 Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
-![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png)
-
 The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
@@ -76,7 +55,7 @@ Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed execu
 Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
 Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
 Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
 Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
 Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
 Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
@@ -121,11 +100,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 >The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
 >CFG will be enabled for *miles.exe*.
+### Configure system-level mitigations with the Windows Security app
-
-### Configure system-level mitigations with the Windows Defender Security Center app
-
-1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
@@ -137,9 +114,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 >[!NOTE]
 >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
- Changing some settings may required a restart, which will be indicated in red text underneath the setting.
-
- ![Screenshot showing the DEP drop down menu where you can select On, Off, or Default](images/wdsc-exp-prot-sys-settings.png)
+ Changing some settings may required a restart, which will be indicated in red text underneath the setting.
 4. Repeat this for all the system-level mitigations you want to configure.
@@ -147,10 +122,9 @@ You can now [export these settings as an XML file](import-export-exploit-protect
 Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
+### Configure app-specific mitigations with the Windows Security app
-### Configure app-specific mitigations with the Windows Defender Security Center app
-
-1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings** at the bottom of the screen.
@@ -160,31 +134,24 @@ Exporting the configuration as an XML file allows you to copy the configuration
 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
 - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
 - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
- ![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png)
-
-
+ 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
-
- ![Screenshot showing some of the options available for an added program](images/wdsc-exp-prot-app-settings-options.png)
-
+ You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
+## PowerShell reference
- ## PowerShell reference
+ You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets.
- You can use the Windows Defender Security Center app to configure Exploit protection, or you can use PowerShell cmdlets.
-
- The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
+ The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
 >[!IMPORTANT]
 >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
-
 You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
 ```PowerShell
@@ -198,15 +165,13 @@ Get-ProcessMitigation -Name processName.exe
 >
 >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
 >
->The default setting for each system-level mitigation can be seen in the Windows Defender Security Center, as described in the [Configure system-level mitigations with the Windows Defender Security Center app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
+>The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
 Use `Set` to configure each mitigation in the following format:
 ```PowerShell
 Set-ProcessMitigation - - ,,
 ```
-
-
 Where:
 - \:
@@ -218,7 +183,6 @@ Where:
 - \:
 - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma.
-
 For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
 ```PowerShell
@@ -295,12 +259,12 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
 ## Customize the notification
-See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 ## Related topics
-- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Protect devices from exploits](exploit-protection-exploit-guard.md)
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate Exploit protection](evaluate-exploit-protection.md)
-- [Enable Exploit protection](enable-exploit-protection.md)
-- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
index bb57a23872..0ff71be595 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
@@ -11,48 +11,32 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 08/08/2018
 ---
-
-
 # Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
-
 **Applies to:**
-- Windows 10, version 1709 and later
-- Enhanced Mitigation Experience Toolkit version 5.5 (latest version)
-
-
-
-**Audience**
-
-- Enterprise security administrators
-
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
 >[!IMPORTANT]
->If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10.
+>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP.
 >
 >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
-This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and its replacement in Windows 10: Windows Defender Exploit Guard.
-
-
- In Windows 10, version 1709 (also known as the Fall Creators Update) we released [Windows Defender Exploit Guard](windows-defender-exploit-guard.md), which provides unparalleled mitigation of known and unknown threat attack vectors, including exploits.
+This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP.
- Windows Defender Exploit Guard is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
+Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
- EMET is a stand-alone product that is available on earlier versions of Windows and provides some mitigation against older, known exploit techniques.
+EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
- After July 31, 2018, it will reach its end of life, which means it will not be supported and no additional development will be made on it.
-
- For more information about the individual features and mitigations available in Windows Defender Exploit Guard, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
-
-- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
-- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+After July 31, 2018, it will not be supported.
+For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
+- [Protect devices from exploits](exploit-protection-exploit-guard.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
 ## Feature comparison
@@ -62,15 +46,15 @@ This topic describes the differences between the Enhance Mitigation Experience T
   | Windows Defender Exploit Guard | EMET
 -|:-:|:-:
 Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
                    All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Windows 8.1; Windows 8; Windows 7
                    Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
                    (no additional installation required)
                    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
                    (no additional installation required)
                    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
                    [Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
                    Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
                    No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
                    All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
                    [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Limited set of mitigations Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
                    [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Limited ruleset configuration only for modules (no processes) Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                    Not available Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Helps protect important folders](controlled-folders-exploit-guard.md)
                    [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                    Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Requires installation and use of EMET tool +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Requires installation and use of EMET tool Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Available Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
                    Not available @@ -78,17 +62,13 @@ Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [U Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
                    With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
                    [Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                    Limited to EAF, EAF+, and anti-ROP mitigations - - ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). ([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - - ## Mitigation comparison -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. @@ -119,10 +99,6 @@ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - - - - >[!NOTE] >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. 
> @@ -132,9 +108,9 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check ## Related topics - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index de3f852b51..dd2ed4fda3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -11,36 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/29/2018 +ms.date: 10/02/2018 --- - -# Enable Attack surface reduction - +# Enable attack surface reduction rules **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - - - -## Enable and audit Attack surface reduction rules +## Enable and audit attack surface reduction rules You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. 
@@ -53,7 +35,7 @@ You can manually add the rules by using the GUIDs in the following table: Rule description | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D 
@@ -64,31 +46,28 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -### Use Group Policy to enable or audit Attack surface reduction rules +### Use Group Policy to enable or audit attack surface reduction rules +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. - -6. 
Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: +4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - Block mode = 1 - Disabled = 0 - Audit mode = 2 -![Group policy setting showing a blank ASR rule ID and value of 1](images/asr-rules-gp.png) - - - - - ### Use PowerShell to enable or audit Attack surface reduction rules +![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + +### Use PowerShell to enable or audit attack surface reduction rules 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -97,14 +76,11 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` - - You can enable the feature in audit mode using the following cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` - Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. >[!IMPORTANT> 
@@ -124,15 +100,12 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis >You can obtain a list of rules and their current state by using `Get-MpPreference` -### Use MDM CSPs to enable Attack surface reduction rules +### Use MDM CSPs to enable attack surface reduction rules Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. - - - ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Customize Attack surface reduction](customize-attack-surface-reduction.md) -- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Customize attack surface reduction](customize-attack-surface-reduction.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 67697f589e..1d831ea2a9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md 
@@ -11,58 +11,37 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 10/02/2018 --- - - -# Enable Controlled folder access - +# Enable controlled folder access **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -**Audience** +This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). -- Enterprise security administrators +## Enable and audit controlled folder access - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). - - -## Enable and audit Controlled folder access - -You can enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. 
- -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +You can enable controlled folder access with the Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. >[!NOTE] ->The Controlled folder access feature will display the state in the Windows Defender Security Center app under **Virus & threat protection settings**. ->If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device. ->If the feature is set to **Audit mode** with any of those tools, the Windows Defender Security Center app will show the state as **Off**. +>The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**. +>If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. +>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. >See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works. >

                    ->Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include: +>Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: >- Windows Defender Antivirus **Configure local administrator merge behavior for lists** >- System Center Endpoint Protection **Allow users to add exclusions and overrides** ->For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). +>For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). -### Use the Windows Defender Security app to enable Controlled folder access +### Use the Windows Defender Security app to enable controlled folder access -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. 
Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. 
@@ -85,28 +64,29 @@ For further details on how audit mode works, and when you might want to use it, ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) >[!IMPORTANT] ->To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +>To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. -### Use PowerShell to enable Controlled folder access +### Use PowerShell to enable controlled folder access + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell Set-MpPreference -EnableControlledFolderAccess Enabled ``` -You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`. +You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`. Use `Disabled` to turn the feature off. -### Use MDM CSPs to enable Controlled folder access +### Use MDM CSPs to enable controlled folder access -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. 
 ## Related topics
-- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
-- [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
+- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md)
+- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
index 584b3b2e8a..91f8b6b1bb 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Turn on Exploit protection to help mitigate against attacks
+title: Turn on exploit protection to help mitigate against attacks
 keywords: exploit, mitigation, attacks, vulnerability
 description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
 search.product: eADQiWindows 10XVcnh
@@ -11,69 +11,43 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- - - -# Enable Exploit protection - +# Enable exploit protection **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell - - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection. +Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +## Enable and audit exploit protection +You enable and configure each exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. +The mitigations available in exploit protection are enabled or configured to their default values automatically in Windows 10. However, you can customize the configuration to suit your organization and then deploy that configuration across your network. -## Enable and audit Exploit protection - -You enable and configure each Exploit protection mitigation separately. Some mitigations apply to the entire operating system, while others can be targeted towards specific apps. - -The mitigations available in Exploit protection are enabled or configured to their default values automatically in Windows 10. 
However, you can customize the configuration to suit your organization and then deploy that configuration across your network. - -You can also set mitigations to audit mode. Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. - -For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +You can also set mitigations to [audit mode](audit-windows-defender-exploit-guard.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. >[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using audit mode before deploying in production. -You can also convert an existing EMET configuration file (in XML format) and import it into Exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. +You can also convert an existing EMET configuration file (in XML format) and import it into exploit protection. This is useful if you have been using EMET and have a customized series of policies and mitigations that you want to keep using. 
-See the following topics for instructions on configuring Exploit protection mitigations and importing, exporting, and converting configurations: +See the following topics for instructions on configuring exploit protection mitigations and importing, exporting, and converting configurations: 1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md) 2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md). - ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 2d33ef5980..af47213614 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md 
@@ -1,5 +1,5 @@
 ---
-title: Turn Network protection on
+title: Turn network protection on
 description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs
 keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
 search.product: eADQiWindows 10XVcnh
@@ -14,60 +14,40 @@ ms.author: v-anbic ms.date: 05/30/2018 --- - -# Enable Network protection - +# Enable network protection **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -**Audience** +This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). -- Enterprise security administrators +## Enable and audit network protection - -**Manageability available with** - -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. - -This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). - - -## Enable and audit Network protection - -You can enable Network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. +You can enable network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +### Use Group Policy to enable or audit network protection -### Use Group Policy to enable or audit Network protection +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection**. - -6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section you must specify one of the following: +4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - **Block** - Users will not be able to access malicious IP addresses and domains - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. >[!IMPORTANT] ->To fully enable the Network protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. 
+>To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. - - ### Use PowerShell to enable or audit Network protection + ### Use PowerShell to enable or audit network protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -76,7 +56,7 @@ For background information on how audit mode works, and when you might want to u Set-MpPreference -EnableNetworkProtection Enabled ``` -You can enable the feauting in audit mode using the following cmdlet: +You can enable the feature in audit mode using the following cmdlet: ``` Set-MpPreference -EnableNetworkProtection AuditMode @@ -85,14 +65,12 @@ Set-MpPreference -EnableNetworkProtection AuditMode Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. +### Use MDM CSPs to enable or audit network protection -### Use MDM CSPs to enable or audit Network protection - - -Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection. +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure network protection. ## Related topics -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Evaluate Network protection](evaluate-network-protection.md) +- [Protect your network](network-protection-exploit-guard.md) +- [Evaluate network protection](evaluate-network-protection.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 8f8c0175e4..2c5e663e91 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -6,29 +6,33 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: justinha author: brianlic-msft -ms.date: 04/19/2018 +ms.date: 08/08/2018 --- # Enable virtualization-based protection of code integrity **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. ## How to turn on HVCI in Windows 10 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options: +- [Windows Security app](#windows-security-app) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Group Policy](#enable-hvci-using-group-policy) - [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) +### Windows Security app + +HVCI is labeled **Memory integrity** in the Windows Security app and it can be accessed via **Settings** > **Update & Security** > **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [KB4096339](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center). 
+ ### Enable HVCI using Intune Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
@@ -56,7 +60,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s > - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
                    In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
                    > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. -#### For Windows 1607 and above +#### For Windows 10 version 1607 and later Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
@@ -110,7 +114,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE > To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. -#### For Windows 1511 and below +#### For Windows 10 version 1511 and earlier Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
@@ -176,9 +180,8 @@ This field helps to enumerate and report state on the relevant security properti | **4.** | If present, Secure Memory Overwrite is available. | | **5.** | If present, NX protections are available. | | **6.** | If present, SMM mitigations are available. | +| **7.** | If present, Mode Based Execution Control is available. | -> [!NOTE] -> 4, 5, and 6 were added as of Windows 10, version 1607. #### InstanceIdentifier
@@ -197,9 +200,7 @@ This field describes the required security properties to enable virtualization-b | **4.** | If present, Secure Memory Overwrite is needed. | | **5.** | If present, NX protections are needed. | | **6.** | If present, SMM mitigations are needed. | - -> [!NOTE] -> 4, 5, and 6 were added as of Windows 10, version 1607. +| **7.** | If present, Mode Based Execution Control is needed. | #### SecurityServicesConfigured
@@ -275,4 +276,4 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
\ No newline at end of file
+ - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index 3785af890d..b0eb1162cb 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -1,5 +1,5 @@ --- -title: Use a demo to see how ASR can help protect your devices +title: Use a demo to see how ASR rules can help protect your devices description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo search.product: eADQiWindows 10XVcnh 
@@ -11,35 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 10/02/2018 --- - -# Evaluate Attack surface reduction rules +# Evaluate attack surface reduction rules **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell - - - - -Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). - -This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. +This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. >[!NOTE] >This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. 
@@ -48,10 +31,9 @@ This topic helps you evaluate Attack surface reduction. It explains how to demo >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +## Use the demo tool to see how attack surface reduction rules work -## Use the demo tool to see how Attack surface reduction works - -Use the **ExploitGuard ASR test tool** app to see how Attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. +Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) 
@@ -96,9 +78,9 @@ Choosing the **Mode** will change how the rule functions: Mode option | Description -|- -Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack surface reduction at all. -Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack surface reduction. -Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack surface reduction will work but without impacting how you use the machine. +Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all. +Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules. +Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer. Block mode will cause a notification to appear on the user's desktop: @@ -112,7 +94,6 @@ The following sections describe what each rule does and what the scenarios entai ### Rule: Block executable content from email client and webmail - This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail. The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule: 
@@ -146,18 +127,13 @@ The following scenarios can be individually chosen: - Extension Block - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - ### Rule: Block Office applications from injecting into other processes - >[!NOTE] >There is only one scenario to test for this rule. - Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - - ### Rule: Impede JavaScript and VBScript to launch executables JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. 
@@ -169,24 +145,21 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious - VBScript - VBScript will not be allowed to launch executable files - - ### Rule: Block execution of potentially obfuscated scripts Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. - - Random - A scenario will be randomly chosen from this list - AntiMalwareScanInterface - - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script + - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script - OnAccess - Potentially obfuscated scripts will be blocked when an attempt is made to access them ## Review Attack surface reduction events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. @@ -204,7 +177,6 @@ Event ID | Description 1122 | Event when rule fires in Audit-mode 1121 | Event when rule fires in Block-mode - ## Use audit mode to measure impact You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. 
@@ -223,17 +195,14 @@ This enables all Attack surface reduction rules in audit mode. >If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). - - -## Customize Attack surface reduction +## Customize attack surface reduction rules During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. - ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index 56695c3814..9fa8ab6d2b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -1,5 +1,5 @@ --- -title: See how CFA can help protect files from being changed by malicious apps +title: See how controlled folder access can help protect files from being changed by malicious apps description: Use a custom tool to see how Controlled folder access works in Windows 10. keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try search.product: eADQiWindows 10XVcnh 
@@ -11,34 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 10/02/2018 --- - -# Evaluate Controlled folder access +# Evaluate controlled folder access **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -**Audience** +It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell - -Controlled folder access is a feature that is part of Windows Defender Exploit Guard [that helps protect your documents and files from modification by suspicious or malicious apps](controlled-folders-exploit-guard.md). - -It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. - -This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. +This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. >[!NOTE] >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. 
@@ -47,18 +33,16 @@ This topic helps you evaluate Controlled folder access. It explains how to demo >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Use the demo tool to see how Controlled folder access works +## Use the demo tool to see how controlled folder access works -Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder access can prevent a suspicious app from creating files in protected folders. +Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders. The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) -This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender Exploit Guard to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. - -You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. - +This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. +You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. 1. Type **powershell** in the Start menu. 
@@ -81,9 +65,9 @@ You can enable Controlled folder access, run the tool, and see what the experien ![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png) -## Review Controlled folder access events in Windows Event Viewer +## Review controlled folder access events in Windows Event Viewer -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 
@@ -98,15 +82,15 @@ You can also review the Windows event log to see the events there were created w Event ID | Description -|- 5007 | Event when settings are changed -1124 | Audited Controlled folder access event -1123 | Blocked Controlled folder access event -1127 | Blocked Controlled folder access sector write block event -1128 | Audited Controlled folder access sector write block event +1124 | Audited controlled folder access event +1123 | Blocked controlled folder access event +1127 | Blocked controlled folder access sector write block event +1128 | Audited controlled folder access sector write block event ## Use audit mode to measure impact -As with other Windows Defender EG features, you can enable the Controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. +You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. 
@@ -117,21 +101,18 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode ``` >[!TIP] ->If you want to fully audit how Controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled folder access topic](controlled-folders-exploit-guard.md). - +>If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md). For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). - - ## Customize protected folders and apps During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See the main [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. +See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. 
## Related topics -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
\ No newline at end of file
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) +- [Use audit mode](audit-windows-defender-exploit-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index 499c186d35..c84eaa37c2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -1,6 +1,6 @@ --- -title: See how Exploit protection works in a demo -description: See how Exploit protection can prevent suspicious behaviors from occurring on specific apps. +title: See how exploit protection works in a demo +description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps. keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigiation search.product: eADQiWindows 10XVcnh ms.pagetype: security
@@ -14,46 +14,30 @@ ms.author: v-anbic ms.date: 05/30/2018 --- - - -# Evaluate Exploit protection +# Evaluate exploit protection **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in Exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in exploit protection. -This topcs helps you evaluate Exploit protection. See the [Exploit protection topic](exploit-protection-exploit-guard.md) for more information on what Exploit protection does and how to configure it for real-world deployment. +This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md). >[!NOTE] >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see the main [Exploit protection topic](exploit-protection-exploit-guard.md) . +>For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md). 
>[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Enable and validate an Exploit protection mitigation +## Enable and validate an exploit protection mitigation For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. -First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app: +First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app: 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 
@@ -63,13 +47,13 @@ First, enable the mitigation using PowerShell, and then confirm that it has been Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation ``` -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. +4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. +5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. -4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. +6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user: 
@@ -81,20 +65,19 @@ Now that you know the mitigation has been enabled, you can test to see if it wor Lastly, we can disable the mitigation so that Internet Explorer works properly again: -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. +3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. 4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply** 5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. +## Review exploit protection events in Windows Event Viewer -## Review Exploit protection events in Windows Event Viewer - -You can now review the events that Exploit protection sent to the Windows Event log to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. 
@@ -106,30 +89,30 @@ You can now review the events that Exploit protection sent to the Windows Event 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Exploit protection, which are all listed in the [Exploit protection](exploit-protection-exploit-guard.md) topic. +5. This will create a custom view that filters to only show the events related to exploit protection. 6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. - ## Use audit mode to measure impact -As with other Windows Defender EG features, you can enable Exploit protection in audit mode. You can enable audit mode for individual mitigations. +You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations. This lets you see a record of what *would* have happened if you had enabled the mitigation. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious or malicious events generally occur over a certain period. -See the [**PowerShell reference** section in the Customize Exploit protection topic](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. - -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). 
- +See the [**PowerShell reference** section in customize exploit protection](customize-exploit-protection.md#powershell-reference) for a list of which mitigations can be audited and instructions on enabling the mode. +For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Enable network protection](enable-network-protection.md) +- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) +- [Enable attack surface reduction](enable-attack-surface-reduction.md) + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index 1f004b79b7..ee1e9948c7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md 
@@ -1,5 +1,5 @@ --- -title: Conduct a demo to see how Network protection works +title: Conduct a demo to see how network protection works description: Quickly see how Network protection works by performing common scenarios that it protects against keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo search.product: eADQiWindows 10XVcnh @@ -11,34 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- -# Evaluate Network protection - - +# Evaluate network protection **Applies to:** -- Windows 10 Enterprise edition, version 1709 or later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell - - - -Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. 
@@ -48,7 +30,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Enable Network protection +## Enable network protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -67,12 +49,11 @@ You can also carry out the processes described in this topic in audit or disable You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked. -![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png) +![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) +## Review network protection events in Windows Event Viewer - ## Review Network protection events in Windows Event Viewer - -You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-all-windows-defender-exploit-guard-events). +You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 
@@ -82,18 +63,18 @@ You can also review the Windows event log to see the events there were created w 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Network protection: +5. This will create a custom view that filters to only show the following events related to network protection: Event ID | Description -|- 5007 | Event when settings are changed -1125 | Event when rule fires in Audit-mode -1126 | Event when rule fires in Block-mode +1125 | Event when rule fires in audit mode +1126 | Event when rule fires in block mode ## Use audit mode to measure impact -You can also enable the Network protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. +You can also enable the network protection feature in audit mode. This lets you see a record of which IP addresses and domains would have been blocked if the feature were enabled. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use. 
@@ -102,17 +83,12 @@ To enable audit mode, use the following PowerShell cmdlet: ```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` - - >[!TIP] ->If you want to fully audit how Network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +>If you want to fully audit how network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md). +## Related topics - - - ## Related topics - -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index 958158f7f6..ee57054634 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md 
@@ -14,48 +14,36 @@ ms.author: v-anbic ms.date: 05/30/2018 --- - - # Evaluate Windows Defender Exploit Guard - **Applies to:** - Windows 10, version 1709 and later - Windows Server 2016 - -**Audience** - -- Enterprise security administrators - -Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. +Windows Defender Exploit Guard is a collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are. 
- -- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) -- [Evaluate Controlled folder access](evaluate-controlled-folder-access.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Evaluate Network protection](evaluate-network-protection.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: - [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) - - ## Related topics Topic | Description ---|--- -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) \ No newline at end of file +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index f070b8407e..1bf42dc66c 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -1,5 +1,5 @@
 ---
-title: Import custom views to see Windows Defender Exploit Guard events
+title: Import custom views to see attack surface reduction events
 description: Use Windows Event Viewer to import individual views for each of the features.
 keywords: event view, exploit guard, audit, review, events
 search.product: eADQiWindows 10XVcnh
@@ -12,38 +12,30 @@ ms.date: 04/16/2018 ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/08/2018 --- - -# View Windows Defender Exploit Guard events - +# View attack surface reduction events **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -**Audience** - -- Enterprise security administrators - -Each of the four features in Windows Defender Exploit Guard allow you to review events in the Windows Event log. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. +You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md) in the Windows Defender Security Center console, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). 
+You can also get detailed reporting into events and blocks as part of Windows Security, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). -## Use custom views to review Windows Defender Exploit Guard features +## Use custom views to review attack surface reduction capabilities -You can create custom views in the Windows Event Viewer to only see events for specific features and settings. +You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of all Windows Defender Exploit Guard events](#list-of-all-windows-defender-exploit-guard-events) section at the end of this topic for more details. +You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. ### Import an existing XML custom view @@ -83,11 +75,7 @@ You can also manually navigate to the event area that corresponds to the Windows 5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). - - - - -### XML for Attack surface reduction events +### XML for attack surface reduction rule events ```xml @@ -98,7 +86,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Controlled folder access events +### XML for controlled folder access events ```xml 
@@ -109,7 +97,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Exploit protection events +### XML for exploit protection events ```xml @@ -129,7 +117,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Network protection events +### XML for network protection events ```xml @@ -141,12 +129,10 @@ You can also manually navigate to the event area that corresponds to the Windows ``` +## List of attack surface reduction events -## List of all Windows Defender Exploit Guard events - - -All Windows Defender Exploit Guard events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. +All attack surface reductiond events are located under **Applications and Services Logs > Microsoft > Windows** and then the folder or provider as listed in the following table. You can access these events in Windows Event viewer: diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 64d6627554..a20efc725e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md 
@@ -11,32 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- - - -# Protect devices from exploits with Windows Defender Exploit Guard - +# Protect devices from exploits **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell - - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. 
@@ -45,32 +27,25 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. + You [configure these settings using the Windows Security app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled. + You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. - Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See the [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard topic](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to Exploit protection on Windows 10. + Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. >[!IMPORTANT] - >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. 
You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + >If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. >[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. 
-## Requirements + ## Review exploit protection events in Windows Event Viewer -Windows 10 version | Windows Defender Advanced Threat Protection --|- -Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - - - ## Review Exploit protection events in Windows Event Viewer - -You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app: +You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. 
@@ -115,13 +90,97 @@ Security-Mitigations | 24 | ROP SimExec enforce WER-Diagnostics | 5 | CFG Block Win32K | 260 | Untrusted Font +## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard + +>[!IMPORTANT] +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. +> +>You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. + +Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. + +EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. + +After July 31, 2018, it will not be supported. + +For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: + +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) + +## Feature comparison + + The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. + +  | Windows Defender Exploit Guard | EMET + -|:-:|:-: +Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
                    All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Windows 8.1; Windows 8; Windows 7
                    Cannot be installed on Windows 10, version 1709 and later +Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
                    (no additional installation required)
                    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
                    [Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
                    Ends after July 31, 2018 +Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
                    No planned updates or development +Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
                    All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
                    [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Limited set of mitigations +Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
                    [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Limited ruleset configuration only for modules (no processes) +Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                    Not available +Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Helps protect important folders](controlled-folders-exploit-guard.md)
                    [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                    Not available +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Requires installation and use of EMET tool +Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Available +Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Requires use of EMET tool (EMET_CONF) +System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
                    Not available +Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
                    Not available +Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
                    With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
                    [Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Limited Windows event log monitoring +Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
                    [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
                    Limited to EAF, EAF+, and anti-ROP mitigations + +([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). + +([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. + +## Mitigation comparison + +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). + +The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. + +Mitigation | Available in Windows Defender Exploit Guard | Available in EMET +-|:-:|:-: +Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                    As "Memory Protection Check" +Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
                    As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
                    Included natively in Windows 10
                    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)] +Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
                    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] +Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] +Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] + +>[!NOTE] +>The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. 
+> +>See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. + + +## Related topics + +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - ## In this section -Topic | Description ----|--- -[Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) | Many of the features in the EMET are now included in Exploit protection. This topic identifies those features and explains how the features have changed or evolved. -[Evaluate Exploit protection](evaluate-exploit-protection.md) | Undertake a demo scenario to see how Exploit protection mitigations can protect your network from malicious and suspicious behavior. -[Enable Exploit protection](enable-exploit-protection.md) | Use Group Policy or PowerShell to enable and manage Exploit protection in your network. -[Customize and configure Exploit protection](customize-exploit-protection.md) | Configure mitigations for the operating system and for individual apps. -[Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) | Export, import, and deploy the settings across your organization. You can also convert an existing EMET configuration profile and import it into Exploit protection. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
index 77b9114470..adf0afe4dd 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy Exploit protection mitigations across your organization
+title: Deploy exploit protection mitigations across your organization
 keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
 description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration.
 search.product: eADQiWindows 10XVcnh
@@ -14,66 +14,41 @@ ms.author: v-anbic ms.date: 04/30/2018 --- - - -# Import, export, and deploy Exploit protection configurations - +# Import, export, and deploy exploit protection configurations **Applies to:** -- Windows 10, version 1709 and later - - - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- Group Policy -- PowerShell - - - +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in exploit protection. -You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. +You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. -You can also convert and import an existing EMET configuration XML file into an Exploit protection configuration XML. +You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML. 
This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. -The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit protection and then review the settings in the Windows Defender Security Center app, as described further in this topic. - - +The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. ## Create and export a configuration file Before you export a configuration file, you need to ensure you have the correct settings. -You should first configure Exploit protection on a single, dedicated machine. See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instructions for configuring mitigations. +You should first configure exploit protection on a single, dedicated machine. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations. -When you have configured Exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell. 
+When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell. +### Use the Windows Security app to export a configuration file - - -### Use the Windows Defender Security Center app to export a configuration file - - -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: - ![Highlight of the Exploit protection settings option in the Windows Defender Security Center app](images/wdsc-exp-prot.png) + ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png) 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. @@ -82,7 +57,6 @@ When you have configured Exploit protection to your desired state (including bot >[!NOTE] >When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. - ### Use PowerShell to export a configuration file 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 
@@ -97,12 +71,11 @@ Change `filename` to any name or location of your choosing. > [!IMPORTANT] > When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. - ## Import a configuration file -You can import an Exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. +You can import an exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. -After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app. +After importing, the settings will be instantly applied and can be reviewed in the Windows Security app. ### Use PowerShell to import a configuration file 
@@ -114,16 +87,16 @@ After importing, the settings will be instantly applied and can be reviewed in t Set-ProcessMitigation -PolicyFilePath filename.xml ``` -Change `filename` to the location and name of the Exploit protection XML file. +Change `filename` to the location and name of the exploit protection XML file. >[!IMPORTANT] > ->Ensure you import a configuration file that is created specifically for Exploit protection. You cannot directly import an EMET configuration file, you must convert it first. +>Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. -## Convert an EMET configuration file to an Exploit protection configuration file +## Convert an EMET configuration file to an exploit protection configuration file -You can convert an existing EMET configuration file to the new format used by Exploit protection. You must do this if you want to import an EMET configuration into Exploit protection in Windows 10. +You can convert an existing EMET configuration file to the new format used by exploit protection. You must do this if you want to import an EMET configuration into exploit protection in Windows 10. You can only do this conversion in PowerShell. @@ -166,7 +139,7 @@ You can use Group Policy to deploy the configuration you've created to multiple 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Exploit Guard > Exploit protection**. +5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**. ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png) 
@@ -182,8 +155,8 @@ You can use Group Policy to deploy the configuration you've created to multiple ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index 7ac4ae1438..03dd9e1ec9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md 
@@ -11,18 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: iaanw ms.author: iawilt -ms.date: 02/20/2018 +ms.date: 08/09/2018 --- - - # Memory integrity - **Applies to:** -- Windows 10, version 1709 -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. + + diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index df6a6b9037..934d1154de 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Use Network protection to help prevent connections to bad sites +title: Use network protection to help prevent connections to bad sites description: Protect your network by preventing users from accessing known malicious and suspicious network addresses keywords: Network protection, exploits, malicious website, ip, domain, domains search.product: eADQiWindows 10XVcnh 
@@ -11,49 +11,28 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- - - -# Protect your network with Windows Defender Exploit Guard +# Protect your network **Applies to:** -- Windows 10, version 1709 or higher -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Group Policy -- PowerShell -- Configuration service providers for mobile device management - - -Supported in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. 
+Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - -When Network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled. - - ## Requirements Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection. 
@@ -63,10 +42,9 @@ Windows 10 version | Windows Defender Antivirus Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled -## Review Network protection events in Windows Event Viewer +## Review network protection events in Windows Event Viewer - -You can review the Windows event log to see events that are created when Network protection blocks (or audits) access to a malicious IP or domain: +You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine. 
@@ -80,20 +58,17 @@ You can review the Windows event log to see events that are created when Network 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Network protection: +5. This will create a custom view that filters to only show the following events related to network protection: Event ID | Description -|- 5007 | Event when settings are changed -1125 | Event when Network protection fires in Audit-mode -1126 | Event when Network protection fires in Block-mode - - - +1125 | Event when network protection fires in audit mode +1126 | Event when network protection fires in block mode ## In this section Topic | Description ---|--- -[Evaluate Network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. -[Enable Network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network protection feature in your network. +[Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. +[Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/TOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md similarity index 100% rename from windows/security/threat-protection/windows-defender-exploit-guard/TOC.md rename to windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 71dea75d8e..158a8a98ac 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -1,6 +1,6 @@
 ---
-title: Requirements and deployment planning guidelines for irtualization-based protection of code integrity (Windows 10)
-description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
+title: Requirements and deployment planning guidelines for virtualization-based protection of code integrity (Windows 10)
+description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -9,15 +9,15 @@ author: brianlic-msft ms.date: 10/20/2017 --- -# Requirements and deployment planning guidelines for virtualization-based protection of code integrity +# Baseline protections and additional qualifications for virtualization-based protection of code integrity **Applies to** -- Windows 10 -- Windows Server 2016 -Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. +Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. 
+ +For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. > [!WARNING] > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error). @@ -25,13 +25,13 @@ For example, hardware that includes CPU virtualization extensions and SLAT will The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. > [!NOTE] -> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. +> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. ## Baseline protections |Baseline Protections | Description | Security benefits | |--------------------------------|----------------------------------------------------|-------------------| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | +| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | | Hardware: **CPU virtualization extensions**,
                    plus **extended page tables** | These hardware features are required for VBS:
                    One of the following virtualization extensions:
                    • VT-x (Intel) or
                    • AMD-V
                    And:
                    • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | @@ -64,11 +64,11 @@ The following tables describe additional hardware and firmware qualifications, a
                    -### Additional security qualifications starting with Windows 10, version 1703 +### Additional security qualifications starting with Windows 10, version 1703 | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| | Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
                    • UEFI runtime service must meet these requirements:
                        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                            • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

                    Notes:
                    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                    • This protection is applied by VBS on OS page tables.


                    Please also note the following:
                    • Do not use sections that are both writeable and exceutable
                    • Do not attempt to directly modify executable system memory
                    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware.
                    • Blocks additional security attacks against SMM. | +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware.
                    • Blocks additional security attacks against SMM. | diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 412c817281..847b1fa492 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot problems with Attack surface reduction rules +title: Troubleshoot problems with attack surface reduction rules description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking search.product: eADQiWindows 10XVcnh @@ -11,27 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 09/18/2018 --- -# Troubleshoot Attack surface reduction rules +# Troubleshoot attack surface reduction rules **Applies to:** -- Windows 10, version 1709 or higher -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Audience** - -- IT administrators - -When you use [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: +When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: - A rule blocks a file, process, or performs some other action that it should not (false positive) - A rule does not work as described, or does not block a file or process that it should (false negative) - - There are four steps to troubleshooting these problems: 1. Confirm that you have met all pre-requisites 
@@ -39,11 +32,9 @@ There are four steps to troubleshooting these problems: 3. Add exclusions for the specified rule (for false positives) 3. Submit support logs - - ## Confirm pre-requisites -Attack surface reduction (ASR) will only work on devices with the following conditions: +Attack surface reduction rules will only work on devices with the following conditions: >[!div class="checklist"] > - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update). 
@@ -51,47 +42,44 @@ Attack surface reduction (ASR) will only work on devices with the following cond > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). - If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule There are two ways that you can test if the rule is working. -You can use a pre-configured demo tool to confirm ASR is generally working on the device, or you can use audit mode, which enables the rule for reporting only. +You can use a pre-configured demo tool to confirm attack surface reduction rules are generally working on the device, or you can use audit mode, which enables rules for reporting only. -The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the ASR feature as a whole is operating correctly. +The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the attack surface reduction rule feature as a whole is operating correctly. If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). -You should follow the instructions in the section [Use the demo tool to see how ASR works](evaluate-attack-surface-reduction.md#use-the-demo-tool-to-see-how-attack-surface-reduction-works) to test the specific rule you are encountering problems with. +Follow the instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. 
>[!TIP] ->While the instructions for using the demo tool are intended for evaluating or seeing how ASR works, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. +>While the instructions for using the demo tool are intended for evaluating or seeing how attack surface reduction rules work, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run. -1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). -3. [Review the ASR event logs](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. - +3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. >[!TIP] >Audit mode will stop the rule from blocking the file or process. > >If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. 
> ->Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +>Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: -If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: - -1. If the ASR rule is blocking something that it should not block (also known as a false positive), you can [first add an ASR exclusion](#add-exclusions-for-a-false-positive). -2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). +1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). +2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). ## Add exclusions for a false positive -You can add exclusions to ASR to prevent ASR rules from evaluating the excluded files or folders. +You can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. 
This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us. @@ -102,12 +90,11 @@ To add an exclusion, see the [Customize Attack surface reduction](customize-atta > >This means any files or folders that are excluded will be excluded from all ASR rules. - If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us. ## Collect diagnostic data -You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with ASR. +You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with attack surface reduction rules. When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). 
@@ -116,14 +103,8 @@ You must also attach associated files in a .zip file (such as the file or execut Follow the link below for instructions on how to collect the .cab file: > [!div class="nextstepaction"] -> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) - - - - - +> [Collect and submit diagnostic data](collect-cab-files-exploit-guard-submission.md) ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Attack surface reduction](attack-surface-reduction-exploit-guard.md) +- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 8410be06b9..31f4604299 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -1,5 +1,5 @@ --- -title: Deploy Exploit protection mitigations across your organization +title: Deploy exploit protection mitigations across your organization keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install description: Remove unwanted Exploit protection mitigations. search.product: eADQiWindows 10XVcnh 
@@ -11,34 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- - - -# Troubleshoot Exploit protection mitigations - +# Troubleshoot exploit protection mitigations **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. -**Audience** - -- Enterprise security administrators - - -**Manageability available with** - -- Windows Defender Security Center app -- PowerShell - - -When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. - -You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead. +You can manually remove unwanted mitigations in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead. 1. Remove all process mitigations with this PowerShell script: 
@@ -205,13 +189,13 @@ You can manually remove unwanted mitigations in Windows Defender Security Center ``` -If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) to complete your Exploit protection customization. +If you haven’t already, it's a good idea to download and use the [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) to complete your Exploit protection customization. ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 2b7764fdb5..f2f8024158 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md 
@@ -11,16 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 08/09/2018 --- -# Troubleshoot Network protection +# Troubleshoot network protection **Applies to:** -- Windows 10, version 1709 or higher - -**Audience** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) - IT administrators @@ -29,8 +27,6 @@ When you use [Network protection](network-protection-exploit-guard.md) you may e - Network protection blocks a website that is safe (false positive) - Network protection fails to block a suspicious or known malicious website (false negative) - - There are four steps to troubleshooting these problems: 1. Confirm that you have met all pre-requisites 
@@ -38,19 +34,16 @@ There are four steps to troubleshooting these problems: 3. Add exclusions for the specified rule (for false positives) 3. Submit support logs - - ## Confirm pre-requisites -Windows Defender Exploit Guard will only work on devices with the following conditions: +Network protection will only work on devices with the following conditions: >[!div class="checklist"] > - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). - +> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. 
@@ -58,33 +51,33 @@ If these pre-requisites have all been met, proceed to the next step to test the There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode. -You can enable Network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by Network protection. See the [evaluate Network protection](evaluate-network-protection.md) topic for instructions. +You can enable network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by network protection. See [Evaluate network protection](evaluate-network-protection.md) for instructions. If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). >[!TIP] ->While the instructions for using the demo website are intended for evaluating or seeing how Network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. +>While the instructions for using the demo website are intended for evaluating or seeing how network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. -You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets Network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. +You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. -1. Enable audit mode for Network protection. 
Use Group Policy to set the rule to **Audit mode** as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). +1. Enable audit mode for network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). 2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -3. [Review the Network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. >[!IMPORTANT] ->Audit mode will stop Network protection from blocking known malicious connections. +>Audit mode will stop network protection from blocking known malicious connections. > ->If Network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. +>If network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. > >Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. -If you've tested the feature with the demo site and with audit mode, and Network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. 
+If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. ## Report a false positive or false negative -You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with Network protection. +You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with network protection. When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). @@ -93,11 +86,6 @@ You can also attach a diagnostic .cab file to your submission if you wish (this > [!div class="nextstepaction"] > [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) - - - - - ## Related topics - [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 96ed1733a8..cfea6fdd1f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md 
@@ -11,23 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 08/09/2018 --- - - # Windows Defender Exploit Guard - **Applies to:** -- Windows 10, version 1709 and later -- Windows Server 2016 - - -**Audience** - -- Enterprise security administrators +- Windows Defender Advanced Threat Protection (Windows Defender ATP) Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. 
@@ -52,13 +43,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work.
-Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies, which also includes:
-- [Windows Defender Security Center](../windows-defender-atp/windows-defender-security-center-atp.md)
-- [Windows Defender Antivirus in Windows 10](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
-- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
-- [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md)
+Windows Defender EG can be managed and reported on in the Windows Security app as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies.
-You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
+You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
 ## Requirements 
@@ -68,14 +55,12 @@ This section covers requirements for each feature in Windows Defender EG.
 |--------|---------|
 | ![not supported](./images/ball_empty.png) | Not supported |
 | ![supported](./images/ball_50.png) | Supported |
-| ![supported, enhanced](./images/ball_75.png) | Includes advanced exploit protection for the kernel mode via [HVCI](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity) |
-| ![supported, full reporting](./images/ball_full.png) | Includes automated reporting into the Windows Defender ATP console|
-
+| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
 | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
 | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
-| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_75.png) | ![supported, full reporting](./images/ball_full.png) |
-| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
+| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
+| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not 
supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
 | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
 | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
@@ -84,7 +69,7 @@ The following table lists which features in Windows Defender EG require enabling
 | Feature | Real-time protection |
 |-----------------| ------------------------------------ |
 | Exploit protection | No requirement |
-| Attack surface reduction | Must be enabled |
+| Attack surface reduction rules | Must be enabled |
 | Network protection | Must be enabled |
 | Controlled folder access | Must be enabled | 
@@ -92,9 +77,9 @@ The following table lists which features in Windows Defender EG require enabling
 Topic | Description
 ---|---
-[Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once.
-[Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
-[Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
-[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
+[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. 
+[Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.
+[Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
+[Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png
index bf7a3e3910..a60f5edbab 100644
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png and b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png b/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png
index 98083a937c..68b94302a1 100644
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png and b/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png differ 
diff --git a/windows/security/threat-protection/windows-defender-security-center/TOC.md b/windows/security/threat-protection/windows-defender-security-center/oldTOC.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-security-center/TOC.md
rename to windows/security/threat-protection/windows-defender-security-center/oldTOC.md
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 4dad649653..94651ad2a2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Account protection in the Windows Defender Security Center app
+title: Account protection in the Windows Security app
 description: Use the Account protection section to manage security for your account and sign in to Microsoft.
 keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
 search.product: eADQiWindows 10XVcnh
@@ -33,7 +33,7 @@ You can also choose to hide the section from users of the machine. This can be u
 ## Hide the Account protection section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
 This can only be done in Group Policy. 
@@ -46,7 +46,7 @@ This can only be done in Group Policy.
 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Security Center > Account protection**.
+5. Expand the tree to **Windows components > Windows Security > Account protection**.
 6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**.
@@ -55,4 +55,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index aa52a93e41..b3d73ce4da 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -1,5 +1,5 @@
 ---
-title: App & browser control in the Windows Defender Security Center app
+title: App & browser control in the Windows Security app
 description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
 keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
 search.product: eADQiWindows 10XVcnh 
@@ -44,7 +44,7 @@ You can only prevent users from modifying Exploit protection settings by using G
 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Security Center > App and browser protection**.
+5. Expand the tree to **Windows components > Windows Security > App and browser protection**.
 6. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
@@ -52,7 +52,7 @@ You can only prevent users from modifying Exploit protection settings by using G
 ## Hide the App & browser control section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
 This can only be done in Group Policy.
@@ -65,7 +65,7 @@ This can only be done in Group Policy.
 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Security Center > App and browser protection**.
+5. Expand the tree to **Windows components > Windows Security > App and browser protection**.
 6. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. 
@@ -74,4 +74,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index b528a224eb..30cc2c355d 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -1,5 +1,5 @@
 ---
-title: Customize Windows Defender Security Center contact information
+title: Customize Windows Security contact information
 description: Provide information to your employees on how to contact your IT department when a security issue occurs
 keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site
 search.product: eADQiWindows 10XVcnh
@@ -14,7 +14,7 @@ ms.author: v-anbic
 ms.date: 04/30/2018
 ---
-# Customize the Windows Defender Security Center app for your organization
+# Customize the Windows Security app for your organization
 **Applies to** 
@@ -28,7 +28,7 @@ ms.date: 04/30/2018
 - Group Policy
-You can add information about your organization in a contact card to the Windows Defender Security Center app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
+You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
 ![](images/security-center-custom-flyout.png)
@@ -56,7 +56,7 @@ This can only be done in Group Policy.
 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Security Center > Enterprise Customization**.
+5. Expand the tree to **Windows components > Windows Security > Enterprise Customization**.
 6. You enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 7 and 8), and you can enable both or only one or the other:
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 67d58174c1..2e68201ba8 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md 
@@ -1,5 +1,5 @@
 ---
-title: Device & performance health in the Windows Defender Security Center app
+title: Device & performance health in the Windows Security app
 description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
 keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status
 search.product: eADQiWindows 10XVcnh
@@ -32,7 +32,7 @@ In Windows 10, version 1709 and later, the section can be hidden from users of t
 ## Hide the Device performance & health section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
 This can only be done in Group Policy.
@@ -45,7 +45,7 @@ This can only be done in Group Policy.
 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Security Center > Device performance and health**.
+5. Expand the tree to **Windows components > Windows Security > Device performance and health**.
 6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**. 
@@ -54,4 +54,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index 64af9bb9d8..3dea1e0c3a 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -1,5 +1,5 @@
 ---
-title: Device security in the Windows Defender Security Center app
+title: Device security in the Windows Security app
 description: Use the Device security section to manage security built into your device, including virtualization-based security.
 keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide
 search.product: eADQiWindows 10XVcnh 
@@ -11,25 +11,22 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 10/02/2018
 ---
-
 # Device security
 **Applies to**
 - Windows 10, version 1803 and later
-
-The **Device security** section contains information and settings for built-in device security.
+The **Device security** section contains information and settings for built-in device security.
 You can choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
-
 ## Hide the Device security section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
 This can only be done in Group Policy. 
@@ -40,15 +37,59 @@ This can only be done in Group Policy.
 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Security Center > Device security**.
+3. Expand the tree to **Windows components > Windows Security > Device security**.
-6. Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**.
+4. Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
+5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
+
+## Disable the Clear TPM button
+If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
+
+>[!IMPORTANT]
+>### Requirements
+>
+>You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+
+1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Windows Security > Device security**.
+
+4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Click **OK**.
+
+5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
+
+## Hide the TPM Firmware Update recommendation
+If you don't want users to see the recommendation to update TPM firmware, you can disable it.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Windows Security > Device security**.
+
+4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Click **OK**.
+
+5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
+
+## Disable Memory integrity switch
+If you don't want users to be able to change the Hypervisor Control Integrity (HVCI), or memory integrity, setting on their computers, you can disable the **Memory integrity** switch.
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+
+3. Expand the tree to **Windows components > Windows Security > Device security**.
+
+4. Open the **Disable Memory integrity switch** setting and set it to **Enabled**. Click **OK**.
+
+5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index 47bf08fc3f..e691142a85 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -1,5 +1,5 @@
 ---
-title: Family options in the Windows Defender Security Center app
+title: Family options in the Windows Security app
 description: Hide the Family options section in enterprise environments
 keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time
 search.product: eADQiWindows 10XVcnh 
@@ -24,14 +24,14 @@ ms.date: 04/30/2018
 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments.
-Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
+Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
 In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to this section.
 ## Hide the Family options section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
 This can only be done in Group Policy.
@@ -44,7 +44,7 @@ This can only be done in Group Policy.
 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Security Center > Family options**.
+5. Expand the tree to **Windows components > Windows Security > Family options**.
 6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**. 
@@ -53,4 +53,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 4986db4e3e..1aea2d2d26 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Firewall and network protection in the Windows Defender Security Center app
+title: Firewall and network protection in the Windows Security app
 description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
 keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall
 search.product: eADQiWindows 10XVcnh 
@@ -22,14 +22,14 @@ ms.date: 04/30/2018
 - Windows 10, version 1703 and later
-The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
+The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
 In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
 ## Hide the Firewall & network protection section
-You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app.
 This can only be done in Group Policy. 
@@ -38,18 +38,18 @@ This can only be done in Group Policy.
 >
 >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**.
 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components > Windows Defender Security Center > Firewall and network protection**.
+5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**.
 6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
+7. Deploy the updated GPO as you normally do.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 551ce1779b..a21f6e6715 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md 
@@ -1,6 +1,6 @@ --- -title: Hide notifications from the Windows Defender Security Center app -description: Prevent Windows Defender Security Center app notifications from appearing on user endpoints +title: Hide notifications from the Windows Security app +description: Prevent Windows Security app notifications from appearing on user endpoints keywords: defender, security center, app, notifications, av, alerts search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -14,7 +14,7 @@ ms.author: v-anbic ms.date: 04/30/2018 --- -# Hide Windows Defender Security Center app notifications +# Hide Windows Security app notifications **Applies to** @@ -28,7 +28,7 @@ ms.date: 04/30/2018 - Group Policy -The Windows Defender Security Center app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. +The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization. @@ -58,7 +58,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Notifications**. +5. Expand the tree to **Windows components > Windows Security > Notifications**. 6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**. 
@@ -67,7 +67,7 @@ This can only be done in Group Policy. ## Use Group Policy to hide all notifications -You can hide all notifications that are sourced from the Windows Defender Security Center app. This may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input. +You can hide all notifications that are sourced from the Windows Security app. This may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input. This can only be done in Group Policy. @@ -80,7 +80,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Notifications**. +5. Expand the tree to **Windows components > Windows Security > Notifications**. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 5d7d2ce96b..e8c72f679d 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md 
@@ -1,5 +1,5 @@ --- -title: Virus and threat protection in the Windows Defender Security Center app +title: Virus and threat protection in the Windows Security app description: Use the Virus & threat protection section to see and configure Windows Defender Antivirus, Controlled folder access, and 3rd-party AV products. keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh @@ -28,7 +28,7 @@ In Windows 10, version 1803, this section also contains information and settings IT administrators and IT pros can get more information and documentation about configuration from the following: -- [Windows Defender Antivirus in the Windows Defender Security Center app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) +- [Windows Defender Antivirus in the Windows Security app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) - [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) - [Protect important folders with Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) - [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/) 
@@ -40,7 +40,7 @@ You can choose to hide the **Virus & threat protection** section or the **Ransom ## Hide the Virus & threat protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -53,7 +53,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Virus and threat protection**. +5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. 6. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**. @@ -62,11 +62,11 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Hide the Ransomware protection area -You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Defender Security Center app. +You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Security app. This can only be done in Group Policy. 
@@ -79,7 +79,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Virus and threat protection**. +5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. 6. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index a4423252ca..3a2be655e3 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -1,6 +1,6 @@ --- -title: Manage Windows Defender Security Center in Windows 10 in S mode -description: Windows Defender Security Center settings are different in Windows 10 in S mode +title: Manage Windows Security in Windows 10 in S mode +description: Windows Security settings are different in Windows 10 in S mode keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -14,7 +14,7 @@ ms.author: v-anbic ms.date: 04/30/2018 --- -# Manage Windows Defender Security Center in Windows 10 in S mode +# Manage Windows Security in Windows 10 in S mode **Applies to** 
@@ -30,15 +30,15 @@ ms.date: 04/30/2018 Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. -The Windows Defender Security Center interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. +The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Defender Security Center app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode). 
-##Managing Windows Defender Security Center settings with Intune +##Managing Windows Security settings with Intune In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts. -For information about using Intune to manage Windows Defender Security Center settings on your organization's devices, see [Set up Intune](https://docs.microsoft.com/en-us/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10). +For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](https://docs.microsoft.com/en-us/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index c98c737aad..0ac415f224 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md 
@@ -1,6 +1,6 @@
 ---
-title: The Windows Defender Security Center app
-description: The Windows Defender Security Center app brings together common Windows security features into one place
+title: The Windows Security app
+description: The Windows Security app brings together common Windows security features into one place
 keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -11,43 +11,35 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- -# The Windows Defender Security Center app +# The Windows Security app **Applies to** - Windows 10, version 1703 and later - - - -In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps. - -In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. - - -![Screen shot of the Windows Defender Security Center app showing that the device is protected and five icons for each of the features](images/security-center-home.png) - - - -In Windows 10, version 1709, we increased the scope of the app to also show information from third-party antivirus and firewall apps. - ->[!NOTE] ->The Windows Defender Security Center app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal console that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -This library describes the Windows Defender Security Center app, and provides information on configuring certain features, including: +This library describes the Windows Security app, and provides information on configuring certain features, including: - [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md) - [Hiding notifications](wdsc-hide-notifications.md) -You can't uninstall the Windows Defender Security Center app, but you can do one of the following: +In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps. + +In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. 
+ +![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) + +>[!NOTE] +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal console that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +You can't uninstall the Windows Security app, but you can do one of the following: - Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). - Hide all of the sections on client computers (see below). 
@@ -57,47 +49,43 @@ You can find more information about each section, including options for configur - [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to Microsoft OneDrive. -- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. +- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. - [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall. - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings. -- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. +- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. - [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) - - - - -## Open the Windows Defender Security Center app +## Open the Windows Security app - Click the icon in the notification area on the taskbar. 
- ![Screen shot of the icon for the Windows Defender Security Center app on the Windows task bar](images/security-center-taskbar.png) -- Search the Start menu for **Windows Defender Security Center**. + ![Screen shot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) +- Search the Start menu for **Windows Security**. - ![Screen shot of the Start menu showing the results of a search for the Windows Defender Security Center app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) + ![Screen shot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) - Open an area from Windows **Settings**. - ![Screen shot of Windows Settings showing the different areas available in the Windows Defender Security Center](images/settings-windows-defender-security-center-areas.png) + ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) > [!NOTE] -> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. See the topics for each of the sections for links to configuring the associated features or products. +> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. 
-## How the Windows Defender Security Center app works with Windows security features +## How the Windows Security app works with Windows security features >[!IMPORTANT] ->Windows Defender AV and the Windows Defender Security Center app use similarly named services for specific purposes. +>Windows Defender AV and the Windows Security app use similarly named services for specific purposes. > ->The Windows Defender Security Center app uses the Windows Defender Security Center Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +>The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. > >These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. 
> @@ -106,22 +94,22 @@ You can find more information about each section, including options for configur >Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] -> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. > >It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. > >This will significantly lower the protection of your device and could lead to malware infection. -The Windows Defender Security Center app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. +The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. It acts as a collector or single place to see the status and perform some configuration for each of the features. -Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center app. 
The Windows Defender Security Center app itself will still run and show status for the other security features. +Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. > [!IMPORTANT] -> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center app. +> Individually disabling any of the services will not disable the other services or the Windows Security app. -For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Defender Security Center app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. +For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index 11e79cb879..f11f1ad904 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md 
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -1,6 +1,6 @@
 ---
 title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
-description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Defender Security Center to set Windows Defender SmartScreen for individual devices.
+description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Security to set Windows Defender SmartScreen for individual devices.
 keywords: SmartScreen Filter, Windows SmartScreen
 ms.prod: w10
 ms.mktglfcycl: explore
@@ -19,14 +19,14 @@ ms.date: 10/13/2017 Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. -## How employees can use Windows Defender Security Center to set up Windows Defender SmartScreen -Starting with Windows 10, version 1703 your employees can use Windows Defender Security Center to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. +## How employees can use Windows Security to set up Windows Defender SmartScreen +Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. >[!NOTE] >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. -**To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device** -1. Open the Windows Defender Security Center app, and then click **App & browser control**. +**To use Windows Security to set up Windows Defender SmartScreen on a device** +1. Open the Windows Security app, and then click **App & browser control**. 2. In the **App & browser control** screen, choose from the following options: 
@@ -52,7 +52,7 @@ Starting with Windows 10, version 1703 your employees can use Windows Defender S - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Defender Security Center, SmartScreen controls](images/windows-defender-smartscreen-control.png) + ![Windows Security, SmartScreen controls](images/windows-defender-smartscreen-control.png) ## How SmartScreen works when an employee tries to run an app Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md new file mode 100644 index 0000000000..19f2d4873f --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/TOC.md 
@@ -0,0 +1,109 @@
+# [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
+## [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md)
+## [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
+## [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
+## [Design Guide](windows-firewall-with-advanced-security-design-guide.md)
+### [Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
+### [Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
+#### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
+#### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
+#### [Require Encryption](require-encryption-when-accessing-sensitive-network-resources.md)
+#### [Restrict Access](restrict-access-to-only-specified-users-or-devices.md)
+### [Mapping Goals to a Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+#### [Basic Design](basic-firewall-policy-design.md)
+#### [Domain Isolation Design](domain-isolation-policy-design.md)
+#### [Server Isolation Design](server-isolation-policy-design.md)
+#### [Certificate-based Isolation Design](certificate-based-isolation-policy-design.md)
+### [Evaluating Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
+#### [Basic Design Example](firewall-policy-design-example.md)
+#### [Domain Isolation Design Example](domain-isolation-policy-design-example.md)
+#### [Server Isolation Design Example](server-isolation-policy-design-example.md)
+#### [Certificate-based Isolation Design Example](certificate-based-isolation-policy-design-example.md)
+### [Designing a Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
+#### [Gathering the Info You Need](gathering-the-information-you-need.md)
+##### [Network](gathering-information-about-your-current-network-infrastructure.md)
+##### [Active Directory](gathering-information-about-your-active-directory-deployment.md)
+##### [Computers](gathering-information-about-your-devices.md)
+##### [Other Relevant Information](gathering-other-relevant-information.md)
+#### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md)
+### [Planning Your Design](planning-your-windows-firewall-with-advanced-security-design.md)
+#### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
+#### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
+##### [Exemption List](exemption-list.md)
+##### [Isolated Domain](isolated-domain.md)
+##### [Boundary Zone](boundary-zone.md)
+##### [Encryption Zone](encryption-zone.md)
+#### [Planning Server Isolation Zones](planning-server-isolation-zones.md)
+#### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
+##### [Documenting the Zones](documenting-the-zones.md)
+##### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
+###### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
+###### [Planning Network Access Groups](planning-network-access-groups.md)
+###### [Planning the GPOs](planning-the-gpos.md)
+####### [Firewall GPOs](firewall-gpos.md)
+######## [GPO_DOMISO_Firewall](gpo-domiso-firewall.md)
+####### [Isolated Domain GPOs](isolated-domain-gpos.md)
+######## [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
+######## [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
+####### [Boundary Zone GPOs](boundary-zone-gpos.md)
+######## [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
+####### [Encryption Zone GPOs](encryption-zone-gpos.md)
+######## [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
+####### [Server Isolation GPOs](server-isolation-gpos.md)
+###### [Planning GPO Deployment](planning-gpo-deployment.md)
+### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
+## [Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
+### [Planning to Deploy](planning-to-deploy-windows-firewall-with-advanced-security.md)
+### [Implementing Your Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
+### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
+### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
+### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)
+### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)
+### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)
+### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
+#### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)
+#### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)
+#### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)
+#### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
+### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
+#### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
+#### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
+### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
+### [Procedures Used in This Guide](procedures-used-in-this-guide.md)
+#### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
+#### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
+#### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
+#### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
+#### [Configure Authentication Methods](configure-authentication-methods.md)
+#### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
+#### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
+#### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
+#### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
+#### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
+#### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
+#### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
+#### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
+#### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
+#### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
+#### [Create a Group Policy Object](create-a-group-policy-object.md)
+#### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
+#### [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
+#### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
+#### [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
+#### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
+#### [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
+#### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
+#### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
+#### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
+#### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
+#### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
+#### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
+#### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
+#### [Modify GPO Filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
+#### [Open IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
+#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md)
+#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+#### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md)
+#### [Restrict Server Access](restrict-server-access-to-members-of-a-group-only.md)
+#### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md)
+#### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md)
diff --git a/windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
rename to windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
index 8df6f869aa..98a41989a0 100644
--- a/windows/security/identity-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
rename to windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
index 281ad6dac7..01300466cb 100644
--- a/windows/security/identity-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
+++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
rename to windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
index 5cebf022c7..80be70956a 100644
--- a/windows/security/identity-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
rename to windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index 6b62911649..ca09cb0b1b 100644
--- a/windows/security/identity-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md
rename to windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
index c42b348566..52a0ff1746 100644
--- a/windows/security/identity-protection/windows-firewall/basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md
rename to windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
index 1cd6e00adf..c6efd1da85 100644
--- a/windows/security/identity-protection/windows-firewall/boundary-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/boundary-zone.md
rename to windows/security/threat-protection/windows-firewall/boundary-zone.md
index 8bbf2b4e08..4b8a3f82d9 100644
--- a/windows/security/identity-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
rename to windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
index 1b0eb72de4..a3077b6d8b 100644
--- a/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md
rename to windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
index bdd5a0c1de..5703ac0670 100644
--- a/windows/security/identity-protection/windows-firewall/certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md
rename to windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
index 1b9c21d3ce..62420de298 100644
--- a/windows/security/identity-protection/windows-firewall/change-rules-from-request-to-require-mode.md
+++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
rename to windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
index 0a85219b4b..0494cf7b90 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
index 8f72339a24..cc95a9fe0e 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
index 73e079e959..36a838b94a 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
index 23127bc7f3..c0097b7a82 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
index 8ee694fdd7..59459f5637 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
rename to windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
index 2d8c7601d4..12aff1bf77 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md
rename to windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
index f405e2bb9a..b42bfc69b3 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-creating-group-policy-objects.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
rename to windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
index 5df5d2c5b6..7b6bd39b54 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
rename to windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
index 483fe71c65..559291765a 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
rename to windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
index f072701a49..9a7e901ac8 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
rename to windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
index 99969245fc..d58d940b08 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
rename to windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
index dc40a91804..e482d00b69 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
rename to windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
index 8a58ee4cde..18e9197b4e 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
rename to windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
index 2b9b09d474..dcf7575556 100644
--- a/windows/security/identity-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/configure-authentication-methods.md
rename to windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
index d0a86b59f7..b23f0c7d01 100644
--- a/windows/security/identity-protection/windows-firewall/configure-authentication-methods.md
+++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
rename to windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
index 95c923e55b..05db2ff779 100644
--- a/windows/security/identity-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
rename to windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
index 8b65b64896..63802f55e1 100644
--- a/windows/security/identity-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
+++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
rename to windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
index 4ebecbd05c..4ec20e462c 100644
--- a/windows/security/identity-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
+++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md
rename to windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
index 011e37612c..b9cb9944ae 100644
--- a/windows/security/identity-protection/windows-firewall/configure-the-rules-to-require-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md
rename to windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index d108f8e07b..ba32647e26 100644
--- a/windows/security/identity-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
similarity index 89%
rename from windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
rename to windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
index 4aeab49c4b..b3e437f93d 100644
--- a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md
@@ -6,8 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
-ms.date: 04/19/2017
+ms.localizationpriority: medium
+author: Justinha
+ms.date: 07/30/2018
 ---
 
 # Configure the Workstation Authentication Certificate Template
@@ -36,7 +37,7 @@ To complete these procedures, you must be a member of both the Domain Admins gro 6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**. -7. Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. +7. Click the **Cryptography** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. 8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. diff --git a/windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md similarity index 98% rename from windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md rename to windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 69fe26b5c4..b0f250ecfb 100644 --- a/windows/security/identity-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md 
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
rename to windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
index c8b0f4c9f5..1895dc3017 100644
--- a/windows/security/identity-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
+++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: securit
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
rename to windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
index 6199641b1f..af70080d9b 100644
--- a/windows/security/identity-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md
rename to windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
index acf2f55a73..9aefd85144 100644
--- a/windows/security/identity-protection/windows-firewall/create-a-group-account-in-active-directory.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md
rename to windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index 4cbdd983d0..dd292b0bea 100644
--- a/windows/security/identity-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
rename to windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
index 06f204cb58..f9d1765c2f 100644
--- a/windows/security/identity-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md
rename to windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
index edf9d7479c..efde773a84 100644
--- a/windows/security/identity-protection/windows-firewall/create-an-authentication-request-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md
rename to windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
index 4ddb3567bf..a4ecccf7e2 100644
--- a/windows/security/identity-protection/windows-firewall/create-an-inbound-icmp-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md
rename to windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index 066e7e1ea1..d20966c5d7 100644
--- a/windows/security/identity-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
rename to windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
index 301a6ed8f0..36d61e5346 100644
--- a/windows/security/identity-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md
rename to windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
index 9e07ad036f..4f3a998eee 100644
--- a/windows/security/identity-protection/windows-firewall/create-an-outbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
rename to windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index 293c0b91b8..f0d4c6761c 100644
--- a/windows/security/identity-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
rename to windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
index a2be760876..aec0ec391f 100644
--- a/windows/security/identity-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
+++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
rename to windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 8f0ee31021..7744378add 100644
--- a/windows/security/identity-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 05/25/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
rename to windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
index 2ed2c83937..48712e94eb 100644
--- a/windows/security/identity-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
+++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
rename to windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
index 1169fd195d..5023cacc9c 100644
--- a/windows/security/identity-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
+++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/documenting-the-zones.md
rename to windows/security/threat-protection/windows-firewall/documenting-the-zones.md
index 092e1b70c1..ee0a546b86 100644
--- a/windows/security/identity-protection/windows-firewall/documenting-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md
rename to windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index b6738968f0..cb91e6f3ab 100644
--- a/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md
rename to windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 97c2561cf6..db21ce0ac9 100644
--- a/windows/security/identity-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md
rename to windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
index 7f83f9dc04..825edaca3a 100644
--- a/windows/security/identity-protection/windows-firewall/enable-predefined-inbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md
rename to windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
index 21011137b7..df3c7329ae 100644
--- a/windows/security/identity-protection/windows-firewall/enable-predefined-outbound-rules.md
+++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md
rename to windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
index a3169a163b..6ed1c4c636 100644
--- a/windows/security/identity-protection/windows-firewall/encryption-zone-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/encryption-zone.md
rename to windows/security/threat-protection/windows-firewall/encryption-zone.md
index 29681be588..35aa4212f1 100644
--- a/windows/security/identity-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
rename to windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
index e0bcd65419..720c7272ac 100644
--- a/windows/security/identity-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
+++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md
rename to windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
index 5e47503c42..4cf8c409e1 100644
--- a/windows/security/identity-protection/windows-firewall/exempt-icmp-from-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/exemption-list.md
rename to windows/security/threat-protection/windows-firewall/exemption-list.md
index 7f06dcc4f1..21a3e2c957 100644
--- a/windows/security/identity-protection/windows-firewall/exemption-list.md
+++ b/windows/security/threat-protection/windows-firewall/exemption-list.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
similarity index 95%
rename from windows/security/identity-protection/windows-firewall/firewall-gpos.md
rename to windows/security/threat-protection/windows-firewall/firewall-gpos.md
index 5c244fa5b6..ad1d17f139 100644
--- a/windows/security/identity-protection/windows-firewall/firewall-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md
rename to windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 76d4cb1d81..07ca7e7c61 100644
--- a/windows/security/identity-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
rename to windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
index ab28af81ed..4c2a252889 100644
--- a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
rename to windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
index b6b0712078..c3a22d6df6 100644
--- a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- @@ -61,7 +62,7 @@ Other examples of incompatibility include: - Network monitoring tools might be unable to parse ESP packets that are not encrypted (ESP-Null). - >**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](http://www.microsoft.com/download/details.aspx?id=44226). + >**Note:**  Microsoft Message Analyzer can help in troubleshooting of unencrypted IPsec packets. The latest version of Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).   ## Network address translation (NAT) diff --git a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md similarity index 99% rename from windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md rename to windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 1d21b2750c..8c1b016757 100644 --- a/windows/security/identity-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security +ms.localizationpriority: medium author: brianlic-msft ms.date: 08/17/2017 --- 
diff --git a/windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md
rename to windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index eaafe2cb9f..2ecc649ffb 100644
--- a/windows/security/identity-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
@@ -22,7 +23,7 @@ This topic discusses several other things that you should examine to see whether
 Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a device. Areas to watch:
-- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](http://technet.microsoft.com/network/dd277647.aspx).
+- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](https://technet.microsoft.com/network/dd277647.aspx).
 - **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5  KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization.
diff --git a/windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md
rename to windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
index 267025d913..b2c85e5dd0 100644
--- a/windows/security/identity-protection/windows-firewall/gathering-the-information-you-need.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md
rename to windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
index ecac9fe271..38018ab8e2 100644
--- a/windows/security/identity-protection/windows-firewall/gpo-domiso-boundary.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md
rename to windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index 3d554f3a9e..99ff5ffcf6 100644
--- a/windows/security/identity-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md
rename to windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
index 2d72894c44..bed2d46cda 100644
--- a/windows/security/identity-protection/windows-firewall/gpo-domiso-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
rename to windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
index 6ca14e5412..1f645f91c2 100644
--- a/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
rename to windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
index 31c28d7a4f..f13c70d1c7 100644
--- a/windows/security/identity-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
rename to windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
index 78403c5c87..30a391a025 100644
--- a/windows/security/identity-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/images/corpnet.gif b/windows/security/threat-protection/windows-firewall/images/corpnet.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/corpnet.gif
rename to windows/security/threat-protection/windows-firewall/images/corpnet.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/createipsecrule.gif b/windows/security/threat-protection/windows-firewall/images/createipsecrule.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/createipsecrule.gif
rename to windows/security/threat-protection/windows-firewall/images/createipsecrule.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/powershelllogosmall.gif b/windows/security/threat-protection/windows-firewall/images/powershelllogosmall.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/powershelllogosmall.gif
rename to windows/security/threat-protection/windows-firewall/images/powershelllogosmall.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/qmcryptoset.gif b/windows/security/threat-protection/windows-firewall/images/qmcryptoset.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/qmcryptoset.gif
rename to windows/security/threat-protection/windows-firewall/images/qmcryptoset.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-design2example1.gif b/windows/security/threat-protection/windows-firewall/images/wfas-design2example1.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-design2example1.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-design2example1.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-design3example1.gif b/windows/security/threat-protection/windows-firewall/images/wfas-design3example1.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-design3example1.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-design3example1.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-designexample1.gif b/windows/security/threat-protection/windows-firewall/images/wfas-designexample1.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-designexample1.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-designexample1.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-designflowchart1.gif b/windows/security/threat-protection/windows-firewall/images/wfas-designflowchart1.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-designflowchart1.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-designflowchart1.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-domainiso.gif b/windows/security/threat-protection/windows-firewall/images/wfas-domainiso.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-domainiso.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-domainiso.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-domainisoencrypt.gif b/windows/security/threat-protection/windows-firewall/images/wfas-domainisoencrypt.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-domainisoencrypt.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-domainisoencrypt.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-domainisohighsec.gif b/windows/security/threat-protection/windows-firewall/images/wfas-domainisohighsec.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-domainisohighsec.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-domainisohighsec.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-domainnag.gif b/windows/security/threat-protection/windows-firewall/images/wfas-domainnag.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-domainnag.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-domainnag.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-icon-checkbox.gif b/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-icon-checkbox.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfas-implement.gif b/windows/security/threat-protection/windows-firewall/images/wfas-implement.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfas-implement.gif
rename to windows/security/threat-protection/windows-firewall/images/wfas-implement.gif
diff --git a/windows/security/identity-protection/windows-firewall/images/wfasdomainisoboundary.gif b/windows/security/threat-protection/windows-firewall/images/wfasdomainisoboundary.gif
similarity index 100%
rename from windows/security/identity-protection/windows-firewall/images/wfasdomainisoboundary.gif
rename to windows/security/threat-protection/windows-firewall/images/wfasdomainisoboundary.gif
diff --git a/windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
rename to windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index 88bf7a60c3..e40d8d7a2e 100644
--- a/windows/security/identity-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md
rename to windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
index 584608f5b5..d32fbbad7b 100644
--- a/windows/security/identity-protection/windows-firewall/isolated-domain-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/isolated-domain.md
rename to windows/security/threat-protection/windows-firewall/isolated-domain.md
index ff2b3914ed..32a9043172 100644
--- a/windows/security/identity-protection/windows-firewall/isolated-domain.md
+++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md
rename to windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
index fa46126446..ca4b001e6a 100644
--- a/windows/security/identity-protection/windows-firewall/isolating-apps-on-your-network.md
+++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 10/13/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md
rename to windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
index 60fbc82328..746570ffbd 100644
--- a/windows/security/identity-protection/windows-firewall/link-the-gpo-to-the-domain.md
+++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
rename to windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
index e1793dc9f8..7eefeac0b2 100644
--- a/windows/security/identity-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
rename to windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
index 9c3e678890..d45ed57dfc 100644
--- a/windows/security/identity-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
similarity index 96%
rename from windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
rename to windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
index 6c935f8c41..2894154e47 100644
--- a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
rename to windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index f99c3dfeb5..f4e67423c5 100644
--- a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
similarity index 95%
rename from windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
rename to windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
index 04fceb336d..485b4917f9 100644
--- a/windows/security/identity-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/02/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
rename to windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index d14fa0d2a9..a49296f5d8 100644
--- a/windows/security/identity-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md
rename to windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
index e876f9cde7..75bbce24b9 100644
--- a/windows/security/identity-protection/windows-firewall/planning-certificate-based-authentication.md
+++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md
rename to windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
index 717d5b0f83..9ec2562b8a 100644
--- a/windows/security/identity-protection/windows-firewall/planning-domain-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md
rename to windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
index 12e737f353..6222a6da9c 100644
--- a/windows/security/identity-protection/windows-firewall/planning-gpo-deployment.md
+++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
rename to windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
index 9cdb57a7f3..d43c0a263c 100644
--- a/windows/security/identity-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
rename to windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
index 44804c8c56..38d6aa0b45 100644
--- a/windows/security/identity-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/planning-network-access-groups.md
rename to windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index 39d5ac3285..2a53064efd 100644
--- a/windows/security/identity-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/planning-server-isolation-zones.md
rename to windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index 91b3f895f0..0dc7dc181b 100644
--- a/windows/security/identity-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
rename to windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index e5b08697f1..73a2f757c7 100644
--- a/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/planning-the-gpos.md
rename to windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index 7223799e78..f3db2bbad9 100644
--- a/windows/security/identity-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
rename to windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index ebd4d51ffc..9a39c0de1d 100644
--- a/windows/security/identity-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
rename to windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 3f7fedacfe..a2f19872e7 100644
--- a/windows/security/identity-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/procedures-used-in-this-guide.md
rename to windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
index cd7c4edaf0..d3ae509319 100644
--- a/windows/security/identity-protection/windows-firewall/procedures-used-in-this-guide.md
+++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
similarity index 97%
rename from windows/security/identity-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
rename to windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index 96c1ca94eb..2ab0ca6442 100644
--- a/windows/security/identity-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
@@ -18,7 +19,7 @@ ms.date: 04/19/2017
 Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
-Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](http://www.microsoft.com/security/sir/default.aspx).
+Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/sir/default.aspx).
 Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network.
diff --git a/windows/security/identity-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
rename to windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index 779a932959..b9a8de9993 100644
--- a/windows/security/identity-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
rename to windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index 05964574a6..05a97f9e40 100644
--- a/windows/security/identity-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
rename to windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 9bdfeb710a..4ff811eafc 100644
--- a/windows/security/identity-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
rename to windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
index c7896c65f7..565a73b576 100644
--- a/windows/security/identity-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
similarity index 96%
rename from windows/security/identity-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
rename to windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index 484c6d3772..6bac7d1d1f 100644
--- a/windows/security/identity-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
@@ -85,7 +86,7 @@ Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer
 $computer = Get-ADComputer -LDAPFilter "(name=server1)"
 Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer
-# Create and link the GPO to the domain
+# Create and link the GPO to the domain
 $gpo = New-gpo IPsecRequireInRequestOut
 $gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes
@@ -94,7 +95,7 @@ $gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Grou
 $gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace
 #Set up the certificate for authentication
-$gponame = "corp.contoso.com\IPsecRequireInRequestOut"
+$gponame = "corp.contoso.com\IPsecRequireInRequestOut"
 $certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
 $myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop –PolicyStore GPO:$gponame
@@ -126,7 +127,7 @@ New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet
 Make sure that you install the required certificates on the participating computers.
 >**Note:**  
-- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
+- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
 - You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder.
 - For remote devices, you can create a secure website to facilitate access to the script and certificates.
diff --git a/windows/security/identity-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/server-isolation-gpos.md
rename to windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
index b59c41958c..5d7aec4d89 100644
--- a/windows/security/identity-protection/windows-firewall/server-isolation-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/server-isolation-policy-design-example.md
rename to windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index 4b13a1d554..a0bac113cf 100644
--- a/windows/security/identity-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/server-isolation-policy-design.md
rename to windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 4a20f290d1..016568e7c7 100644
--- a/windows/security/identity-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
rename to windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
index 5d8b1b2e47..1dae92ce6c 100644
--- a/windows/security/identity-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
+++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
similarity index 98%
rename from windows/security/identity-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
rename to windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
index 2c0c44064d..5be8b4b176 100644
--- a/windows/security/identity-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
rename to windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
index d981220703..a41e88727a 100644
--- a/windows/security/identity-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
+++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
similarity index 96%
rename from windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
rename to windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index aa3448684e..64ec16e1ac 100644
--- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
@@ -23,7 +24,7 @@ In future versions of Windows, Microsoft might remove the netsh functionality fo
 Windows PowerShell and netsh command references are at the following locations.
-- [Netsh Commands for Windows Defender Firewall](http://technet.microsoft.com/library/cc771920)
+- [Netsh Commands for Windows Defender Firewall](https://technet.microsoft.com/library/cc771920)
 ## Scope
@@ -38,11 +39,11 @@ This guide is intended for IT pros, system administrators, and IT managers, and
 | Section | Description |
 | - | - |
 | [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
-| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
-| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
-| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
-| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation|
-| [Additional resources](#additional-resources) | More information about Windows PowerShell|
+| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
+| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
+| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
+| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation|
+| [Additional resources](#additional-resources) | More information about Windows PowerShell|
 ## Set profile global defaults
@@ -73,7 +74,7 @@ The following scriptlets set the default inbound and outbound actions, specifies
 **Netsh**
 ``` syntax
-netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
+netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
 netsh advfirewall set allprofiles settings inboundusernotification enable
 netsh advfirewall set allprofiles settings unicastresponsetomulticast enable
 netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
@@ -87,26 +88,26 @@ Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow
 ### Disable Windows Defender Firewall with Advanced Security
-Microsoft recommends that you do not disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
+Microsoft recommends that you do not disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
 Disabling Windows Defender Firewall with Advanced Security can also cause problems, including:
 - Start menu can stop working
 - Modern applications can fail to install or update
-- Activation of Windows via phone fails
+- Activation of Windows via phone fails
 - Application or OS incompatibilities that depend on Windows Defender Firewall
-Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed.
+Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed.
 If disabling Windows Defender Firewall is required, do not disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Defender Firewall service is not supported by Microsoft.
-Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility.
-You should not disable the firewall yourself for this purpose.
+Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility.
+You should not disable the firewall yourself for this purpose.
 The proper method to disable the Windows Defender Firewall is to disable the Windows Defender Firewall Profiles and leave the service running.
-Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**.
+Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**.
 For more information, see [Windows Defender Firewall with Advanced Security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
 The following example disables Windows Defender Firewall for all profiles.
@@ -145,13 +146,13 @@ Here, **domain.contoso.com** is the name of your Active Directory Domain Service
 ``` syntax
 netsh advfirewall set store gpo=domain.contoso.com\gpo_name
-netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block
+netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block
 ```
 Windows PowerShell
 ``` syntax
-New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name
+New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name
 ```
 ### GPO Caching
@@ -165,7 +166,7 @@ Windows PowerShell
 ``` syntax
 $gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name
 New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo
-Save-NetGPO –GPOSession $gpo
+Save-NetGPO –GPOSession $gpo
 ```
 Note that this does not batch your individual changes, it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes.
@@ -226,7 +227,7 @@ If the group is not specified at rule creation time, the rule can be added to th
 Windows PowerShell
 ``` syntax
-$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet”
+$rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet”
 $rule.Group = “Telnet Management”
 $rule | Set-NetFirewallRule
 ```
@@ -341,7 +342,7 @@ New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore
 ### Add custom authentication methods to an IPsec rule
-If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](http://technet.microsoft.com/library/cc757847(WS.10).aspx) .
+If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](https://technet.microsoft.com/library/cc757847(WS.10).aspx) .
 You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object.
@@ -479,7 +480,7 @@ For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is sp
 Windows PowerShell
 ``` syntax
-Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore
+Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore
 ```
 It is important to note that the revealed sources do not contain a domain name.
@@ -502,7 +503,7 @@ Windows PowerShell
 ``` syntax
 $kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos
 $Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation
-New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation
+New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation
 ```
 ### Configure IPsec tunnel mode
@@ -578,7 +579,7 @@ To deploy server isolation, we layer a firewall rule that restricts traffic to a
 The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called “Authorized to Access Server.” This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters.
-A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](http://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID).
+A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](https://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID).
 Restricting access to a group allows administrations to extend strong authentication support through Windows Defender Firewall and/or IPsec policies.
@@ -600,7 +601,7 @@ Windows PowerShell
 $secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)"
 ```
-For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](http://technet.microsoft.com/library/ff730940.aspx).
+For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](https://technet.microsoft.com/library/ff730940.aspx).
 Telnet is an application that does not provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application.
@@ -633,7 +634,7 @@ Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGr
 ### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass)
-Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](http://technet.microsoft.com/library/cc753463(WS.10).aspx).
+Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](https://technet.microsoft.com/library/cc753463(WS.10).aspx).
 In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group.
diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
rename to windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
index 7167d7496a..b89e03159e 100644
--- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 08/17/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
similarity index 99%
rename from windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
rename to windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
index 7714a6969c..17bc826d98 100644
--- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 10/05/2017
 ---
diff --git a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
similarity index 94%
rename from windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security.md
rename to windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 9bf49e209f..9b266aec88 100644
--- a/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -5,6 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: medium
 author: brianlic-msft
 ms.date: 10/13/2017
 ---
@@ -38,7 +39,7 @@ To help address your organizational network security challenges, Windows Defende
 | Topic | Description
 | - | - |
 | [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices. |
-| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
+| [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
 | [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. |
 | [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. |
 | [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. |
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index acd9ab7b9e..efe30a1df5 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -16,6 +16,7 @@ ms.date: 06/25/2018 - Windows 10 - Windows Server 2016 +- Office 2016 ## Using security baselines in your organization diff --git a/windows/security/wdatp/images/WDATP-components.png b/windows/security/wdatp/images/WDATP-components.png deleted file mode 100644 index 51f4335265..0000000000 Binary files a/windows/security/wdatp/images/WDATP-components.png and /dev/null differ diff --git a/windows/security/wdatp/images/wdatp-pillars.png b/windows/security/wdatp/images/wdatp-pillars.png deleted file mode 100644 index 06ad5e6ed2..0000000000 Binary files a/windows/security/wdatp/images/wdatp-pillars.png and /dev/null differ diff --git a/windows/security/wdatp/images/wdatp-pillars2.png b/windows/security/wdatp/images/wdatp-pillars2.png deleted file mode 100644 index bbe88f3638..0000000000 Binary files a/windows/security/wdatp/images/wdatp-pillars2.png and /dev/null differ diff --git a/windows/security/wdatp/index.md b/windows/security/wdatp/index.md deleted file mode 100644 index cb401fa3e4..0000000000 --- a/windows/security/wdatp/index.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -title: Windows Defender Advanced Threat Protection -description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.date: 06/04/2018 ---- - -# Windows Defender Advanced Threat Protection - -Windows Defender Advanced Threat Protection (Windows Defender ATP)is a unified platform for preventative protection, post-breach detection, automated investigation and response, employing intelligent protection to protect endpoints from cyber threats. - - -![Windows Defender ATP components](images/wdatp-pillars2.png) - -**Attack surface reduction**
                    -The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. - -**Next generation protection**
                    -To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. - -**Endpoint detection and response**
                    -Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. - -**Auto investigation and remediation**
                    -In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - -**Security posture**
                    -Windows Defender ATP also provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network. - -**Management and APIs**
                    -Windows Defender ATP provides integrated configuration management in the cloud. The service also supports third-party mobile device management (MDM) tools, cross-platform support, and APIs that allow customers to create custom threat intelligence and automate workflows. - -Understand how capabilities align within the Windows Defender ATP suite offering: - - - Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation and remediation | Security posture -:---|:---|:---|:---|:--- - [Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/)

                    [Application control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)

                    [Exploit protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)

                    [Network protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

                    [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) | [Machine learning](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)

                    [Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)

                    [Threat intelligence](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)

                    [Sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) | [Response containment](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

                    [Realtime and historical threat hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)

                    [Threat intelligence and custom detections](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Forensic collection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)

                    [Response orchestration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)

                    [Historical endpoint data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)

                    [Artificial intelligence response playbooks](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | [Asset inventory](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)
                    [Operating system baseline compliance](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

                    [Recommended improvement actions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection#improvement-opportunities)

                    [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)

                    [Threat analytics](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)

                    [Reporting and trends](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection) - -These capabilities are available across multiple products that make up the Windows Defender ATP platform. For more information on how to leverage all the Windows Defender ATP capabilities, see [Threat protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/index). - - diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 22e6c40651..6c8ae105ee 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,4 +1,5 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) ## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) diff --git a/windows/whats-new/images/1_AppBrowser.png b/windows/whats-new/images/1_AppBrowser.png new file mode 100644 index 0000000000..6e1f32e389 Binary files /dev/null and b/windows/whats-new/images/1_AppBrowser.png differ diff --git a/windows/whats-new/images/2_InstallWDAG.png b/windows/whats-new/images/2_InstallWDAG.png new file mode 100644 index 0000000000..e45f714a35 Binary files /dev/null and b/windows/whats-new/images/2_InstallWDAG.png differ diff --git a/windows/whats-new/images/3_ChangeSettings.png b/windows/whats-new/images/3_ChangeSettings.png new file mode 100644 index 0000000000..968eb0c3c0 Binary files /dev/null and b/windows/whats-new/images/3_ChangeSettings.png differ diff --git a/windows/whats-new/images/4_ViewSettings.jpg b/windows/whats-new/images/4_ViewSettings.jpg new file mode 100644 index 0000000000..72ee4db754 Binary files /dev/null and b/windows/whats-new/images/4_ViewSettings.jpg differ 
diff --git a/windows/whats-new/images/Defender.png b/windows/whats-new/images/Defender.png
new file mode 100644
index 0000000000..a99f5992a0
Binary files /dev/null and b/windows/whats-new/images/Defender.png differ
diff --git a/windows/whats-new/images/FastSignIn.png b/windows/whats-new/images/FastSignIn.png
new file mode 100644
index 0000000000..1bd763dbea
Binary files /dev/null and b/windows/whats-new/images/FastSignIn.png differ
diff --git a/windows/whats-new/images/Multi-app_kiosk_inFrame.png b/windows/whats-new/images/Multi-app_kiosk_inFrame.png
new file mode 100644
index 0000000000..7a1928501e
Binary files /dev/null and b/windows/whats-new/images/Multi-app_kiosk_inFrame.png differ
diff --git a/windows/whats-new/images/Normal_inFrame.png b/windows/whats-new/images/Normal_inFrame.png
new file mode 100644
index 0000000000..8d0559d0ee
Binary files /dev/null and b/windows/whats-new/images/Normal_inFrame.png differ
diff --git a/windows/whats-new/images/RDPwBio2.png b/windows/whats-new/images/RDPwBio2.png
new file mode 100644
index 0000000000..6cffe649fe
Binary files /dev/null and b/windows/whats-new/images/RDPwBio2.png differ
diff --git a/windows/whats-new/images/RDPwBioTime.png b/windows/whats-new/images/RDPwBioTime.png
new file mode 100644
index 0000000000..d3007e8279
Binary files /dev/null and b/windows/whats-new/images/RDPwBioTime.png differ
diff --git a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png
new file mode 100644
index 0000000000..f329d74d3e
Binary files /dev/null and b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png differ
diff --git a/windows/whats-new/images/WebSignIn.png b/windows/whats-new/images/WebSignIn.png
new file mode 100644
index 0000000000..4afa324aec
Binary files /dev/null and b/windows/whats-new/images/WebSignIn.png differ
diff --git a/windows/whats-new/images/beaming.png b/windows/whats-new/images/beaming.png
new file mode 100644
index 0000000000..096c1d43f4
Binary files /dev/null and b/windows/whats-new/images/beaming.png differ
diff --git a/windows/whats-new/images/block-suspicious-behaviors.png b/windows/whats-new/images/block-suspicious-behaviors.png
new file mode 100644
index 0000000000..31a2cf5727
Binary files /dev/null and b/windows/whats-new/images/block-suspicious-behaviors.png differ
diff --git a/windows/whats-new/images/hyper-v.png b/windows/whats-new/images/hyper-v.png
new file mode 100644
index 0000000000..27f482a6dd
Binary files /dev/null and b/windows/whats-new/images/hyper-v.png differ
diff --git a/windows/whats-new/images/kiosk-mode.PNG b/windows/whats-new/images/kiosk-mode.PNG
new file mode 100644
index 0000000000..57c420a9c2
Binary files /dev/null and b/windows/whats-new/images/kiosk-mode.PNG differ
diff --git a/windows/whats-new/images/regeditor.png b/windows/whats-new/images/regeditor.png
new file mode 100644
index 0000000000..947718ee80
Binary files /dev/null and b/windows/whats-new/images/regeditor.png differ
diff --git a/windows/whats-new/images/virus-and-threat-protection.png b/windows/whats-new/images/virus-and-threat-protection.png
new file mode 100644
index 0000000000..8fd800dcfa
Binary files /dev/null and b/windows/whats-new/images/virus-and-threat-protection.png differ
diff --git a/windows/whats-new/images/your-phone.png b/windows/whats-new/images/your-phone.png
new file mode 100644
index 0000000000..708c6c004a
Binary files /dev/null and b/windows/whats-new/images/your-phone.png differ
diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md
index e37e313557..c6ac6d12ab 100644
--- a/windows/whats-new/index.md
+++ b/windows/whats-new/index.md
@@ -16,6 +16,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) - [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) - [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) - [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 78339d5cb2..7a67f0f951 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md 
@@ -22,7 +22,7 @@ Below is a list of some of the new and updated features included in the initial ### Provisioning devices using Windows Imaging and Configuration Designer (ICD) -With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. +With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. [Learn more about provisioning in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) 
@@ -33,9 +33,9 @@ With Windows 10, you can create provisioning packages that let you quickly and e #### New Applocker features in Windows 10, version 1507 -- A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. -- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. -- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). +- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**. +- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server. +- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx). [Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview). 
@@ -229,7 +229,7 @@ In Windows 10, User Account Control has added some improvements. #### New User Account Control features in Windows 10, version 1507 -- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. +- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. [Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview). @@ -237,8 +237,8 @@ In Windows 10, User Account Control has added some improvements. Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: -- Always-on auto connection behavior -- App=triggered VPN +- Always-on auto connection behavior +- App=triggered VPN - VPN traffic filters - Lock down VPN - Integration with Microsoft Passport for Work 
@@ -252,7 +252,7 @@ Windows 10 provides mobile device management (MDM) capabilities for PCs, laptop ### MDM support -MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. +MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more. MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. @@ -271,7 +271,7 @@ When a personal device is unenrolled, the user's data and apps are untouched, wh Enterprises have the following identity and management choices. | Area | Choices | -|---|---| +|---|---| | Identity | Active Directory; Azure AD | | Grouping | Domain join; Workgroup; Azure AD join | | Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | 
@@ -306,7 +306,7 @@ Administrators can also use mobile device management (MDM) or Group Policy to di ### Microsoft Store for Business **New in Windows 10, version 1511** -With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. +With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. For more information, see [Microsoft Store for Business overview](/microsoft-store/windows-store-for-business-overview). 
@@ -323,7 +323,7 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279 - **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx). +Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx). Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb). diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 9beb4709cd..a363f852cd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -210,7 +210,7 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1 ### Uninstalled in-box apps no longer automatically reinstall -Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. +Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10, version 1607 (or earlier) to version 1703. 
@@ -234,7 +234,7 @@ Some of the other new CSPs are: - The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. [Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) 
@@ -244,7 +244,7 @@ The Windows version of mobile application management (MAM) is a lightweight solu For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). -### MDM diagnostics +### MDM diagnostics In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. @@ -314,7 +314,7 @@ Miracast over Infrastructure offers a number of benefits: Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. -### Enabling Miracast over Infrastructure +### Enabling Miracast over Infrastructure If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: 
@@ -322,8 +322,8 @@ If you have a device that has been updated to Windows 10, version 1703, then you - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. 
@@ -334,7 +334,7 @@ The following new features aren't part of Windows 10, but help you make the most Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. For more information about Upgrade Readiness, see the following topics: diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 7db90dbaca..df2abc4ea4 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -234,3 +234,4 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
                    [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
                    [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md new file mode 100644 index 0000000000..62ee95e835 --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-1809.md 
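Review bot: The single added line in this hunk links official Windows 10 documentation to a third-party site (rahulit.com) on a topic unrelated to the page's related-topics list, which reads as an injected SEO/spam link rather than a reviewed reference and should be removed before merge. An unvetted external link in product docs is a content-supply-chain risk: readers extend the trust they place in the docs domain to the destination, and the destination's content can change after the link is merged. The surrounding entries all point to Microsoft-owned docs or Microsoft video content, so this addition also breaks the page's own convention. Proposed change: delete `[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/)`; if a screenshot-related link is genuinely wanted, it should target a Microsoft-owned page and the pull request should state why it belongs here.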
@@ -0,0 +1,242 @@ +--- +title: What's new in Windows 10, version 1809 +description: New and updated features in Windows 10, version 1809 +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: dawnwood +ms.date: 10/02/2018 +ms.localizationpriority: high +--- + +# What's new in Windows 10, version 1809 for IT Pros + +>Applies To: Windows 10, version 1809, also known as Windows 10 October 2018 Update + +In this article we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803. + +The following 3-minute video summarizes some of the new features that are available for IT Pros in this release. + +  + + + + +> [!video https://www.youtube.com/embed/hAva4B-wsVA] + +## Your Phone app + +Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. + +For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. + +![your phone](images/your-phone.png "your phone") + +The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. 
You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. + +## Wireless projection experience + +One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: + +* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible +* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly +* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. + +![wireless projection banner](images/beaming.png "wireless projection banner") + +## Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. + +This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider,and provision policies and applications, all with no user authentication or user interaction required. 
+ +To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying). + +## Kiosk setup experience + +We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. + +To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. +![set up a kiosk](images/kiosk-mode.png "set up a kiosk") + +Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. + +1.__Digital / Interactive signage__ that displays a specific website full-screen and runs InPrivate mode. +2.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. + +![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") + +Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. + +**Note** the following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. + +1.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. 
+ +![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") + +2.__Normal mode__ runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. + +![normal mode](images/Normal_inFrame.png "normal mode") + +Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +![Enter your credentials](images/RDPwBioTime.png "Windows Hello") + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click __Connect__. + +Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click __More choices__ to choose alternate credentials. + +![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") + +In this example, Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. 
+ +![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") + +## Security Improvements + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") + +You can enable a new protection setting, **Block suspicious behaviors**, which brings [Windows Defender Exploit Guard attack surface reduction technology](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to all users. To enable this setting, go to the **Virus & threat protection** section and click **Manage settings**, as shown in the following screenshot: + +![Block suspicious behaviors](images/block-suspicious-behaviors.png "Block suspicious behaviors") + +With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + +When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. 
+ +We added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which inclueds domain, private, and public networks). + +
                    HKLM\SOFTWARE\Microsoft\Security Center\Feature DisableAvCheck (DWORD) = 1 
                    + +### BitLocker + +#### Silent enforcement on fixed drives + +Through a Modern Decice Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +### Windows Defender Application Guard Improvements + +Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. 
+ +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security.For detailed information, click [here](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this, +1. Go to**Windows Security** and select **App & browser control**. +![Security at a glance](images/1_AppBrowser.png "app and browser control") +2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. +![Isolated browser](images/2_InstallWDAG.png "isolated browsing") +3. Select **Change Application Guard** settings. +![change WDAG settings](images/3_ChangeSettings.png "change settings") +4. Configure or check Application Guard settings. +![view WDAG settings](images/4_ViewSettings.jpg "view settings") + +### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. 
It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](images/defender.png "Windows Security Center") + +### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes + +You can add specific rules for a WSL process in Windows Defender Firewall, just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/en-us/windows/wsl/release-notes#build-17618-skip-ahead). + +### Microsoft Edge Group Policies + +We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](https://aka.ms/new-microsoft-edge-group-policies). + +### Windows Defender Credential Guard is supported by default on 10S devices that are AAD Joined + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. 
+ +Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. + +### Windows 10 Pro S Mode requires a network connection + +A network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in Out Of Box Experience (OOBE). + +### Windows Defender ATP + +[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: + +- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
                    +Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + +- [Custom detection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
                    + With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + + +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
                    +Windows Defender ATP adds support for this scenario by providing MSSP integration. +The integration will allow MSSPs to take the following actions: +Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools. + +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
                    +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
                    +Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + + +- [Onboard Windows Server 2019](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
                    +Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/onboard-downlevel-windows-defender-advanced-threat-protection)
                    +Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor + +## Faster sign-in to a Windows 10 shared pc + +Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809. +2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + +![fast sign-in](images/fastsignin.png "fast sign-in") + +## Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + +![Web sign-in](images/websignin.png "web sign-in") \ No newline at end of file
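Review bot: The registry value `HKLM\SOFTWARE\Microsoft\Security Center\Feature DisableAvCheck (DWORD) = 1` in the Security Improvements section (between the "Firewall & network protection" paragraph and the BitLocker heading) is published as a bare line with no sentence saying what it controls, who is expected to set it, or what the effect is. Its name suggests it turns off an antivirus-related check in Security Center, so an unexplained one-liner on a what's-new page invites readers to copy it without realizing it weakens a security status check. I would either introduce it with a sentence written by the feature owner along the lines of `The following registry value disables <check — placeholder>; set it only when <condition — placeholder>, since Windows Security will then <effect — placeholder>.`, or remove the line until that context exists. The same section also has spelling errors worth fixing before publication (`inclueds`, `Decice`).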